Date: Thursday, 23 July 2026, Session IV 16:30-18:30
Full client with Video: https://meetecho.ietf.org/conference/?group=maprg&short=maprg&item=1
Room: Grand Klimt Hall 2
IRTF Note Well: https://irtf.org/policies/irtf-note-well-2019-11.pdf
Overview and Status - Mirja/Dave (5 min)
Heads-up talk: Towards a Common Measurement Framework for Large-Scale libp2p Deployments using CBOR-based Verifiable Telemetry - Johanna Moran (remote) (5 mins)
Feeding the Crawlers: An Experiment in Deliberate Bot Attraction - Dan Silvers (remote) (10 mins)
A Browser's Perspective: Surprises and Insights from Firefox Networking Telemetry - Oskar Mansfeld (10 mins)
TTL Jumps: Unexpected TTL Rewrites Impacting Inferences from Traceroutes - Johannes Zirngibl (15 mins)
Measuring Deployment Characteristics of Post-Quantum TLS Authentication Mechanisms - Nalini Elkins (10 mins)
Understanding DNS Dynamics over the Starlink Network - Robert Richter (10 mins)
The Future of DNS Privacy: A Comparison of DNS over QUIC and DNS over HTTP/3 - Newton Masinde (10 mins)
Detecting and Characterizing Exposed BGP Routers - Shyam Krishna Khadka (15 mins)
Noisy Routers: Investigating the Make-Up of Route Collector Data - Ebrima Jaw (15 mins)
Large-scale peer-to-peer systems have evolved from experimental research prototypes into critical Internet infrastructure supporting decentralized storage, content distribution, blockchain consensus, and increasingly autonomous agent-based applications. Networks such as Ethereum, IPFS, Filecoin, Celestia, and other decentralized ecosystems collectively operate hundreds of thousands of nodes across heterogeneous network environments, making them valuable real-world laboratories for protocol measurement and analysis. Despite their shared reliance on peer-to-peer networking technologies such as libp2p, there is currently no common framework for systematically measuring, encoding, comparing, and analyzing operational characteristics across these deployments.
This presentation explores the need for a reusable measurement framework for large-scale peer-to-peer protocol deployments that standardizes not only what network characteristics should be measured, but also how measurement data itself should be represented, exchanged, and validated across decentralized systems. While individual ecosystems have developed their own network crawlers, observability platforms, telemetry systems, and interoperability testing infrastructure, measurement methodologies and data formats remain ecosystem-specific. This fragmentation makes it difficult to compare network health, resilience, topology characteristics, peer behavior, routing performance, discovery effectiveness, and interoperability outcomes across deployments.
Drawing upon operational experience and measurement efforts across Ethereum consensus clients, IPFS nodes, Filecoin infrastructure, and other libp2p-based systems, this talk proposes a shared measurement architecture built around standardized measurement primitives and CBOR-based interoperable telemetry. We argue that Concise Binary Object Representation (CBOR) provides an ideal canonical serialization layer for decentralized network measurement, enabling compact, language-agnostic, deterministic, and protocol-native encoding of telemetry records that can be generated consistently across heterogeneous implementations.
Candidate measurement dimensions include peer discovery effectiveness, churn behavior, client diversity, geographic distribution, connectivity patterns, NAT traversal success, relay dependency, routing performance, topology evolution, and protocol interoperability. Rather than treating these observations as ecosystem-specific logs or isolated monitoring outputs, we propose standardizing them as portable telemetry records encoded using deterministic CBOR schemas. This allows measurement data to be efficiently exchanged across peer-to-peer systems, stored using content-addressed infrastructure, and analyzed consistently across independent decentralized deployments.
Emerging deterministic serialization profiles such as CBOR-42, developed within the IPFS ecosystem, introduce additional opportunities for verifiable telemetry generation by enabling deterministic encoding guarantees required for hashing, signing, and reproducible data verification. Under this model, network measurements themselves become verifiable protocol artifacts rather than ephemeral observability outputs. Measurement records can be cryptographically validated, shared as content-addressed datasets, and reused as reproducible research inputs across decentralized ecosystems.
The presentation discusses how combining common measurement methodologies with standardized CBOR-based telemetry infrastructure can improve protocol evaluation, deployment validation, operational observability, and resilience analysis across Internet-scale decentralized systems. We further explore opportunities for community-driven measurement infrastructure, shared benchmarking datasets, and interoperable tooling capable of transforming large-scale peer-to-peer networks into continuously observable protocol laboratories.
