Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu,...
Transcript of Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu,...
![Page 1: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/1.jpg)
Prefix- and Lexicographical-order-preserving IPAddress Anonymization
Matus Harvan
International University BremenBremen, Germany
2006 IEEE/IFIP Network Operations and ManagementSymposium
Matus Harvan IP Address Anonymization 1
![Page 2: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/2.jpg)
Why do we need SNMP measurements?
many speculations on how SNMP is being used in real worldproduction networks and how it performs
no systematic measurements have been performed andpublished so far
comparative studies based on assumed usage, lackingexperimental evidence
important to understand impact on network and devices while
improvements to SNMPdesigning new management protocols
Matus Harvan IP Address Anonymization 2
![Page 3: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/3.jpg)
SNMP Questions
usage of protocol operations
message size distributions
response times distributions
periodic vs. aperiodic traffic
trap-directed polling
usage of obsolete objects (e.g. ipRouteTable)
more questions in draft-schoenw-nrmg-snmp-measure-01.txt
Matus Harvan IP Address Anonymization 3
![Page 4: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/4.jpg)
Why do we need (IP) anonymization?
required to obtain and analyze SNMP traces from severalproduction networks
neccessary to analyze SNMP payload, not just headers
traces need to be anonymized (management traffic naturallycontains sensitive data)
traces need to retain enough information after anonymization
IP address prefix-relationships important (routing)
SNMP imposes an additional constraint of preserving thelexicographical ordering
Matus Harvan IP Address Anonymization 4
![Page 5: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/5.jpg)
Prefix-preserving IP address anonymization
prefix-preserving anonymization solved by Crypto-PAn[1, 2]
canonical form for all prefix-preserving anonymizationfunctions
using cryptography (AES) for anonymization
working implementation
Matus Harvan IP Address Anonymization 5
![Page 6: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/6.jpg)
Prefix-preserving Anonymization[1]
Definition
Two IP addresses a = a1a2 . . . an and b = b1b2 . . . bn share a k-bitprefix (0 ≤ k ≤ n) if a1a2 . . . ak = b1b2 . . . bk and ak+1 6= bk+1
when k < n.
Definition
An anonymization function F is defined as one-to-one functionfrom {0, 1}n to {0, 1}n.
Definition
An anonymization function F is prefix-preserving if given two IPaddresses a and b that share a k-bit prefix, F (a) and F (b) share ak-bit prefix as well.
Matus Harvan IP Address Anonymization 6
![Page 7: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/7.jpg)
Prefix-preserving Anonymization Example
Original IP addresses
IP1: 10.12.3.5 (00001010.00001100.00000011.00000101)
IP2: 10.16.220.3 (00001010.00010000.11011100.00000011)
Anonymized IP addresses
F (IP1): 117.16.14.250 (01110101.00010000.00001110.11111010)
F (IP2): 117.0.92.115 (01110101.00000000.01011100.01110011)
Matus Harvan IP Address Anonymization 7
![Page 8: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/8.jpg)
Prefix-preserving Anonymization Example
Original IP addresses
IP1: 10.12.3.5 (00001010.00001100.00000011.00000101)
IP2: 10.16.220.3 (00001010.00010000.11011100.00000011)
Anonymized IP addresses
F (IP1): 117.16.14.250 (01110101.00010000.00001110.11111010)
F (IP2): 117.0.92.115 (01110101.00000000.01011100.01110011)
Matus Harvan IP Address Anonymization 7
![Page 9: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/9.jpg)
Canonical Form Theorem[1]
Theorem
Let fi be a function from {0, 1}i to {0, 1} for i = 1, 2, . . . , n − 1and f0 be a constant function. Let F be a function from {0, 1}n to{0, 1}n defined as follows. Given a = a1a2 . . . an, let
F (a) := a′1a′2 . . . a′n
where a′i = ai ⊕ fi−1(a1, a2, . . . , ai−1) and ⊕ is the exclusive-oroperation, for i = 1, 2, . . . , n. Then F is a prefix-preservinganonymization function and every prefix-preserving anonymizationfunction necessarily takes this form.
