]> Attribution of Internet Probes Cisco
De Kleetlaan 64 Diegem 1831 Belgium evyncke@cisco.com
Université de Liège
Belgium benoit.donnet@uliege.be
Université de Liège
Belgium justin.iurman@uliege.be
Operations and Management Operational Security Capabilities for IP Network Infrastructure Internet-Draft Active measurements at Internet-scale can target either collaborating parties or non-collaborating ones. This is similar scan and could be perceived as aggressive. This document proposes a couple of simple techniques allowing any party or organization to understand what this unsolicited packet is, what is its purpose, and more importantly who to contact. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Operational Security Capabilities for IP Network Infrastructure Working Group mailing list (), which is archived at . Source for this draft and an issue tracker can be found at .
Introduction Active measurements at Internet-scale can target either collaborating parties or non-collaborating ones. Such measurements include and . Sending unsolicited probes should obviously be done at a rate low enough to avoid wasting other parties resources. But even at a low rate, those probes could trigger an alarm that will request some investigation by either the party receiving the probe (i.e., when the probe destination address is one address assigned to the receiving party) or by a third party having some devices where those probes are transiting (e.g., an Internet transit router). This document suggests a couple of simple techniques allowing any party or organization to understand:
  • what this unsolicited packet is,
  • what is its purpose,
  • and more significantly who to contact for further information or stop the probing.
Note: it is expected that only good-willing researchers will use these techniques.
Probe / Measurement Description
Probe Description URI This document defines a "probe description URI" (see ) as a URI pointing to:
  • a "Probe Description", see , e.g., "https://example.net/measurement.txt";
  • an email address, e.g., "mailto:eric@example.net";
  • a phone number to call, e.g., "tel:+1-201-555-0123".
Probe Description Text Similarly, as in , when a node probes other nodes over the Internet, it should create a text file following the syntax described in section 3 of and should have the following fields:
  • contact;
  • expires;
  • preferred-languages.
Plus, another one "description" which is a URI pointing a document describing the measurement.
Out-of-band Probe Attribution When it is not possible to include the "probe description URI" in the probe packet itself, then a specific URI must be constructed based on the source address of the probe packet following , e.g., for a probe source address of 2001:db8::dead, the following URI are constructed:
  • if the reverse DNS record for 2001:db8::dead exists, e.g., "example.net", then the URI is "https://example.net/.well-known/probing.txt" ;
  • else (or in addition), the URI is "https://[2001:db8::dead]/.well-known/probing.txt". Of course, there will be a certificate verification issue.
The constructed URI must be a reference to the "Probe description Text" (see ).
In-band Probe Attribution When the desired measurement allows for it, one "probe description URI" should be included in the payload of all probes sent. This could be:
  • for a ICMPv6 echo request: in the optional data (see section 4.1 of );
  • for a ICMPv4 echo request: in the optional data;
  • for a UDP datagram: in the data part;
  • for a TCP packet with the SYN flag: data is allowed in TCP packets with the SYN flag per section 3.4 of (2nd paragraph);
  • for a IPv6 packet with either hop-by-hop or destination options headers, in the PadN option. Note that, per the informational section 2.1.9.5, it is suggested that PadN option should only contain 0x0 and be smaller than 8 octets, so the proposed insertion of the URI in PadN option could have influence on the measurement itself;
  • etc.
The URI should start at the first octet of the payload and should be terminated by an octet of 0x00, i.e., it must be null terminated. If the URI cannot be placed at the beginning of the payload, then it should be preceded also by an octet of 0x00. Note: using the above technique produces a valid and legit packet for all the nodes forwarding the probe. The node receiving the probe may or may not process the received packet, but this should cause no harm if the probing rate is very low as compared to the network bandwidth and to the processing capacity of all the nodes. As the insertion of the URI in the packet may not respect the syntax of the protocol, responses may not be received (such a TCP SYN+ACK) and perhaps an ICMP should be expected or more probably an absence of reply.
Ethical Considerations Executing some measurement experiences over the global Internet obviously require some ethical considerations when transit/destination non-solicited parties are involved. This document proposes a common way to identity the source and the purpose of active probing in order to reduce the potential burden on the non-solicited parties. But there are other considerations to be taken into account: from the payload content (e.g., is the encoding valid ?) to the transmission rate (see also and for some probing speed impacts). Those considerations are out of scope of this document.
Security Considerations While it is expected that only good-willing researchers will use these techniques, they will simplify and shorten the time to identify a probing across the Internet. This information is provided to identify the source and intent of specific probes, but there is no authentication possible for the inline information. As a result, a malevolent actor could provide false information while conducting the probes, so that the action was attributed to a third party. The recipient of this information cannot, as a result, rely on this information without confirmation. If a recipient cannot confirm the information or does not wish to do so, they should treat the flows as if there were no attribution.
IANA Considerations The "Well-Known URIs" registry should be updated with the following:
  • additional values (using the template from ):
  • URI suffix: probing.txt
  • Change controller: IETF
  • Specification document(s): this document
  • Status: permanent
 References Normative References A File Format to Aid in Security Vulnerability Disclosure Nightwatch Cybersecurity When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities. Well-Known Uniform Resource Identifiers (URIs) This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes. In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry. Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification This document describes the format of a set of control messages used in ICMPv6 (Internet Control Message Protocol). ICMPv6 is the Internet Control Message Protocol for Internet Protocol version 6 (IPv6). [STANDARDS-TRACK] Internet Control Message Protocol User Datagram Protocol Transmission Control Protocol Internet Protocol, Version 6 (IPv6) Specification This document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460. Informative References Efficient Algorithms for Large-Scale Topology Discovery Université Pierre & Marie Curie Laboratoire LiP6–CNRS Université Pierre & Marie Curie Laboratoire LiP6–CNRS Université Pierre & Marie Curie Laboratoire LiP6–CNRS Boston University Computer Science Department In the IP of the Beholder Strategies for Active IPv6 Topology Discovery Naval Postgraduate School University of Oregon Akamai Technologies Naval Postgraduate School Yarrp’ing the Internet Randomized High-Speed Active Topology Discovery Naval Postgraduate School Observations on the Dropping of Packets with IPv6 Extension Headers in the Real World This document presents real-world data regarding the extent to which packets with IPv6 Extension Headers (EHs) are dropped in the Internet (as originally measured in August 2014 and later in June 2015, with similar results) and where in the network such dropping occurs. The aforementioned results serve as a problem statement that is expected to trigger operational advice on the filtering of IPv6 packets carrying IPv6 EHs so that the situation improves over time. This document also explains how the results were obtained, such that the corresponding measurements can be reproduced by other members of the community and repeated over time to observe changes in the handling of packets with IPv6 EHs. IPv6 Transition/Co-existence Security Considerations The transition from a pure IPv4 network to a network where IPv4 and IPv6 coexist brings a number of extra security considerations that need to be taken into account when deploying IPv6 and operating the dual-protocol network and the associated transition mechanisms. This document attempts to give an overview of the various issues grouped into three categories: o issues due to the IPv6 protocol itself, o issues due to transition mechanisms, and o issues due to IPv6 deployment. This memo provides information for the Internet community.
Acknowledgments The authors would like to thank Alain Fiocco, Fernando Gont, Ted Hardie, Mehdi Kouhen, and Mark Townsley for helpful discussions as well as Raphael Leas for an early implementation.