The broader goal of this contribution is to initiate discussion within MAPRG around establishing common measurement practices for peer-to-peer protocols and advancing toward a universal telemetry framework for decentralized systems. By standardizing measurement semantics alongside CBOR-based verifiable telemetry formats, the community can build shared infrastructure for evidence-based protocol evolution, reproducible experimentation, and collaborative analysis across the next generation of Internet-scale peer-to-peer networks.
As AI training pipelines grow hungrier for fresh data, the crawlers feeding them have grown increasingly aggressive — creating a meaningful measurement problem. We present ACPWB.com, a fictitious company website designed to attract, classify, and measure AI crawler activity through an abundance of synthetic content.
ACPWB is purposely designed to appear as a plausible corporate web presence, while offering an almost infinite supply of crawlable HTML pages with content variety that appeals to AI bots. The experiments in content generation have seen considerable success in attracting and maintaining the attention of highly aggressive bots.
The site launched in late March 2026, and in less than 3 months, over 500 million pages have been served. We deliberately chose quantity over quality when generating content. The content is effectively infinite and random, but authoritative enough to garner nearly constant attention from all major frontier AI model crawlers.
This short talk presents the methodology and preliminary findings from this grand experiment, along with some ideas for future exploration. As the web trends towards resisting AI scrapers, understanding how crawlers behave when welcomed — rather than blocked — offers a useful complement to the usual adversarial approaches.
Firefox collects anonymized networking telemetry from 200 million monthly active users. A large share of these measurements is directly relevant to maprg and the IETF: congestion control behavior, dns timings, path and connection characteristics, QUIC adoption, protocol evolution and distribution, happy-eyeballs-v3 performance, and more. This is a vantage point that complements server-side and active-probing datasets: it is the client side, at scale, across the globe, and it is entirely public.
The Firefox Networking Team uses this data every day to reason about and optimize the networking stack. We would like to share some of the more interesting findings, gotchas, and surprises from this work, along with the methods we use to cut through the noise when measuring how a specific implementation behaves in the wild.
We also want to make the broader research community aware that this data is available to everyone through our public web interface, and to show concretely how we use it and how you can use it too. We hope these insights inform ongoing research, help prioritization, and add a browser perspective to maprg discussions.
Traceroutes
Traceroute is an important Internet measurement tool used to infer
the Internet’s topology and to identify middleboxes. It relies on
network devices decrementing the Time to Live (TTL) in IP packet
headers by one at each hop and sending Internet Control Message
Protocol (ICMP) Time Exceeded error messages if the TTL reaches
zero. However, we show that TTL jumps exist on the Internet: some
devices rewrite the TTL, often to larger value of up to 255. These
rewrites hide the remaining path from traceroute and can lead
to incorrect inferences like spurious router and Autonomous System (AS)
links. Based on controlled experiments and public data
from RIPE Atlas and CAIDA Ark, we show that at least 47 ASes
are impacted by path-impairing devices that rewrite the TTL. A
prominent example is AT&T where more than 90 % of outgoing
IPv6 paths from CAIDA Ark nodes are affected since 2023.
The transition to post-quantum cryptography introduces multiple deployment choices for TLS authentication, including traditional X.509 certificates using ML-DSA, Merkle Tree Certificates (MTC), and other emerging mechanisms. While the cryptographic properties of these approaches are relatively well understood, there is comparatively little operational evidence to help architects evaluate their practical deployment implications.
This presentation describes an active measurement methodology for evaluating post-quantum TLS deployments. Rather than focusing solely on cryptographic correctness, the methodology measures deployment characteristics observed during live TLS handshakes, including certificate chain sizes, handshake message sizes, protocol negotiation behavior, post-quantum algorithm negotiation, fallback behavior, Subject Alternative Name (SAN) usage, certificate identity characteristics, and the relationship between certificate identities and the organizations operating the observed network infrastructure, including whether the associated IP address space and Autonomous System (ASN) are enterprise-owned or provided by third parties.
Using measurements collected from operational services, including financial institutions, healthcare organizations, major Internet companies, and emerging post-quantum test deployments, we discuss how empirical deployment data can help organizations evaluate the operational tradeoffs among ML-DSA certificates, Merkle Tree Certificates, and related approaches. The presentation will propose a framework for collecting operational metrics that support migration planning and discuss how these measurements can contribute to the development of operational deployment guidance for adoption of post-quantum authentication technologies.
The goal is to encourage discussion of measurement methodologies and operational metrics that enable evidence-based decision making and provide practical deployment insights that complement ongoing IETF standardization efforts.
