Geoff Huston

10 Jul, 2010 04:23 PM
Traffic in Network 1.0.0.0/8 by Geoff Huston — last modified 08 Jun, 2017 04:51 PM

1.0.0.0/8 was assigned by IANA to APNIC on 19 January 2010, for use as public unicast space for further address allocations and assignments. Before starting to allocate and assign from this range, APNIC has undertaken a study into 1.0.0.0/8.

Testing Teredo by Geoff Huston — last modified 12 Nov, 2017 12:48 PM

How well does Teredo perform? This article reports on an exploration of Teredo performance using the 1x1 gif test technique.

Hacking Away at the Internet's Security by Geoff Huston — last modified 17 Oct, 2016 09:00 AM

The front page story of the September 13 2011 issue of the International Herald Tribune said it all: "Iranian activists feel the chill as hacker taps into e-mails." The news story relates how a hacker has "sneaked into the computer systems of a security firm on the outskirts of Amsterdam" and then "created credentials that could allow someone to spy on Internet connections that appeared to be secure." According to this news report this incident punched a hole in an online security mechanism that is trusted by hundreds of millions of Internet users all over the network.

Routing 2011 by Geoff Huston — last modified 01 Dec, 2016 12:18 AM

The size of the global routing table has been growing at a constant pace for many years. However, over the last few months, it is not growing as fast as it used to.

Routing IPv6 in 2011 by Geoff Huston — last modified 30 Nov, 2016 09:51 PM

This is a follow-up to the recently published article "Routing 2011" which focused on IPv4. In this new article Geoff is looking at the IPv6 routing table.

Dual Stack Esotropia by Geoff Huston — last modified 17 Oct, 2016 08:58 AM

The introduction of a second IP protocol into the Internet presents many technical issues, and in previous columns we've explored many of the issues related to network engineering and infrastructure. In this column I'd like to head upward in the protocol stack to the rarefied air way up there at the level of the application, and look at how applications are managing to cope with the issue of two IP stacks.

The Curious Case of the Crooked TCP Handshake by Geoff Huston — last modified 31 Oct, 2016 03:22 PM

In this article we will be delving into the behaviour of the Linux implementation of TCP, and looking at the way in which TCP establishes a connection. There are socket options in Linux that cause the TCP handshake to behave in a rather curious way.

Detecting IP Address Filters by Geoff Huston — last modified 26 Jan, 2017 09:43 AM

Until recently IP network operators were encouraged to set up so-called "bogon address filters" at the edge of their networks. These filters were intended to discard all incoming traffic where the source address in the IP header was from a block of addresses that was known to be unallocated. The inference was that a matching packet was either an unintentional leak from some privately addressed network domain or was generated using source address spoofing. In either case there is no point in delivering the packet, since it comes from a demonstrably fictitious source.

Occam's ITRs by Geoff Huston — last modified 17 Oct, 2016 08:55 AM

Or: Some Further Reflections on revising the International Telecommunications Regulations

The QoS Emperor's Wardrobe by Geoff Huston — last modified 17 Oct, 2016 08:59 AM

In the process of revising the International Telecommunications Regulations, it has been suggested to base a new IP interconnection framework on the concept of end-to-end Quality of Service. This raises a question in my head: How "real" is end-to-end Quality of Service in the Internet?

Measuring IPv6 - Country by Country by Geoff Huston — last modified 17 Oct, 2016 08:59 AM

Some years ago a report was published that ranked countries by the level of penetration of broadband data services. This ranking of national economies had an electrifying impact on this industry and upon public policies for broadband infrastructure in many countries. What if we did the same for IPv6? Would measuring each country's success or otherwise in deploying IPv6 act as a further incentive for IPv6?

Counting DNSSEC by Geoff Huston — last modified 17 Oct, 2016 09:00 AM

Is it possible to measure how well we are doing with DNSSEC? How many of the DNS resolvers will now perform DNSSEC validation of a domain name? How many of the Internet's user population are using these DNSSEC-validating resolvers? In this article we will explore a way to answer these questions, and provide some measures that describe which countries are well advanced in their use of DNSSEC deployment, and which are falling behind.

