Beyond Counting: New Perspectives on the Active IPv4 Address Space - - PowerPoint PPT Presentation

beyond counting new perspectives on the active ipv4
SMART_READER_LITE
LIVE PREVIEW

Beyond Counting: New Perspectives on the Active IPv4 Address Space - - PowerPoint PPT Presentation

Mar 11, 2024 171 likes •479 views

Beyond Counting: New Perspectives on the Active IPv4 Address Space @IETF 96 Berlin (maprg) July 2016 Philipp Richter Georgios Smaragdakis David Plonka Arthur Berger TU Berlin MIT Akamai Akamai/MIT work under submission

slide-1
SLIDE 1

Beyond Counting: New Perspectives on the Active IPv4 Address Space

Philipp Richter Georgios Smaragdakis David Plonka Arthur Berger

TU Berlin MIT Akamai Akamai/MIT

@IETF 96 Berlin (maprg) July 2016

work under submission comments highly appreciated! preprint: http://arxiv.org/abs/1606.00360

slide-2
SLIDE 2

Philipp Richter | INET / TU Berlin 1

IPv4 Address Space Exhaustion

IPv4 Standard 1981 RIR Framework Initiation First RIR (RIPE) founded 1992 APNIC exhausted 2011 RIPE exhausted 2012 ARIN exhausted 2015 Early Registration Needs-Based Provision Depletion & Exhaustion 2005 Last RIR (AFRINIC) founded LACNIC exhausted 2014

/8 equivalents

  • 50

100 150 200 250 Nov 1997 Jan 2002 Jan 2006 Jan 2010 Jan 2014 routable address space limit (220.7 /8 equivalents) total address space limit (256 /8 equivalents)

  • allocated address blocks

routed address blocks

Figures: P. Richter, M. Allman, R. Bush, V. Paxson: A Primer on IPv4 Scarcity, ACM CCR 45(2), 2015.

  • IPv4 has been around for ~35 years
  • Theoretically routable IP addresses: 3.7B, ~2.8B routed
  • IANA exhausted its address pool in 2011
  • Today: Less than 2% of the IPv4 address space “free”

http://arxiv.org/abs/1606.00360

slide-3
SLIDE 3

Operators' Community Efforts

Efforts in the IETF community:

  • IPv6 transition mechanisms
  • IPv4 multiplexing/sharing mechanisms (e.g., EnIP, A+P)
  • Efforts to conserve IPv4 address space

IANA/Regional Internet Registries:

  • Establishment of address transfer policies
  • Incentives for increasing address space utilization

e.g., draft-fleischhauer-ipv4-addr-saving-05, RFC6346, draft-chimiak-enhanced-ipv4-03

Philipp Richter | INET / TU Berlin 2

http://arxiv.org/abs/1606.00360

slide-4
SLIDE 4

Academic Community Efforts

  • Measurements to understand “where we are” right now
  • Internet-wide: Number of actively used IPv4 addresses:


“1.2B IP addresses in use in 2014”, statistical estimation
 “5.3M /24 address blocks in use in 2013”, passive+active measurement

  • Challenge: No single vantage point captures all activity

Philipp Richter | INET / TU Berlin 3

http://arxiv.org/abs/1606.00360

Zander et al., IMC ‘14 Dainotti et al., JSAC ‘16

slide-5
SLIDE 5

Academic Community Efforts

  • Measurements to understand “where we are” right now
  • Internet-wide: Number of actively used IPv4 addresses:


“1.2B IP addresses in use in 2014”, statistical estimation
 “5.3M /24 address blocks in use in 2013”, passive+active measurement

  • Challenge: No single vantage point captures all activity

Philipp Richter | INET / TU Berlin 3

http://arxiv.org/abs/1606.00360

Zander et al., IMC ‘14 Dainotti et al., JSAC ‘16

What can we say from our CDN’s perspective? Can we do more than counting active IP addresses?

slide-6
SLIDE 6

The CDN as an Observatory

CDN front-end servers HTTP(S) requests

  • 200,000+ servers
  • 3 trillion requests per day
  • CDN logs: number of requests per IP per day

Totals for the entirety of 2015:

  • 1.2B active IPv4 addresses (42% of routed)
  • 6.5M active /24 address blocks (59% of routed)

Philipp Richter | INET / TU Berlin 4

http://arxiv.org/abs/1606.00360

Visibility: CDN logs vs. ICMP scan (ZMap project, 8 snapshots)

% IPv4 addresses visibly active (N=950M, Oct. 2015)

CDN only CDN & ICMP ICMP only

20 40 60 80 100

slide-7
SLIDE 7

Peak IPv4?

