
Maybe it could be set up on a voluntary basis, so that you would have to opt in to get hijack protection? That would also bound the scope of the measurements you would need, and make the fingerprinting simpler.

Notional design
1. ISP that wants to be protected publishes an IP address and a public key for a test host
2. Probe node sends a packet to test host IP address with a nonce
3. Test host responds with signature over nonce
4. Probe node knows hijack is not happening if
   (1) Signature over nonce is valid under the public key, and
   (2) Latency is not significantly higher

The signature would guarantee that the hijacker wouldn't be able to trivially fake responses. The latency check helps address the case where the hijacker can get real signatures from the real test host (e.g., via a peer).

I went ahead and threw a prototype up on GitHub. Only 43 lines of Python!
<https://github.com/bifurcation/hijack-nonces>

On Apr 18, 2013, at 10:21 AM, Randy Bush <randy@psg.com> wrote:
When I talk about "behavior" I'm including everything under the umbrella of OS fingerprinting, network service fingerprinting, etc.
some folk consider these invasive
randy
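
The probe-side decision from the notional design above, as an added example (not part of the original message and not the prototype linked in it). It runs in-process with no network traffic; the toy RSA key, the 1.5x-median latency threshold, the RTT values and all function names are assumptions made for illustration.

```python
import hashlib, os, statistics

# Toy textbook-RSA key built from two Mersenne primes (constructed, insecure,
# unpadded). It stands in for the test host's published key pair only so the
# example runs with the standard library; use a real scheme such as Ed25519.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def host_sign(nonce: bytes) -> int:
    """Step 3: the test host signs the probe's nonce with its private key."""
    return pow(_digest(nonce), D, N)

def sig_valid(nonce: bytes, sig: int) -> bool:
    """Check (1): the signature verifies over *this* nonce under the public key."""
    return pow(sig, E, N) == _digest(nonce)

def latency_ok(rtt_ms, baseline_ms, factor=1.5):
    """Check (2). 'Significantly higher' is taken here to mean more than
    `factor` times the median of earlier RTTs (an assumed threshold)."""
    return rtt_ms <= factor * statistics.median(baseline_ms)

def classify(nonce, sig, rtt_ms, baseline_ms):
    if not sig_valid(nonce, sig):
        return "ALERT: bad signature"
    if not latency_ok(rtt_ms, baseline_ms):
        return "ALERT: valid signature, abnormal latency"
    return "ok"

def demo():
    baseline = [41.8, 40.2, 43.5, 42.1, 39.9]   # constructed RTT history, ms
    nonce = os.urandom(16)                       # step 2: fresh nonce per probe
    old_nonce = os.urandom(16)                   # nonce from an earlier probe
    return {
        "legit":    classify(nonce, host_sign(nonce), 42.7, baseline),
        "forged":   classify(nonce, 123456789, 12.0, baseline),
        "replayed": classify(nonce, host_sign(old_nonce), 12.0, baseline),
        "relayed":  classify(nonce, host_sign(nonce), 131.0, baseline),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s}{verdict}")
```

The "relayed" case is the one the latency check exists for: the signature is genuine because the real test host produced it, and only the extra round-trip time gives the detour away.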