BGP in 2014

The Border Gateway Protocol, or BGP, has been holding the Internet together, for more than two decades and nothing seems to be falling off the edge so far. As far as we can tell everyone can still see everyone else, assuming that they want to be seen, and the distributed routing system appears to be working smoothly. All appears to be working within reasonable parameters, and there is no imminent danger of some routing catastrophe, as far as we can tell. For a protocol designed some 25 years ago, when the Internet of that time contained some 10,000 constituent networks, its done well to scale fifty-fold, to carry in excess of half a million routed elements by the end of 2014.

Continue reading

Workshop on DNS Future Root Service

The theme of a workshop, held at the start of December 2014 in Hong Kong, was looking
at means to enable further scaling of the root server system, and the 1½ day workshop was scoped in the form of consideration of alternative approaches to that of the default activity of adding further anycast instances of the existing 13 root server anycast constellations. There were two specific proposals that were considered at this workshop that formed the workshop’s focus.

Continue reading

Best Practices in Operating a Secure Routing Environment

The Internet’s Border Gateway Protocol (BGP) is one of the most critical components of today’s Internet. It’s the engine that ensures that when your application passes a packet into the network, the network is able to pass it onward to its intended destination. This routing protocol is the glue that binds a large collection of packet switches into a coherent system that functions as the Internet. However, it does not just work all by itself, and within each network the configuration and operation of the routing system are of critical importance.

Continue reading

The Resolvers We Use

The Internet’s Domain Name System is a modern day miracle. It may not represent the largest database that has ever been built, but nevertheless it’s truly massive. And even if it’s not the largest database that’s ever been built, it’s perhaps one of the more intensively used. The DNS is consulted every time we head to a web page, every time we send an email message, or in fact every time we initiate almost any transaction on the Internet. It’s the essential bridge between a world of human names and the underlying world of binary protocol addresses. And it’s fast. Fast enough that it’s still largely invisible as part of the user experience, despite continued growth in size. Given the fragmentation of the IPv4 address space with the widespread use of various forms of address sharing, then it increasingly looks as if the DNS is the only remaining common glue that binds the Internet together as a single network.

Continue reading

Who’s Watching?

Much has been said over the past year or so about various forms of cyber spying. The United States has accused the Chinese of cyber espionage and stealing industrial secrets. A former contractor to the United States’ NSA, Edward Snowden, has accused various US intelligence agencies of systematic examination of activity on various popular social network services, through a program called “PRISM”. These days cloud services may be all the vogue, but there is also an emerging understanding that once your data heads off into one of these clouds, then it’s no longer necessarily entirely your data; it may have become somebody else’s data too. And the rules and protocols relating to third party access to what used to be your data is no longer necessarily the rules and protocols as defined by your country’s legislative and regulatory framework. Other rules and protocols that are used in other countries may apply for third party access to what used to be your data. And perhaps if you are not a citizen of this other country you may have few, if any, rights regarding the privacy of this data, or any rights regarding the secure handling of personally identifying information in this foreign regime.

Continue reading


Yes, that’s a cryptic topic, even for an article that addresses matters of the use of cryptographic algorithms, so congratulations for getting even this far! This is a report of a an experiment conducted in September and October 2014 by the authors to measure the extent to which deployed DNSSEC-validating resolvers fully support the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256.

Continue reading

Five Objectives for Privacy and Security

It has been a very busy period in the domain of computer security. What with “shellshock”, “heartbleed” and NTP monlink adding to the background of open DNS resolvers, port 445 viral nasties, SYN attacks and other forms of vulnerability exploits, it’s getting very hard to see the forest for the trees. We are spending large amounts of resources in reacting to various vulnerabilities and attempting to mitigate individual network attacks, but are we making overall progress? What activities would constitute “progress” anyway? Continue reading

Internet Regulation: Section 706 vs Title II

At the NANOG meeting in Baltimore this week I listened to a presentation by Patrick Gilmore on “The Open Internet Debate: Section 706 vs Title II” It’s true that this is a title that would normally induce a comatose reaction from any audience, but don’t let the title put you off. Behind this is an impassioned debate about the nature of the retail Internet for the United States, and, I suspect, a debate about the Internet itself and the nature of the industry that provides it.

Continue reading

How Big is that Network?

How “big” is a network? How many customers are served by an Internet Service Provider?

While some network operators openly publish such numbers, other operators regard such numbers as commercially sensitive information. There are a number of techniques used to estimate the relative size of each Service Provider from public information sources, including the number of IP addresses that are announced by the network, the number of transit customers who use the network, and so on, but the widespread use of NATs in IPv4, the varying IPv6 address plans used by IPv6 service providers, and the varying use of Autonomous Systems (ASes) by retail Service Providers add some considerable uncertainty to such indirect measurement exercises.

Continue reading