Report available! Modelling and identifying IP address space fragmentation pressure points

Despite exhaustion of the IPv4 address space commencing in 2011, the Internet has largely not transitioned to IPv6, and in fact the rate of IPv6 diffusion has recently begun to slow down (Huston, 2018). The IPv6 transition is expected to take decades, and hence problems stemming from the lack of scalability of IPv4 will continue to affect the Internet for many years to come.

Indeed, the number of allocated IPv4 address blocks continues to grow; this is enabled by subdivision of existing allocations into multiple blocks, and is argued to allow unused or under-utilised address space to be moved to other organisations with greater need. The amount of address space which could potentially be reallocated in this way is substantial: the volume of routed IPv4 address space is considerably less than the total allocated IPv4 address space (Richter et al., 2015), suggesting that there is a considerable amount of unused address space which could potentially be transferred to other network operators.

This typically involves partitioning existing IPv4 address blocks into smaller pieces and transferring some of those pieces to other operators.  In some cases operators re-number their networks to free up contiguous address space which is subsequently transferred; while this can result in more effective use of address space it also results in BGP routing table growth, one of the major scaling issues facing the Internet today (Gamba et al., 2017).  In other cases network operators could migrate whole networks from public to private address space and deploy NAT before transferring address space elsewhere.

Continuing the current practice of dividing address space into ever-smaller allocations while increasingly relying on NAT not only presents challenges for IPv6 diffusion efforts but will increasingly create ‘pressure points’ in economies or regions where allocations are smaller. Further, it also increases the prevalence of layered NAT (sometimes dubbed ‘double NAT’), which not only can lead to a range of operational problems but also has security implications, including the creation of attack points to be targeted by malicious parties and increased difficulty in identifying hosts involved in botnet activity (BITAG, 2012). Nevertheless, there has been nothing to suggest that the practice will end in the foreseeable future.

There has been no modelling to identify economies or regions likely to be first affected by such pressure points, or for how long this practice can continue.  This project will develop a statistical model of the process, thus allowing countries at greatest risk to develop mitigation strategies, providing clarity to the Internet community, and providing stakeholders tasked with stimulating IPv6 diffusion with a better understanding of differences between different countries and economies.

The final report is available here.

Two tools available for network operators for rapid detection of BGP anomalies

Evaluating BGP Replay Tool (BRT) using generated BGP updates and past BGP events

The Centre for Advanced Internet Architectures (CAIA) at Swinburne University of Technology explored a new technique that quickly detects different BGP anomalies, as part of the Internet Operations Research Grant it received from ISIF Asia during 2016 and implemented during 2017.

The Internet’s default inter-domain routing protocol, the Border Gateway Protocol (BGP), is vulnerable to different types of anomalies such as hijacking, misconfiguration, and Denial of Service (DoS) attacks. Although considerable research has been carried out into BGP anomalies, existing approaches have not been able to mitigate or identify BGP misconfiguration, and are hampered by a lack of ground truth time stamps for BGP events.

In this project, CAIA’s team introduced two new tools, the Real-Time BGP Anomaly Detection Tool (RTBADT) and the BGP Replay Tool (BRT), to detect BGP anomalies in real time. Specifically, RTBADT can be used by ISP operators to monitor and detect BGP anomalies by peering it with the intended peer AS, while BRT is able to replay past BGP updates with time stamps. These tools enable network operators to protect their networks from the worst consequences and mitigate threats to Internet stability.

Read their technical report to find out more about the outcomes of this research project and its contribution to supporting network operators: https://application.isif.asia/theme/default/files/ISIFAsia_2016_Grants_TechReport_SwinburneUni_AU_BGPResearch.pdf

ISIF Asia 2016 grant recipients announced!

ISIF Asia 2016 Grants

The first CERT in the Pacific, a Peering Strategy for the Pacific, and a mobile app reader to access books in Thailand’s Karen dialects are just some of the initiatives that will receive funding.

This year ISIF Asia will award its largest ever grants pool, across four categories, to support research and development of Internet technologies for the benefit of the Asia Pacific.

APNIC Internet Operations Research Grants

Around AUD 115,000 was awarded to support the following projects:

  • Realistic simulation of uncoded, coded and proxied Internet satellite links with a flexible hardware-based simulator. The University of Auckland, New Zealand. The main focus of this research is to establish a realistic satellite simulator of UDP flows. It also automates experiments run on non-coded and coded configurations. The project builds upon a 2014 ISIF Asia grant to improve connectivity in the Pacific islands (see report).
  • Rapid detection of BGP anomalies. Centre for Advanced Internet Architectures (CAIA), Swinburne University of Technology. This research focuses on producing techniques for the real-time detection of different types of BGP anomalies that can be used by an operator. The evaluation of this tool will be carried out on a controlled testbed using the BGP Replay Tool (BRT) to emulate past BGP events.
  • A Peering Strategy for the Pacific Islands. Telco2 Limited, New Zealand. This research continues and expands a set of Internet measurements of latency to Pacific Island telecommunications providers from various locations around the world, that when evaluated in conjunction with submarine cable availability, can be used to determine a metric for efficiency of transit that can be considered along with the economic impact of having an efficient transit. The measurements will be made available in real-time via a web interface to help operators, regulators, and funders understand the physical routing of network traffic, availability of content, and benefits of peering to improve availability, reachability and security of the Internet in the Asia Pacific region.

