IRTF MAPRG agenda for IETF-113 (Vienna)

Date: March 23 2022, 10:00-12:00 UTC+1 Webex link: Room: Park Suite 9

Overview & Status - Mirja & Dave (remote) (5 min)

IRTF Note-well:

Glowing in the Dark: Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild - Hammas Tanveer (20 mins)

Survey on DNSSEC deployment metrics - Moritz Müller (10 mins)

Assessing Support for DNS-over-TCP in the Wild - Jerome Mao (20 mins)

One to Rule them All? A First Look at DNS over QUIC - Mike Kosek (20 mins)

Performance of QUIC Implementations Over Geostationary Satellite Links - Joerg Deutschmann (20 mins)

QUICsand: quantifying QUIC reconnaissance scans and DoS flooding events - Matthias Waehlisch (20 mins)


Glowing in the Dark: Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild - Hammas Tanveer (in collaboration with Rachee Singh, Paul Pearce and Rishab Nithayanand)

In this work we identify scanning strategies of IPv6 scanners on the Internet. We offer a unique perspective on the behavior of IPv6 scanners by conducting controlled experiments leveraging a large and unused /56 IPv6 subnet. We selectively make parts of the subnet visible to scanners by hosting applications that make direct or indirect contact with IPv6- capable servers on the Internet. By careful experiment design, we mitigate the effects of hidden variables on scans sent to our /56 subnet and establish causal relationships between IPv6 host activity types and the scanner attention they evoke. We show that IPv6 host activities e.g., Web browsing, membership in the NTP pool and Tor network, cause scanners to send a magnitude higher number of unsolicited IP scans and reverse DNS queries to our subnet than before. DNS scanners focus their scans in narrow regions of the address space where our applications are hosted whereas IP scanners broadly scan the entire subnet. Even after the host activity from our subnet subsides, we observe persistent residual scanning to portions of the address space that previously hosted applications.If our work is accepted for a presentation at the conference, I would be the only author presenting it. Looking forward to hearing back.

Survey on DNSSEC deployment metrics - Moritz Müller

Transparent and unbiased metrics are important to gain a better understanding of DNSSEC deployment. On behalf of ICANN, we are carrying out a survey on metrics that measure DNSSEC deployment in the DNS ecosystem. The goal is to perform a survey of academic and industry literature related to the deployment of DNSSEC and to make recommendations to ICANN for which metrics to measure to obtain the most comprehensive view of DNSSEC deployment across the Internet. See [1] for a more detailed project description. In this presentation, we would like to share our approach to this project. Also, we would like to collect feedback from the measurement community such that our study does not only serve ICANN but also can be useful to a broader community. [1]

Assessing Support for DNS-over-TCP in the Wild - Jiarun Mao and Michael Rabinovich (Case Western Reserve University), Kyle Schomp (Akamai)

While the DNS protocol encompasses both UDP and TCP as its underlying transport, UDP is commonly used in practice. At the same time, increasingly large DNS responses and concerns over amplification denial of service attacks have heightened interest in conducting DNS interactions over TCP. This talk presents our assessment of the support for DNS-over-TCP in the deployed DNS infrastructure, which we have conducted from several angles: - First, we assess resolvers responsible for over 66.2% of the external DNS queries that arrive at a major content delivery network (CDN). We find that 2.7% to 4.8% of the resolvers, contributing around 1.1% to 4.4% of all queries arriving at the CDN from the resolvers we study, do not properly fallback to TCP when instructed by authoritative DNS servers. Should a content provider decide to employ TCP-fallback as the means of switching to DNS-over-TCP, it faces the corresponding loss of its customers. - Second, we assess authoritative DNS servers (ADNS) for over 10 million domains and many CDNs and find some ADNS, serving some popular websites and a number of CDNs, that do not support DNS-over-TCP. These ADNS would deny service to (RFC-compliant) resolvers that choose to switch to TCP-only interactions. - Third, we study the TCP connection reuse behavior of DNS actors and describe a race condition in TCP connection reuse by DNS actors that may become a significant issue should DNS-over-TCP and other TCP-based DNS protocols, such as DNS-over-TLS, become widely used. We hope our findings will inform DNS operators who consider possible adoption of DNS-over-TCP and help improve DNS-over-TCP support of the platforms that have already adopted it.

Paper is going to appear in PAM 2022:
The work of Jiarun Mao and Michael Rabinovich was supported in part by NSF through grant CNS-1647145.

One to Rule them All? A First Look at DNS over QUIC - Mike Kosek, Trinh Viet Doan, Malte Granderath, Vaibhav Bajpai

The DNS is one of the most crucial parts of the Internet. Since the original DNS specifications defined UDP and TCP as the underlying transport protocols, DNS queries are inherently unencrypted, making them vulnerable to eavesdropping and on-path manipulations. Consequently, concerns about DNS privacy have gained attention in recent years, which resulted in the introduction of the encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Although these protocols address the key issues of adding privacy to the DNS, they are inherently restrained by their underlying transport protocols, which are at strife with, e.g., IP fragmentation or multi-RTT handshakes - challenges which are addressed by QUIC. As such, the recent addition of DNS over QUIC (DoQ) promises to improve upon the established DNS protocols. However, no studies focusing on DoQ, its adoption, or its response times exist to this date - a gap we close with our study. Our active measurements show a slowly but steadily increasing adoption of DoQ and reveal a high week-over-week fluctuation, which reflects the ongoing development process: As DoQ is still in standardization, implementations and services undergo rapid changes. Analyzing the response times of DoQ, we find that roughly 40% of measurements show considerably higher handshake times than expected, which traces back to the enforcement of the traffic amplification limit despite successful validation of the client's address. However, DoQ already outperforms DoT as well as DoH, which makes it the best choice for encrypted DNS to date.

Performance of QUIC Implementations Over Geostationary Satellite Links - Joerg Deutschmann

QUIC was recently standardized as RFC 9000, but the performance of QUIC over geostationary satellite links is problematic due to the non-applicability of Performance Enhancing Proxies. As of today, there are more than a dozen of different QUIC implementations. So far performance evaluations of QUIC over satellite links were limited to specific QUIC implementations. By deploying a modified version of the IETF QUIC-Interop-Runner, this paper evaluates the performance of multiple QUIC implementations over multiple geostationary satellite links. This includes two emulated ones (with and without packet loss) and two real ones. The results show that the goodput achieved with QUIC over geostationary satellite links is very poor in general, and especially poor when there is packet loss. Some implementations fail completely and the performance of the other implementations varies greatly. The performance depends on both client and server implementation.

QUICsand: quantifying QUIC reconnaissance scans and DoS flooding events - Marcin Nawrocki, Raphael Hiesgen, Thomas C. Schmidt, Matthias Wählisch

In this paper, we present first measurements of Internet background radiation originating from the emerging transport protocol QUIC. Our analysis is based on the UCSD network telescope, correlated with active measurements. We find that research projects dominate the QUIC scanning ecosystem but also discover traffic from non-benign sources. We argue that although QUIC has been carefully designed to restrict reflective amplification attacks, the QUIC handshake is prone to resource exhaustion attacks, similar to TCP SYN floods. We confirm this conjecture by showing how this attack vector is already exploited in multi-vector attacks: On average, the Internet is exposed to four QUIC floods per hour and half of these attacks occur concurrently with other common attack types such as TCP/ICMP floods.