[arin-ppml] "Millions of Internet Addresses Are Lying Idle" (slashdot)

Michael Sinatra michael at rancid.berkeley.edu
Sat Oct 18 19:05:02 EDT 2008


On 10/18/08 2:22 PM, Leo Bicknell wrote:
> In a message written on Sat, Oct 18, 2008 at 09:01:17PM +0000, Paul Vixie wrote:
>> "The most comprehensive scan of the entire internet for several decades
>> shows that millions of allocated addresses simply aren't being
>> used. Professor John Heidemann from the University of Southern California
> 
> Unfortunately while I might even give him that this is the most
> comprehensive, I believe there are more than a few severe holes in
> it that mean it may not be representative.
> 
> A large problem is that many hosts will not respond to unsolicited
> ICMP, TCP, or other packets.

[snip]

I am seriously concerned about drawing any sort of conclusion from a 
study that has methodological holes like this.  Here's some language 
from the Technology Review article that sets off alarm bells for me:

> Sending an ICMP packet to another host (an action known as pinging) is generally not seen as hostile, Heidemann says. "There are certainly people who misunderstand what we are doing," and interpret it as the prelude to an attack, he says. "By request, we remove them from the survey, but it's fewer people than you might think. Pings are pretty innocuous."

It is my experience that people who are clueful enough to understand 
what ICMP does and that blocking ICMP often does more harm than good are 
a serious minority, especially when it comes to the population of people 
who run firewalls.  While I might agree with the notion that ICMP is 
innocuous, attributing that view to the rest of the networking and 
security community is dangerously deceptive.  It makes it sound as if 
most people let ICMP flow freely across borders when I think our 
experiences with network troubleshooting and PMTUD show otherwise.  If 
you contradict the assumption that ICMP is recognized as benign and 
treated as such by firewall admins, much of the *article's* conclusion 
goes out the window.

My *quick* reading of the study itself indicates to me that the study 
tries hard not to draw conclusions about address scarcity from the 
results.  (IPv6 is mentioned only once, and in passing.)  It appears to 
me (and from comments posted by one of the authors) that Technology 
Review played fast-and-loose with the study and drew conclusions that 
weren't there.

michael