Low-Earth Orbit (LEO) satellite networks have
as a viable Internet connectivity option, yet their Domain Name System (DNS) behavior remains largely unexplored.
This paper presents the first dedicated measurement study of DNS performance in the Starlink network. Using RIPE Atlas infrastructure, we analyze DNS resolution times across various
countries over a 13-month observation period from January 2025 to February 2026. We investigate three research questions: which DNS resolvers Starlink users commonly employ, how
different resolvers compare in performance, and what influences DNS latencies. Our measurements reveal that DNS latency in Starlink is predominantly determined by the satellite hop rather than terrestrial routing, with the CGNAT hop (100.64.0.1) accounting for approximately 69 % of total latency in traceroute measurements. Reducing this latency would only work by locating the resolver closer to the Starlink user. We also examine Starlink’s subscription-based DNS handling and find that unverified users are assigned a restricted resolver (34.145.127.1) that resolves only specific domains. Additionally, we identify SpaceX-operated IPv6 DNS resolvers that appear co-located with PoPs, potentially offering performance benefits through geographic proximity. Our findings provide insights into the design of the DNS ecosystem for LEO satellite networks.
Abstract: This study presents a large-scale empirical analysis of DNS-over-Encryption (DoE) protocols, focusing on the adoption, protocol feature support, and impact on webpage loading performance. We conducted measurements across over three thousand DoE resolvers, characterizing their support for features such as session resumption and 0-Round-trip Time (RTT) in DNS-over-QUIC (DoQ) and DNS-over-HTTP/3 (DoH/3). Despite broader feature adoption by DoQ, major browsers currently favor DoH/3. Our extensive latency measurements demonstrate that both protocols perform comparably, with DoQ slightly outperforming on average. Complementary experiments with the top one million websites show negligible overall page load time penalties when using DoQ or DoH/3 compared to traditional DNS-over-UDP (Do53), even under low-latency conditions. Further, our analysis explores the relationship between webpage complexity, quantified via metrics including number of objects, queried servers, and MIME type diversity, and the performance impact of DoE. We find no statistically significant correlation, indicating that DoEs performance effects are consistent across a range of website architectures. The study also addresses limitations in current client support for key protocol enhancements and validates effective 0-0-RTT resumption using proxy resolvers. Our findings alleviate prevalent concerns about DoE-induced performance degradation, supporting broader adoption of encrypted Domain Name System (DNS) protocols without sacrificing user experience. We release our datasets, source code, and analysis scripts to facilitate reproducibility and foster further research into encrypted DNS ecosystems.
RFC 7454 on BGP operations and security recommends that network operators restrict access to TCP port 179, which routers use to receive reachability messages from their peers. Reports from commercial companies indicate that around 283k IP addresses expose TCP 179 to the Internet, potentially increasing their susceptibility to denial-of-service attacks. This paper presents a detailed insight into this underexplored problem of exposed BGP routers using an Internet-wide TCP scan of port 179. We analyze device responses at both the application layer via BGP OPEN messages and transport layer (successful TCP connections, TCP RSTs, or silent drops). We identify 141,313 IP addresses that accept TCP connections and exchange OPEN messages, corresponding to 20,432 routers across 4,194
Autonomous Systems (ASes). From the OPEN messages, we infer each router’s IP addresses, the router’s type (border or internal), and assess their criticality based on connected ASes and interface IP addresses. Using an external SNMPv3 dataset, we further examine vendor distribution among exposed routers. Our study
offers new insights into router exposure: we identified 1,127 border routers, 16,124 internal routers, and 4,194 ASes associated with them, including critical routers in ASes. These insights can help network operators, policymakers, and security researchers assess the security of BGP routers and their associated ASes on the Internet.
The Border Gateway Protocol (BGP) is a crucial inter-domain routing protocol that uses
update messages to enable Autonomous Systems (ASes) to share network reachability
information. Typically, ASes should only trigger update messages to reflect configuration
changes and link failures for optimal path selection. However, we have identified recurring
patterns of high-frequency repeated updates without any topological changes, which
consume unnecessary resources of the route collectors for archiving and storage, and
complicate downstream analysis. Although the phenomenon of noisy BGP peers and
prefixes is known, current work has not quantified its scope and characteristics. This study
fills this gap and analyzes over 80 billion update messages from multiple RouteViews
collectors spanning several years. We identify and characterize high-frequency repeated
updates driven by a small fraction of sessions and prefixes. For instance, fewer than 2\% of
the prefixes accounted for over 90\% of update messages in some BGP update traces.