IRTF maprg agenda for IETF-114 (Philadelphia)

Date: Friday, July 29, 12:30-14:30 (Session II, UTC-4)
Webex link: https://meetings.conf.meetecho.com/ietf114/?group=&short=&item=1
Room: Liberty C

Overview & Status - Mirja (onsite) & Dave (remote) (5 min)

IRTF Note-well: https://irtf.org/policies/irtf-note-well-2019-11.pdf

Heads-up talk: Internet Performance in the 2022 Conflict in Ukraine: An Asymmetric Analysis - Tal Mizrahi (10 mins)

A Look at QUIC Use - Geoff Huston (15 mins)

Configanator: A Data-driven Approach to Tackle Network Diversity with Heterogeneous Configurations - Naseer, Usama (15 mins)

Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale - Markus Sosnowski (15 mins)

Analyzing the Influence of Resource Prioritization on HTTP/3 HOL Blocking and Performance - Constantin Sander (remote) (15 mins)

Measuring the Availability and Response Times of Public Encrypted DNS Resolvers - Nick Feamster (remote) (15 mins)

Measuring the Accessibility of Domain Name Encryption and its Impact on Internet Filtering - Nguyen Phong Hoang (remote) (15 mins)


Abstracts

Internet Performance in the 2022 Conflict in Ukraine: An Asymmetric Analysis (Tal Mizrahi and Jose Yallouz)

On 24 February 2022 Russia invaded Ukraine, starting one of the largest military conflicts in Europe in recent years. We present preliminary findings about the impact of the conflict on the Internet performance in Ukraine and in Russia during the first two months of the conflict, introducing an ironically asymmetric picture: the Internet performance in Ukraine has significantly degraded, while the performance in Russia has improved.

This talk will be partly based on the following manuscript, with some additional material: https://arxiv.org/pdf/2205.08912.pdf

A Look at QUIC Use (Geoff Huston, Joao Damas)

In this study we look at some initial results of a large-scale user measurement of the use of HTTP/3 (and QUIC) in the Internet. We present the deployment numbers of the use of HTTP/3 using an Ad-based measurement regime, looking at the differences in per-country deployment rates as well as the global counts.

We are also interested in the HTTP/3 trigger mechanisms of DNS HTTPS record provisioning and content-side Alt-Svc steering. The presentation will also cover some results concerning browser and operating system fingerprints, packet size distribution, connection failure rates and the relative speed of HTTP/2 vs HTTP/3 connections.

See also https://www.potaroo.net/ispcol/2022-07/quic.html
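The two HTTP/3 trigger mechanisms named above are both small text formats a client has to parse before it can decide to try QUIC. The following added example (not code from the presentation or from potaroo.net) parses an Alt-Svc response header value as defined in RFC 7838 and the presentation form of an HTTPS record's RDATA as defined in RFC 9460, and reports which HTTP/3 ALPN identifiers each one advertises. All input strings in it are constructed; the alpn handling ignores RFC 9460 value escaping, which is a stated simplification.

```python
"""Parsers for the two HTTP/3 'trigger' signals the abstract mentions: the
Alt-Svc response header (RFC 7838) and the ALPN parameter of an HTTPS DNS
record (RFC 9460). Added example with constructed inputs; not the authors' code."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

H3_ALPN = re.compile(r"^h3(-\d+)?$")    # 'h3' or an IETF draft id such as 'h3-29'


@dataclass
class AltSvcEntry:
    protocol: str    # ALPN id after percent-decoding
    host: str        # '' means the same host the response came from
    port: int
    max_age: int     # seconds the hint may be cached; RFC 7838 default is 86400


_ALT_VALUE = re.compile(
    r'(?P<proto>[^=\s,;]+)="(?P<auth>[^"]*)"'                  # protocol-id="alt-authority"
    r'(?P<params>(?:\s*;\s*[^=\s,;]+=(?:"[^"]*"|[^;,\s]*))*)'  # ; ma=... ; persist=...
)
_PARAM = re.compile(r'([^=\s,;]+)=("[^"]*"|[^;,\s]*)')


def parse_alt_svc(header: str) -> list[AltSvcEntry]:
    """Parse an Alt-Svc header value. 'clear' (drop cached hints) gives []."""
    if header.strip() == "clear":
        return []
    entries = []
    for m in _ALT_VALUE.finditer(header):
        params = {k: v.strip('"') for k, v in _PARAM.findall(m.group("params"))}
        host, _, port = m.group("auth").rpartition(":")
        if not port.isdigit():                 # alt-authority always carries a port
            continue
        entries.append(AltSvcEntry(unquote(m.group("proto")), host, int(port),
                                   int(params.get("ma", "86400"))))
    return entries


def h3_from_alt_svc(header: str) -> list[str]:
    """HTTP/3 ALPN ids the header advertises, in the server's preference order."""
    return [e.protocol for e in parse_alt_svc(header) if H3_ALPN.match(e.protocol)]


def parse_https_rr(rdata: str) -> dict:
    """Parse HTTPS RDATA in presentation form, e.g. '1 . alpn="h3,h2" ipv4hint=192.0.2.1'.
    Priority 0 is AliasMode and carries no SvcParams (RFC 9460 section 2.4.2).
    Simplification: list values are split on commas without RFC 9460 escaping."""
    tokens = rdata.split()
    priority, target = int(tokens[0]), tokens[1]
    params = {}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        value = value.strip('"')
        params[key] = value.split(",") if key in ("alpn", "mandatory") else value
    return {"priority": priority, "target": target, "params": params}


def h3_from_https_rr(rdata: str) -> list[str]:
    """HTTP/3 ALPN ids an HTTPS record advertises; AliasMode records advertise none."""
    rr = parse_https_rr(rdata)
    if rr["priority"] == 0:
        return []
    return [a for a in rr["params"].get("alpn", []) if H3_ALPN.match(a)]


if __name__ == "__main__":
    # Constructed samples in the shape a CDN edge would return.
    print(h3_from_alt_svc('h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h2=":443"'))
    print(h3_from_https_rr('1 . alpn="h3,h2" ipv4hint=192.0.2.1'))
```

A measurement client that records which of the two signals was present, and whether the advertised ALPN set includes a current h3 identifier or only an old draft one, can explain a good part of the per-server differences in whether a browser ever attempts HTTP/3.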

Configanator: A Data-driven Approach to Tackle Network Diversity with Heterogeneous Configurations (Usama Naseer)

The web serving protocol stack is constantly evolving to tackle the technological shifts in networking infrastructure, end-user devices and website complexity. As a result of this evolution, CDN edge servers can use a plethora of protocols and configuration parameters to address a variety of realistic network conditions. Yet, today, despite the significant diversity in end-user networks and devices, most content providers have adopted a “one-size-fits-all” approach towards configuring the edge networking stack.

In this work, we demonstrate that the status quo results in sub-optimal performance, and our measurements show that dynamic tuning can significantly improve web performance compared to today’s edge network configurations. However, dynamic tuning at the edge requires a flexible data path that can tune configurations on a per-connection basis, and a data-driven control plane that can minimize the costs associated with searching for optimal configurations. Our framework, Configanator, makes contributions across both dimensions: it leverages data across connections to identify their network and device characteristics, and learns the optimal configuration parameters to improve end-user performance. The optimal configurations are then used for serving content from the edge, based on a connection’s network and device characteristics. Our real-world deployment and trace-driven evaluation show that Configanator improves tail (p95) web performance by 32-67% across diverse websites and networks.

Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale - Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, and Georg Carle (Technical University of Munich), Claas Grohnfeldt, Michele Russo, and Daniele Sgandurra (Huawei Technologies Munich)

Active measurements can be used to collect server characteristics on a large scale. This kind of metadata can help discover hidden relations and commonalities among server deployments, offering new possibilities to cluster and classify them. As an example, identifying previously unknown cybercriminal infrastructure can be a valuable source for cyber-threat intelligence. We propose herein an active-measurement-based methodology for acquiring Transport Layer Security (TLS) metadata from servers and leverage it for their fingerprinting. Our fingerprints capture the characteristic behavior of the TLS stack primarily caused by the implementation, configuration, and hardware support of the underlying server. Using an empirical optimization strategy that maximizes information gain from every handshake to minimize measurement costs, we generated 10 general-purpose Client Hellos used as scanning probes to create a large database of TLS configurations used for classifying servers. We fingerprinted 28 million servers from the Alexa and Majestic toplists and two Command and Control (C2) blocklists over a period of 30 weeks with weekly snapshots as the foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. The proposed methodology shows a precision of more than 99% and enables a stable identification of new servers over time. This study describes a new opportunity for active measurements to provide valuable insights into the Internet that can be used in security-relevant use cases.

https://tma.ifip.org/2022/wp-content/uploads/sites/11/2022/06/tma2022-paper35.pdf

Analyzing the Influence of Resource Prioritization on HTTP/3 HOL Blocking and Performance - Constantin Sander (remote), Ike Kunze, and Klaus Wehrle (RWTH Aachen University)

HTTP/3 comes with a significant change on the transport layer by switching from TCP to QUIC. Of particular interest is that QUIC features independent streams which removes transport HOL blocking during packet loss: loss-unaffected streams no longer have to wait for full retransmissions of affected streams which was the case for HTTP/2. To leverage this new capability, multiple streams have to be in flight at the same time. This can, e.g., be governed by HTTP resource prioritization which allows a browser to signal its desired scheduling of streams to improve web performance. For HTTP/2, sequential scheduling, as used by Chrome, has proven to achieve good results. This choice, however, prevents QUIC’s independent streams from taking effect. In contrast, round-robin scheduling could exploit this specific feature best, but it has shown detrimental effects for HTTP/2. Yet, in that case, it could not benefit from independent streams. Whether round-robin is now beneficial with HTTP/3 is unknown, as the interplay of resource prioritization and HOL blocking on performance for HTTP/3 is unexplored. Since the alleviation of HOL blocking is one of the main features of QUIC, we thus analyze its impact and influencing factors. We find that for bursty loss, e.g., from congestion, sequential scheduling achieves good web performance, but that parallelism can help for increasing random loss rates. Nevertheless, for moderate loss, parallelism taking priorities into account is more helpful than agnostic round-robin.

https://tma.ifip.org/2022/wp-content/uploads/sites/11/2022/06/tma2022-paper28.pdf
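The interaction the abstract describes, between the scheduler (sequential vs round-robin) and whether streams are independent (QUIC) or share one in-order byte stream (TCP), can be made concrete with a small discrete simulation. The following is an added example, not the authors' testbed or code: one packet is transmitted per tick, a packet in the loss set is dropped on its first transmission and resent after a fixed retransmission timeout, and there is no congestion control. With HTTP/2 over TCP every packet also waits for all packets sent before it, so one loss early in the connection holds back streams whose own data has long arrived; with QUIC only the affected stream waits.

```python
"""Toy simulation of HTTP/2-over-TCP vs HTTP/3-over-QUIC stream completion under
packet loss, for sequential vs round-robin resource prioritization.
Added example with a deliberately simplified model (one packet per tick, fixed
retransmission timeout, no congestion control); it is not the authors' code."""
import random
from collections import defaultdict


def sequential_order(n_streams, pkts_per_stream):
    """Chrome-style sequential scheduling: finish stream 0, then stream 1, ..."""
    return [(s, p) for s in range(n_streams) for p in range(pkts_per_stream)]


def round_robin_order(n_streams, pkts_per_stream):
    """Interleave one packet of each stream in turn."""
    return [(s, p) for p in range(pkts_per_stream) for s in range(n_streams)]


def random_loss(order, rate, seed=1):
    """Independent random loss, to explore the 'increasing random loss' case."""
    rng = random.Random(seed)
    return frozenset(pkt for pkt in order if rng.random() < rate)


def simulate(order, lost, rto):
    """Return {(stream, pkt): arrival_tick}. One transmission per tick; a packet
    in `lost` is dropped on its first transmission and resent `rto` ticks later.
    Due retransmissions take precedence over new data, as a real sender does."""
    arrival = {}
    pending = list(order)      # new data, in scheduler order
    retx = []                  # (due_tick, pkt)
    tick = 0
    while pending or retx:
        retx.sort()
        if retx and retx[0][0] <= tick:
            _, pkt = retx.pop(0)
            arrival[pkt] = tick
        elif pending:
            pkt = pending.pop(0)
            if pkt in lost:
                retx.append((tick + rto, pkt))
            else:
                arrival[pkt] = tick
        # else: nothing sendable yet, link idles until the retransmission is due
        tick += 1
    return arrival


def completion_times(order, arrival, independent_streams):
    """Tick at which each stream is fully delivered to the application.
    QUIC (independent_streams=True): a stream waits only for its own packets.
    TCP (False): bytes are delivered in send order, so every packet also waits
    for all packets sent before it, whatever stream they belong to; this is the
    transport head-of-line blocking the abstract refers to."""
    done = defaultdict(int)
    blocking = 0    # latest arrival among packets earlier in the send order
    for pkt in order:
        blocking = max(blocking, arrival[pkt])
        deliverable = arrival[pkt] if independent_streams else blocking
        done[pkt[0]] = max(done[pkt[0]], deliverable)
    return dict(done)


def compare(n_streams=3, pkts_per_stream=4, lost=frozenset({(0, 1)}), rto=12):
    """Per-stream completion ticks for the four transport/scheduler combinations.
    Default scenario: a single loss in the first stream's second packet."""
    results = {}
    for sched_name, sched in (("sequential", sequential_order), ("round-robin", round_robin_order)):
        order = sched(n_streams, pkts_per_stream)
        arrival = simulate(order, lost, rto)
        results[("http2/tcp", sched_name)] = completion_times(order, arrival, False)
        results[("http3/quic", sched_name)] = completion_times(order, arrival, True)
    return results


if __name__ == "__main__":
    for (transport, sched), done in compare().items():
        print(f"{transport:10} {sched:12} completion tick per stream: {done}")
    # Random loss at 10% for the same layout, as an exploration starting point:
    order = round_robin_order(3, 4)
    print(compare(lost=random_loss(order, 0.10)))
```

In the default scenario, HTTP/2 over TCP completes all three streams only when the retransmission lands, under either scheduler, while QUIC lets streams 1 and 2 finish on their own; the loss sits in stream 0 either way, which is why sequential scheduling still wins here and round-robin merely spreads the damage. Raising the loss rate with `random_loss` is the way to see the regime the abstract describes, where parallelism starts to pay off.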

Measuring the Availability and Response Times of Public Encrypted DNS Resolvers - Ranya Sharma, Nick Feamster

Unencrypted DNS traffic between users and DNS resolvers can lead to privacy and security concerns. In response to these privacy risks, many browser vendors have deployed DNS-over-HTTPS (DoH) to encrypt queries between users and DNS resolvers. Today, many client-side deployments of DoH, particularly in browsers, select between only a few resolvers, despite the fact that many more encrypted DNS resolvers are deployed in practice. Unfortunately, if users only have a few choices of encrypted resolver, and only a few perform well from any particular vantage point, then the privacy problems that DoH was deployed to help address merely shift to a different set of third parties. It is thus important to assess the performance characteristics of more encrypted DNS resolvers, to determine how many options for encrypted DNS resolvers users tend to have in practice. In this paper, we explore the performance of a large group of encrypted DNS resolvers supporting DoH by measuring DNS query response times from global vantage points in North America, Europe, and Asia. Our results show that many non-mainstream resolvers have higher response times than mainstream resolvers, particularly for non-mainstream resolvers that are queried from more distant vantage points, suggesting that most encrypted DNS resolvers are not replicated or anycast. In some cases, however, certain non-mainstream resolvers perform at least as well as mainstream resolvers, suggesting that users may be able to use a broader set of encrypted DNS resolvers than those that are available in current browser configurations.

Measuring the Accessibility of Domain Name Encryption and its Impact on Internet Filtering - Nguyen Phong Hoang (Stony Brook University), Michalis Polychronakis (Stony Brook University), Phillipa Gill (Google Inc.)

Most online communications rely on DNS to map domain names to their hosting IP address(es). Previous work has shown that DNS-based network interference is widespread due to the unencrypted and unauthenticated nature of the original DNS protocol. In addition to DNS, accessed domain names can also be monitored by on-path observers during the TLS handshake when the SNI extension is used. These lingering issues with exposed plaintext domain names have led to the development of a new generation of protocols that keep accessed domain names hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain name in the SNI extension. We present DNEye, a measurement system built on top of a network of distributed vantage points, which we used to study the accessibility of DoT/DoH and ESNI, and to investigate whether these protocols are tampered with by network providers (e.g., for censorship). Moreover, we evaluate the efficacy of these protocols in circumventing network interference when accessing content blocked by traditional DNS manipulation. We find evidence of blocking efforts against domain name encryption technologies in several countries, including China, Russia, and Saudi Arabia. At the same time, we discover that domain name encryption can help with unblocking more than 55% and 95% of censored domains in China and other countries where DNS-based filtering is heavily employed.

https://link.springer.com/content/pdf/10.1007/978-3-030-98785-5_23.pdf
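Both of the last two abstracts rest on the same primitive: sending a DoH query from a vantage point and recording whether it is answered, how long it took and what came back. The following added example (not the DNEye system nor the Sharma/Feamster measurement code) builds an RFC 8484 GET query in DNS wire format, places it in the `dns=` parameter as unpadded base64url, parses the wire-format answer, and times one complete request so that timeouts and HTTP-level errors are separated from successful resolutions. The resolver URL in the usage comment is a placeholder, and `SAMPLE_RESPONSE` is constructed by hand rather than captured from any resolver.

```python
"""Build an RFC 8484 DNS-over-HTTPS GET query, parse the wire-format answer and
time the round trip. Added example for probing resolver reachability and
response time from a vantage point; the resolver URL is a placeholder and the
sample response below is constructed by hand, not captured from a resolver."""
import base64
import struct
import time
import urllib.request

QTYPES = {"A": 1, "AAAA": 28, "HTTPS": 65}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def build_query(name: str, qtype: str = "A") -> bytes:
    """Wire-format query. The ID is 0, as RFC 8484 recommends so HTTP caches can
    reuse responses; flags 0x0100 set RD (recursion desired)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def doh_get_url(resolver_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: the query travels in ?dns= as unpadded base64url."""
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a wire-format name, including compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(wire: bytes) -> dict:
    """Return the RCODE and the answer section as (type, ttl, rdata) tuples."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(wire, off) + 4      # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((TYPE_NAMES.get(rtype, str(rtype)), ttl, text))
    return {"rcode": flags & 0xF, "answers": answers}


def measure_doh(resolver_url: str, name: str, qtype: str = "A", timeout: float = 5.0) -> dict:
    """One timed DoH GET. status is 'ok', 'timeout' or 'error'; rtt_ms covers
    TCP, TLS and HTTP for a fresh connection, as a one-shot probe would see it."""
    url = doh_get_url(resolver_url, build_query(name, qtype))
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    t0 = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except OSError as exc:       # URLError and socket timeouts both derive from OSError
        status = "timeout" if "timed out" in str(exc).lower() else "error"
        return {"status": status, "rtt_ms": (time.perf_counter() - t0) * 1000, "rcode": None}
    parsed = parse_response(body)
    return {"status": "ok", "rtt_ms": (time.perf_counter() - t0) * 1000,
            "rcode": parsed["rcode"], "answers": parsed["answers"]}


# Constructed response to an A query for example.com: QR=1, RD+RA, one answer
# 192.0.2.1 with TTL 3600, owner name compressed back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live use against a placeholder endpoint (any RFC 8484 resolver URL works):
    # print(measure_doh("https://doh.resolver.example/dns-query", "example.com"))
```

Repeating `measure_doh` for the same resolver from several vantage points and comparing the medians is the check behind the "not replicated or anycast" inference above: a resolver whose response time grows with distance from one location is being served from a single site. For the filtering question, the distinction between `timeout`, `error` and an `ok` result with an unexpected answer is what separates a blocked transport from a manipulated response.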