PING

In his regular monthly spot on PING, APNIC’s Chief Scientist Geoff Huston discusses DNSSEC and it's apparent failure to deploy at scale in the market after 30 years: Both as the state of signed zone uptake (the supply side) and the low levels of verification seen by DNS client users (the consumption side) there is a strong signal DNSSEC isn't making way, compared to the uptake of TLS which is now ubiquitous in connecting to websites. Geoff can see this by measurement of client DNSSEC use in the APNIC Labs measurement system, and from tests of the DNS behind the Tranco top website rankings.

This is both a problem (the market failure of a trust model in the DNS is a pretty big deal!) and an opportunity (what can we do, to make DNSSEC or some replacement viable) which Geoff explores in the first of two parts.

A classic "cliffhanger" conversation about the problem side of things will be followed in due course by a second episode which offers some hope for the future. In the meantime here's the first part, discussing the scale of the problem.

Read more about DNSSEC and TLS on the APNIC Labs website and the APNIC Blog:

• Calling time on DNSSEC (Geoff Huston, APNIC Blog June 2024)
• "Keytrap" attacks on DNSSEC (Geoff Huston, APNIC Blog June 2024)
• DNS topics at RIPE88 (Geoff Huston, APNIC Blog June 2024)
• The Tranco top website Rankings
• DNSSEC validation client usage (APNIC Labs)
• DNSSEC enabled domains from Cloudflare public DNS (APNIC Labs)

This time on PING, Philip Paeps from the FreeBSD Cluster Administrators and Security teams discusses their approach to systems monitoring and measurement. Its eMail.

“Short podcast” you say, but no, there’s a wealth of war-stories and “why” to explore in this episode.

We caught up at the APNIC57/APRICOT meeting held in Bangkok in February of 2024. Philip has a wealth of experience in systems management and security and a long history of participation in the free software movement. So his ongoing of support of email as a fundamental measure of system health isn’t a random decision, it’s based on experience.

Mail may not seem like the obvious go-to for a measurement podcast, but Philip makes a strong case that it’s one of the best tools available for a high-trust measure of how systems are performing, and in the first and second order derivative can indicate aspects of velocity and rate of change of mail flows, indicative of the continuance or change in the underlying systems issues.

Philip has good examples of how Mail from the FreeBSD cluster systems indicates different aspects of systems health. Network delays, disk issues. He’s realistic that there are other tools in the armoury, especially the Nagios and Zabbix systems which are deployed in parallel. But from time to time, the first best indication of trouble emerges from a review of the behaviour of email.

A delightfully simple, and robust approach to systems monitoring can emerge from use of the fundamental tools which are part of your core distribution.

Read more about Philip, FreeBSD, Zabbix and Nagios at their websites:

• FreeBSD Project home page
• The FreeBSD Foundation welcomes donations!
• The FreeBSD Project and Administration
• Philip’s home page
• Zabbix for systems and network monitoring
• Nagios for systems and network monitoring

In his regular monthly spot on PING, APNIC’s Chief Scientist Geoff Huston discusses the question of subnet structure, looking into the APNIC Labs measurement data which collects around 8 million discrete IPv6 addresses per day, worldwide.

Subnets are a concept which "came along for the ride" in the birth of Internet Protocol, and were baked into the address distribution model as the class-A, class-B and class-C subnet models (there are also class-D and class-E addresses we don't talk about much).

The idea of a sub-net is distinct from a routing network, many pre-Internet models of networking had some kind of public-local split, but the idea of more than one level of structure in what is "local" had to emerge when more complex network designs and protocols came into being.

Subnets are the idea of structure inside the addressing plan, and imply logical and often physical separation of hosts, and structural dependency on routing. There can be subnets inside subnets, its "turtles all the way down" in networks.

IP had an ability out-of-the-box to permit subnets to be defined, and when we moved beyond the classful model into classless inter-domain routing or CIDR, the idea of prefix/length models of networks came to life.

But IPv6 is different, and the assumption we are heading to a net-subnet-host model of networks may not be applicable in IPv6, or in the modern world of high speed complex silicon for routing and switching.

Geoff discusses an approach to modelling how network assignments are being used in deployment, which was raised by Nathan Ward in a recent NZNOG meeting. Geoff has been able to look into his huge collection of IPv6 addresses and see what's really going on.

Read more about networks and subnets and address policy on the APNIC Web and blog

• APNIC's current address policy
• RFC4632 Classless Inter-Domain Routing (CIDR) (IETF RFC)
• IPv6 Prefix Lengths (Geoff Huston, blog article)

This time on PING Doug Madory from Kentik discusses his recent measurements of the RPKI system worldwide, and it's visible impact on the stability and security of BGP.

