Structure Preserving Anonymization of Router Configuration Data - PowerPoint PPT Presentation

1 / 22

About This Presentation

Title:

Structure Preserving Anonymization of Router Configuration Data

Description:

Networks firewalled, external probes dropped. 4. Topology. Router 1 Config. Router 2 Config ... Networks firewalled, with external probes dropped ... – PowerPoint PPT presentation

Number of Views:36

Avg rating:3.0/5.0

Slides: 23

Provided by: dma114

Category:

more less

Transcript and Presenter's Notes

Title: Structure Preserving Anonymization of Router Configuration Data

1
Structure Preserving Anonymization of Router
Configuration Data

David A. Maltz,
Jibin Zhan, Geoffrey Xie, Hui Zhang
Carnegie Mellon University
Gisli Hjalmtysson, Albert Greenberg, Jennifer
Rexford
ATT Labs Research

2
Why Configuration Files are Valuable

Configuration file program loaded on each
router
Controls operation of router
Controls interactions between routers
Configuration files allow researchers to study of
the details of real networks
The problem is getting access to them
We have developed a technique for anonymizing
configuration files
We have a proposal for how configs could be made
accessible to the research community

3
Why Configuration Files are Valuable - 2

The set of configurations defines the network
Captures many of the networks properties
Topology (node degree, interconnectivity)
Policies (CoS, QoS, packet filters, reachability)
Routing (neighbors, OSPF weights, BGP policies)
Security (vulnerabilities, mitigations)
Only source of insight for Enterprise networks
10K networks that are currently a mystery
Interesting! 10 1200 routers, global scale
Configs are the only way to look at them
Networks firewalled, external probes dropped

4
Topology
Internet
Router 1 Config
Router 2 Config
interface Serial2/1.5 ip address 1.1.1.2/30
interface Serial1/0.5 ip address 1.1.1.1/30
5
Quality of Service

class-map GoodCustomer
match access-group 136
policy-map GoldService
class GoodCustomer
bandwidth 2000
queue-limit 40
class class-default
fair-queue 16
queue-limit 20
interface Serial0/0
service-policy output GoldService

Class definition
CB-WFQ parameters
CB-WFQ policy name
6
Routing
AS Numbers

router bgp 65501
neighbor EdgeSwitch peer-group
neighbor EdgeSwitch remote-as 64740
neighbor EdgeSwitch distribute-list 11 in
neighbor EdgeSwitch route-map exportRoutes out
neighbor 192.168.96.8 peer-group EdgeSwitch
neighbor 192.168.96.9 peer-group EdgeSwitch
neighbor 10.217.248.14 remote-as 65500
neighbor 10.217.248.14 ebgp-multihop 5

Policies
Peers
7
Security Issues

access-list 143 deny 53 any any
access-list 143 deny 55 any any
access-list 143 deny 77 any any
access-list 143 permit ip any any
interface Serial0.2 multipoint
ip access-group 143 in
ip address 66.248.162.13 255.255.255.224
interface Ethernet0
ip address 144.201.41.59 255.255.255.0

Access list 143 Drops packets that can attack
Cisco interfaces
This interface is safe
This interface is not
8
How to Get Configuration Files?

Considered proprietary secrets of network owners
Discloses business strategy
Discloses vulnerabilities
Anonymization breaks tie between data and owner
Anonymized configs will show some network is
vulnerable, but which/where to attack?
We developed method for anonymizing configuration
files
Approach convinced some customers of ATT to
disclose their configs to CMU researchers

9
Anonymization Challenges

We dont know the intended use of the data
Must anonymize entire configuration file
A customized data set is easier to anonymize
Must preserve structure of information in files
Relationships of identifiers inside/between files
IP address subnet relationships
Traditional parsing tools are of no use
No published grammar for Cisco IOS
200 different versions seen in 31 networks