Re-Counting DNSSEC by Geoff Huston — last modified 17 Oct, 2016 08:59 AM

This is a follow-up article to "Counting DNSSEC" that reflects some further examination of the collected data. This time I'd like to describe some additional thoughts about the experiment, and some revised results in our efforts to count just how much DNSSEC is being used out there.

Counting IPv6 in the DNS by Geoff Huston — last modified 07 Dec, 2018 09:27 AM

At the recent ARIN XXX meeting in October 2012 I listened to a debate on a policy proposal concerning the reservation of a pool of IPv4 addresses to address critical infrastructure. The term "critical infrastructure" is intended to cover a variety of applications, including use by public Internet Exchanges and authoritative name servers for various top level domains. As far as I can tell, the assumptions behind this policy proposal include the assumption that a top level authoritative name server will need to use IPv4 for the foreseeable future, so that an explicit reserved pool of these IPv4 addresses needs to be maintained for use by the authoritative name servers for these domain names.

Superstorm Sandy and the Global Internet by Geoff Huston — last modified 17 Oct, 2016 08:59 AM

The Internet has managed to collect its fair share of mythology, and one of the more persistent myths is that from its genesis in a cold war US think tank in the 1960s the Internet was designed with a remarkable ability to "route around damage."

Here’s looking at you … by Geoff Huston — last modified 10 Apr, 2017 09:18 AM

Much has been said in recent weeks about various forms of cyber spying. The United States has accused the Chinese of cyber espionage and stealing industrial secrets. A former contractor to the United States’ NSA, Edward Snowden, has accused various US intelligence agencies of systematic examination of activity on various popular social network services, through a program called “PRISM”. These days cloud services may be all the vogue, but there is also an emerging understanding that once your data heads into one of these clouds, then it’s no longer necessarily entirely your data; it may have become somebody else’s data too.

A Question of DNS Protocols by Geoff Huston — last modified 17 Oct, 2016 08:58 AM

In this article we are looking at possible ways to prevent denial of service attacks. One solution could be to use TCP instead of UDP for large DNS responses. We conducted an experiment to find out what the resolution failure rate would be.

All IP Addresses Are Not The Same by Geoff Huston — last modified 14 Sep, 2018 08:44 AM

One IP address is much the same as another – right? There’s hardly a difference between 192.0.2.45 and 192.0.2.46 is there? They are just encoded integer values, and aside from numerological considerations, one address value is as good or bad as any other – right? So IP addresses are much the same as each other and an after-market in IP addresses should be like many other markets in undistinguished commodity goods. Right?

Valuing IP Addresses by Geoff Huston — last modified 18 Dec, 2017 08:32 AM

The prospect of exhaustion of the IPv4 address space is not a surprise. We've been anticipating this situation since at least 1990. But it's a "lumpy" form of exhaustion. It's not the case that the scarcity pressures for IP addresses are evidently at the same level in every part of the Internet. It's not the case that every single address is being used by an active device.

Measuring Google's Public DNS by Geoff Huston — last modified 17 Oct, 2016 09:01 AM

Much has been said about how Google uses the services they provide, including their mail service, their office productivity tools, file storage and similar services, as a means of gathering an accurate profile of each individual user of their services. The company has made a very successful business out of measuring users, and selling those metrics to advertisers. But can we measure Google as they undertake this activity? How many users avail themselves of their services? Perhaps that's a little ambitious at this stage, so maybe a slightly smaller scale may be better. Let's just look at one Google service. What I would like to describe here is the results of an extended effort to measure which of the world’s Internet user population are users of Google’s Public DNS Service.

New gTLD Concerns: Dotless Names and Name Collisions by Geoff Huston — last modified 17 Oct, 2016 09:01 AM

In the long discussions about the new generic Top Level Domains (gTLDs), there were two technical topics that were the subject of many assertions and little in the way of observed data. The first concerned the viability of a so-called "dotless" name, where the gTLD label itself resolves to an IP address in the DNS, and the second concerned the concept of "name collisions" between existing local use of a name and the same name being delegated as a new gTLD. This article explores these two topics, and adds some observed data to the debate on the way common operating systems and browsers handle such names.

