
Mailing List Archive: nsp: ipv6

Anybody running pcap traces?

 

 



brian.e.carpenter at gmail

May 30, 2011, 2:23 PM

Post #1 of 11 (1954 views)
Anybody running pcap traces?

Hi,

I'm looking for some real world IPv6 pcap (a.k.a. bpf) traces for a specific
purpose, namely testing hash algorithms in connection with
draft-ietf-6man-flow-3697bis.

Basically I want traces that match this pcap capture filter
ip6 and tcp and ip6[53:1]=2
(this selects SYN packets only). The traces must *not* be
anonymized, since the algorithms I'm testing need genuine addresses.
Obviously, traces will be treated with complete confidentiality, and
in any case I prefer traces without payloads to make the files shorter.

If anyone can help, please contact me off-list.

Thanks
Brian Carpenter


fernando at gont

May 30, 2011, 3:30 PM

Post #2 of 11 (1886 views)
Re: Anybody running pcap traces?

Hi, Brian,

On 05/30/2011 06:23 PM, Brian E Carpenter wrote:
> I'm looking for some real world IPv6 pcap (a.k.a. bpf) traces for a specific
> purpose, namely testing hash algorithms in connection with
> draft-ietf-6man-flow-3697bis.

Would you share with us what you're trying to measure? (just curious) --
Infer the algorithm used for selecting Flow-IDs (whether random,
incremental, etc.), or something else?



> Basically I want traces that match this pcap capture filter
> ip6 and tcp and ip6[53:1]=2
> (this selects SYN packets only). The traces must *not* be
> anonymized, since the algorithms I'm testing need genuine addresses.
> Obviously, traces will be treated with complete confidentiality, and
> in any case I prefer traces without payloads to make the files shorter.

David Malone has been performing measurements of this sort. -- You
should drop him an e-mail.. he might be willing to help.

P.S.: He published a paper with the data I think you're looking for --
although his paper is a bit dated.

Thanks,
--
Fernando Gont
e-mail: fernando [at] gont || fgont [at] acm
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


brian.e.carpenter at gmail

May 30, 2011, 6:36 PM

Post #3 of 11 (1886 views)
Re: Anybody running pcap traces?

Fernando,

I'll be writing to the 6man list about this, since it really is
an algorithm design issue. I wanted to wait until I had some
real data though; soon...

Regards
Brian

On 2011-05-31 10:30, Fernando Gont wrote:
> Hi, Brian,
>
> On 05/30/2011 06:23 PM, Brian E Carpenter wrote:
>> I'm looking for some real world IPv6 pcap (a.k.a. bpf) traces for a specific
>> purpose, namely testing hash algorithms in connection with
>> draft-ietf-6man-flow-3697bis.
>
> Would you share with us what you're trying to measure? (just curious) --
> Infer the algorithm used for selecting Flow-IDs (whether random,
> incremental, etc.), or something else?
>
>
>
>> Basically I want traces that match this pcap capture filter
>> ip6 and tcp and ip6[53:1]=2
>> (this selects SYN packets only). The traces must *not* be
>> anonymized, since the algorithms I'm testing need genuine addresses.
>> Obviously, traces will be treated with complete confidentiality, and
>> in any case I prefer traces without payloads to make the files shorter.
>
> David Malone has been performing measurements of this sort. -- You
> should drop him an e-mail.. he might be willing to help.
>
> P.S.: He published a paper with the data I think you're looking for --
> although his paper is a bit dated.
>
> Thanks,


fernando at gont

May 31, 2011, 6:05 AM

Post #4 of 11 (1876 views)
Re: Anybody running pcap traces?

On 05/30/2011 10:36 PM, Brian E Carpenter wrote:
> Fernando,
>
> I'll be writing to the 6man list about this, since it really is
> an algorithm design issue. I wanted to wait until I had some
> real data though; soon...

I was just curious about whether you were trying to infer which
algorithms are deployed, or what. -- FWIW, David Malone published a
document that measured this.

Thanks,
--
Fernando Gont
e-mail: fernando [at] gont || fgont [at] acm
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


brian.e.carpenter at gmail

May 31, 2011, 2:10 PM

Post #5 of 11 (1877 views)
Re: Anybody running pcap traces?

On 2011-06-01 01:05, Fernando Gont wrote:
> On 05/30/2011 10:36 PM, Brian E Carpenter wrote:
>> Fernando,
>>
>> I'll be writing to the 6man list about this, since it really is
>> an algorithm design issue. I wanted to wait until I had some
>> real data though; soon...
>
> I was just curious about whether you were trying to infer which
> algorithms are deployed, or what. -- FWIW, David Malone published a
> document that measured this.

No, I'm not looking at that at all for now, although the trace files
will in fact include whatever flow labels the sources are setting,
so I guess that analysis can be done later.

I could also use the same test harness to run the algorithm
in draft-gont-6man-flowlabel-security-01.txt against the traces.

Brian


nick at foobar

May 31, 2011, 6:25 PM

Post #6 of 11 (1875 views)
Re: Anybody running pcap traces?

On 31/05/2011 23:10, Brian E Carpenter wrote:
> I could also use the same test harness to run the algorithm
> in draft-gont-6man-flowlabel-security-01.txt against the traces.

I don't especially want to preempt David, but due to the European data
protection directive, it would be unlikely that he would be able to provide
actual packet dumps, particularly those which included a timestamp. The
reason for this is that there is informed legal opinion to the effect that
IP addresses may constitute personally identifiable information,
particularly if associated with a timestamp. Redistribution of personally
identifiable information is prohibited according to the country-specific
implementations of the Data Protection Directive in Europe.

Nick


brian.e.carpenter at gmail

May 31, 2011, 10:09 PM

Post #7 of 11 (1878 views)
Re: Anybody running pcap traces?

On 2011-06-01 13:25, Nick Hilliard wrote:
> On 31/05/2011 23:10, Brian E Carpenter wrote:
>> I could also use the same test harness to run the algorithm
>> in draft-gont-6man-flowlabel-security-01.txt against the traces.
>
> I don't especially want to preempt David, but due to the European data
> protection directive, it would be unlikely that he would be able to
> provide actual packet dumps, particularly those which included a
> timestamp. The reason for this is that there is informed legal opinion
> to the effect that IP addresses may constitute personally identifiable
> information, particularly if associated with a timestamp.
> Redistribution of personally identifiable information is prohibited
> according to the country-specific implementations of the Data Protection
> Directive in Europe.

That's why anonymised traces are common. However, the informed legal opinion
may not apply to cases where IP addresses cannot be tied to individuals.
After all, that's exactly why privacy addresses were invented.

Brian


nick at foobar

Jun 1, 2011, 5:25 AM

Post #8 of 11 (1872 views)
Re: Anybody running pcap traces?

On 01/06/2011 07:09, Brian E Carpenter wrote:
> That's why anonymised traces are common. However, the informed legal opinion
> may not apply to cases where IP addresses cannot be tied to individuals.

This isn't really relevant to ipv6, but...

It's a difficult area. On the one hand, there is an EU working group
opinion (I don't have the reference for this right now) to the effect that
the combination of IP addresses and timestamps unquestionably constitutes
personally identifiable information as defined in the data protection
directives. While this interpretation is not legally binding in any way,
it's the sort of thing that would be given very serious consideration by a
court of law.

On the other hand, there was an analysis of the situation in the High Court
in Ireland in 2009 (as part of the well-known EMI & Others vs Eircom case),
which for the purposes of that case concluded that IP addresses and
timestamps were certainly personally identifiable information when
linked to a customer database, but perhaps not in other cases. E.g. they
would be personally identifiable information for an ISP, but so long as
there was no feedback from the ISP about the user of the address at the
time, not for a third party company which was in the business of collecting
information about potential criminal copyright infringement. While this
was unreported, the opinion was echoed in the EMI&Ors vs UPC case in 2010,
where Justice Peter Charleton noted:

--
I find it impossible to recognise as a matter of constitutional law, that
the protection of the entitlement to be left in the sphere of private
communications could ever extend to conversations, emails, letters,
phonecalls or any other communication designed to further a criminal
enterprise. Criminals leave the private sphere when they infringe the
rights of other, or conspire in that respect.
[...]
In the case of internet file sharing to infringe copyright, I am of the
view that there are no privacy or data protection implications to detecting
unauthorised downloads of copyright material using peer-to-peer technology.
--

So once you conspire to commit a crime, you leave behind some of your
rights, including certain rights to data protection.

Outside this, while I'm not aware of any specific judgements which
categorically declare IP addresses and timestamps to be personally
identifiable information, my recollection of the 2009 hearing left me with
the very strong impression that this was extremely delicate ground to tread
on, and that legal judgement could easily go one way or the other in the
general case.

ianal.

Nick


fernando at gont

Jun 1, 2011, 12:03 PM

Post #9 of 11 (1869 views)
Re: Anybody running pcap traces?

On 05/31/2011 06:10 PM, Brian E Carpenter wrote:
>> I was just curious about whether you were trying to infer which
>> algorithms are deployed, or what. -- FWIW, David Malone published a
>> document that measured this.
>
> No, I'm not looking at that at all for now, although the trace files
> will in fact include whatever flow labels the sources are setting,
> so I guess that analysis can be done later.

mm... I guess you are/were trying to infer how your algorithm would have
worked with the captured {src,dst} addresses and protocols?


> I could also use the same test harness to run the algorithm
> in draft-gont-6man-flowlabel-security-01.txt against the traces.

Please do. It should result in virtually no collisions.

Thanks,
--
Fernando Gont
e-mail: fernando [at] gont || fgont [at] acm
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
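
Added example, not part of the thread and not code from either draft: a small harness of the kind discussed above, applying the capture filter from the first post (`ip6 and tcp and ip6[53:1]=2`) to raw IPv6 packets and counting 20-bit label collisions over the selected flows. The packets are constructed samples with documentation addresses, `candidate_label` is a stand-in (truncated SHA-256) rather than either draft's algorithm, and all function names are hypothetical.

```python
import hashlib, ipaddress, struct
from collections import Counter

def build_packet(src, dst, sport, dport, flags, flow_label=0):
    """Constructed sample: 40-byte IPv6 header + 20-byte TCP header, no payload."""
    ip6 = struct.pack("!IHBB", (6 << 28) | (flow_label & 0xFFFFF), 20, 6, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip6 + tcp

def is_plain_syn(pkt):
    """Mirror of `ip6 and tcp and ip6[53:1]=2` for a packet starting at the IPv6 header.
    Offset 53 = 40 (fixed header) + 13 (TCP flags), so extension headers are not handled."""
    return (len(pkt) >= 54
            and pkt[0] >> 4 == 6      # ip6: version nibble
            and pkt[6] == 6           # tcp: next header directly after the fixed header
            and pkt[53] == 0x02)      # flags byte is exactly SYN (SYN+ACK is 0x12)

def flow_tuple(pkt):
    """(src, dst, protocol, sport, dport) as found in the packet."""
    sport, dport = struct.unpack("!HH", pkt[40:44])
    return pkt[8:24], pkt[24:40], pkt[6], sport, dport

def carried_flow_label(pkt):
    """The 20-bit flow label the source itself set (low 20 bits of the first word)."""
    return struct.unpack("!I", pkt[:4])[0] & 0xFFFFF

def candidate_label(tup):
    """Stand-in hash (assumption, not from either draft): SHA-256 truncated to 20 bits."""
    src, dst, proto, sport, dport = tup
    digest = hashlib.sha256(src + dst + struct.pack("!BHH", proto, sport, dport)).digest()
    return int.from_bytes(digest[:4], "big") & 0xFFFFF

def collision_report(packets):
    """Count distinct SYN flows and how many of them share a candidate label."""
    flows = {flow_tuple(p) for p in packets if is_plain_syn(p)}
    per_label = Counter(candidate_label(t) for t in flows)
    return {"flows": len(flows), "labels": len(per_label),
            "colliding_flows": sum(n for n in per_label.values() if n > 1)}

# Constructed trace: 200 SYNs, one retransmitted SYN, one SYN+ACK, one bare ACK.
A, B = "2001:db8::1", "2001:db8:ffff::80"
SAMPLE = [build_packet(A, B, 40000 + i, 80, 0x02, flow_label=i) for i in range(200)]
SAMPLE += [build_packet(A, B, 40000, 80, 0x02), build_packet(B, A, 80, 40000, 0x12),
           build_packet(A, B, 40000, 80, 0x10)]

if __name__ == "__main__":
    print(collision_report(SAMPLE))
```

Because every constructed flow here shares one source and destination address, the collision figure says nothing about real traffic, which is the reason the original request asks for traces that are not anonymized.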


dwmalone at maths

Jun 1, 2011, 12:13 PM

Post #10 of 11 (1860 views)
Re: Anybody running pcap traces?

On Tue, May 31, 2011 at 10:05:30AM -0300, Fernando Gont wrote:
> I was just curious about whether you were trying to infer which
> algorithms are deployed, or what. -- FWIW, David Malone published a
> document that measured this.

The paper is here:

http://www.maths.tcd.ie/~dwmalone/p/ec2nd08.pdf

we looked at ways to look up IPv6 flow state for FreeBSD's ipfw
firewall. Arising from that, I also have some code that takes pcap
files and strips UDP/TCP payloads, if anyone wants it.

David.


nick at foobar

Jun 2, 2011, 2:52 AM

Post #11 of 11 (1852 views)
Re: Anybody running pcap traces?

On 01/06/2011 13:25, Nick Hilliard wrote:
> It's a difficult area. On the one hand, there is an EU working group opinion
> (I don't have the reference for this right now) to the effect that the
> combination of IP addresses and timestamps unquestionably constitutes
> personally identifiable information as defined in the data protection
> directives. While this interpretation is not legally binding in any way,
> it's the sort of thing that would be given very serious consideration by a
> court of law.

Just for the record, the reference for this is here:

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2000/wp37en.pdf

Chapter 3 part I, paragraph "Personal data on the Internet" states:

"The possibility exists in many cases, however, of linking the user’s IP
address to other personal data (which is publicly available or not) that
identify him/her, especially if use is made of invisible processing means
to collect additional data on the user (for instance, using cookies
containing a unique identifier) or modern data mining systems linked to
large databases containing personally-identifiable data on Internet users.
Therefore, even if it might not be possible to identify a user in all cases
and by all Internet actors from the data processed on the Internet, this
paper works on the basis that that the possibility of identifying the
Internet user exists in many cases and that large masses of personal data
to which the data protection directives apply are therefore processed on
the Internet."

Nick
