Publication


Featured research published by Danny McPherson.


acm special interest group on data communication | 2010

Internet inter-domain traffic

Craig Labovitz; Scott Iekel-Johnson; Danny McPherson; Jon Oberheide; Farnam Jahanian

In this paper, we examine changes in Internet inter-domain traffic demands and interconnection policies. We analyze more than 200 Exabytes of commercial Internet traffic over a two year period through the instrumentation of 110 large and geographically diverse cable operators, international transit backbones, regional networks and content providers. Our analysis shows significant changes in inter-AS traffic patterns and an evolution of provider peering strategies. Specifically, we find the majority of inter-domain traffic by volume now flows directly between large content providers, data center / CDNs and consumer networks. We also show significant changes in Internet application usage, including a global decline of P2P and a significant rise in video traffic. We conclude with estimates of the current size of the Internet by inter-domain traffic volume and rate of annualized inter-domain traffic growth.


workshop on rapid malcode | 2004

Toward understanding distributed blackhole placement

Evan Cooke; Michael Bailey; Z. Morley Mao; David Watson; Farnam Jahanian; Danny McPherson

The monitoring of unused Internet address space has been shown to be an effective method for characterizing Internet threats including Internet worms and DDOS attacks. Because there are no legitimate hosts in an unused address block, traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms and other probing. This paper extends previous work characterizing traffic seen at specific unused address blocks by examining differences observed between these blocks. While past research has attempted to extrapolate the results from a small number of blocks to represent global Internet traffic, we present evidence that distributed address blocks observe dramatically different traffic patterns. This work uses a network of blackhole sensors which are part of the Internet Motion Sensor (IMS) collection infrastructure. These sensors are deployed in networks belonging to service providers, large enterprises, and academic institutions representing a diverse sample of the IPv4 address space. We demonstrate differences in traffic observed along three dimensions: over all protocols and services, over a specific protocol and service, and over a particular worm signature. This evidence is then combined with additional experimentation to build a list of sensor properties providing plausible explanations for these differences. Using these properties, we conclude with recommendations for understanding the implications of sensor placement.


IEEE Communications Magazine | 2012

BGP route reflection revisited

Jong Han Park; Ricardo V. Oliveira; Shane Amante; Danny McPherson; Lixia Zhang

The original BGP design requires that all BGP speakers within an autonomous system be directly connected with each other to create a full mesh, and BGP update messages be propagated to directly connected neighbors only. This requirement leads to BGP session scalability problems in networks with large numbers of BGP routers. Route reflection was proposed as a quick fix to address this BGP session scalability problem and has been widely deployed in the operational Internet without a thorough analysis of its pros and cons. In this article, we first provide an overview of the route reflection design, summarize the discoveries from published literature, and discuss the trade-offs in using route reflection as compared to using a fully connected i-BGP mesh. Then we show that well engineered route reflector placement can overcome certain drawbacks, and that a few issues remain open for future study.


hot topics in networks | 2011

The great IPv4 land grab: resource certification for the IPv4 grey market

Eric Osterweil; Shane Amante; Daniel Massey; Danny McPherson

The era of free IPv4 address allocations has ended and the grey market in IPv4 addresses is now emerging. This paper argues that one cannot and should not try to regulate who sells addresses and at what price, but one does need to provide some proof of ownership in the form of resource certification. In this paper we identify key requirements of resource certification, gained from both theoretical analysis and operational history. We further argue these requirements can be achieved by making use of the existing reverse DNS hierarchy, enhanced with DNS Security. Our analysis compares reverse DNS entries and BGP routing tables and shows this is both feasible and achievable today; an essential requirement as the grey market is also emerging today and solutions are needed now, not years in the future.


IEEE Transactions on Parallel and Distributed Systems | 2014

Verifying Keys through Publicity and Communities of Trust: Quantifying Off-Axis Corroboration

Eric Osterweil; Daniel Massey; Danny McPherson; Lixia Zhang

The DNS Security Extensions (DNSSEC) arguably make DNS the first core Internet system to be protected using public key cryptography. The success of DNSSEC not only protects the DNS, but has generated interest in using this secured global database for new services such as those proposed by the IETF DANE working group. However, continued success is only possible if several important operational issues can be addressed. For example, .gov and .arpa have already suffered misconfigurations where DNS continued to function properly, but DNSSEC failed (thus, orphaning their entire subtrees in DNSSEC). Internet-scale verification systems must tolerate this type of chaos, but what kind of verification can one derive for systems with dynamism like this? In this paper, we propose to achieve robust verification with a new theoretical model, called Public Data, which treats operational deployments as Communities of Trust (CoTs) and makes them the verification substrate. Using a realization of the above idea, called Vantages, we quantitatively show that using a reasonable DNSSEC deployment model and a typical choice of a CoT, an adversary would need to be able to have visibility into and perform on-path Man-in-the-Middle (MitM) attacks on arbitrary traffic into and out of up to 90 percent of all of the Autonomous Systems (ASes) in the Internet before having even a 10 percent chance of spoofing a DNSKEY. Further, our limited deployment of Vantages has outperformed the verifiability of DNSSEC and has properly validated its data up to 99.5 percent of the time.


international conference on computer communications | 2012

A comparative study of architectural impact on BGP next-hop diversity

Jong Han Park; Pei-chun Cheng; Shane Amante; Dorian Kim; Danny McPherson; Lixia Zhang

Large ISPs have been growing rapidly in both the size and global connectivity. To scale with the sheer number of routers, many providers have replaced the flat full-mesh iBGP connectivity with a hierarchical architecture, using either Route-Reflection (RR) or AS confederation. Given that each intermediate iBGP router in the hierarchy selects and propagates only one best path per destination network, there is a common perception that, compared to full-mesh, a hierarchical iBGP connectivity is likely to lose sight of alternative paths to external destinations. To gauge the path diversity reduction in the operational networks, we performed a comparative study by using iBGP data collected from two global-scale ISPs, with full-mesh core and RR architecture respectively. Our results show that both ISPs suffer a significant reduction (up to 42%) in the overall path diversity. However the specifics of different iBGP architectures only made a minor impact (less than 2.9%) on this reduction. Rather, in both ISPs the majority of the alternative paths are eliminated by the first two criteria in BGP best path selection, i.e., LOCAL_PREF and AS_PATH length.


conference on steps to reducing unwanted traffic on internet | 2005

The Zombie roundup: understanding, detecting, and disrupting botnets

Evan Cooke; Farnam Jahanian; Danny McPherson


Archive | 2011

AUTHENTICATED NAME RESOLUTION

Danny McPherson; Joseph Waldron; Eric Osterweil


RFC | 2015

Architectural Considerations in Smart Object Networking

Hannes Tschofenig; Jari Arkko; David Thaler; Danny McPherson


Archive | 2011

DNS package in a partitioned network

Danny McPherson

Collaboration


Top Co-Authors

Lixia Zhang

University of California

Daniel Massey

Colorado State University

Evan Cooke

University of Michigan

Jong Han Park

University of California

Doug Montgomery

National Institute of Standards and Technology
