Category Archives: 2018

A First Look at Certification Authority Authorization (CAA)

Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, Dave Choffnes, Alan Mislove, Georg Carle

Abstract

Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA/B forum mandates that CAs validate CAA records as of September 8, 2017. The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates. We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.

Download the full article DOI:10.1145/3213232.3213235

Towards Slack-Aware Networking

Fahad R. Dogar

Abstract

We are moving towards an Internet where most of the packets may be consumed by machines — set-top-boxes or smart-phone apps prefetching content, Internet of Things (IoT) devices uploading their data to the cloud, or data centers doing geo-distributed replication. We observe that such machine centric communication can afford to have slack built into it: every packet can be marked as to when it will be consumed in future. Slack could be anywhere from seconds to hours or even days. In this paper, we make a case for slack-aware networking by illustrating slack opportunities that arise for a wide range of applications as they interact with the cloud and its pricing models (e.g., spot pricing). We also sketch the design of SlackStack, a network stack with explicit support for slack at multiple levels of the stack, from a slack-based interface to slack-aware optimizations at the transport and network layers.

Download the full article DOI:10.1145/3213232.3213236

VANETs’ research over the past decade: overview, credibility, and trends

Elmano Ramalho Cavalcanti, Jose Anderson Rodrigues de Souza, Marco Aurelio Spohn, Reinaldo Cezar de Morais Gomes, Anderson Fabiano Batista Ferreira da Costa

Abstract

Since its inception, Vehicular Ad hoc Networks (VANETs) have been attracting much attention from both academia and industry. As for other wireless networking areas, scientific advancements are mainly due to the employment of simulation tools and mathematical models. After surveying 283 papers published in the last decade on vehicular networking, we pinpoint the main studied topics as well the most employed tools, pointing out the changes in research subject preference over the years. As a key contribution, we also evaluate to what extent the research community has evolved concerning the principles of credibility in simulation-based studies, such as repeatability and replicability, comparing our results with previous studies.

Download the full article DOI:10.1145/3213232.3213237

Failures from the Environment, a Report on the First FAILSAFE workshop

Michael Breza, Ivana Tomic, Julie McCann

Abstract

This document presents the views expressed in the submissions and discussions at the FAILSAFE workshop about the common problems that plague embedded sensor system deployments in the wild. We present analysis gathered from the submissions and the panel session of the FAILSAFE 2017 workshop held at the SenSys 2017 conference. The FAILSAFE call for papers specifically asked for descriptions of wireless sensor network (WSN) deployments and their problems and failures. The submissions, the questions raised at the presentations, and the panel discussion give us a sufficient body of work to review, and draw conclusions regarding the effect that the environment has as the most common cause of embedded sensor system failures.

Download the full article DOI:10.1145/3213232.3213238

The Future of CISE Distributed Research Infrastructure

Ilya Baldin, Tilman Wolf, et al.

Abstract

The following paper represents an initial snapshot of the community vision for a possible future of CISE distributed research infrastructure aimed at enabling new types of research and discoveries. As such, it is only the first step in helping define this vision. It is expected that it will change over time as the research community contributes new ideas.

Download the full article DOI:10.1145/3213232.3213239

The January 2018 issue

Computer Communication Review (CCR) continues to promote reproducible re- search by encouraging the submission of papers providing artifacts (software, datasets, . . . ). The editorial board also evolves. Katherina Argyraki, Athina Markopoulos and Fabian Bustamante have stepped down after several years of service to our community. Thanks again for all your effort in handling papers submitted to CCR. I’m happy to announce that four new editors have agreed to serve the community : KC Claffy (CAIDA), Phillipa Gill (UMass), Anna Sperotto (University of Twente) and Hamed Haddadi (Imperial College).

The first three technical papers provide artefacts to enable other researchers to reproduce and expand their work. In Relaxing state-access constraints in stateful programmable data planes, C. Cascone and his colleagues propose a new model for pipelined stateful packet processing in hardware and evaluate this design with trace-driven simulations. They release their trace-driven simulator. In Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering, A. Reuter and his colleagues study interdomain routing security. After many discussions, the ISP community has agreed to deploy Route Origin Authorization (ROA) to improve the security of interdomain routing. As we are currently at the beginning of this deployment, little is known about how those ROAs are actually used by network operators. One question is whether network operators use ROAs to validate interdomain routes before accepting them. A. Reuter et al. first tried to reproduce a measurement methodology proposed in a recent paper that unfortunately did not release software or datasets. They explain why they could not succeed to repro- duce those results and propose a more accurate methodology that enables them to correctly identify which network operators validate ROAs. They release the source code for their methodology and have launched a companion website that tracks this deployment at https://rov.rpki.net.