10
Anonymize Non-numeric Tokens

Created pass list of words by string-scraping
Ciscos web pages
Contains most IOS commands
Other words are generic networking terms (IETF)
All tokens not in pass list are hashed with
salted SHA1

router bgp 64780 redistribute ospf 64 match
route-map NYOffice neighbor 1.2.3.4 remote-as
701 route-map NYOffice deny 10 match ip address 4
router bgp 64780 redistribute ospf 64 match
route-map 8aTzlvBrbaW neighbor 66.253.160.68
remote-as 701 route-map 8aTzlvBrbaW deny 10
match ip address 4
11
Anonymize Specific Numbers

Most numbers are harmless, some reveal identity
Public AS numbers
Phone numbers (NOCs, backup modems)
26 rules used to find and anonymize
context-dependent items
"neighbor\\sipAddrPatt\\sremote-as"
" neighbor\s\w\sremote-as "

router bgp 64780 redistribute ospf 64 match
route-map NYOffice neighbor 1.2.3.4 remote-as
701 route-map NYOffice deny 10 match ip address 4
router bgp 64780 redistribute ospf 64 match
route-map 8aTzlvBrbaW neighbor 66.253.160.68
remote-as 1237 route-map 8aTzlvBrbaW deny 10
match ip address 4
12
Limits of Anonymization

Anonymization is a lossy process
Comments meaningful identifiers removed
(Were they right anyway???)
Anonymizer preserves relationships it knows about
Doesnt know about IP addr lt-gt ASN mapping
A packet filter, based on IP address, and route
policy, based on ASN, could target same AS
Post-anonymization both mechanisms preserved,
but wont show them targeting same AS
(Router didnt have that external information
either)

13
Potential Vulnerabilities Textual Attacks

Identifying information left in configs
Heuristics used as double-check
Rules that anonymize public AS numbers record the
public AS numbers they find
Search post-anonymization file for any remaining
occurrences

14
Potential VulnerabilitiesFingerprinting Attacks

Network characteristics (fingerprint) extracted
from anonymized configs matched against public
data
Potential fingerprints
BGP community strings
Number of POPs, number of BGP peers
Structure of address space utilization
Others
Evaluation still in progress
Seems like backbone networks are identifiable
Seems like enterprise networks are not

15
A Clearinghouse for Configuration Data
Network owners
Retrieve Anonymizer
Questions Results
Anonymize test configs
Run tools on site Scalable, pictures
Blinded email
Upload configs
Website enforcing single-blind methodology
Retrieve configs
Blinded email
Analyze data
Register with site
Questions Results

Researchers

Boot-strap with configs from academic/research
institutions?
16
Questions?
17
Fingerprinting Attacks
Data from networks in repository of anonymized
configs
BGP Peers per POP
POPs (sorted by peers/POP)

1. For each anonymized network, compute
fingerprint from anonymized config files
Will be 100 accurate
2. Experimentally measure real networks

18
Fingerprinting Attacks
BGP Peers per POP
POPs (sorted by peers/POP)

Evaluation still in progress
Seems like backbone networks are identifiable
Seems like enterprise networks are not

19
Anonymize Regular Expressions

Some AS numbers appear in regular expressions
Expressions w/ only private AS numbers ! no
change
Expressions w/ public AS numbers ! expand and
anonymize

ip as-path access-list 101 permit _70 1-3_
Anonymize
1234, 543, 21
701, 702, 703
ip as-path access-list 101 permit _(123454321)_
20
Anonymize IP Addresses

Extended Minshalls prefix-preserving algorithm
Made it class preserving
Class A to Class A, etc.
RIP and older protocols are class-full
Made it subnet address preserving
Assume 128.2.0.0/16 is subnet
We want 128.2.0.0 ! 150.7.0.0
Before extension, 128.2.0.0 ! 150.7.43.66

21
Anonymize IP Addresses - 2

Made it special address preserving
Multicast, private address space
Must fix collisions in mapping function

N
Special?
IP Addr
Anonymize
Y
22
Anonymization Overview

Minimize dependence on context
If in-doubt, hash it out
Remove all comments
Find all IP addresses and hash using specialized
prefix-preserving anonymization
Hash all non-numeric tokens not known to be safe
Anonymize specific numeric tokens using regular
expressions
Anonymize regular expressions appearing in
configs

23
Why Configuration Files are Valuable