TOP SECRET // REL TO USA, AUS, CAN, GBR, NZL

Network Shaping 101
by [redacted]
Derived From: 1-52, Dated: 20070108
Declassify On: 20320108

This presentation is classified TOP SECRET // REL TO USA, AUS, CAN, GBR, NZL

What This Will Cover
o Caveats
o Example network we will work with
o What shaping would look like for that network
o Basic shaping problems
o A bit more advanced shaping problems

Initial caveats
o To understand how to do shaping, and why it does or doesn't work sometimes, you have to go back to networking basics.
o To get the most out of this presentation you should already understand how IPs, CIDRs and Autonomous Systems (ASNs) work.
o Some IP facts are just made up. This presentation uses Yemennet as our target network. This info is outdated and incomplete. Don't use any of this information for any real analysis.

You're gonna talk about Layer 2 shaping, right?
o No.
o It is extremely situational and only worth talking about if you are in a position where you have the right kind of access.
o Until then, Layer 3 shaping is where it's at, in my opinion.

Example network - Yemen
o Yemen has 1 ASN: AS12486.
o We'll pretend it has 6 upstream providers:
  - Mobily (AS35819)
  - TATA (AS6453)
  - FLAG (AS15412)
  - PCCW (AS3491)
  - STC (AS39386)
  - SPRINT (AS1239)

AS12486
This network owns the following IP ranges:
  46.35.64.0/19      89.189.64.0/19
  46.35.72.0/21      109.74.32.0/20
  46.32.80.0/21      109.74.40.0/21
  63.168.168.0/23    109.200.160.0/19
  63.171.18.0/23     109.200.168.0/21
So when we reference AS12486, you can assume it includes any IP address that falls within any of the above ranges.

[Diagram: 12486 Yemennet connected to its six upstream providers (6453 TATA, 39386 STC, 35819 Mobily, 3491 PCCW, 15412 FLAG, 1239 SPRINT) and, through them, to the rest of the Internet]

Okay, so traffic for Yemen has to go through 1 of 6 providers, so...
Armed with this high-level knowledge of Yemen's connectivity, think about what that means:
  - Yemennet has to have a router that connects its own network with its upstream providers. That router is going to have a unique interface and IP address for each connection.
  - That router has to use physical cables to connect between Yemennet and each upstream provider (think big transnational undersea fiber cables).
  - Yemennet CAN control which upstream provider it sends data OUT of the country through, because it controls the router that's sending the data out.
  - Yemennet CAN NOT control which provider the data comes back IN to the country through, because that is left to BGP routing tables out on the Internet.

[Diagrams: traffic leaving Yemennet over a provider link chosen by Yemennet's router, and traffic returning over a link chosen by Internet BGP routing]

Next, let's visualize the physical connections between Yemennet and its upstream providers. You can see here which cables are used.

[Diagram: undersea cable map of Yemennet's links to its upstream providers]

So to recap
o You understand the logical connectivity of Yemennet (who it has to go through to get to the Internet).
o You grasp the physical connectivity of Yemennet (you know which fiber cables physically connect it to the rest of the world).
o You know that Yemennet can choose which provider it sends data OUT through.
o Big Internet BGP routing tables can dynamically choose which link data comes back IN to Yemennet through.
o There are a couple more things to know before we talk about shaping.

About that router that connects Yemennet to its peers
o Remember how I mentioned that router has a different interface and unique IP address for each upstream provider? That router will have at least 7 interfaces: one for each upstream and one connected to the rest of its network.
o The connection between the router and an upstream provider has to use IPs that are in the same subnet. Normally it's a /30 subnet, which consists of 2 usable IPs.
o This means that one of the two networks will have to sacrifice an IP address to put on the other end of the connection. Most of the time it's the bigger network that gives up an IP address to assign to the customer side's router.
o So if we were to use the connection with SPRINT, for example, here's what it might look like:
  - Router on Sprint's end of the connection: 144.232.234.149
  - Router on Yemen's end of the connection: 144.232.234.150

Link endpoints for all six upstreams:
  FLAG side    62.216.145.129   Yemen side  62.216.145.130
  PCCW side    63.218.252.185   Yemen side  63.218.252.186
  TATA side    66.198.126.9     Yemen side  66.198.126.10
  STC side     84.235.108.17    Yemen side  84.235.108.18
  Mobily side  86.51.2.109      Yemen side  86.51.2.110
  Sprint side  144.232.234.149  Yemen side  144.232.234.150

WARNING
o In the following slides, when I talk about SSO collection capabilities, I am completely MAKING UP:
  - SIGADs
  - Case notations
  - Which cables are collected
  - Where SSO's collection capabilities are
o I am MAKING UP this info for the sake of this lesson.
o For info on what SSO's capabilities are for your own target, you will have to go talk to them yourself.

WARNING 2
o For the sake of this example I am assuming that all of Yemennet's international links are equal. By that I am making the assumptions that:
  - An equal amount of traffic is going in/out each link
  - Yemennet is not doing anything to manipulate traffic going over specific links
  - All links are actually active and are not just backups, or down due to maintenance or cable breaks
o With that out of the way...

So now you have a good idea about Yemen's connectivity
o Now time to overlay it with SIGINT collection.
o Without going into how to do this yourself, work with SSO to determine which of those links we can passively collect.
o Let's pretend that they have capabilities to collect the Yemen-Sprint link and the Yemen-FLAG link, but have no capabilities on the rest.
o Once again, this is only PRETEND for the sake of this lesson.

[Diagrams: the Yemennet connectivity map with two pretend collection points overlaid, SIGAD US-9999 / CASN YM234500000 and SIGAD US-8888 / CASN YM567800000]

Now that you're an expert on Yemennet, let's talk about shaping
o The purpose of shaping is taking traffic that wouldn't normally go through one of our passive links and making it go through one of our passive links, so we can collect it and get it into the SIGINT system.
o Before we talk about how to shape traffic on Yemennet, let's explore a couple of different scenarios in which we would consider shaping as a solution. They will be shaping traffic OUT of Yemennet and shaping traffic INTO Yemennet.

Shaping traffic OUT of Yemennet
o For this scenario, you have an access (probably CNE) inside of Yemennet, and you want to make that access send traffic but make sure it goes out over a link that is passively collected by SSO.
o You need a DESTINATION on the Internet where you can send data to, where you know it will go over 1 of the 2 links we can collect.
o Earlier I mentioned that Yemennet can control which links they send data OUT. This is true: Yemennet has that control. However, you as an end-user on their network do NOT have that control.
o So how can you control which link your traffic will go out through?

[Diagrams: traffic from inside Yemennet leaving over different provider links]

So in order to shape traffic OUT of a network
o You need to have an understanding of the network that you are starting in: who its upstream providers are and what the collection capabilities are against that network.
o Then you can find a destination IP address directly on the other end of that link by looking at any of the IP ranges in that provider's ASN.
o From there you have a higher probability that traffic will traverse a link you can passively collect.

Shaping traffic INTO a network
o This is a whole different animal, and probably more relevant to what people traditionally think of as shaping in the SIGINT sense.
o There is only 1 feasible way that I can think of to make this work reliably.
o But first, let's go back and look at our Internet connectivity.

[Diagrams: a sequence of connectivity maps showing traffic entering Yemennet over various provider links, followed by maps annotated "trace" against the link endpoint addresses listed above]
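The egress/return asymmetry that the OUT and INTO sections above describe, as an added example that is not part of the original slides: a minimal longest-prefix-match model of Yemennet's border router, built from the six /30 link endpoints the slides list, showing that the destination address decides which link a packet leaves on while a remote network's own table decides which link the reply comes back in on. The routing tables, the default route via TATA and the remote network's preference for the STC link are constructed assumptions, not facts from the slides.

```python
import ipaddress

# Point-to-point /30 links from the slides: (provider-side IP, Yemen-side IP).
LINKS = {
    "FLAG":   ("62.216.145.129", "62.216.145.130"),
    "PCCW":   ("63.218.252.185", "63.218.252.186"),
    "TATA":   ("66.198.126.9",   "66.198.126.10"),
    "STC":    ("84.235.108.17",  "84.235.108.18"),
    "SPRINT": ("144.232.234.149", "144.232.234.150"),
    "Mobily": ("86.51.2.109",    "86.51.2.110"),
}

def link_subnet(provider_ip, yemen_ip):
    """Return the /30 both endpoints share, or None if they are not in one /30."""
    net = ipaddress.ip_network(f"{provider_ip}/30", strict=False)
    return net if ipaddress.ip_address(yemen_ip) in net else None

def lookup(table, dst):
    """Longest-prefix match over {prefix: next_hop}; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

# Constructed table for Yemennet's border router (not from the slides): each
# link /30 is directly connected; everything else takes a default via TATA.
YEMENNET_TABLE = {str(link_subnet(p, y)): name for name, (p, y) in LINKS.items()}
YEMENNET_TABLE["0.0.0.0/0"] = "TATA"

# Constructed table at some remote network on the Internet: its BGP best path
# toward AS12486's 46.35.64.0/19 happens to enter Yemen over the STC link.
REMOTE_TABLE = {"46.35.64.0/19": "STC", "0.0.0.0/0": "upstream"}

def round_trip(src_in_yemen, dst):
    """Which Yemennet link the outbound packet uses, and which link the reply
    comes back in on. Only the first is under Yemennet's control."""
    return lookup(YEMENNET_TABLE, dst), lookup(REMOTE_TABLE, src_in_yemen)

if __name__ == "__main__":
    for name, (p, y) in LINKS.items():
        print(f"{name:7s} {link_subnet(p, y)}")
    # Outbound is steered by the destination; the return path is not.
    print(round_trip("46.35.70.5", "144.232.234.149"))  # ('SPRINT', 'STC')
    print(round_trip("46.35.70.5", "203.0.113.10"))     # ('TATA', 'STC')
```

Swapping the remote table's next hop for any other provider changes the inbound link without touching anything on the Yemennet side, which is the point the INTO section makes.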
Scenario - "I tried shaping one time and it didn't work"
o As we've seen earlier, there are many facets that make shaping efforts unreliable.
o It matters whether you are trying to shape traffic OUT of a network, or whether you are starting at a random place on the Internet and trying to shape traffic INTO the network.
o So what steps could you take?

So you might consider the following train of thought
o First you say "I want to do shaping through SIGAD US-9999".
o Then look at all of the links collected at that site (probably in BLACKPEARL).
o Find a World-to-Geekistan link over CASN GE010100000 (we'll assume you also know that this is actually a Level 3-to-Geekistan link).
o Look at the IP space on the dest side of the link and say "I will send my exfil to that IP space and it should go through US-9999 / CASN GE010100000".
o Then you are left sorely disappointed when your exfil isn't reliably collected.
o What went wrong?

Let's consider what we know so far

[Diagrams: the Geekistan ASN, the Internet, and SIGAD US-9999 / CASN GE010100000 on the Level 3 link, with Cogent and Sprint also connecting to the Geekistan ASN and the exfil traffic drawn across the map]

Now to the nittier-grittier
o This following section could also be renamed the "I'm pulling my hair out in the fetal position while screaming 'Why didn't it work?'" section.
o The previous slides described how shaping should work at a theoretical level. Following are a few reasons why it doesn't always work in the real world.
o The following issues are not all-encompassing of why shaping might not work, just a few examples.

[Diagrams: repeated Geekistan ASN / Level 3 / Cogent / Sprint connectivity maps illustrating where the exfil path runs relative to SIGAD US-9999 / CASN GE010100000]

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, DC 20037. Phone 202-994-7000, Fax 202-994-7005, nsarchiv@gwu.edu