Information

Due to the ongoing migration to Jekyll, this page is still work in progress

IP-ID: Classifying IP-ID host behavior in the wild

Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detect router aliases and, lately, to assist detection of censorship in the Internet at large. These inferences have been possible since, in the past, the IP-ID was mostly implemented as a simple packet counter: however, this behavior has been discouraged for security reasons and other policies, such as random values, have been suggested. These policies can be inferred by leveraging two vantage points sending packets that arrived interleaved at the target host: the resulting sequences (denoted as constant, local, global, random and “odd”) are illustrated in the following pictures (where the two vantage points are represented as a white box and a purple circle).

Technique

In this page, we collect and make available useful resources concerning our IP-ID classification technique [PAM-18a] , in particular:

Results

In this page, we also make available results concerning the application of our IP-ID classification [PAM-18a] technique to a broad Internet-wide census we perfomed in 2017, in particular:

Datasets

Publications