In Open Connect Everywhere: A Glimpse at the Internet Ecosystem through the Lens of the Netflix CDN, T. Bottger and his colleagues analyse the role that Internet eXchange Points (IXPs) play in the deployment of a large content provider such as Netflix. K. Foerster et al. propose in Local Fast Failover Routing With Low Stretch new algorithms to reroute flows in case of failures. In Charting the Algorithmic Complexity of Waypoint Routing S. Amiri et al. provide an overview of algorithmic techniques to route flows through specific waypoints, e.g. to support Network Function Virtualisation. Finally, M. Arashloo et al. propose and evaluate A Scalable VPN Gateway for Multi-Tenant Cloud Services.

In addition to the technical papers, this issue also contains four editorial notes. The first editorial note, ex uno pluria: The Service-Infrastructure Cycle, Ossification, and the Fragmentation of the Internet, was initially written as a conference keynote by M. Ammar. In this note, he takes a step back and look at some examples of successful deployments of network services. He identifies the Service-Infrastructure Cycle as one of the reasons to explain the success of some network services. P. Sermpezis reports in A Survey among Network Operators on BGP Prefix Hijacking the results of a recent survey that will be of interest for researchers working on interdomain routing or security.

The last two editorial notes discuss the reproducibility of networking research. In Thoughts and Recommendations from the ACM SIGCOMM 2017 Reproducibility Workshop, D. Saucez and L. Iannone sum- marise the main conclusions of a workshop organised during SIGCOMM 2017. Finally, M. Flittner et al. analyse in A Survey on Artifacts from CoNEXT, ICN, IMC, and SIGCOMM Conferences in 2017 the artifacts re- leased by the authors of the papers published at CoNEXT, ICN, IMC and SIGCOMM last year. This survey shows that there is a growing interest in releasing artefacts within the broad SIGCOMM community.

I hope that you will enjoy reading this new issue and welcome comments and suggestions on CCR Online or by email at ccr-editor at sigcomm.org.

Olivier Bonaventure

CCR Editor

Relaxing state-access constraints in stateful programmable data planes

Carmelo Cascone, Roberto Bifulco, Salvatore Pontarelli, Antonio Capone

Abstract

Supporting programmable stateful packet forwarding functions in hardware requires a tight balance between functionality and performance. Current state-of-the-art solutions are based on a very conservative model that assumes worst-case workloads. This finally limits the programmability of the system, even if actual deployment conditions may be very different from the worst-case scenario.

We use trace-based simulations to highlight the benefits of accounting for specific workload characteristics. Furthermore, we show that relatively simple additions to a switching chip design can take advantage of such characteristics. In particular, we argue that introducing stalls in the switching chip pipeline enables stateful functions to be executed in a larger but bounded time without harming the overall forwarding performance. Our results show that, in some cases, the stateful processing of a packet could use 30x the time budget provided by state of the art solutions.

Download the full article DOI:10.1145/3211852.3211854

A longitudinal study of IP Anycast

Danilo Cicalese, Dario Rossi

Abstract

IP anycast is a commonly used technique to share the load of a variety of global services. For more than one year, leveraging a lightweight technique for IP anycast detection, enumeration and geolocation, we perform regular IP monthly censuses. This paper provides a brief longitudinal study of the anycast ecosystem, and we additionally make all our datasets (raw measurements from PlanetLab and RIPE Atlas), results (monthly geolocated anycast replicas for all IP/24) and code available to the community.

Download the full article DOI:10.1145/3211852.3211855

Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering

Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch

Abstract

A proposal to improve routing security—Route Origin Authorization (ROA)—has been standardized. A ROA specifies which network is allowed to announce a set of Internet destinations. While some networks now specify ROAs, little is known about whether other networks check routes they receive against these ROAs, a process known as Route Origin Validation (ROV). Which networks blindly accept invalid routes? Which reject them outright? Which de-preference them if alternatives exist?

Recent analysis attempts to use uncontrolled experiments to characterize ROV adoption by comparing valid routes and invalid routes. However, we argue that gaining a solid understanding of ROV adoption is impossible using currently available data sets and techniques. Instead, we devise a verifiable methodology of controlled experiments for measuring ROV. Our measurements suggest that, although some ISPs are not observed using invalid routes in uncontrolled experiments, they are actually using different routes for (non-security) traffic engineering purposes, without performing ROV. We conclude with presenting three AS that do implement ROV as confirmed by the operators.

Download the full article DOI:10.1145/3211852.3211856

Open Connect Everywhere: A Glimpse at the Internet Ecosystem through the Lens of the Netflix CDN

Timm Böttger, Felix Cuadrado, Gareth Tyson, Ignacio Castro, Steve Uhlig

Abstract

The importance of IXPs to interconnect different networks and exchange traffic locally has been well studied over the last few years. However, far less is known about the role IXPs play as a platform to enable large-scale content delivery and to reach a world-wide customer base. In this paper, we study the infrastructure deployment of a content hypergiant, Netflix, and show that the combined worldwide IXP substrate is the major corner stone of its Content Delivery Network. This highlights the additional role that IXPs play in the Internet ecosystem, not just in terms of interconnection, but also allowing players such as Netflix to deliver significant amounts of traffic.

Download the full article DOI:10.1145/3211852.3211857