Abstract
Online services often use IP addresses as client identifiers when enforcing access-control decisions. The academic community has typically eschewed this approach, however, due to the effect that NATs, proxies, and dynamic addressing have on a server's ability to identify individual clients. Yet, it is unclear to what extent these edge technologies actually impact the utility of using IP addresses as client identifiers. This paper provides some insights into this phenomenon. We do so by mapping out the size and extent of NATs and proxies, as well as characterizing the behavior of dynamic addressing. Using novel measurement techniques based on active web content, we present results gathered from 7 million clients over seven months. We find that most NATs are small, consisting of only a few hosts, while proxies are much more likely to serve many geographically-distributed clients. Further, we find that a server can generally detect if a client is connecting through a NAT or proxy, or from a prefix using rapid DHCP reallocation. From our measurement experiences, we have developed and implemented a methodology by which a server can make a more informed decision on whether to rely on IP addresses for client identification or to use more heavyweight forms of client authentication.
Original language | English (US) |
---|---|
Pages | 173-186 |
Number of pages | 14 |
State | Published - 2007 |
Externally published | Yes |
Event | 4th Symposium on Networked Systems Design and Implementation, NSDI 2007 - Cambridge, United States Duration: Apr 11 2007 → Apr 13 2007 |
Conference
Conference | 4th Symposium on Networked Systems Design and Implementation, NSDI 2007 |
---|---|
Country/Territory | United States |
City | Cambridge |
Period | 4/11/07 → 4/13/07 |
All Science Journal Classification (ASJC) codes
- Control and Systems Engineering
- Computer Networks and Communications