Category Archives for "Potaroo blog"

The Cost of DNNSEC

If you’re playing in the DNS game, and you haven’t done so already, then you really should be considering turning on security in your part of the DNS by enabling DNSSEC. There are various forms of insidious attack that start with perverting the DNS, and end with the misdirection of an unsuspecting user. DNSSEC certainly allows a DNS resolver to tell the difference between valid intention and misdirection. But there's no such thing as a free lunch, and the decision to turn on DNSSEC is not without some additional cost in terms of traffic load and resolution time. In this article, I'll take our observations from running a large scale DNSSEC adoption measurement experiment and apply them to the question: What’s the incremental cost when turning on DNSSEC?

Where is Metadata Anyway?

There is an emerging picture that while networks, and network operators, make convenient targets for various forms of national security surveillance efforts, the reality of today’s IP network’s are far more complex, and Internet networks are increasingly ignorant about what their customers do. The result is that it's now quite common for Internet networks not to have the information that these security agencies are after. Not only can moderately well-informed users hide their activities from their local network, but increasingly this has been taken out of the hands of users, as the applications we have on our smartphones, tablets and other devices are increasingly making use of the network in ways that are completely opaque to the network provider.

What is Metadata and Why Should I Care?

August 2014 is proving yet again to be an amusing month in the Australian political scene, and in this case the source of the amusement was watching a number of Australian politicians fumble around the topic of digital surveillance and proposed legislation relating to data retention measures.

Some Internet Measurements

At APNIC Labs we’ve been working on developing a new approach to navigating through some of our data sets the describe aspects of IPv6 deployment, the use of DNSSEC and some measurements relating to the current state of BGP.

The Open Internet?

I hear the virtues of the “open Internet” being extolled so much these days that I can’t help but wonder what exactly we are referring to. So let’s ask the question. What is an “open” Internet?


The recent NANOG 61 meeting was a pretty typical NANOG meeting, with a plenary stream, some interest group sessions, and an ARIN Public Policy session. The meeting attracted some 898 registered attendees, which was the biggest NANOG to date. No doubt the 70 registrations from Microsoft helped in this number, as the location for NANOG 61 was in Bellevue, Washington State, but even so the interest in NANOG continues to grow, and there was a strong European contingent, as well as some Japanese and a couple of Australians. The meeting continues to have a rich set of corridor conversations in addition to the meeting schedule. These corridor conversations are traditionally focused on peering, but these days there are a number of address brokers, content networks, vendors and niche industry service providers added to the mix. Here’s my impressions of some of the presentations at NANOG 61.

RIP Net Neutrality

It's been an interesting couple of months in the ongoing tensions between Internet carriage and content service providers, particularly in the United States. The previous confident assertion was that the network neutrality regulatory measures in that country had capably addressed these tensions. While the demands of the content industry continue to escalate as the Internet rapidly expands into video content streaming models, we are seeing a certain level of reluctance from the carriage providers to continually accommodate these expanding demands within their networks though ongoing upgrades of their own capacity without any impost on the content provider. The veneer of network neutrality is cracking under the pressure, and the arrangements that attempted to isolate content from carriage appear to be failing. What's going on this extended saga about the tensions between carriage and content?

A Reappraisal of Validation in the RPKI

I’ve often heard that security is hard. And good security is very hard. Despite the best of intentions, and the investment of considerable care and attention in the design of a secure system, sometimes it takes the critical gaze of experience to sharpen the focus and understand what’s working and what’s not. We saw this with the evolution of the security framework in the DNS, where it took multiple iterations over 10 or more years to come up with a DNSSEC framework that was able to gather a critical mass of acceptance. So before we hear cries that the deployed volume of RPKI technology means that its too late to change anything, let’s take a deep breath and see what we've learned so far from this initial experience, and see if we can figure out what's working and what's not, and what we may want to reconsider.

NTP for Evil

There was a story that was distributed around the newswire services at the start of February this year, reporting that we had just encountered the “biggest DDOS attack ever” from a NTP-based attack. What’s going on? Why are these supposedly innocuous, and conventionally all but invisible services suddenly turning into venomous daemons? How has the DNS and NTP been turned against us in such a manner? And why have these attacks managed to overwhelm our conventional cyber defences?

Protocol Basics – The Network Time Protocol

These days we have become used to a world that operates on a consistent time standard, and we have become used to our computers operating at sub-second accuracy. But how do they do so? In this article I will look at how a consistent time standard is spread across the Internet, and examine the operation of the Network Time Protocol (NTP).