Matus Harvan IP Address Anonymization 8
![Page 10: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/10.jpg)
Address Tree
1
0001
0000
1
0 1
1
10
1
10
00
0 1
10
0 1 0
0
0
0010
1011
0100
0101
1000
1110
1111
Figure: Original addresstree
0000
Leaf Node
Flip
Do Not Flip
0010
1011
0100
0101
1000
1110
1111
0001
����
��
���
��� �
�
� �
� �
�� �
�� �
��
Figure: Anonymizationfunction
1
1000
0111
0 1
1
0
0
0 1
10
0 1
1
1 0
0
1 1 00
0
0000
1001
0010
0110
1100
1101
1111
Figure: Anonymizedaddress tree
Matus Harvan IP Address Anonymization 9
![Page 11: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/11.jpg)
Lexicographical order on IP addresses
Definition
Let a = a1a2 . . . an and b = b1b2 . . . bn be two IP addresses (of thesame length) where ai ’s and bi ’s are bits. Then a lexicographicordering <l is defined by
a <l b ⇔ a1a2 . . . an <l b1b2 . . . bn
⇔ (∃m > 0)(∀i < m)(ai = bi ) ∧ (am < bm)
Definition
An anonymization function F is lexicographical-order-preserving ifgiven two IP addresses a and b we have
a <l b ⇒ F (a) <l F (b)
Matus Harvan IP Address Anonymization 10
![Page 12: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/12.jpg)
Lexicographical-order-preserving Anonymization Example
Original IP addresses
IP1: 10.12.3.5 (00001010.00001100.00000011.00000101)
IP2: 10.16.220.3 (00001010.00010000.11011100.00000011)
Anonymized IP addresses
F (IP1): 117.0.14.250 (01110101.00000000.00001110.11111010)
F (IP2): 117.16.92.115 (01110101.00010000.01011100.01110011)
Matus Harvan IP Address Anonymization 11
![Page 13: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/13.jpg)
Lexicographical-order-preserving Anonymization Example
Original IP addresses
IP1: 10.12.3.5 (00001010.00001100.00000011.00000101)
IP2: 10.16.220.3 (00001010.00010000.11011100.00000011)
Anonymized IP addresses
F (IP1): 117.0.14.250 (01110101.00000000.00001110.11111010)
F (IP2): 117.16.92.115 (01110101.00010000.01011100.01110011)
previous example
Matus Harvan IP Address Anonymization 11
![Page 14: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/14.jpg)
Lexicographical-order-preserving Anonymization
Theorem
Let fi , f ′i be functions from {0, 1}i to {0, 1} for i = 1, 2, . . . , n − 1and f0,f
′0 be constant functions. Let F be a function from {0, 1}n
to {0, 1}n defined as follows. Given a = a1a2 . . . an, let
F (a) := a′1a′2 . . . a′n
a′i = ai ⊕ f ′i−1(a1, a2, . . . , ai−1)
f ′i (a1, a2, . . . , ai ) = fi (a1, a2, . . . , ai )
∧ ¬ (usedi+1(a1, a2, . . . , ai , 0) ∧ usedi+1(a1, a2, . . . , ai , 1))
for i = 1, 2, . . . , n. Then we claim F is a prefix-preserving andlexicographical-order-preserving anonymization function.
Matus Harvan IP Address Anonymization 12
![Page 15: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/15.jpg)
usedi
Idea
determines if any IP addresses in the subtree below the ai bit areused
Definition
Let usedi be a function from {0, 1}i to {0, 1} for i = 1, 2, . . . , n.usedi is defined recursively as
usedi (a1a2 . . . ai ) = usedi+1(a1a2 . . . ai0) ∨ usedi+1(a1a2 . . . ai1)
usedn(a1a2 . . . an) is true if the IP address a1a2 . . . ai is in thetraffic trace and false otherwise.
Matus Harvan IP Address Anonymization 13
![Page 16: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/16.jpg)
Address Tree again
0000
Leaf Node
Flip
Do Not Flip
0010
1011
0100
0101
1000
1110
1111
0001
����
��
���
��� �
�
� �
� �
�� �
�� �
��
Figure: Prefix-preservingonly anonymizationfunction (fi )
0000
Leaf Node
Cannot Flip
Can Flip
0010
1011
0100
0101
1000
1110
1111
0001
��� �
���
��
���
��
� �
� �
�� �
�� �
��
Figure: Bits that can beflipped
0000
Leaf Node
Flip
Do Not Flip
0010
1011
0100
0101
1000
1110
1111
0001
��� �
�� �
�� �
�� �
�
�
��
��� �
�� �
��
Figure: Prefix- andlexicographical-order-preserving anonymizationfunction (f ′
i )
Matus Harvan IP Address Anonymization 14
![Page 17: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/17.jpg)
Implementation
implemented as a C library libanon
works for both IPv4 and IPv6
lexicographical-order-preserving anonymization of other datatypes as well
MAC addressesstringsintegers
being integrated with snmpdump package (conversion ofsnmp traces from pcap format to xml)
Matus Harvan IP Address Anonymization 15
![Page 18: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/18.jpg)
Performance
0.01
0.1
1
10
1 10 100 1000 10000 100000
Run
time
[s]
Number of IP Addresses
Runtime
runtime - IPv4runtime - IPv6
Figure: Runtime
1000
10000
100000
1 10 100 1000 10000 100000
Mem
ory
[KB
]
Number of IP Addresses
Memory Consumption
memory - IPv4memory - IPv6
Figure: Memory consumption