  • date [ticks: January of each year]

unique IPv4 addresses 200M 400M 600M 800M 1B 2008 2009 2010 2011 2012 2013 2014 2015 2016

  • unique active IPv4 addresses per month

linear regression until 2014−01

  • IANA exhaustion
  • RIPE exhaustion
  • ARIN exhaustion
  • APNIC exhaustion
  • LACNIC exhaustion

Active IPv4 address counts have stagnated since 2014

Philipp Richter | INET / TU Berlin 5

http://arxiv.org/abs/1606.00360

slide-8
SLIDE 8

Daily IPv4 Activity and Churn

  • days from 2015−08−17 to 2015−12−06

unique IPv4 addresses 200M 400M 600M 14 28 42 56 70 84 98 112

  • active IPv4 addresses

up events down events

Philipp Richter | INET / TU Berlin 6

http://arxiv.org/abs/1606.00360

slide-9
SLIDE 9

Churn on all Timescales

day-to-day: ~7% come, ~7% go week-to-week: ~5% come, ~5% go month-to-month: ~5% come, ~5% go The number of active IPv4 addresses stays constant the set of active addresses varies on all timescales

Philipp Richter | INET / TU Berlin 7

http://arxiv.org/abs/1606.00360

slide-10
SLIDE 10

Long-term Effect of Address Churn

time lag from 2015−01−01 change in active IPv4 addresses 1 week 26 weeks 52 weeks −200M −100M 100M 200M appear −25% −12.5% 12.5% 25% disappear

Over the course of one year, 25% of the 
 active IP address pool changed

Philipp Richter | INET / TU Berlin 8

http://arxiv.org/abs/1606.00360

slide-11
SLIDE 11

Address Activity Matrix

130.149.0.6 130.149.0.5 130.149.0.4 130.149.0.3 130.149.0.2 130.149.0.1

… …

address space days

for each day on which an IP address 
 was active (requested content), we draw a red dot.

Philipp Richter | INET / TU Berlin 9

http://arxiv.org/abs/1606.00360

slide-12
SLIDE 12

Patterns: “In situ” Address Activity

time [months] IP address activity within /24 1 2 3 4 .0 .127 .255 time [months] IP address activity within /24 1 2 3 4 .0 .127 .255 time [months] IP address activity within /24 1 2 3 4 .0 .127 .255 time [months] IP address activity within /24 1 2 3 4 .0 .127 .255

static block DE University DHCP pool US University residential users US ISP residential users DE ISP

“in situ” activity: address assignment practice + user behavior (no visible modification of address assignment practice)

Philipp Richter | INET / TU Berlin 10

http://arxiv.org/abs/1606.00360

slide-13
SLIDE 13

Patterns: Operational Change

time [months] IP address activity within /24 1 2 3 4 .0 .127 .255 time [months] IP address activity within /24 1 2 3 4 .0 .127 .255

DE University DE University

Philipp Richter | INET / TU Berlin 11

http://arxiv.org/abs/1606.00360

slide-14
SLIDE 14

Activity Matrix at Scale

Philipp Richter | INET / TU Berlin 12

http://arxiv.org/abs/1606.00360

20k adjacent IP addresses (in active /24s), University Network

slide-15
SLIDE 15

Metric 1: Filling Degree per /24

Number of active IP addresses per /24 [1…256]

time [months] IP address activity within /24 1 2 3 4 .0 .127 .255

rather low 
 (degree = 29)

time [months] IP address activity within /24 1 2 3 4 .0 .127 .255

Philipp Richter | INET / TU Berlin 13

http://arxiv.org/abs/1606.00360

high 
 (degree = 254)

slide-16
SLIDE 16

Metric 1: Filling Degree per /24

Philipp Richter | INET / TU Berlin 14

http://arxiv.org/abs/1606.00360

active IP addresses within /24 CDF: active /24 blocks 1 64 128 192 256 0.0 0.2 0.4 0.6 0.8 1.0

slide-17
SLIDE 17

Metric 1: Filling Degree per /24

Philipp Richter | INET / TU Berlin 14

http://arxiv.org/abs/1606.00360

active IP addresses within /24 CDF: active /24 blocks 1 64 128 192 256 0.0 0.2 0.4 0.6 0.8 1.0

  • nly less than 50% of all

active /24 blocks have filling degree > 250

slide-18
SLIDE 18

Addressing: Static vs. Dynamic

Philipp Richter | INET / TU Berlin 14

http://arxiv.org/abs/1606.00360

active IP addresses within /24 CDF: active /24 blocks 1 64 128 192 256 0.0 0.2 0.4 0.6 0.8 1.0 static all dynamic

  • We tagged likely static/dynamic blocks using PTR records
  • We identified 262K static blocks and 456K dynamic blocks
slide-19
SLIDE 19

Addressing: Static vs. Dynamic

Philipp Richter | INET / TU Berlin 14

http://arxiv.org/abs/1606.00360

active IP addresses within /24 CDF: active /24 blocks 1 64 128 192 256 0.0 0.2 0.4 0.6 0.8 1.0 static all dynamic