BGP in 2013 – The Churn Report

When looking at the Internet's Inter-domain routing space, the number of routed entries in the routing table is not the only metric of the scale of the routing space – it’s also what the routing protocol, BGP, does with this information that matters. As the routing table increases in size do we see a corresponding increase in the number of updates generated by BGP as it attempts to find a converged state? What can we see when we look a the profile of dynamic updates within BGP, and can we make some projections here about the likely future for BGP?

Addressing 2013

Time for another annual roundup from the world of IP addresses. What happened in 2013 and what is likely to happen in 2014? This is an update to the reports prepared at the same time in previous years, so lets see what has changed in the past 12 months in addressing the Internet, and look at how IP address allocation information can inform us of the changing nature of the network itself.

MITM and Routing Security

If the motivation behind the effort behind securing BGP was to allow any BGP speaker to distinguish between routing updates that contained “genuine” routing information and routing updates that contained contrived or false information, then these two reports point out that we’ve fallen short of that target. What’s gone wrong? Why are certain forms of routing Man-In-The-Middle attacks all but undetectable for the RPKI-enabled BGPSEC framework?

IPv6 at the OECD – A Public Policy Perspective on IPv6

The Organisation for Economic Co-operation and Development, the OECD, is a widely referenced and respected source of objective economic data and comparative studies of national economies and economic performance. The organization has a very impressive track record of high quality research and a justified reputation of excellence in its publications, even with its evident preference for advocating economic reform through open markets and their associated competitive rigors. OECD activities in the past have proved to be instrumental in facilitating change in governmental approaches to common issues that have broad economic and social dimensions. So how does IPv6 fit into this picture of OECD activities?

Who Uses Google’s DNS?

Much has been said about how Google uses the services they provide, including their mail service, their office productivity tools, file storage and similar services, as a means of gathering an accurate profile of each individual user of their services. The company has made a very successful business out of measuring users, and selling those metrics to advertisers. But can we measure Google as they undertake this activity? How many users avail themselves of their services? Perhaps that's a little ambitious at this stage, so maybe a slightly smaller scale may be better, so let's just look at one Google service. Can we measure how many folk use Google's Public DNS Service?

IP Addresses and Traceback

This is an informal description the evolution of a particular area of network forensic activity, namely that of traceback. This activity typically involves using data recorded at one end of a network transaction, and using various logs and registration records to identify the other party to the transaction. Here we’ll look at the impact that IPv4 address exhaustion and IPv6 transition has had on this activity, and also note, as we explore this space, the changing role of IP addresses within the IP protocol architecture.


It was never obvious at the outset of this grand Internet experiment that the one aspect of the network’s infrastructure that would truly prove to be the most fascinating, intriguing, painful, lucrative and just plain confusing, would be the Internet’s Domain Name System. After all, it all seemed so simple to start with.

The Big Bad Internet

I often think there are only two types of stories about the Internet. One is a continuing story of prodigious technology that continues to shrink in physical size and at the same time continue to dazzle and amaze us. We've managed to get the cost and form factor of computers down to that of an ordinary wrist watch, or even into a pair of glasses, and embed rich functionality into almost everything. The other is a darker evolving story of the associated vulnerabilities of this technology, where we've seen "hacking" turn into organised crime and from there into a scale of sophistication that is sometimes termed "cyber warfare". And in this same darker theme one could add the current set of stories about various forms of state sponsored surveillance and espionage on the net. In this article I'd like to wander into this darker side of the Internet and briefly look at some of the current issues in this area of cybercrime, based on some conferences and workshops I've attended recently.

Valuing IP Addresses

In the emerging IP address broker world it seems that one of the most widely cited address transactions was that of a US bankruptcy proceedings in 2011, where Microsoft successfully tendered $7.5M to purchase a block of 666,624 addresses from the liquidators of Nortel, which is equivalent to a price of $11.25 per address. Was that a "fair" price for IP addresses then, and is it a "fair" price now?

Not All IP Addresses are the Same

One IP address is much the same as another - right? There's hardly a difference between and is there? They are just encoded integer values, and aside from numerological considerations, one address value is as good or bad as any other - right? So IP addresses are much the same as each other, and an after-market in IP addresses should be like many other markets in undistinguished commodity goods. Right? Wrong!