As crippling economic sanctions are poised to be lifted by the United States, Iran is starting to emerge from its isolation as a regional and, in a very limited sense, global Internet player. Iran continues to methodically build out its Internet infrastructure, working on its domestic connectivity (including IPv6), providing service to neighboring countries (such as Iraq and Afghanistan), stockpiling limited IPv4 address space, and providing a strategic terrestrial alternative to vulnerable submarine cables.
Recently, Iran began hosting a root DNS server, thereby potentially providing this critical service to the rest of the world. In this blog, we’ll explore some of these latest developments and their challenges. In November, European Internet registrar RIPE will hold its regional operator meeting (MENOG) in Tehran, where attendees from around the world will learn firsthand about recent developments in the fast-growing Iranian Internet.
K-root Debuts in Iran
As most readers of this blog will know, when you access any resource on the Internet by name (e.g., www.cnn.com), your computer must first convert this name into an IP address (e.g., 18.104.22.168), which it then uses to gain access to the resource you’ve requested. The process of converting names to IP addresses relies on a distributed hierarchy of servers, each responsible for only a subset of names, with the root name servers at the top of this heap. The root servers tell you how to reach the top-level domains, like .com, .gov, or .uk, and from there you can work your way down the hierarchy to find what you want. This is why the root name servers are so important. They are the starting point for navigating the Internet. There are 13 root server IP addresses — each of which is known by a single letter (A through M) — and there are hundreds of instances of these servers, distributed throughout the world.
A few weeks ago, we noticed an instance of the K-root appearing in Iran, filling in an important geographic gap in root server coverage, as shown below.
The route to the K-root in Iran makes its way into the global routing table via the Telecommunications Infrastructure Company, TIC (formerly, DCI), the country’s incumbent telecommunications provider. Although TIC attempts to limit propagation of this route (via prepending its AS four times in the corresponding BGP announcement), it is accepted by Omantel, one of TIC’s international providers, and from there propagates out to the rest of the Internet. A routing-level map of Iran’s Internet is shown below, highlighting the importance of TIC (AS48159 and AS12880, red ovals) to the country’s connectivity.
Once Iran’s K-root route makes it outside the country, it is free to be picked up (or not) by any service provider anywhere in the world — exactly as intended. We’re seeing routes to Iran from major economies as diverse as India and the United States. In fact, two of India’s major providers, Bharti Airtel (AS9498) and Tata Communications (AS4755), carry this route. The next two graphics illustrate the move from India and Russia to Tehran for K-root service from providers in Mumbai and Delhi, India, along with a considerable decrease in performance.
Unfortunately, along with the decrease in performance to the K-root in Iran, we’re also observing an extremely high rate of failure to answer DNS queries, presumably due to congested international links or, perhaps, overloaded DNS root servers. We’re not the first to observe DNS traffic leaving India for Iran, despite the existence of quite a few root nameservers in India, including the K root. That’s just how Internet routing works sometimes — there should be no expectation of geographic locality for your Internet traffic. (In particular, there is considerable uncertainty around anycast routing. See our presentation here for more details.)
What is bad is that route to RIPE’s K root from AS4755 is going outside India and not to the instance in Noida.
— Anurag Bhatia (@anurag_bhatia) August 24, 2015
Staying with India as an example, we next consider Dyn’s servers in Bangalore, Chennai, Delhi and Mumbai. Some of these servers are routed to the K-root in Iran, while others are routed to K-root servers in other locations. (We’ll call the latter set our control group.) From both of these two sets of servers, we ran numerous queries to all of the 13 root servers over the course of a day and recorded the answers and the failures. While all of the root servers showed some very low levels of failure from India, only the K-root instance in Iran consistently failed to respond. Failure rates for this Iranian server can consistently hover around 50%, which is terrible by any standard.
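The comparison described above, as an added example (this is not Dyn's measurement code): vantage points are split by whether their AS path to the K-root prefix transits TIC, with prepended copies collapsed first, and per-root failure rates are then compared against the control group. All paths and query outcomes are constructed, and ASNs 64500-64511 are documentation placeholders for networks whose AS numbers the post does not give.

```python
from collections import defaultdict

TIC_ASNS = {48159, 12880}  # TIC's two ASNs, as given in the post

# Constructed sample data. 64500-64511 are documentation ASNs standing in for
# the international carrier, other transit networks and the K-root origin AS.
TIC_X5 = [48159] * 5       # TIC's AS once plus four prepended copies
VANTAGES = {               # vantage -> AS path towards the K-root prefix
    "mumbai-1":    [4755, 64500] + TIC_X5 + [64511],
    "delhi-1":     [9498, 64500] + TIC_X5 + [64511],
    "chennai-1":   [64501, 64511],
    "bangalore-1": [64502, 64511],
}
QUERIES = (                # (vantage, root letter, answered?)
    [("mumbai-1", "K", ok) for ok in (True, False, False, True)]
    + [("delhi-1", "K", ok) for ok in (False, True, True, False)]
    + [(v, "K", True) for v in ("chennai-1", "bangalore-1") for _ in range(4)]
    + [(v, "A", True) for v in VANTAGES for _ in range(4)]
)

def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs; also return {asn: prepended copies}."""
    collapsed, extra = [], defaultdict(int)
    for asn in as_path:
        if collapsed and collapsed[-1] == asn:
            extra[asn] += 1
        else:
            collapsed.append(asn)
    return collapsed, dict(extra)

def group_of(as_path):
    """'iran' if the K-root path transits TIC, otherwise 'control'."""
    return "iran" if TIC_ASNS & set(collapse_prepends(as_path)[0]) else "control"

def failure_rates(vantages, queries):
    """Return {(group, root): fraction of queries that got no answer}."""
    sent, lost = defaultdict(int), defaultdict(int)
    for vantage, root, answered in queries:
        key = (group_of(vantages[vantage]), root)
        sent[key] += 1
        lost[key] += 0 if answered else 1
    return {key: lost[key] / sent[key] for key in sent}

def outliers(rates, margin=0.2):
    """Roots where the 'iran' group fails more often than control by > margin."""
    return sorted(root for (group, root), rate in rates.items()
                  if group == "iran"
                  and rate - rates.get(("control", root), 0.0) > margin)

if __name__ == "__main__":
    rates = failure_rates(VANTAGES, QUERIES)
    print(rates, outliers(rates))
```

Querying every root letter from both groups is what separates a problem with one anycast instance from a problem with the vantage point's own connectivity: only a root whose failure rate diverges from the control group is reported.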
On the bright side, unlike the case when Chinese root nameservers were globally reachable, we see no evidence of Iranian censorship via poisoned DNS responses. When the K-root in Iran does respond, it faithfully provides the correct answers.
Western Connectivity into Iran
In perhaps the most surprising recent development, on 10 June 2015, we observed McLean, Virginia-based GTT Communications (GTT) initiating service into Iran via the Gulf Bridge International (GBI) cable. As shown below, GBI runs a submarine cable system linking up the Gulf region to Europe and Asia, and maintains a cable landing in the port city of Bushehr, Iran. In addition, GBI has publicly announced their partnership with GTT.
GTT & GBI held strategic discussion&chartered action plan on how to position value-added services across Middle East pic.twitter.com/LCuTC35jTw
— GBI (@GBI_Network) May 12, 2015
The next graphic illustrates the transit percentages for Iran’s TIC (AS48159) over time, as computed by Dyn’s IP Transit Intelligence product. The percentage of routes carried by GTT (AS3257) grows quickly after its introduction, at the expense of a number of its competitors. (This plot includes a normalized (upper) and absolute (lower) representation of the amount of routed address space announced through TIC’s various international carriers over recent months.)
The following example trace illustrates the path from GTT into Iran via the GBI gateway. Routers on Iran’s border are often unresponsive to trace probes and are indicated here at hops 14 — 18 with *’s.
Iran Buying and Selling IPv4 Address Space
As we’ve noted previously, Iran has been an active participant in the IPv4 transfer market, recently acquiring nearly two million addresses of this increasingly scarce commodity. (Iran has acquired nearly 800,000 IPv4 addresses since we first broke this story in April and it was covered by the Washington Post.) Iran is also an exporter, having transferred some of their address space to Syria, as shown on RIPE’s IPv4 transfer page, a snippet of which is reproduced below.
None of this space was routed before being acquired by the Syrians, but is now originated by STE, Syrian Telecommunications Establishment (AS29256). Regardless of the penetration of IPv6 (still low by any objective standard), when most of the world’s content and users remain exclusively on IPv4 and its very limited pool of available addresses, IPv4-rich nations will continue to have a decided advantage over those who are IPv4-poor.
While Iran is making all of the right strategic moves, it still has a long way to go to become much of a global or even regional player on the Internet. Despite being in an ideal central geographic location in the Middle East, Iran has few customers outside the country. And, as our K-root example illustrates, performance into the country remains quite poor, undoubtedly inhibiting the growth of Iran’s Internet economy. Were it not for economic sanctions against the country, it would certainly be better-connected to the regional and global Internet.
But there is no magic to discovering Internet connectivity and performance issues and then fixing them. With a globally diversified sensor network, good tools and detailed analysis, anyone can explore the pathways and problems that Internet traffic encounters as it flows from place to place. Dyn’s Internet Intelligence family of products puts sophisticated Internet infrastructure mapping, measurement, and monitoring technology in the hands of IT professionals. Try it for yourself!
A translation of this blog is available in Farsi courtesy of ASL19:
Recently Iran has begun hosting a DNS root server, and in this way makes this critical service available to the rest of the world. https://t.co/ZsXB11sgJt
— ASL19 (@aslnoozdah) October 5, 2015
Please see follow-up analysis by Anurag Bhatia and RIPE Labs:
— Anurag Bhatia (@anurag_bhatia) October 5, 2015
— Mirjam (RIPE Labs) (@mir_ripe_labs) September 30, 2015