IRTF maprg agenda for IETF-117 (San Francisco)

Date: Friday, 28 July 2023, Session I 0930-1130

Full client with Video: https://meetecho.ietf.org/conference/?group=maprg&short=maprg&item=1

Room: Continental 6

IRTF Note Well: https://irtf.org/policies/irtf-note-well-2019-11.pdf

Agenda

Overview and Status - Mirja/Dave (5 min)

Internet Scale Reverse Traceroute - Kevin Vermeulen (remote) (15 mins)

Web Privacy By Design: Evaluating Cross-layer Interactions of QUIC, DNS and H/3 - Jayasree Sengupta (remote) (15 mins)

Exploring the Cookieverse: A Multi-Perspective Analysis of Web Cookies - Ali Rasaii (remote) (15 mins)

User Awareness and Behaviors Concerning Encrypted DNS Settings in Web Browsers - Ranya Sharma (remote) (15 mins)

IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation - Robert Beverly (remote) (15 mins)

Measurement Lab: Supporting Open Internet Research - Lai Yi Ohlsen (remote) (15 mins)

Abstracts

Internet Scale Reverse Traceroute

Authors:

K. Vermeulen, E. Gurmericliler, I. Cunha, D. Choffnes, E. Katz-Bassett.

Abstract:

Knowledge of Internet paths allows operators and researchers to better understand the Internet and troubleshoot problems. Paths are often asymmetric, so measuring just the forward path only gives partial visibility. Despite the existence of Reverse Traceroute, a technique that captures reverse paths (the sequence of routers traversed by traffic from an arbitrary, uncontrolled destination to a given source), this technique did not fulfill the needs of operators and the research community, as it had limited coverage, low throughput, and inconsistent accuracy. In this paper we design, implement and evaluate revtr 2.0, an Internet-scale Reverse Traceroute system that combines novel measurement approaches and studies with a large-scale deployment to improve throughput, accuracy, and coverage, enabling the first exploration of reverse paths at Internet scale. revtr 2.0 can run 15M reverse traceroutes in one day. This scale allows us to open the system to external sources and users, and supports tasks such as traffic engineering and troubleshooting.

Publication:

Web Privacy By Design: Evaluating Cross-layer Interactions of QUIC, DNS and H/3

Authors:

Jayasree Sengupta, Mike Kosek, Justus Fries, Pratyush Dikshit, and Vaibhav Bajpai

Abstract:

Every Web session involves a DNS resolution. While, in the last decade, we witnessed a promising trend towards an encrypted Web in general, DNS encryption has only recently gained traction with the standardisation of DNS over TLS (DoT) and DNS over HTTPS (DoH). Meanwhile, the rapid rise of QUIC deployment has now opened up an exciting opportunity to utilise the same protocol to not only encrypt Web communications, but also DNS. In this paper, we evaluate this benefit of using QUIC to coalesce name resolution via DNS over QUIC (DoQ), and Web content delivery via HTTP/3 (H3) with 0-RTT. We compare this scenario using several possible combinations where H3 is used in conjunction with DoH and DoQ, as well as the unencrypted DNS over UDP (DoUDP). We observe, that when using H3 1-RTT, page load times with DoH can get inflated by >30% over fixed-line and by >50% over mobile when compared to unencrypted DNS with DoUDP. However, this cost of encryption can be drastically reduced when encrypted connections are coalesced (DoQ + H3 0-RTT), thereby reducing the page load times by 1/3 over fixed- line and 1/2 over mobile, overall making connection coalescing with QUIC the best option for encrypted communication on the Internet.

Publication:

Exploring the Cookieverse: A Multi-Perspective Analysis of Web Cookies

Authors:

Ali Rasaii, Shivani Singh, Devashish Gosain, and Oliver Gasser

Abstract:

This paper presents a global study on web cookies and their impact on
user privacy. We analyze cookie banners prevalence, privacy law
effectiveness in particular GDPR, cookie behavior across geographic
locations, website consistency, and other factors that might impact
cookies distribution. The main contributions are as follows:
- Automated Interaction with Cookie Banners: We develop BannerClick, an
automated tool using Selenium browser automation and built on OpenWPM,
to detect and interact with cookie banners. BannerClick achieves a 99%
accuracy rate in detecting banners embedded on main pages, iFrames, and
ShadowDOM. It can effectively interact with banners for both acceptance
and rejection, with accuracy rates of 97% and 87% respectively.
- Analysis of Cookies and Cookie Banners Distribution: Our study reveals
that around half of the top 10k websites listed on Tranco display cookie
banners when accessed from EU countries, almost double the rate in
non-EU countries. We compare observed cookies, particularly third-party
and tracking cookies, between EU and non-EU locations, finding that
tracking cookies are more prevalent in non-EU countries.
- Consistency of Websites: Statistical tests are conducted to assess
cookie consistency within and between different locations. We identify
greater cookie consistency within the EU and significant differences
between EU and non-EU countries.
- Other Factors Impacting Cookie Differences: We investigate variations
in cookies between landing and inner pages of websites, as well as
discrepancies between desktop and mobile platforms. These differences
are emphasized as important considerations for future research and
analysis.
- CCPA Efficacy: Additionally, we analyze the impact of privacy laws
such as CCPA on web cookies, challenging assumptions about their direct
positive impact.
The source code for BannerClick and analysis scripts are publicly
available at https://github.com/bannerclick/bannerclick

Publication:

Proceedings of the 2023 Passive and Active Measurement: 24th
International Conference, PAM 2023

User Awareness and Behaviors Concerning Encrypted DNS Settings in Web Browsers

Authors:

Alexandra Nisenoff, Carnegie Mellon University and University of Chicago; Ranya Sharma and Nick Feamster, University of Chicago

Abstract:

Recent developments to encrypt the Domain Name System (DNS) have resulted in major browser and operating system vendors deploying encrypted DNS functionality, often enabling various configurations and settings by default. In many cases, default encrypted DNS settings have implications for performance and privacy; for example, Firefox’s default DNS setting sends all of a user’s DNS queries to Cloudflare, potentially introducing new privacy vulnerabilities. In this paper, we confirm that most users are unaware of these developments—with respect to the rollout of these new technologies, the changes in default settings, and the ability to customize encrypted DNS configuration to balance user preferences between privacy and performance. Our findings suggest several important implications for the designers of interfaces for encrypted DNS functionality in both browsers and operating systems, to help improve user awareness concerning these settings, and to ensure that users retain the ability to make choices that allow them to balance tradeoffs concerning DNS privacy and performance.

Publication:

IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation

Authors:

Erik C. Rye and Robert Beverly

Abstract:

We present IPvSeeYou, a privacy attack that permits a remote and unprivileged adversary to physically geolocate many residential IPv6 hosts and networks with street-level precision. The crux of our method involves: 1) remotely discovering wide area (WAN) hardware MAC addresses from home routers; 2) correlating these MAC addresses with their WiFi BSSID counterparts of known location; and 3) extending coverage by associating devices connected to a common penultimate provider router.

We first obtain a large corpus of MACs embedded in IPv6 addresses via high-speed network probing. These MAC addresses are effectively leaked up the protocol stack and largely represent WAN interfaces of residential routers, many of which are all-in-one devices that also provide WiFi. We develop a technique to statistically infer the mapping between a router's WAN and WiFi MAC addresses across manufacturers and devices, and mount a large-scale data fusion attack that correlates WAN MACs with WiFi BSSIDs available in wardriving (geolocation) databases. Using these correlations, we geolocate the IPv6 prefixes of >12M routers in the wild across 146 countries and territories. Selected validation confirms a median geolocation error of 39 meters. We then exploit technology and deployment constraints to extend the attack to a larger set of IPv6 residential routers by clustering and associating devices with a common penultimate provider router. While we responsibly disclosed our results to several manufacturers and providers, the ossified ecosystem of deployed residential cable and DSL routers suggests that our attack will remain a privacy threat into the foreseeable future.

Publication:

Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P),
San Francisco, CA, May 2023 (to appear).

Measurement Lab: Supporting Open Internet Research

Speaker:

Lai Yi Ohlsen, Lead Data Scientist, Measurement Lab

Abstract: Measurement Lab was founded in 2009 with the goal of supporting open Internet research in the public interest at scale. Since then we've developed a platform with over 750+ servers in interconnection points and cloud networks worldwide, as well as collected and published over 6 billion rows of Internet measurement data. Our talk will focus on sharing opportunities for MAPRG researchers to use M-Lab to scale their work, outlining some of the public interest research questions we're interested in advancing and gaining insight into what MAPRG thinks are the important and relevant priorities in Internet measurement research today.