IRTF maprg agenda for IETF-124 (Montreal)

Date: Thursday, 6 Nov 2025, Session I 9:30-11:00

Full client with Video: https://meetecho.ietf.org/conference/?group=maprg&short=maprg&item=1

Room: Viger

IRTF Note Well: https://irtf.org/policies/irtf-note-well-2019-11.pdf

Agenda




Abstracts


A Longitudinal Study of the Prevalence of WiFi Bottlenecks in Home Access Networks

Authors: Ranya Sharma (University of Chicago), Nick Feamster (University of Chicago), Marc Richardson (University of Chicago)
Abstract:

Although home wireless networks (WiFi) are increasingly becoming performance bottlenecks, there are no research studies based on long-running field deployments that document this phenomenon. Given both public and private investment in broadband Internet infrastructure, a rigorous study of this phenomenon (and accompanying public data, based on open-source methods) is critical. To this end, this study pioneers a system and measurement technique to directly assess WiFi and access network performance. This study is the first to continuously and contemporaneously measure Internet performance along two segments: the wireless client to the access point, and from the access point to the ISP access network. It is also the largest and longest-running study of its kind, with public data spanning more than two years (and counting), and, to our knowledge, the first such study in nearly a decade. Our study is based on data from over 22,000 joint measurements across more than 50 broadband access networks. Our findings have important implications for both the development of access technologies and Internet policy. Notably, for users with access links that exceed 800 Mbps, the user's wireless network was the performance bottleneck 100% of the time. Such inflection points will continue to evolve, yet the contributions of this paper include not only the results, but also open-source tools, data, and ongoing continuous measurements.

Publication:

VPN or Vpwn? How Afraid Should You be of VPN Traffic Identification?

Authors:

Tanmay Rajore, Jithin S, Arnav Gupta, Keshav Gambhir, Anindya Prithvi, Sambuddho Chakravarty (IIIT Delhi)

Abstract:

Several governments are gradually choosing to monitor VPN traffic. In this paper, we explore how hard or easy it would be for large ISP-scale adversaries to identify and block VPN traffic. More specifically, we try to answer questions like should ordinary netizens fear such decisions or whether it is not as trivial to identify and block all sorts of VPNs.
A recent study found that blocking and identifying OpenVPN endpoints is feasible for small ISPs. We explored detecting OpenVPN and alternatives like TLS, SSH, IPSec/IKEv2, Wireguard, and proprietary VPNs. Analyzing seven popular commercial and open-source VPN services, we identified patterns for detection. While OpenVPN is easily spotted, many alternatives resist identification, some using tactics like obscure TLS ClientHello SNI strings. We demonstrated evasion methods, including altering packet sizes, sending dummy traffic to confuse middleboxes, and obscuring plaintext strings. We also proposed a scalable mechanism for OpenVPN services to hide identifiable plaintext without affecting user or gateway scalability.

Publication:

The Threat Landscape of IP Leasing in the RPKI Era

Authors:

Weitong Li, Yongzhe Xu, Taejoong (Tijay) Chung

Abstract:

The rise of IPv4 leasing—where address owners rent out unused space to third parties—has created new risks for routing security under the Resource Public Key Infrastructure (RPKI). Although Route Origin Validation (ROV) aims to prevent prefix hijacks, current practice still grants lessors full control over Route Origin Authorizations (ROAs), enabling them to revoke or alter lessees’ ROAs and silently invalidate legitimate routes.

We present the first systematic study of rogue-lessor attacks, showing how malicious lessors can exploit RPKI publication to perform covert, region-specific hijacks. Through Internet-wide measurements and controlled experiments across two cloud platforms and the PEERING testbed, we find 44 k leased prefixes (4.8 % of the global table), of which 76 % remain vulnerable to unilateral manipulation. Our experiments demonstrate up to 80 % traffic redirection and even fraudulent TLS-certificate issuance under realistic conditions.

Publication:

Lazy Eye Inspection: Capturing the State of Happy Eyeballs Implementations

Authors: Patrick Sattler, Matthias Kirstein, Lars Wüstrich, Johannes Zirngibl, Georg Carle
Abstract:

While transitioning to an IPv6-only communication, many devices settled on a dual-stack setup. IPv4 and IPv6 are available to these hosts for new connections. Happy Eyeballs (HE) describes a mechanism to prefer IPv6 for such hosts while ensuring a fast fallback to IPv4 when IPv6 fails. The IETF is currently working on the third version of HE. While the standards include recommendations for HE parameter choices, it is up to the client and OS to implement HE. In this work, we investigate the state of HE in various clients, particularly web browsers. We introduce a framework to analyze and measure clients’ HE implementations and parameter choices. According to our evaluation, only Safari supports all already standardized HE features. Safari is also the only client implementation in our study that uses a dynamic IPv4 connection attempt delay, a resolution delay, and interlaces addresses. We further show that problems with the DNS A record lookup can even delay and interrupt the network connectivity despite a fully functional IPv6 setup with Chrome and Firefox. We operate a publicly available website (www.happy-eyeballs.net) which measures the browser’s HE behavior, and we publish a testbed measurement framework.

Publication:

Observations and Measurements of HTTP/2 During Large-Scale Web Crawls

Authors: Thom Vaughan (CommonCrawl)
Abstract:

This study analyses the prevalence and performance of HTTP/2 in a recent Common Crawl dataset. Using aggregated HTTP header statistics, we measured protocol adoption during a large-scale web crawl, which reveals how HTTP/2 usage differs across top-level domains. The results give a concise view of the composition of transport protocol usage on the web as captured at scale.


An overview of connection characteristics at Cloudflare's servers

Authors: Syed Suleman Ahmad
Abstract:

From "mice" to "elephants"—and everything in between—studying connection and flow characteristics has been a focus of networking research for decades. In this talk, Cloudflare presents measurements collected from millions of TCP connections it receives. These empirical insights and distributions provide a grounded view of server-side connection characteristics that can help inform network modeling and transport-level design.


Measuring Trends in Server Support for Post-Quantum TLS

Authors: Tommy Pauly
Abstract:

Sharing a view from client connection measurements to look at server support for Post-Quantum TLS, along with impact on connection setup time. PQTLS support is correlated with support for QUIC and IPv6, showing a widening gap between servers that support a family of "modern" protocols and those that don't.