Randy's Work Blog

APNIC 26 attempted to focus on IPv6. It was a major disaster from Layer 2 to Layer 9. The network failed both at Layer 2 in the 802.11 and, for the few who managed to connect for a few minutes, applications at Layer 7 which should have worked did not. And, despite demonstrating on Tuesday that the IPv6 network did not work, APNIC staff persisted in turning the IPv4 network off on Wednesday. And they were proud of it. All in all, it was an impressive demonstration of non-professionalism and operational lack of clue.

And the panel held Tuesday morning was a complete train wreck. People walked away saying they were going home and telling folk that their companies should wait some years for IPv6 and consider just NATting IPv4.

APNIC has set a high bar that future IPv6 train wrecks will find hard to beat.

Network Discovery from Passive Measurements was interesting work on cartography. Use of the Record Route option in traceroute, is something we need to look at more seriously than we have. They went specifically after the failure of RocketFuel, that there are many interfaces on a router. Then it got into a daunting disjunctive logic model, which was not something to try at home (exponential in sample size). But it did a lot better than RocketFuel.

Nathan from UW is using many traceroute hacks to try to improve RocketFuel.

Our paper, iSPY: Detecting IP Prefix Hijacking on My Own, went well, probably because the wireless was not working. 🙂

Had a good lunch at Cafe Flora with JR, MM, and two JR students.

None of the p2p presentations grabbed me. And none of the wireless papers either, but it’s far from any of my interests.

WW was also interested in control plane visibility.

In the wireless session, one paper, ZigZag Decoding: Combating Hidden Terminals in Wireless Networks, was pretty sharp. They showed how to recover the packets from 802.11 frames which collided and thus otherwise would have been discarded.

If you were interested in URLs in SPAM, perhaps Spamming Botnets: Signatures and Characteristics might have been interesting to you. Not my cup of tea.

Anja’s group and Vern’s described sampling fiber tap recording. Not sure where the computer science was in this, but it could be operationally useful. See Enriching Network Security Analysis with Time Travel.

There was a quite good paper on radically reducing the state space in regexp evaluation, Deflating the Big Bang: Fast and Scalable Deep Packet Inspection with Extended Finite Automata.

Rationality and Traffic Attraction: Incentives for Honest Path Announcements in BGP used an incentive model to motivate and test if the data plane follows the BGP control plane. This could be used for routing security to test if a neighbor was lying about how it would route traffic given to it. It modeled ASses as rational actors. Bottom line was that Secure BGP could be used to enforce the conditions, but a multi-homed node could announce the path it does not actually use.  It explores additional mechanisms that improve the situation.  Definitely interesting work in the secure BGP area.

As promised in my post almost two weeks ago, Olaf Maennel, Steve Bellovin, Luca Cittadini, and I have come up with a proposal which we believe to be preferable to Carrier Grade NAT (CGN). We have written it up as a tech report for small circulation at the moment, see here for pdf.

The routing session ranged from uninteresting to embarrassing. One paper in particular was a notable disaster, rediscovering the decade+ wisdom that route distribution between protocols is dangerous. Maybe the authors should google “7007 incident.” They claimed to have analyzed router configurations from 1,600 networks and found redistribution in almost all of them. I’ll bet a good diner that, among their other massive lack of clue, they did not know that we all nail up our eBGP prefixes by redistributing special statics into BGP. And it contained not one bit of computer science.

And too many control plane researchers have only studied the one particular large ISP who has wide-scale control plane disasters twice a year, maybe more often than they have management reorgs, hard as that is to believe.  And guess what their solution to all these failures is, add more complexity and control to the network.  Rinse, repeat, …  I wish all my competitors did this.

Things got better in the data center session. One in particular, DCell: A Scalable and Fault-Tolerant Network Structure for Data Centers, a non-hierarchic connection topology, was both interesting operationally and had done the actual formal analysis. OMG, computer science!

What’s Going On? Learning Communication Rules In Edge Networks was a good tool-set for correlation of traffic within a network to understand what traffic flows are related to what others, and how to reveal unexpected and/or anomalous behavior.

In the decade or longer transition to IPv6, NAT is inescapable.  This is a direct consequence of the design of a new protocol which is 100% incompatible on the wire, there is not the slightest compatibility mode.

We may not like this, and I certainly do not, but NATs are inevitable, get over it.

Alain Durand (Comcast) and Miyakawa Shin (NTT) have a common problem.  They say that their networks’ customer edges are so large that, even giving each CPE a small bit of IPv4 space for the ‘front’ of a NAT, they need two to five /8s of IPv4 space.  They are in a terrible trade-off space.  They either request many public IPv4 /8s from the internet registries (not likely with the exhaustion of the IPv4 IANA free pool on the horizon) or do something more complex.

The approach they are testing is being called Carrier Class NAT.  It is essentially one or more IPv4 NATs in the core of their networks and various tunneling and translation techniques.  If the CPE has dual stack, traffic where source and destination is IPv6 would not have to me NATted.

We can contrast this to, for example, NAT-PT on the CPE, which would probably scale to the needs of even a large non-consumer backbone.  But, as we noted above, Alain and Shin would need way too much IPv4 space just to front the NAT-PT front ends for their large consumer networks.

I and a few other researchers have taken up a desperate search for alternatives.  The reasons are simple.

‘Carrier class’ is a euphemism for centralized.  More semantics move to the core of the network.  This is bad in and of itself.  Net-heads call it ‘telco-think’ because it is the telco model of smarts in the core as opposed to the internet model of a simple, just forward packets, core and smart edges.

With the smarts at the edges, e.g. NAT-PT, I can easily field new protocols between consenting end-points by just tweaking the NATs at the consenting CPEs, even adding ALGs if needed.

With NAT in the core, then if a customer wants to field a new application protocol which requires cooperation from the NAT, they get to beg help from Comcast and NTT and all other users of carrier class NATs.  This is the ultimate horror the NAT-haters fear, and they are not all that wrong.

You don’t build an internet walled garden at the edges, you build it by restricting the core.  Comcast has recently received a lot of bad press for just this, though I know that Alain is very far from the those responsible.  But be assured that the developer/deployer of new applications will be talking to Comcast’s walled garden loving lawyers not Alain.

It means that all new application protocols have to go through the carrier lawyers to be allowed to be handled by the NATs in their core.  So, if someone wants to deploy a new application, they can talk to Comcast’s and NTT’s lawyers or do it over HTTP, pick your poison.

And remember that, as IPv6 deploys, and we want to have one internet, i.e. IPv4 nodes talking freely with IPv6 nodes, then translation must be done somewhere.  The challenge is whether someone can figure out a scheme where it is done for these large networks at the customer edge, not in the core.

While Olaf and I were looking for other things, we stumbled on a revealing sub-experimental result.

• We announced a /25 prefix via BGP from our research routers at the Westin in Seattle
• Sprint did not listen to it
• Verio/NTT did, and said they propagated to their customers but not their peers
• We looked at BGP feeds from RouteViews, RIS, and 700+ other BGP feeds
• BGP data said the /25 reached 15 ASs
• From a prefix in the source /25, we probed IP addresses in over 20,000 ASs
• 1023 ASs replied
• I.e. RV et alia showed a shockingly small fraction of the real AS topology, less than 1.5%

Interestingly, the AS path length shown in the 15 ASs visible in BGP was 3, while pingability and the BGP path length for a /20 was the normal >4. See the diagram.