Starting November 2018, I am on extended academic leave. This website, as well as contact information, etc. are no longer up-to-date. Please check for more information


Due to the ongoing migration to Jekyll, this page is still work in progress

IP-ID: Classifying IP-ID host behavior in the wild

Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detect router aliases and, lately, to assist detection of censorship in the Internet at large. These inferences have been possible since, in the past, the IP-ID was mostly implemented as a simple packet counter: however, this behavior has been discouraged for security reasons and other policies, such as random values, have been suggested. These policies can be inferred by leveraging two vantage points sending packets that arrived interleaved at the target host: the resulting sequences (denoted as constant, local, global, random and “odd”) are illustrated in the following pictures (where the two vantage points are represented as a white box and a purple circle).


In this page, we collect and make available useful resources concerning our IP-ID classification technique true , in particular:


In this page, we also make available results concerning the application of our IP-ID classification true technique to a broad Internet-wide census we perfomed in 2017, in particular: