Measurement and Analysis for Protocols Research Group (maprg)
Agenda for IETF-98 (Chicago)

Tuesday, March 28, 2017, 9:00-11:30 (Morning Session I)
Room: Zurich D

Intro & Overview, Project "Advertisements" [slides]
Mirja Kuhlewind & Dave Plonka
5 min

Refreshing MLab: www.measurementlab.net [Abstract] [slides]
Matt Mathis
5 min

LE codepoint: preliminary results and ongoing work in the IETF [Abstract] [slides]
Gorry Fairhurst
10 min

TCP ECN: Experience with Enabling ECN on the Internet [Abstract] [slides]
Padma Bhooma
20 min

Measuring Trends in IPv6 Support [Abstract] [slides]
Tommy Pauly
10 min

You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet [Abstract] [slides]
Tobias Fiebig
15 min

No domain left behind: is Let's Encrypt democratizing encryption? [Abstract] [slides]
Giovane C. M. Moura
20 min

How Broadcast Data Reveals Your Identity and Social Graph [Abstract] [slides]
Rolf Winter
15 min

Weak Keys Remain Widespread in Network Devices [Abstract] [slides]
Marcella Hastings
20 min

Open Measurement of Internet Censorship [Abstract] [slides]
Will Scott
20 min

Abstracts

Refreshing MLab: www.measurementlab.net (Matt Mathis)

our planned M-Lab platform refresh

LE codepoint: preliminary results and ongoing work in the IETF (Gorry Fairhurst, Ana Custava)

This talk provides measurements results for a path-probing survey to explore the traversability and usefulness of using DSCP 0x02 for a new LE PHB.

Measuring Trends in IPv6 Support (Tommy Pauly)

A look at client-side data on IPv6 support over time, and how we can analyze trends in support and performance.

You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet (Tobias Fiebig)

Related paper, "Something From Nothing (There): Collecting Global IPv6 Datasets From DNS" (Fiebig et al.) to appear PAM 2017.
In this talk we will explore and present the global application of an NXDOMAIN based IPv6 scanning techniques that allows attackers to peek into IPv6 networks. Using NXDOMAIN for IPv6 zone enumeration is possible due to its initially implicit (RFC1034) and by now explicit (RFC8020) semantic of "there is nothing here or thereunder in the tree". We demonstrate how this technique can be used to obtain a large- scale view on the state of IPv6 in infrastructures and data centers. The focus will be specifically on how IPv6 is currently deployed in various networks and how these practices compare to IPv4. Furthermore, we will investigate the security implications of this technique, especially focusing on privacy issues.

No domain left behind: is Let's Encrypt democratizing encryption (Giovane C. M. Moura)

Related paper (arXiv.org): No domain left behind: is Let's Encrypt democratizing encryption? (Aertsen et al.)
The 2013 National Security Agency revelations of pervasive monitoring have lead to an "encryption rush" across the computer and Internet industry. To push back against massive surveillance and protect users privacy, vendors, hosting and cloud providers have widely deployed encryption on their hardware, communication links, and applications. As a consequence, the most of web traffic nowadays is encrypted. However, there is still a significant part of Internet traffic that is not encrypted. It has been argued that both costs and complexity associated with obtaining and deploying X.509 certificates are major barriers for widespread encryption, since these certificates are required to established encrypted connections. To address these issues, the Electronic Frontier Foundation, Mozilla Foundation, and the University of Michigan have set up Let's Encrypt (LE), a certificate authority that provides both free X.509 certificates and software that automates the deployment of these certificates. In this paper, we investigate if LE has been successful in democratizing encryption: we analyze certificate issuance in the first year of LE and show from various perspectives that LE adoption has an upward trend and it is in fact being successful in covering the lower-cost end of the hosting market.

TCP ECN: Experience with Enabling ECN on the Internet (Padma Bhooma)

TCP ECN performance data collected from millions of Apple devices in the field. We will discuss some fallback mechanisms and adoption of TCP ECN.

How Broadcast Data Reveals Your Identity and Social Graph (Rolf Winter)

Two related drafts: draft-ietf-intarea-hostname-practice and draft-ietf-intarea-broadcast-consider
Related paper (hs-augsburg.de): How Broadcast Data Reveals Your Identity and Social Graph (Faath et al., TRAC 2016)
Networks rely on broadcasts and multicasts for some of the most basic services such as auto-configuration. In the recent past, application layer protocols have increasingly made use of the broadcast mechanism. Examples of these applications include Dropbox, Spotify or BitTorrent Sync. Given that broadcasts can be seen by every device in a broadcast domain, information that can be gleaned from this traffic is trivially accessible by a passive observer. Therefore, an obvious question is: what does broadcast and multicast traffic reveal about a device, a user or a group in a network?

To answer this question, the broadcast traffic of two fairly large wireless networks was analyzed. One of these networks was the campus network of a university which was analyzed for a period of six months. Also, two SSIDs of the IETF meeting network in Yokohama in November 2015 were analyzed for a period of about 36 hours.

In addition to a general analysis of the composition of the daily broadcast traffic such as protocols observed, the number of devices, the peak times of user activity etc., a more in-depth analysis of a few protocols was carried out in order to identify users and their relation to each other. In other words, we used the available broadcast data to show that it is possible to generate a social graph of the network's users base, which e.g. helps to identify groups among students, their course of study, their online times and other personal information. We have verified the correctness of our inferred social graph by asking students to confirm our findings.

None of the observed broadcast protocols alone is to blame for the above and there is no easy technical solution to the problem while retaining the benefits of the broadcast protocols. However, there is a simple yet effective countermeasure against this kind of analysis which is non-technical and ”only” requires changing user behavior.

Weak Keys Remain Widespread in Network Devices (Marcella Hastings)

Related paper (upenn.edu): Weak Keys Remain Widespread in Network Devices (Hastings et al., IMC 2016)
In 2012, two academic groups reported having computed the RSA private keys for 0.5% of HTTPS hosts on the internet, and traced the underlying issue to widespread random number generation failures on networked devices. The vulnerability was reported to dozens of vendors, several of whom responded with security advisories, and the Linux kernel was patched to fix a boottime entropy hole that contributed to the failures.

In this paper, we measure the actions taken by vendors and end users over time in response to the original disclosure. We analyzed public internet-wide TLS scans performed between July 2010 and May 2016 and extracted 81 million distinct RSA keys. We then computed the pairwise common divisors for the entire set in order to factor over 313,000 keys vulnerable to the aw, and fingerprinted implementations to study patching behavior over time across vendors. We find that many vendors appear to have never produced a patch, and observed little to no patching behavior by end users of affected devices. The number of vulnerable hosts increased in the years after notification and public disclosure, and several newly vulnerable implementations have appeared since 2012. Vendor notification, positive vendor responses, and even vendor-produced public security advisories appear to have little correlation with end-user security.

Open Measurement of Internet Censorship (Will Scott)

Related project (torproject.org): OONI: Open Observatory of Network Interference
Over the last decade, significant effort has gone into documentation of network interference and censorship. Understanding empirical connectivity through this lens complements IETF efforts to understand protocol failures. While censorship efforts have primarily been concerned with application-layer behavior, these are regularly impacted from BGP and IP connectivity anomalies. Of particular relevance are the challenges of attributing censorship, the techniques employed and their limitations, the availability of data, and areas of potential support from the IETF and network operators.

This presentation will discuss the current efforts in the space, including the current state and direction of OONI - the open community based measurement system - and several complementary efforts from the academic sphere. OONI has recently launched a pair of mobile applications in the spirit of netalyzer, and over the last year has established partnerships with a diverse set of civil society groups to perform measurements. Academic techniques complement this documentation with remote 'out-of-band' measurements watching IP and DNS level connectivity from remote vantage points.