**Session Date/Time:** 10 Nov 2022 13:00

# maprg

## Summary

The maprg session featured a diverse set of research presentations covering various aspects of Internet measurement and analysis. Discussions included a distributed BGP prefix de-aggregation attack, passive measurement techniques for QUIC, the web performance impact of DNS over QUIC (DoQ), an empirical analysis of Starlink's performance, the challenges of detecting and attributing IPv6 scanning, insights into IoT device security, a meta-analysis of the IETF standardization process, and an assessment of the Russia-Ukraine conflict's impact on Russian domain infrastructure. Common themes included the importance of longitudinal studies, the evolving landscape of Internet protocols (IPv6, QUIC), and the challenges of security and attribution in a complex global network.

## Key Discussion Points

* **Kirin: Revisiting the Prefix De-aggregation Attack (Paweł Foremski)**
  * Presented a revisited prefix de-aggregation attack against BGP, in which an attacker floods the global routing table with more-specifics of address space it legitimately holds. The attack is made easier by IPv6, by distributed BGP sessions, and by RPKI, which does not stop it: an attacker who holds the covering prefix can publish ROAs that make the more-specifics pass route-origin validation instead of being filtered.
  * A single IPv6 /29 allocation splits into 2^19 = 524,288 /48s, so a few such allocations yield millions of routes, and remote BGP peering services let the announcements originate from many distributed sessions.
  * Simulations and lab experiments showed that modern routers can be crashed with millions of IPv6 routes, which leaves little headroom given current global routing table sizes.
  * **Recommendations:** Implement dynamic max-prefix limits, add new limits on routes originated per AS and on more-specifics per assigned block, and apply sanity checks beyond the values published in PeeringDB.
  * **Q&A:** Emphasized responsible disclosure.
* **Passive Measurement of QUIC and Hypergiant Deployments (Jonas Mücke)**
  * Investigated what passive measurement of QUIC backscatter traffic reveals about hypergiant content-serving infrastructure (layer-7 load balancers).
  * Observed distinct retransmission patterns and structured Connection IDs (CIDs) used by hypergiants such as Facebook, whose CIDs encode a version, a host ID, a worker ID and a process ID.
  * This structured CID lets a layer-4 load balancer route a migrating client's packets to the right server without shared state, and it also allows off-net servers to be fingerprinted.
  * Active measurements revealed clusters of virtual IP addresses sharing layer-7 load balancers.
  * **Conclusion:** Passive measurements are an effective and non-intrusive way to understand hypergiant QUIC deployments.
  * **Q&A:** Discussed the non-intrusive nature of the method (including for competitor analysis) and the fact that randomized CIDs would obscure internal infrastructure.
* **DNS Privacy with Speed: Web Performance Impact of DoQ (Robin Marx)**
  * Presented an analysis of the web performance impact of DNS over QUIC (DoQ) compared to DNS over UDP (DoUDP), DNS over TLS (DoT) and DNS over HTTPS (DoH).
  * **Findings:** DoQ performs significantly better than DoH (often halving the performance penalty) but is still slightly slower than DoUDP because of the 1-RTT handshake; no 0-RTT was observed in deployments.
  * For simple web pages, DoQ was ~10% slower than DoUDP; for complex pages with many DNS lookups the difference shrank to ~2%, as the connection setup cost is amortized over the lookups.
  * **Implementation Status:** All measured DoQ servers supported session resumption, but none supported 0-RTT, and many were not on the latest protocol version, suggesting non-production deployments.
  * **Future Work:** Scaling up the measurements, leveraging 0-RTT for DoQ, and comparing against DNS over HTTP/3 (DoH3).
  * **Q&A:** Concerns were raised about poor DoQ server configurations (e.g. QUIC Retry always enabled, which costs an extra round trip; session resumption offered without 0-RTT, which makes connections linkable while saving no round trip) and about the need for fair comparisons against production-grade DoH3.
* **A First Look at Starlink Performance (François Michel)**
  * Evaluated Starlink's performance against traditional wired and geostationary satellite Internet access from a vantage point in Belgium.
  * **Findings:** Starlink performs surprisingly close to the wired (fast Ethernet) reference link, with a minimum added latency of 20 ms (median 50 ms on an idle link).
  * Observed significant bufferbloat under heavy HTTP/3 (QUIC) load, with RTTs more than doubling.
  * Packet losses occurred even under light load, in long bursts (dozens of packets), likely because the antenna loses track as satellites move.
  * **Methodology:** QUIC's explicit packet numbers were invaluable for studying latency and loss bursts.
  * **Q&A:** The measured RTT variation was lower than the theoretical variation of the satellite path, suggesting compensation in the ground segment. BBR was noted to significantly outperform CUBIC on Starlink, reaching much higher throughput. The timing and location of measurements matter because of the dynamic nature of the constellation.
* **Illuminating Large-Scale IPv6 Scanning (Philipp Richter)**
  * Presented the first longitudinal study of large-scale IPv6 scanning, based on CDN firewall logs and public traffic traces.
  * **Findings:** IPv6 is actively being scanned, with 10-100 weekly active sources detected (far fewer than in IPv4, but present).
  * Scanning is heavily concentrated in a few cloud/data-center ASNs, with a mysterious, continuously active source (likely in China) topping the list.
  * IPv6 scans often target many ports, suggesting broad reconnaissance rather than exploitation of a specific vulnerability.
  * **Challenge:** Identifying and attributing IPv6 scan sources is hard because of the flexibility of address assignment. Aggregating too little (e.g. at /128) misses scans distributed across many addresses, while aggregating too much (e.g. at a cloud provider's /32) lumps scanners together with legitimate users and causes collateral damage if the aggregate is used for blocking.
  * **Q&A:** Confirmed the low volume of IPv6 scanning compared to IPv4 and the current absence of IPv6 botnets, but highlighted the attribution challenge should IPv6 botnets emerge.
* **IoT Security by the Numbers (Leslie Daigle)**
  * Discussed the scope of IoT attacks based on data from the Global Cyber Alliance's honey farm, primarily in the IPv4 space.
  * **Findings:** Honeypots receive ~5,000 attacks per day. Many attacks originate from Tor-like VPN services, implicating unsuspecting home users.
  * **Phase 1 (Passwords):** Devices with non-default passwords were never cracked, while devices with default passwords were cracked ~80 times, demonstrating the effectiveness of basic password hygiene.
  * **Phase 2 (Software Stacks):** Two-thirds of attacks targeted software stacks (e.g. PHP, SQL), attempting to exploit known vulnerabilities (e.g. in old Boa web servers). Up-to-date software and strong passwords significantly reduced both attack success and attacker interest.
  * **Conclusion:** Device security (updatable firmware, non-default passwords) is crucial, and a long tail of devices running outdated, vulnerable software remains a significant problem. Regulation might help, but addressing attacks at the source network and developing network monitoring tools are also vital.
  * **Q&A:** Encouraged collaboration with interested parties.
* **Covetus IETF: Measuring IETF Ossification (Ignacio Castro)**
  * Presented a meta-measurement of the IETF standardization process using RFCs, mailing-list emails and drafts to detect potential "ossification."
  * **Findings:**
    * Fewer email participants generate a stable number of emails, indicating a "chattier" environment among fewer individuals.
    * The IETF appears more cohesive, with a growing largest connected component of participants.
    * An influential minority increasingly dominates email discussions and draft production, and it takes longer for new participants to gain influence.
    * Conversations are becoming more complex, with more RFCs discussed across more areas.
    * The publication process is harder: it takes three times longer and requires more drafts to publish an RFC, attributed to more authors, institutions and countries being involved.
  * **Overall Takeaway:** The IETF relies heavily on an influential minority, publishing is more complex, and the process is slower.
  * **Ongoing Work:** Building a recommendation tool for draft reviewers.
  * **Q&A:** No time for questions; the presenter encouraged direct contact.
* **Where.ru: Assessing the Impact of Conflict on Russian Domain Infrastructure (Gautam Akiwate)**
  * Empirically assessed the impact of the Russia-Ukraine conflict, Western sanctions and Russian Internet-sovereignty efforts on the infrastructure behind Russian domains (.ru and .рф).
  * **Findings (Hosting & DNS):** A significant portion of Russian Internet infrastructure had already been repatriated (made fully Russian) by 2017 because of pre-existing sovereignty drives. After the outbreak of the conflict only a minor shift occurred, with some sanctioned domains moving from partly to fully Russian as Western providers cut ties (e.g. NetNod, Cedar).
  * **Findings (Web PKI/Certificates):** This was the most affected area. Let's Encrypt (a U.S. entity) became almost completely dominant (rising from 91% to 99.23%) as other Certificate Authorities stopped issuing for Russian domains. Despite Russia launching its own root CA, uptake was very low, with most domains preferring Let's Encrypt.
  * **Conclusion:** While hosting and DNS were largely insulated by prior repatriation efforts, the Web PKI showed significant exposure and an unexpected reliance on foreign (U.S.) infrastructure for certificates.
  * **Q&A:** Discussed the difficulty of distinguishing a governmental drive for Internet sovereignty from naturally domestic supply chains driven by language and currency.

## Decisions and Action Items

* No formal decisions were made by the Research Group.
* **Action for Authors:** Authors were encouraged to engage with the audience on standards and operational perspectives, and to provide contact information for further discussion and collaboration.
* **Action for Participants:** Participants were encouraged to read the papers for details and to contact authors directly about collaboration, especially on projects such as the Starlink measurements or the IETF process analysis.

## Next Steps

* **LEO Satellite ISP Testbed:** A short IMC paper announced the creation of a testbed for Low Earth Orbit satellite ISP systems. Contact Muhammad (details in the IMC paper) for more information and for the LEOCON bi-monthly webinar series.
* **DNS Privacy with Speed:** Future work includes increasing the scale of the DoQ measurements, exploring 0-RTT support, and evaluating DNS over HTTP/3 (DoH3).
* **Starlink Performance:** Future work involves multi-vantage-point studies, inter-satellite link studies, and benchmarking against GEO satellite access, with all data publicly available for collaboration.
* **IoT Security:** Continued efforts to develop tools and techniques to monitor and manage networks with IoT devices, aiming for an "Automated IoT Defense Ecosystem."
* **IETF Ossification:** Ongoing work includes building a recommendation tool for draft reviewers and further research into the drivers of IETF dynamics.
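The per-block limit recommended in the Kirin presentation, worked through as an added example (this is not code from the Kirin authors or from these minutes). It counts how many more-specifics an origin AS announces inside each of its assigned blocks and flags blocks over a budget, and it also computes how many /48s a /29 can be split into. The assignments (documentation space), the announced routes and the budget are all constructed for the example.

```python
"""Per-block more-specifics budget check, in the spirit of the Kirin
recommendations. Added example: not code from the Kirin authors or the
maprg minutes. Assignments, routes and the budget are constructed."""
import ipaddress
from collections import defaultdict
from itertools import islice

# Constructed RIR-style assignments (documentation space, not real allocations):
# covering block -> ASN that holds it. A /48 is carved out of the /29 and
# assigned to a second ASN to exercise the longest-match lookup.
ASSIGNMENTS = {
    ipaddress.ip_network("2001:db8::/29"): 64500,
    ipaddress.ip_network("2001:db8:8::/48"): 64501,
}


def subprefix_count(block: str, new_prefix: int) -> int:
    """Number of routes of length new_prefix that fit inside block."""
    net = ipaddress.ip_network(block)
    if new_prefix < net.prefixlen:
        raise ValueError("new_prefix must not be shorter than the block")
    return 2 ** (new_prefix - net.prefixlen)


def covering_assignment(route):
    """Longest-match lookup of the assigned block containing route (None if unassigned)."""
    best = None
    for block in ASSIGNMENTS:
        if route.subnet_of(block) and (best is None or block.prefixlen > best.prefixlen):
            best = block
    return best


def check_announcements(routes, budget: int) -> dict:
    """Count more-specifics per assigned block and flag blocks over budget.

    routes is an iterable of (prefix, origin_asn). A route is a more-specific
    when it is longer than the assigned block that covers it. Routes with no
    covering assignment, or originated by an ASN other than the holder, are
    reported separately instead of being counted."""
    counts = defaultdict(int)
    unassigned, wrong_origin = [], []
    for prefix, origin in routes:
        route = ipaddress.ip_network(prefix)
        block = covering_assignment(route)
        if block is None:
            unassigned.append(prefix)
        elif ASSIGNMENTS[block] != origin:
            wrong_origin.append((prefix, origin))
        elif route.prefixlen > block.prefixlen:
            counts[str(block)] += 1
    return {
        "counts": dict(counts),
        "over_budget": sorted(b for b, n in counts.items() if n > budget),
        "unassigned": unassigned,
        "wrong_origin": wrong_origin,
    }


def kirin_like_batch(n: int):
    """Constructed announcement set: the /29 plus its first n /48s, all from AS64500."""
    block = ipaddress.ip_network("2001:db8::/29")
    routes = [(str(block), 64500)]
    routes += [(str(sub), 64500) for sub in islice(block.subnets(new_prefix=48), n)]
    return routes


if __name__ == "__main__":
    print(subprefix_count("2001:db8::/29", 48))  # 524288 /48s inside one /29
    batch = kirin_like_batch(5) + [("2001:db8:8:1::/64", 64500), ("2001:dc0::/32", 64502)]
    for key, value in check_announcements(batch, budget=4).items():
        print(key, value)
```

The budget is applied per assigned block rather than per BGP session, which is what makes it catch announcements spread over many remote peering sessions; a per-session max-prefix limit sees only its own slice of the batch.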
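The structured-CID fingerprinting discussed in the passive QUIC measurement presentation, and the Q&A point that randomized CIDs defeat it, as an added example (not code from the presentation's authors, from these minutes, or from any hypergiant). The CID length and the field layout below are assumptions made for the example, loosely modeled on the published mvfst server CID scheme; the real widths and bit positions must be taken from the implementation under study. The observed CIDs are constructed with a seeded generator.

```python
"""Structured QUIC Connection ID parsing and a check for whether observed CIDs
look structured or random. Added example, not code from the presentation's
authors, the maprg minutes or any hypergiant. The field layout below is an
assumption chosen for the example (loosely modeled on the published mvfst
server CID scheme); real widths and bit positions must be taken from the
implementation being studied."""
import math
import random
from collections import Counter

CID_LEN = 8                                      # bytes; assumed for this example
LAYOUT = [("version", 2), ("host_id", 16), ("worker_id", 8), ("process_id", 1)]
FIXED_BITS = sum(width for _, width in LAYOUT)   # 27 bits of structure
TAIL_BITS = CID_LEN * 8 - FIXED_BITS             # 37 bits the server fills randomly


def make_cid(version, host_id, worker_id, process_id, tail) -> bytes:
    """Pack the fields big-endian, most significant first, followed by the random tail."""
    value = 0
    for (name, width), field in zip(LAYOUT, (version, host_id, worker_id, process_id)):
        if field >= 1 << width:
            raise ValueError(f"{name} does not fit in {width} bits")
        value = (value << width) | field
    value = (value << TAIL_BITS) | (tail & ((1 << TAIL_BITS) - 1))
    return value.to_bytes(CID_LEN, "big")


def parse_cid(cid: bytes) -> dict:
    """Extract the assumed fields from a CID; the random tail is returned as an int."""
    if len(cid) != CID_LEN:
        raise ValueError("unexpected CID length")
    value = int.from_bytes(cid, "big")
    remaining = CID_LEN * 8
    fields = {}
    for name, width in LAYOUT:
        remaining -= width
        fields[name] = (value >> remaining) & ((1 << width) - 1)
    fields["tail"] = value & ((1 << TAIL_BITS) - 1)
    return fields


def cluster_by_host(cids) -> Counter:
    """Group observed CIDs by host ID: the server fingerprint the talk describes."""
    return Counter(parse_cid(c)["host_id"] for c in cids)


def byte_entropies(cids) -> list:
    """Shannon entropy (bits) of each byte position across the observed CIDs.
    Positions holding fixed fields stay near 0; random positions approach log2(samples)."""
    n = len(cids)
    out = []
    for i in range(CID_LEN):
        counts = Counter(c[i] for c in cids)
        out.append(-sum(k / n * math.log2(k / n) for k in counts.values()))
    return out


def sample_cids(n: int, seed: int = 7):
    """Constructed observations: structured CIDs from three hosts, and fully random ones."""
    rng = random.Random(seed)
    structured = [make_cid(1, rng.choice([1, 2, 3]), rng.randrange(4), rng.randrange(2),
                           rng.getrandbits(TAIL_BITS)) for _ in range(n)]
    randomized = [rng.getrandbits(CID_LEN * 8).to_bytes(CID_LEN, "big") for _ in range(n)]
    return structured, randomized


if __name__ == "__main__":
    structured, randomized = sample_cids(200)
    print("hosts seen:", cluster_by_host(structured))
    print("structured:", [round(h, 1) for h in byte_entropies(structured)])
    print("randomized:", [round(h, 1) for h in byte_entropies(randomized)])
```

The entropy profile is the quick test a measurement study would run before trusting a parsed layout: leading bytes with near-zero entropy across many connections are a strong sign of encoded server identity, while a flat profile at the high end means the operator randomizes CIDs and no host clustering is possible.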
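The Starlink presentation relied on QUIC's explicit packet numbers to measure loss bursts. The following added example (not the authors' code) shows that analysis on a constructed arrival trace: packets that never arrive below the highest number seen are counted as lost and grouped into bursts, while a reordered packet that arrives late is recognized as delivered rather than lost.

```python
"""Loss-burst extraction from QUIC packet numbers, the kind of analysis the
Starlink talk relied on. Added example, not the authors' code; the packet
trace is constructed, not a Starlink capture."""


def loss_bursts(received):
    """Return (start_pn, length) for every run of packet numbers missing from received.

    received: packet numbers seen in a capture, in arrival order. Numbers in a
    QUIC packet-number space are unique and sent in increasing order, so any
    number below the highest seen that never arrived was lost on the path.
    Reordered packets arrive late but still arrive, so they are not in the
    missing set; numbers above the highest received cannot be classified yet
    and are ignored."""
    seen = set(received)
    if not seen:
        return []
    lo, hi = min(seen), max(seen)
    bursts = []
    start = None
    for pn in range(lo, hi + 1):
        if pn not in seen:
            if start is None:
                start = pn
        elif start is not None:
            bursts.append((start, pn - start))
            start = None
    return bursts


def loss_summary(received):
    """Loss rate over [lowest, highest] and burst-length statistics."""
    bursts = loss_bursts(received)
    seen = set(received)
    span = max(seen) - min(seen) + 1 if seen else 0
    lengths = sorted(length for _, length in bursts)
    lost = sum(lengths)
    return {
        "packets_in_span": span,
        "lost": lost,
        "loss_rate": lost / span if span else 0.0,
        "bursts": len(bursts),
        "max_burst": lengths[-1] if lengths else 0,
        "isolated_losses": sum(1 for length in lengths if length == 1),
    }


def reordered(received):
    """Packet numbers that arrived after a higher-numbered packet (late, not lost)."""
    late, highest = [], -1
    for pn in received:
        if pn < highest:
            late.append(pn)
        highest = max(highest, pn)
    return late


def constructed_trace():
    """Constructed arrival sequence: 1000 packets with one isolated loss (pn 50),
    one burst of 30 losses (pn 400-429), and pn 700 delivered after 701 and 702."""
    pns = [pn for pn in range(1000) if pn != 50 and not 400 <= pn <= 429]
    i = pns.index(700)
    pns[i], pns[i + 1], pns[i + 2] = 701, 702, 700
    return pns


if __name__ == "__main__":
    trace = constructed_trace()
    print(loss_bursts(trace))   # [(50, 1), (400, 30)]
    print(reordered(trace))     # [700]
    print(loss_summary(trace))
```

Separating isolated losses from long bursts is what lets a study attribute losses to a cause: a burst of dozens of consecutive packet numbers under light load points at the link (the antenna losing track of a satellite), whereas scattered single losses under heavy load point at queue overflow.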
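The aggregation trade-off raised in the IPv6 scanning presentation, worked through as an added example (not the authors' code or tooling). Constructed firewall log lines contain a scanner that spreads its probes over 50 addresses of one /64, each touching only two targets, plus 20 legitimate clients in a neighbouring /64 of the same provider /32. Aggregating sources at /128, /64 and /32 shows the scanner missed, then caught cleanly, then caught together with the legitimate clients that a /32 block would also cut off. The log format and the target-count threshold are assumptions made for the example.

```python
"""Scan-source aggregation at different IPv6 prefix lengths, showing the
trade-off the IPv6 scanning talk describes: too little aggregation misses a
scanner spread over many addresses, too much aggregation blocks legitimate
users sharing a cloud provider's /32. Added example, not the authors' code;
the firewall log lines are constructed and their format is assumed."""
import ipaddress
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>[0-9a-f:]+) -> (?P<dst>[0-9a-f:]+) (?P<port>\S+)$")


def parse_log(lines):
    """Yield (src, dst, port) from constructed firewall lines; skip malformed ones."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), m.group("port")


def aggregate(events, prefixlen):
    """Map each source to its covering prefix of length prefixlen; collect distinct targets."""
    targets = defaultdict(set)
    for src, dst, port in events:
        key = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        targets[str(key)].add((dst, port))
    return targets


def scan_candidates(events, prefixlen, min_targets):
    """Prefixes whose sources together touched at least min_targets distinct (dst, port) pairs."""
    return sorted(p for p, t in aggregate(events, prefixlen).items() if len(t) >= min_targets)


def collateral(candidates, legitimate_sources):
    """Legitimate sources that a block list built from candidates would also cover."""
    nets = [ipaddress.ip_network(p) for p in candidates]
    return sorted(s for s in legitimate_sources
                  if any(ipaddress.ip_address(s) in n for n in nets))


def constructed_log():
    """Constructed log: a scanner using 50 addresses in one /64, each probing only two
    targets, plus 20 legitimate clients in a neighbouring /64 of the same provider /32
    that all talk to the same two services."""
    lines, legit = [], []
    for i in range(50):
        src = f"2001:db8:aaaa:1::{i + 1:x}"
        for k in (2 * i, 2 * i + 1):
            lines.append(f"2022-11-01T00:{i:02d}:00Z {src} -> 2001:db8:ffff::{k + 1:x} tcp/{22 + k % 3}")
    for j in range(20):
        src = f"2001:db8:aaaa:2::{j + 1:x}"
        legit.append(src)
        lines.append(f"2022-11-01T01:00:{j:02d}Z {src} -> 2001:db8:ffff:1::{j % 2 + 1:x} tcp/443")
    lines.append("garbage line that should be skipped")
    return lines, legit


if __name__ == "__main__":
    lines, legit = constructed_log()
    events = list(parse_log(lines))
    for plen in (128, 64, 32):
        cands = scan_candidates(events, plen, min_targets=10)
        print(f"/{plen}: candidates={cands} collateral={len(collateral(cands, legit))}")
```

In practice the right aggregation length differs per network, which is the attribution problem the talk raises: a /64 is one customer at a residential ISP but may be one VM or one address at a cloud provider, so any fixed prefix length is wrong somewhere, and a block list derived from these aggregates should be checked against known legitimate traffic from the same prefixes before deployment.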