Doug makes significant use of the Oregon RouteViews repository of BGP data, a collection maintained continuously at the University of Oregon for decades. It includes data from back to 1997, originally collected by the NLANR/MOAT project and has archives of BGP Routing Information Base (RIB) dumps taken every two hours from a variety of sources, and made available in both human-readable and machine readable binary formats.

This collection has become the de-facto standard for publicly available BGP state worldwide, along with the RIPE RIS collection. As Doug discusses, research papers which cite Oregon RouteViews data (over 1,000 are known of, but many more exist which have not registered their use of the data) invite serious appraisal because of the reproducibility of the research, and thus the testability of the conclusions drawn. It is a vehicle for higher quality science about the nature of the Internet through BGP.

Doug presented on RPKI and BGP, at the APOPS session held in February at APRICOT/APNIC57 Bangkok, Thailand

Read more about Doug's presentation, his measurements at Kentik, Oregon RouteViews, the state of BGP and RPKI on the Kentik website, and the APNIC Blog:

• RPKI ROV Reaches Major Milestone/ (APNIC Blog May 2024)
• Doug Madory's blog at Kentik
• Digging into the Orange España Hack (APNIC Blog January 2024)
• What can be learned from BGP hijacks targeting cryptocurrency services? (APNIC Blog November 2022)
• The University of Oregon RouteViews project website
• The RIPE Routing Information Service (RIS) website

In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses Starlink again, and the ability of modern TCP flow control algorithms to cope with the highly variant loss and delay seen over this satellite network. Geoff has been doing more measurements using starlink terminals in Australia and the USA, at different times of day exploring the system behaviour.

Starlink has broken new ground in Low Earth Orbit internet services. Unlike Geosynchronous satellite services which have a long delay but constant visibility of the satellite in stationary orbit above, Starlink requires the consumer to continuously re-select a new satellite as they move overhead in orbit. In fact, a new satellite has to be picked every 15 seconds. This means there's a high degree of variability in the behaviour of the link, both between signal quality to each satellite, and in the brief interval of loss ocurring at each satellite re-selection window. 

Its a miracle TCP can survive, and in fact in the case of the newer BBR protocol thrive, and achieve remarkably high throughput, if the circumstances permit. This is because of the change from a slow start, fast backoff model used in Cubic and Reno to a much more aggressive link bandwidth estimation model, which continuously probes to see if there is more room to play in.

Read more about Satellites, TCP and flow control algorithms on the APNIC Blog and on the IETF website.

• An explainer on Coherent Optical Transcievers (Geoff Huston, APNIC Blog 2024)
• Low Earth Orbit and the Congestion Control Problem (Geoff Huston, APNIC Blog 2023)
• APNIC Labs measurements of Starlink (APNIC Labs)
• Comparing TCP and QUIC (Geoff Huston APNIC Blog 2022)
• Testing LEO and GEO Satellite Services in Australia 
• Transport Protocols and the Network 
• Congestion Control at IETF 110

This time on PING, Dr Mona Jaber from Queen Mary University of London (QMUL), discusses her work exploring IoT, Digital Twins and Social Science led research in the field of networking and telecommunications.

Dr Jaber is a senior lecturer in QMUL and is the founder and director of the Digital Twins for Sustainable Development Goals (DT4SDG) at QMUL. She was one of the invited Keynote speakers at the recent APRICOT/APNIC57 meeting held in Bangkok, and the podcast explores the three major themes explored in her keynote presentation.

• The role of deployed fibre optic communication systems in measurement for sustainable green goals
• Digital Twin Simulation platforms for exploring the problem space
• Social Sciences led research, an inter-disciplinary approach to formulating and exploring problems which has been applied to Sustainable Development-related research through technical innovation in IoT, AI, and Digital Twins.

The Fibre Optic measurement method is Distributed Acoustic Sensor or DAS:

This Episode of PING was recorded live in the venue and is a bit noisy compared to the usual recordings, but it's well worth putting up with the background chatter!

Read more about Dr Jaber's presentation, the DAS system, Digital Twins and Fibre Optic communications:

• Intelligent IoT for sustainable development Goals: Keynote talk at APRICOT/APNIC57
• The recording of Dr Jaber's Keynote talk
• The DASMATE project: Assisting the uptake of Active Travel Tower Hamlets, London
• The DT4SDG group page at QMUL
• Coherent Optical Tranceivers (Geoff Huston, April 2024)

In this episode of PING, APNIC’s Chief Scientist Geoff Huston discusses the European Union's consideration of taking a role in the IETF, as itself. Network engineers, policy makers and scientists from all around the world have participated in IETF but this is the first time an entity like the EU has considered participation as itself in the process of standards development. 

