Session Date/Time: 17 Mar 2026 06:00
MAPRG
IETF 120 - Measurement and Analysis for Protocols (maprg)
Session Date: July 24, 2024
Location: Vancouver, Canada
Chairs: Dave Plonka, Mirja Kühlewind
Summary
The MAPRG session at IETF 120 featured a series of technical presentations focusing on internet-scale measurements of core protocols, including DNS, RPKI, IPv6, Email delivery, X.509 certificates, and NTP. Many of the presentations were invited talks based on papers accepted for the Internet Measurement Conference (IMC) 2023 and 2024. The session highlighted systemic vulnerabilities in protocol implementations and suggested paths for standardization to mitigate discovered risks.
Key Discussion Points
1. Heads-up Talk: Measurement of Systemic DNS Resolver Vulnerabilities (Informing Six DNSOP I-Ds)
- Presenter: Yuxi Chen
- Technical Summary: The presentation detailed how ambiguities in DNS specifications lead to exploitable divergences in resolver implementations. The research identified six novel attacks (e.g., DNSBomb, NRB-Style) with high amplification factors.
- Mitigation: The work informs six drafts in the DNSOP working group covering cache delegation, query handling (specifically addressing RFC 7871), and packet preprocessing.
- Discussion: The presenter highlighted that these are not "bad coding" issues but "systematic attack surfaces" created when high-level principles lack standardized implementation checks.
2. Are you RPKI Ready: The Road Left to Full ROA Adoption
- Presenter: Deepak Kumar
- Technical Summary: While RPKI Route Origin Authorization (ROA) adoption has passed 50%, the prefixes that remain uncovered face significant technical and organizational hurdles. Issues include complex inter-organizational reallocations and the risk that a ROA issued for an aggregate invalidates more-specific sub-prefixes that are announced separately (for example by a customer).
- Findings: Approximately 20% of non-covered prefixes (notably in the ARIN region, including entities such as the US DoD) face high policy barriers and have not signed up for RPKI.
- Tooling: The researchers introduced a platform, "Are you RPKI Ready," to help operators navigate ROA planning and provide recommendations to avoid routing outages.
3. RScope: Unveiling Global ROV Deployments and Dependencies in the Post-ROV Era
- Presenter: Waitong
- Technical Summary: RScope is a framework designed to measure Route Origin Validation (ROV) deployment without relying on globally visible invalid prefixes. By using a custom publication point and selective ROA distribution to specific Relying Parties (RPs), the researchers can isolate which ASes are performing filtering.
- Findings: Many ASes rely on a single RP server, despite RFC recommendations for redundancy. Lower-ranked ASes typically benefit from upstream filtering rather than deploying ROV themselves.
- Discussion: Deepak Kumar queried how the system handles networks using multiple RPs that might have inconsistent ROA data. Waitong noted that while testing all combinations is difficult, they have identified several ASes that require consistency across RPs.
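Added illustration for talks 2 and 3 (this is editor-supplied example code, not from either paper or the "Are you RPKI Ready" platform): RFC 6811 origin validation over a constructed set of ROAs and routes. It shows the maxLength pitfall raised in talk 2, where a ROA for the aggregate invalidates a more-specific announcement that has no ROA of its own, and the consistency point from talk 3, where two Relying Parties holding different ROA sets give different verdicts for the same route. All prefixes and ASNs are documentation or private-use values.

```python
"""RFC 6811 Route Origin Validation over constructed ROAs and routes.

Added example, not code from either presentation. It shows the maxLength
pitfall from talk 2 (a ROA for the aggregate silently invalidates the
holder's own or a customer's more-specific announcement) and the point from
talk 3 that two Relying Parties with different ROA sets disagree about the
same route. Prefixes and ASNs are documentation/private-use values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix this ROA authorises (RFC 6482)
    asn: int          # authorised origin AS


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 section 2: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == route.version
                and route.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"          # no ROA covers this route at all
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"          # at least one covering ROA matches
    return "invalid"                # covered, but no ROA matches AS + length


def roa_impact(candidate_roas, routes, existing_roas=()):
    """Dry-run a ROA plan: state of each observed route before and after."""
    before = list(existing_roas)
    after = before + list(candidate_roas)
    return {(p, a): (rov_state(p, a, before), rov_state(p, a, after))
            for p, a in routes}


def rp_disagreement(prefix: str, origin_asn: int, rp_views: dict) -> dict:
    """Verdict per Relying Party; routers fed by both would disagree."""
    return {rp: rov_state(prefix, origin_asn, roas)
            for rp, roas in rp_views.items()}


# Constructed scenario: the holder announces the /24 from AS64500 and a
# customer announces a /25 carved out of it from AS64501.
ROUTES = [("203.0.113.0/24", 64500), ("203.0.113.128/25", 64501),
          ("198.51.100.0/24", 64500)]
AGGREGATE_ONLY = [ROA("203.0.113.0/24", 24, 64500)]
WITH_CUSTOMER = AGGREGATE_ONLY + [ROA("203.0.113.128/25", 25, 64501)]

if __name__ == "__main__":
    for route, (old, new) in roa_impact(AGGREGATE_ONLY, ROUTES).items():
        print(route, old, "->", new)
    print(rp_disagreement("203.0.113.128/25", 64501,
                          {"rp-a": AGGREGATE_ONLY, "rp-b": WITH_CUSTOMER}))
```

Running the dry run with only the aggregate ROA turns the customer's /25 from "not-found" into "invalid"; the same happens to a /25 the holder itself originates from AS64500, because maxLength 24 does not authorise it. The `rp_disagreement` call reproduces the situation Deepak Kumar asked about: a router fed by an RP that has the /25 ROA accepts the route, one fed by an RP that lacks it drops it.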
4. What IPv6 RFCs Don’t Say About VPNs
- Presenter: Ye-jin Cho
- Technical Summary: The research explores "IPv6 de-preference" in VPNs. Due to RFC 6724 (Default Address Selection), clients often prefer IPv4 private addresses over IPv6 Unique Local Addresses (ULAs). VPN providers frequently use ULAs for internal tunnel addresses, causing clients to default to IPv4.
- Proposed Solutions:
- Assigning unique Global Unicast Addresses (GUAs).
- Assigning shared static GUAs.
- Creating a new "Tunnel Local Address" class.
- Modifying RFC 6724 prioritization rules.
- Discussion: Lorenzo Colitti argued for GUA assignment to preserve end-to-end connectivity and mentioned RFC 7934. Suresh Krishnan recommended bringing the proposal for a new address class to the 6man working group, as it involves protocol actions and address selection changes.
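Added illustration for talk 4 (editor-supplied example code, not the paper's): the RFC 6724 default policy table plus a simplified form of the source and destination selection rules (only scope match, label match, precedence, scope and longest common prefix are modelled), applied to a VPN client. With a ULA on the tunnel the client orders IPv4 first for both an internal dual-stack host and an Internet host; with a GUA on the tunnel it orders IPv6 first for the Internet host. The addresses are constructed from documentation and private ranges.

```python
"""RFC 6724 destination ordering for the VPN case from the talk.

Added example, not the paper's code. Implements the default policy table
(RFC 6724 section 2.1) and a simplified subset of the source and
destination selection rules, enough to show why a ULA-only tunnel makes a
client de-prefer IPv6. Addresses are documentation/private-range values.
"""
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY_TABLE = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]
_TABLE = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in POLICY_TABLE]


def as_v6(addr: str) -> ipaddress.IPv6Address:
    """IPv4 is handled as IPv4-mapped IPv6, as RFC 6724 does."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def policy(addr: str):
    """Longest-match row of the policy table -> (precedence, label)."""
    a = as_v6(addr)
    _, prec, lab = max((row for row in _TABLE if a in row[0]),
                       key=lambda row: row[0].prefixlen)
    return prec, lab


def scope(addr: str) -> int:
    """Scope value per RFC 6724 sections 3.1/3.2: link 0x2, site 0x5,
    global 0xe. Private IPv4 and ULA both count as global."""
    a = as_v6(addr)
    if a.is_loopback or a in ipaddress.IPv6Network("::ffff:127.0.0.0/104"):
        return 0x2
    if a.is_link_local or a in ipaddress.IPv6Network("::ffff:169.254.0.0/112"):
        return 0x2
    if a.is_site_local:
        return 0x5
    return 0xE


def common_prefix_len(a: str, b: str) -> int:
    return 128 - (int(as_v6(a)) ^ int(as_v6(b))).bit_length()


def select_source(dest: str, candidates):
    """Simplified RFC 6724 section 5: same family only, then matching
    scope, matching label, longest common prefix."""
    family = ipaddress.ip_address(dest).version
    same = [s for s in candidates if ipaddress.ip_address(s).version == family]
    if not same:
        return None
    return max(same, key=lambda s: (scope(s) == scope(dest),
                                    policy(s)[1] == policy(dest)[1],
                                    common_prefix_len(s, dest)))


def sort_destinations(dests, sources):
    """Simplified RFC 6724 section 6 (rules 1, 2, 5, 6, 8, 9) as a sort key."""
    def key(d):
        s = select_source(d, sources)
        if s is None:                          # rule 1: unusable destination
            return (1, 0, 0, 0, 0, 0)
        prec, label = policy(d)
        return (0,
                scope(d) != scope(s),          # rule 2: prefer matching scope
                label != policy(s)[1],         # rule 5: prefer matching label
                -prec,                         # rule 6: prefer higher precedence
                scope(d),                      # rule 8: prefer smaller scope
                -common_prefix_len(d, s))      # rule 9: longest matching prefix
    return sorted(dests, key=key)


# Constructed: a dual-stack host inside the VPN and one on the Internet.
INTERNAL = ["fd00:db8::10", "10.8.0.10"]
EXTERNAL = ["2001:db8:1::80", "198.51.100.80"]
ULA_TUNNEL_CLIENT = ["fd00:db8::2", "10.8.0.2"]       # ULA + RFC 1918 tunnel
GUA_TUNNEL_CLIENT = ["2001:db8:ffff::2", "10.8.0.2"]  # GUA alternative

if __name__ == "__main__":
    for name, client in [("ULA tunnel", ULA_TUNNEL_CLIENT),
                         ("GUA tunnel", GUA_TUNNEL_CLIENT)]:
        print(name, "internal:", sort_destinations(INTERNAL, client)[0],
              "external:", sort_destinations(EXTERNAL, client)[0])
```

Two different rules produce the IPv4 preference. For the internal host both labels match, so rule 6 decides and IPv4-mapped precedence 35 beats ULA precedence 3. For the Internet host the GUA destination (label 1) can only be paired with a ULA source (label 13), so rule 5 prefers the IPv4 pair whose labels match; give the tunnel a GUA and rule 5 is satisfied on both sides, letting precedence 40 put IPv6 first.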
5. Understanding and Characterizing Intermediate Paths of Email Delivery
- Presenter: Shibo Cui
- Technical Summary: Using 2 billion Received headers from Coremail, the study analyzed the shift from end-to-end delivery to "segment-to-segment" delivery involving middle nodes (hosting, security, and signature providers).
- Findings: Extreme centralization around Microsoft (Outlook.com), which participates in ~70% of intermediate paths. The study also highlighted regional dependencies, such as the reliance of South American traffic on North American infrastructure and the domestic isolation of Russian email infrastructure.
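Added illustration for talk 5 (editor-supplied example code, not the study's pipeline): reconstructing a message's delivery path from its Received headers. Each MTA prepends a Received header, so walking them bottom-up yields the relay sequence; any relay belonging to neither the sender's nor the recipient's organisation is a middle node of the kind the study counts. The message is constructed, and the organisation heuristic (last two DNS labels) is a stand-in for a proper public-suffix lookup.

```python
"""Reconstruct a message's delivery path from its Received headers.

Added example, not the paper's code. The sample message and the crude
organisation heuristic are constructed for illustration.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed message with three hops: sender's MTA -> third-party security
# gateway -> recipient's inbound MTA. Headers are in prepend order (last hop first).
RAW_MESSAGE = (
    b"Received: from mx-sec.example-security.net (mx-sec.example-security.net [198.51.100.5])\n"
    b"\tby inbound.example-mail.org (Postfix) with ESMTPS id 1A2B3C\n"
    b"\tfor <bob@example-mail.org>; Wed, 24 Jul 2024 10:02:11 +0000\n"
    b"Received: from mail.sender.example (mail.sender.example [203.0.113.9])\n"
    b"\tby mx-sec.example-security.net with ESMTPS id X9Y8Z7;\n"
    b"\tWed, 24 Jul 2024 10:02:09 +0000\n"
    b"Received: from [10.1.2.3] (unknown [10.1.2.3])\n"
    b"\tby mail.sender.example (Postfix) with ESMTPA id 7F7F7F;\n"
    b"\tWed, 24 Jul 2024 10:02:05 +0000\n"
    b"From: alice@sender.example\n"
    b"To: bob@example-mail.org\n"
    b"Subject: test\n"
    b"\n"
    b"hello\n"
)

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


def parse_received(raw: bytes) -> list:
    """Hops in delivery order (bottom-most header first)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold and squeeze whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue                            # no from/by clause; skip
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "at": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def chain_consistent(hops) -> bool:
    """Each hop's 'from' should name the previous hop's 'by'; a break is a
    classic sign of a forged or stripped Received header."""
    return all(hops[i]["from"] == hops[i - 1]["by"] for i in range(1, len(hops)))


def org(host: str) -> str:
    """Crude organisation key: last two labels (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def middle_nodes(hops, sender_domain: str, recipient_domain: str) -> list:
    """Relays that belong to neither endpoint organisation."""
    ends = {org(sender_domain), org(recipient_domain)}
    return [h["by"] for h in hops if org(h["by"]) not in ends]


def transit_seconds(hops) -> float:
    stamps = [h["at"] for h in hops if h["at"]]
    return (stamps[-1] - stamps[0]).total_seconds() if len(stamps) > 1 else 0.0


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    print([h["by"] for h in hops])
    print("consistent:", chain_consistent(hops))
    print("middle nodes:", middle_nodes(hops, "sender.example", "example-mail.org"))
    print("transit seconds:", transit_seconds(hops))
```

On the sample the path is sender MTA, security gateway, recipient MTA, the chain is consistent, and the gateway is the only middle node. On real mail, Received headers below the first hop you trust are attacker-controlled, so the consistency check is only meaningful from your own MTA downward.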
6. Analyzing Compliance and Complications of Integrating Internationalized X.509 Certificates
- Presenter: Mingming Zhang
- Technical Summary: An investigation into "unicerts" (certificates containing internationalized content). Using a tool called RFC-GPT to extract 95 rules from scattered specifications, the study found 250,000 non-compliant certificates in Certificate Transparency (CT) logs.
- Findings: Widespread issuance of malformed Internationalized Domain Names (IDNs) and inconsistent parsing across TLS libraries. Major issues include improper character checks and lack of Unicode NFC normalization.
- Security Impact: Demonstrated potential for user spoofing via malformed bidirectional characters in warning pages (Chrome/Firefox) and misleading CT monitoring.
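Added illustration for talk 6 (editor-supplied example code, not the RFC-GPT tool or the paper's 95-rule set): stdlib-only checks for three of the rule families the talk singles out, applied to labels as they would appear in a SAN. A-labels are decoded with raw Punycode so that whatever a CA actually encoded is visible, then checked for NFC normalization, bidi/format control characters and hyphen placement, and finally round-tripped through the stdlib IDNA codec (IDNA2003 nameprep) to catch non-canonical encodings. All sample names are constructed; none is claimed to appear in any CT log.

```python
"""Compliance checks for internationalized names in certificate SANs.

Added example, not the paper's tooling. Uses only the standard library;
the IDNA round trip is IDNA2003 (nameprep), which is what Python ships.
"""
import codecs
import unicodedata

# Bidi marks, embeddings, overrides and isolates. RFC 5892 disallows them in
# IDNA labels; an override such as U+202E is what reorders the displayed name.
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D,
                 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}


def label_to_unicode(label: str) -> str:
    """Decode an A-label with raw Punycode, deliberately skipping IDNA
    validation so that exactly what the CA encoded becomes visible."""
    if label[:4].lower() == "xn--":
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def check_label(label: str) -> list:
    """Problem codes for one DNS label (empty list means compliant)."""
    problems = []
    try:
        u = label_to_unicode(label)
    except (ValueError, IndexError):            # not even valid Punycode
        return ["undecodable"]
    if unicodedata.normalize("NFC", u) != u:
        problems.append("not-nfc")
    if any(ord(c) in BIDI_CONTROLS or unicodedata.category(c) == "Cf" for c in u):
        problems.append("format-control")
    # RFC 5891 4.2.3.1: '--' in positions 3-4 is reserved for the xn-- prefix;
    # RFC 5890: a label must not begin or end with a hyphen.
    if ((u[2:4] == "--" and label[:4].lower() != "xn--")
            or u.startswith("-") or u.endswith("-")):
        problems.append("bad-hyphen")
    try:
        canonical = u.encode("idna").decode("ascii")   # ToASCII with nameprep
    except UnicodeError:
        problems.append("nameprep-rejected")
    else:
        if canonical != label.lower():
            problems.append("non-canonical")
    return problems


def check_name(name: str) -> dict:
    """Map each offending label of a dotted name to its problem codes."""
    result = {}
    for label in name.rstrip(".").split("."):
        problems = check_label(label)
        if problems:
            result[label] = problems
    return result


# Constructed samples: a canonical A-label, a decomposed (non-NFC) encoding
# of the same name, a label with an embedded right-to-left override, and an
# ASCII label using the reserved hyphen positions.
SAMPLES = {
    "canonical": "xn--mnchen-3ya.example",
    "decomposed": "xn--" + codecs.encode("mu\u0308nchen", "punycode").decode("ascii") + ".example",
    "bidi": "xn--" + codecs.encode("exam\u202eple", "punycode").decode("ascii") + ".example",
    "hyphen": "ab--cd.example",
}

if __name__ == "__main__":
    for kind, name in SAMPLES.items():
        print(kind, name, check_name(name))
```

The decomposed sample is the case a TLS library that compares A-labels byte-for-byte will treat as a different name from the canonical one, while a library that normalizes first will treat as the same; the bidi sample decodes cleanly from Punycode but is rejected the moment it is re-encoded under nameprep, which is the check a CA should have run before issuance.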
7. Measuring the Time Source Vulnerabilities in the NTP Ecosystem
- Presenter: Genshin (Jinchen Huang)
- Technical Summary: Measurement of 7 million NTP servers revealed significant "bad timekeeping" (offset >10s), even among Stratum 0 sources.
- Vulnerabilities:
- Single Source Vulnerability: Over 2 million servers rely on a single upstream time source.
- Dangling IP Address: Risks associated with static IP configurations for cloud-hosted NTP servers that may be reassigned.
- Solution: The researchers proposed NTS-mon, a system that scores NTS-enabled servers based on accuracy and availability, providing a dynamic, load-adjusted list for clients.
- Discussion: Karen O'Donoghue invited the presenter to bring this work to the NTP working group and noted ongoing efforts to add NTS support to the NTP Pool.
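Added illustration for talk 7 (editor-supplied example code, not NTS-mon): a client-side audit of chrony-style configuration for the two failure modes the talk names. It parses `server`/`pool`/`peer` lines and reports reliance on a single upstream source, sources given as IP literals (which go dangling if a cloud address is released and reassigned), and sources without NTS. Both configuration fragments are constructed, and the hostnames in the hardened one are placeholders rather than verified NTS-capable servers.

```python
"""Audit NTP client configuration for single-source and dangling-IP risk.

Added example, not NTS-mon. Parses chrony-style directives; the samples
are constructed and the hardened hostnames are placeholders.
"""
import ipaddress
import shlex

SOURCE_DIRECTIVES = {"server", "pool", "peer"}

# Constructed: a typical single-source, IP-literal, unauthenticated setup.
WEAK_CONF = """\
server 203.0.113.7 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
"""

# Constructed hardened fragment (hostnames are placeholders, not real servers).
HARDENED_CONF = """\
server nts1.example.net iburst nts
server nts2.example.net iburst nts
server nts3.example.net iburst nts
pool nts-pool.example.net iburst nts maxsources 2
minsources 2
makestep 1.0 3
"""


def parse_sources(conf: str) -> list:
    """(directive, host, options) for every time-source line."""
    sources = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0].lower() in SOURCE_DIRECTIVES and len(parts) > 1:
            sources.append((parts[0].lower(), parts[1], parts[2:]))
    return sources


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(conf: str) -> list:
    """Sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    sources = parse_sources(conf)
    if not sources:
        return ["no-sources"]
    # One directive is one upstream; a lone 'pool' still means one operator.
    if len(sources) == 1:
        findings.append("single-source")
    for _, host, options in sources:
        if is_ip_literal(host):
            findings.append(f"ip-literal:{host}")
        if "nts" not in (o.lower() for o in options):
            findings.append(f"no-nts:{host}")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The hardened fragment also sets `minsources 2` so chrony refuses to steer the clock until two sources agree, which limits the damage from any one upstream keeping bad time.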
Decisions and Action Items
- Ye-jin Cho (IPv6/VPNs): Action to take the discussion regarding Tunnel Local Addresses and RFC 6724 updates to the 6man working group.
- Genshin (NTP): Action to follow up with the NTP working group regarding time source vulnerabilities and the NTS-mon proposal.
Next Steps
- Chairs Dave Plonka and Mirja Kühlewind will look into tracking the "after-effects" of MAPRG presentations (e.g., interaction with CAs or working groups) to report at future meetings, such as IETF 121.
- Presenters from the IMC community are encouraged to share preprints and code on the MAPRG mailing list to facilitate further IETF review.