Internet Society Cybersecurity Grant

With support from the Internet Society, one grant of AUD 56,000 was allocated for this category, plus additional Monitoring, Evaluation and Communications support valued at AUD 2,500 and a travel grant to participate at the Internet Governance Forum in Guadalajara, Mexico, where they will be one of the speakers at the workshop “Cybersecurity – Initiatives in and by the Global South”.

  • Developing Tonga National CERT. Department of Information & ICT under the Ministry of Meteorology, Energy, Environment, Climate Change, Information, Communication, Disaster Management (MEIDECC), Tonga. The Tonga Computer Emergency Response Team (CERT), launched recently, is the first national CERT in the Pacific region. Tonga CERT was launched with a long-term goal to expand its services to the greater Pacific once fully operational. Tonga CERT will conduct incident handling; perform vulnerability handling; and provide security consultation and advice. Read more from Andrew Toimoana, Director of MEIDECC, Tonga.

Community Impact Grant

The AUD 50,000 Community Impact Grant was awarded to:

  • Equal Access to the Information Society in Myanmar, the Myanmar Book Aid and Preservation Foundation, Myanmar. This project focuses on women and youth, and benefits 500 people through 20 libraries across the country. The curriculum, developed specifically for Myanmar, focuses on critical thinking in a digital environment of smartphones and tablets. It develops the skills of young female leaders by providing them with specialized information technology training, leadership and job skills, and opportunities to engage in critical public discussion. Myanmar Book Aid and Preservation Foundation will also participate in a three-week mentoring program in Singapore, facilitated by JFDI.Asia, valued at AUD 25,000 plus expenses during their stay.

Technical Innovation Grants

Just over AUD 195,000 was allocated to support five projects under the Technical Innovation category.

  • Khushi Baby, India. This project improves digital medical records for mothers and children by streamlining data collection, improving decision making in the field, aiding in district resource management, and delivering effective dialect-specific voice call reminders to mothers. Khushi Baby will also participate in a three-week mentoring program in Singapore, facilitated by JFDI.Asia, valued at AUD 25,000 plus expenses during their stay.

Four small technical innovation grants of up to AUD 30,000 were awarded to:

  • My Community Reader: a Mobile-First Distributed Translation Tool and Reader for Ethnic Minority Languages. The Asia Foundation, Thailand. This project will build, test, and deploy a tool to translate text into minority-language books, significantly expanding the available online library of digital and printable mother-tongue children’s books. It will also deliver a mobile app so people can search the library and download titles on local Android devices.
  • UAV-Aided Resilient Communications for Post Disaster Applications: Demonstrations and Proofs of Concept. Ateneo de Manila University, Philippines. This project will design and demonstrate UAV-borne radio payloads as critical network nodes in the development of a post-disaster resilient, delay-tolerant communications system, using both multi-rotor and fixed-wing platforms with a long-range radio payload to demonstrate the concept. The UAVs will act as data aggregators and wireless store-and-forward relays for collecting important information and providing connectivity to evacuation centers, ground teams and concerned agencies. Data can be gathered from multiple sources below and delivered to another ground team or to a central station, while the UAV can use the wireless link to broadcast messages to the ground nodes. Relayed information can include survivor profiles, food supply audits, medicine requests, and images of victims. This system will be used to assist response team coordination, hasten rescue efforts, and deliver timely updates, among others.
  • Legalese. Legalese Pte. Ltd., Singapore. This is a web application that will enable the growing Asian population of first-time entrepreneurs and first-time investors to transact seed-stage financing with confidence and without expensive legal fees. The app educates end-users about entrepreneurial finance, facilitates choosing and configuring investment agreements, manages signatures through to completion, and develops libraries of contract templates for Asian languages and Asian jurisdictions.
  • Deployment of Collaborative Modern HoneyNet to improve Regional Cybersecurity Landscape (CMoHN). Institute of Systems Engineering, Riphah International University, Pakistan. The project will deploy and establish the core skills required to manage and integrate different honeynets and design new honeypots for countering cyber-attacks. The project will connect with other honeynets in the region to form a regional collaborative honeynet network, and promote R&D activities to secure network infrastructure through publications and conducting community awareness seminars.