What's lead to this outcome? What is driving the concern that the EU as a law setting and treaty body, an inter-governmental trade bloc needs to participate in the IETF process? Is this a mis-understanding of the nature of Internet Standards development or does it reflect a concern that standards are diverging from society's needs? Geoff wrote this up in a recent opinion piece on the APNIC Blog and the podcast is a conversation around the topic.

Read more about digital sovereignty on the APNIC Blog and on the IETF website.

• Digital sovereignty and standards (Geoff Huston, APNIC Blog)
• As the Balance of Security Controls shifts where does responsibility rest? (Kathleen Moriarty, Guest Author on the APNIC Blog)
• Reflections on Ten Years Past the Snowden Revelations (IETF RFC9446)
• Pervasive Monitoring is an Attack (IETF RFC7528)

This time on PING we have Phil Regnauld from DNS Operations Analysis & Resource Center (DNS-OARC) talking about the three distinct faces OARC presents to the community.

Phil came to the OARC presidents role, replacing Keith Mitchell who was the founding president since 2008 through to this year. Phil previously has worked with the Network Startup Resource Centre (NSRC) and with AFNOG, and the Francophone Internet community at large.

DNS OARC has at least 3 distinct faces. It is a community of DNS operators and researchers, who maintain an active ongoing dialogue face to face in workshops and online in the OARC Mattermost community hub. Secondly it is a home, repository and ongoing development environment for DNS related tools such as DNSVIZ (written by Casey Deccio) hosting the AS112 project, and development of the DSC systems amongst many other tools.

Thirdly it is the organiser and host of the Day In The Life or DITL activity, the periodic collection of 48-72 hours of DNS traffic from the DNS root operators, and other significant sources of DNS traffic. Stretching back over 10 years DITL is a huge resource for DNS research, providing insights in the use of DNS and its behaviour on-the-wire.

Read more about DNS OARC and its activities:

• The Domain Name Service Operations, Analysis and Research Center
• The DSC data collection and analysis system
• DNS OARC software tools catalog
• The Day In The Life (DITL) collection

In this episode of PING, APNICs Chief Scientist Geoff Huston discusses a new proposed DNS resource record called DELEG. The record is being designed to aid in managing where a DNS zone is delegated.

Delegation is the primary mechanism used in the DNS to separate responsibility between child and parent for a given domain name. The DELEG RR is designed to address several problems, including a goal of moving to new transports for the name resolution service the DNS provides to all other Internet protocols.

Additionally, Geoff believes it can help with cost and management issues inherent in out-of-band external domain name management through the registry/registrar process, bound in the whois system and in a protocol called Extensible Provisioning Protocol or EPP.

There are big costs here and they include some problems dealing with intermediaries who manage your DNS on your behalf.

Unlike whois, EPP, and registrar functions, DELEG would be an in-band mechanism between the parent zone, any associated registry, and the delegated child zone. It’s a classic disintermediation story about improved efficiency and enables the domain name holder to nominate intermediaries for their services, via an aliasing mechanism that has until now eluded the DNS.

Read more about DELEG on the APNIC Blog and on the IETF website.

• DNS and the proposed DELEG record (APNIC Blog)
• ‘Extensible Delegation for DNS‘ (IETF draft)
• Extensible Provisioning Protocol (EPP) (IETF RFC)

This time on PING we have Amreesh Phokeer from the Internet Society (ISOC) talking about a system they operate called Pulse, available at https://pulse.internetsociety.org/. Pulse’s purpose is to assess the “resiliency” of the Internet in a given locality.

Similar systems we have discussed before on Ping include APNIC’s DASH service, aimed at resource holding APNIC members, and the MANRS project. Both of these take underlying statistics like resource distribution data, or measurements of RPKI uptake or BGP behaviours and present them to the community, and in the case of MANRS there’s a formalised “score” which shows your ranking against current best practices.

The Pulse system measures resilience in four pillars: Infrastructure, Quality, Security and Market Readiness. Some of these are “hard” measures analogous to MANRS and DASH, but Pulse in addition to these kinds of measurements includes “soft” indicators like the economic impacts of design decisions in an economy of interest, the extent of competition, and less formally defined attributes like the amount of resiliency behind BGP transit. This allows the ISOC Pulse system to consider governance-related aspects of the development of Internet, and has a simple scoring model which allows a single health metric analogous to the use of pulse and blood pressure by a physician to assess your condition, but this time applied to the Internet.

Read more about Pulse:

• The https://pulse.internetsociety.org/ website
• The Pulse Blog
• Don’t put all your internet infrastructure in one basket (Robbie Mitchell in the APNIC Blog)
• Internet Resilience on Pulse
• Internet Resilience Index Methodology