  • We tagged likely static/dynamic blocks using PTR records
  • We identified 262K static blocks and 456K dynamic blocks

more than 70%


  • f “static”-tagged blocks


have filling degree < 64

slide-20
SLIDE 20

Addressing: Static vs. Dynamic

Philipp Richter | INET / TU Berlin 14

http://arxiv.org/abs/1606.00360

active IP addresses within /24 CDF: active /24 blocks 1 64 128 192 256 0.0 0.2 0.4 0.6 0.8 1.0 static all dynamic

  • We tagged likely static/dynamic blocks using PTR records
  • We identified 262K static blocks and 456K dynamic blocks

more than 70%


  • f “static”-tagged blocks


have filling degree < 64 more than 80% of “dynamic”-tagged blocks
 have filling degree > 250

slide-21
SLIDE 21

Metric 2: Spatio-temporal Utilization

low utilization (18%)

time [months] IP address activity within /24 1 2 3 4 .0 .127 .255 time [months] IP address activity within /24 1 2 3 4 .0 .127 .255

Philipp Richter | INET / TU Berlin 15

http://arxiv.org/abs/1606.00360

sum(<active IP, day>) sum(all possible <active IP, day>) = red red + grey

rather high (75%)

Dynamic addressing: Configuration/Pool sizes matter

slide-22
SLIDE 22

Utilization: Blocks w/ > 250 active IPs

% of max possible spatio−temporal utilization active /24 blocks 20 40 60 80 100 40K 80K 120K

Philipp Richter | INET / TU Berlin 16

http://arxiv.org/abs/1606.00360

slide-23
SLIDE 23

Utilization: Blocks w/ > 250 active IPs

% of max possible spatio−temporal utilization active /24 blocks 20 40 60 80 100 40K 80K 120K

Philipp Richter | INET / TU Berlin 16

http://arxiv.org/abs/1606.00360

majority of - likely dynamic - blocks show high utilization

slide-24
SLIDE 24

Utilization: Blocks w/ > 250 active IPs

% of max possible spatio−temporal utilization active /24 blocks 20 40 60 80 100 40K 80K 120K

Philipp Richter | INET / TU Berlin 16

http://arxiv.org/abs/1606.00360

a third of - likely dynamic - blocks show low utilization

slide-25
SLIDE 25

s p a t i

  • t

e m p

  • r

a l u t i l i z a t i

  • n

traffic contribution r e l a t i v e h

  • s

t c

  • u

n t

Summary

Philipp Richter | INET / TU Berlin 17

http://arxiv.org/abs/1606.00360

  • Comprehensive study of IPv4 address activity
  • Metrics “beyond” binary notion of IPv4 activity
  • Can inform: Network operations, address [re]assigment
  • Can inform: Network security and host reputation

Figure: active /24 address blocks

  • Spatio-temporal utilization
  • Traffic contribution
  • Relative host count
slide-26
SLIDE 26

Backup: IPv4 Traffic Consolidation

Philipp Richter | INET / TU Berlin

http://arxiv.org/abs/1606.00360 months [2015] % traffic share of top 10% IPs 49 50 51 52 53 01 06 12 weekly moving average (4 weeks)

slide-27
SLIDE 27

Backup: Churn Visibility in BGP

Philipp Richter | INET / TU Berlin

http://arxiv.org/abs/1606.00360 1 day 7 days 28 days aggregation window size % events correlated with BGP change 0.0 0.5 1.0 1.5 2.0 2.5 up events down events active (no change)

slide-28
SLIDE 28

Backup: Classification ICMP-only IPs

Philipp Richter | INET / TU Berlin

http://arxiv.org/abs/1606.00360

ASes (N=2k) BGP prefixes (N=55k) /24s (N=495k) IPs (N=77m) 0.0 0.2 0.4 0.6 0.8 1.0 server server/router router unknown

server identification: ZMap scans HTTP(S), POP3(S), IMAP(S) router identification: Ark, TTL exceeded received

ASes (N=51k) BGP prefixes (N=460k) /24s (N=6m) IPs (N=950m) 0.0 0.2 0.4 0.6 0.8 1.0 CDN only CDN & ICMP ICMP only

Visibility CDN/ICMP ICMP-only hosts

slide-29
SLIDE 29

Backup: IPv6 /64 Growth

Philipp Richter | INET / TU Berlin

http://arxiv.org/abs/1606.00360

Mar-2014 Apr-2014 May-2014 Jun-2014 Jul-2014 Aug-2014 Sep-2014 Oct-2014 Nov-2014 Dec-2014 Jan-2015 Feb-2015 Mar-2015 Apr-2015 May-2015 Jun-2015 Jul-2015 Aug-2015 Sep-2015 Oct-2015 Nov-2015 Dec-2015 Jan-2016 Feb-2016 Mar-2016 200 M 400 M Active WWW client IPv6 /64 count