runtime generally acceptable for offline analysis as long as thebinary tree data structure fits into main memory
memory consumption increases significantly faster for IPv6
Matus Harvan IP Address Anonymization 16
![Page 19: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/19.jpg)
IPv4 - Memory
number of number measured theoreticalIP addresses of nodes memory footprint memory requests
0 1 3 212 KB 16 B1 33 3 220 KB 32 B
10 301 3 220 KB 4 KB100 2 646 3 220 KB 41 KB
1 000 23 182 3 744 KB 362 KB10 000 199 080 7 836 KB 3 110 KB
100 000 1 656 713 42 024 KB 25 886 KB
Table: Memory footprint for IPv4 anonymization
Matus Harvan IP Address Anonymization 17
![Page 20: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/20.jpg)
IPv6 - Memory
number of number measured theoreticalIP addresses of nodes memory footprint memory requests
0 1 3 212 KB 16 B1 129 3 216 KB 2 KB
10 1 248 3 216 KB 19 KB100 12 143 3 480 KB 189 KB
1 000 118 189 5 860 KB 1 846 KB10 000 1 147 052 30 012 KB 17 922 KB
100 000 11 080 902 262 860 KB 173 139 KB
Table: Memory footprint for IPv6 anonymization
Matus Harvan IP Address Anonymization 18
![Page 21: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/21.jpg)
Runtime
number of runtime runtimeIP addresses IPv4 IPv6
1 0.01 s 0.01 s10 0.01 s 0.01 s
100 0.01 s 0.02 s1 000 0.03 s 0.14 s
10 000 0.15 s 1.36 s100 000 1.43 s 13.4 s
Table: Runtime of IPv4 and IPv6 anonymization
Matus Harvan IP Address Anonymization 19
![Page 22: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/22.jpg)
Summary & Further Work
suitable IP address anonymization schema found, rigorouslyproven to be correct and implemented in the form of a Clibrary libanon
our contribution consists of an extension to the existingprefix-preserving cryptography-based anonymization schemeused in Crypto-PAn
further work:
develop a tool for anonymization of SNMP traces includingcomplete SNMP payloadanalyze anonymized SNMP traffic tracesimprove memory consumption of the libanon implementation
Matus Harvan IP Address Anonymization 20
![Page 23: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/23.jpg)
References
Jun Xu, Jinliang Fan, and Mostafa H. Ammar.Prefix-preserving IP address anonymization:measurement-based security evaluation and a newcryptography-based scheme.In Proceedings of the 10 th IEEE International Conference onNetwork Protocols (ICNP’02), 2002.
Jun Xu, Jinliang Fan, Mostafa H. Ammar, and Sue Moon.Crypto-pan, 2003.http://www.cc.gatech.edu/computing/Telecomm/cryptopan/.
snmpdumphttps://subversion.eecs.iu-bremen.de/svn/schoenw/src/snmpdump.
Matus Harvan IP Address Anonymization 21
![Page 24: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/24.jpg)
Backup Slides
Matus Harvan IP Address Anonymization 22
![Page 25: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/25.jpg)
Security
How hard is it for an attacker to recover the original addressesfrom an anonymized trace?
prefix-preservingDue to the prefix-preserving property, compromising one IPaddress compromises a prefix of other addresses as well.
lexicographical-order-preservingIn case a complete subnet of the address space is used, hostportion of the address cannot be anonymized.
IPv6 address space larger than IPv4, so more secureanonymization possible with IPv6
Matus Harvan IP Address Anonymization 23
![Page 26: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/26.jpg)
Security
Theorem
The number of times a bit cannot be flipped, i.e., the number oftimes ¬(usedi (...0) ∧ usedi (...1)) = 0 (white nodes in middle figureof Address Tree 2) is the number of distinct addresses in the trace−1 (in case there is at least one IP address already in the trace).
Address Tree 2
Definition
q =number of times¬(usedi (...0) ∧ usedi (...1))
2n
=number of distinct addresses− 1
size of address space
Matus Harvan IP Address Anonymization 24
![Page 27: Prefix- and Lexicographical-order-preserving IP Address ...mharvan.net/talks/noms-ip_anon.pdfJun Xu, Jinliang Fan, and Mostafa H. Ammar. Prefix-preserving IP address anonymization:](https://reader035.fdocuments.us/reader035/viewer/2022071403/60f680b9c7f4e2668638c948/html5/thumbnails/27.jpg)
Security
Theorem
The number of times a bit cannot be flipped, i.e., the number oftimes ¬(usedi (...0) ∧ usedi (...1)) = 0 (white nodes in middle figureof Address Tree 2) is the number of distinct addresses in the trace−1 (in case there is at least one IP address already in the trace).
Address Tree 2
Definition
q =number of times¬(usedi (...0) ∧ usedi (...1))
2n
=number of distinct addresses− 1
size of address space
Matus Harvan IP Address Anonymization 24