NTP for Evil by Geoff Huston — last modified 17 Oct, 2016 08:55 AM

In this article Geoff Huston describes attacks that involve the Network Time Protocol (NTP) and what can be done to defend against them.

Privacy and Security - Five Objectives by Geoff Huston — last modified 17 Oct, 2016 09:01 AM

It has been a very busy period in the domain of computer security. With "shellshock", "heartbleed" and NTP monlist adding to the background of open DNS resolvers, port 445 viral nasties, SYN attacks and other forms of vulnerability exploits, it's getting very hard to see the forest for the trees. We are spending large amounts of resources in reacting to various vulnerabilities and attempting to mitigate individual network attacks, but are we making overall progress? What activities would constitute "progress" anyway?

ECDSA and DNSSEC by Geoff Huston — last modified 17 Oct, 2016 08:58 AM

Yes, that's a cryptic topic, even for an article that addresses matters of the use of cryptographic algorithms, so congratulations for getting even this far! This is a report of an experiment conducted in September and October 2014 by the authors to measure the extent to which deployed DNSSEC-validating resolvers fully support the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256.

Who's Watching by Geoff Huston — last modified 17 Oct, 2016 08:58 AM

Much has been said over the past year or so about various forms of cyber spying. The United States has accused the Chinese of cyber espionage and stealing industrial secrets. A former contractor to the United States' NSA, Edward Snowden, has accused various US intelligence agencies of systematic examination of activity on various popular social network services, through a program called "PRISM". These days cloud services may be all the vogue, but there is also an emerging understanding that once your data heads off into one of these clouds, then it's no longer necessarily entirely your data; it may have become somebody else's data too.

The Resolvers We Use by Geoff Huston — last modified 17 Oct, 2016 08:56 AM

The Internet’s Domain Name System is a modern day miracle. It may not represent the largest database that has ever been built, but nevertheless it’s truly massive. And even if it’s not the largest database that’s ever been built, it’s perhaps one of the more intensively used. The DNS is consulted every time we head to a web page, every time we send an email message, or in fact every time we initiate almost any transaction on the Internet. It's the essential bridge between a world of human names and the underlying world of binary protocol addresses. And it’s fast. Fast enough that it’s still largely invisible as part of the user experience, despite continued growth in size. Given the fragmentation of the IPv4 address space with the widespread use of various forms of address sharing, then it increasingly looks as if the DNS is the only remaining common glue that binds the Internet together as a single network.

Today's Mobile Internet by Geoff Huston — last modified 17 Oct, 2016 09:00 AM

It has been observed that the most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it, and are notable only by their absence.

More Leaky Routes by Geoff Huston — last modified 17 Oct, 2016 08:56 AM

Most of the time, mostly everywhere, most of the Internet appears to work just fine. Indeed, it seems to work just fine enough to the point that when it goes wrong in a significant way then it seems to be fodder for headlines in the industry press.

Examining IPv6 Performance by Geoff Huston — last modified 17 Oct, 2016 08:54 AM

Every so often I hear the claim that some service or other does not support IPv6 not because of some technical issue, or some cost or business issue, but simply because the service operator is of the view that IPv6 offers an inferior level of service as compared to IPv4, and by offering the service over IPv6 they would be exposing their clients to an inferior level of performance of the service. But is this really the case? Is IPv6 an inferior cousin of IPv4 in terms of service performance?

Evaluating IPv4 and IPv6 Packet Fragmentation by Geoff Huston — last modified 17 Oct, 2016 08:56 AM

One of the more difficult design exercises in packet-switched network architectures is that of the design of packet fragmentation. In this article, I’d like to examine IP packet fragmentation in detail and look at the design choices made by IP version 4, and then compare that with the design choices made by IP version 6.

On the Internet, Everyone is Connected to Everyone Else. Right? by Geoff Huston — last modified 25 Apr, 2017 05:14 PM

We tend to make a number of assumptions about the Internet, and sometimes these assumptions don't always stand up to critical analysis. We were perhaps 'trained' by the claims of the telephone service to believe that these communications networks supported a model of universal connectivity. That any telephone handset could establish a call with any other telephone handset was the underlying model of a ubiquitous telephone service, and we've carried that assumption into our perception of the Internet. On the Internet anyone can communicate with anyone else – right?

Fragmenting IPv6 by Geoff Huston — last modified 17 Oct, 2016 09:01 AM

The design of IPv6 represented a relatively conservative evolutionary step of the Internet protocol. Mostly, it's just IPv4 with significantly larger address fields. Mostly, but not completely, as there were some changes. IPv6 changed the boot process to use auto-configuration and multicast to perform functions that were performed by ARP and DHCP in IPv4. IPv6 added a 20-bit Flow Identifier to the packet header. IPv6 replaced IP header options with an optional chain of extension headers. IPv6 also changed the behaviour of packet fragmentation, which is what we will look at here.

Open Season by Geoff Huston — last modified 17 Oct, 2016 09:00 AM

In June 2016, the Organization for Economic Cooperation and Development (OECD) hosted a meeting of ministers to consider the state of the Digital Economy. The central message from this meeting was that: "Governments must act faster to help people and firms to make greater use of the Internet and remove regulatory barriers to digital innovation or else risk missing out on the potentially huge economic and social benefits of the digital economy." All well and good, and as a piece of rhetoric, it seems to strike an appropriately positive note without straying far from what appear to be bland truisms of our time.

DNS Privacy by Geoff Huston — last modified 28 Apr, 2017 09:26 AM

The DNS is normally a relatively open protocol that smears its data (which is your data and mine too!) far and wide. Little wonder that the DNS is used in many ways, not just as a mundane name resolution protocol, but as a data channel for surveillance and as a common means of implementing various forms of content access control. But all this is poised to change. Now that the Snowden files have sensitized us to the level of such activities, we have become acutely aware that many of our tools are just way too trusting, way too chatty, and way too easily subverted. First and foremost in this collection of vulnerable tools is the Domain Name System.

DNSSEC and ECDSA by Geoff Huston — last modified 25 Apr, 2017 05:17 PM

Is the Elliptic Curve Digital Signature Algorithm (ECDSA) a viable cryptographic algorithm for use in DNSSEC today? And what has changed over the last two years?

IPv6 and the DNS by Geoff Huston — last modified 12 Feb, 2018 09:46 AM

The exhortations about the Internet’s prolonged transition to version 6 of the Internet Protocol continue, although after some two decades the intensity of the rhetoric has faded and, possibly surprisingly, it has been replaced by action in some notable parts of the Internet. But how do we know there is action? How can we tell whether, and where, IPv6 is being deployed in today’s Internet?

Speculating on DNS DDoS by Geoff Huston — last modified 18 Nov, 2016 11:45 AM

The recent attacks on the DNS infrastructure operated by Dyn have generated a lot of comment in recent days. Indeed, it’s not often that the DNS itself has been prominent in the mainstream of news commentary and, in some ways, this DNS DDoS prominence is for all the wrong reasons! I’d like to speculate a bit on what this attack means for the DNS and what we could do to mitigate the recurrence of such attacks.

The Death of Transit? by Geoff Huston — last modified 31 Oct, 2016 12:09 PM

Geoff Huston discusses the possible demise of transit services and the rise of content networking.

Scoring the DNS Root Server System by Geoff Huston — last modified 12 Dec, 2016 04:05 PM

The process of rolling the Key Signing Key of the DNS Root has now started. During this process, there will be a period where the root zone servers' response to a DNS query for the DNSKEY resource record of the root zone will grow from the current value of 864 octets to 1,425 octets. Does this present a problem?

BGP in 2016 by Geoff Huston — last modified 25 Apr, 2017 05:01 PM

It has become either a tradition or a habit for me that, each January, I report on the experience with the inter-domain routing system over the past year; looking in some detail at metrics from the routing system that can show the essential shape and behaviour of the underlying interconnection fabric of the Internet.