Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, Dave Choffnes, Alan Mislove, Georg Carle
Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA/B forum mandates that CAs validate CAA records as of September 8, 2017. The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable customers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates. We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.
Download the full article DOI:10.1145/3213232.3213235
Fahad R. Dogar
We are moving towards an Internet where most of the packets may be consumed by machines — set-top-boxes or smart-phone apps prefetching content, Internet of Things (IoT) devices uploading their data to the cloud, or data centers doing geo-distributed replication. We observe that such machine centric communication can afford to have slack built into it: every packet can be marked as to when it will be consumed in future. Slack could be anywhere from seconds to hours or even days. In this paper, we make a case for slack-aware networking by illustrating slack opportunities that arise for a wide range of applications as they interact with the cloud and its pricing models (e.g., spot pricing). We also sketch the design of SlackStack, a network stack with explicit support for slack at multiple levels of the stack, from a slack-based interface to slack-aware optimizations at the transport and network layers.
Download the full article DOI:10.1145/3213232.3213236
Elmano Ramalho Cavalcanti, Jose Anderson Rodrigues de Souza, Marco Aurelio Spohn, Reinaldo Cezar de Morais Gomes, Anderson Fabiano Batista Ferreira da Costa
Since its inception, Vehicular Ad hoc Networks (VANETs) have been attracting much attention from both academia and industry. As for other wireless networking areas, scientific advancements are mainly due to the employment of simulation tools and mathematical models. After surveying 283 papers published in the last decade on vehicular networking, we pinpoint the main studied topics as well the most employed tools, pointing out the changes in research subject preference over the years. As a key contribution, we also evaluate to what extent the research community has evolved concerning the principles of credibility in simulation-based studies, such as repeatability and replicability, comparing our results with previous studies.
Download the full article DOI:10.1145/3213232.3213237
Michael Breza, Ivana Tomic, Julie McCann
This document presents the views expressed in the submissions and discussions at the FAILSAFE workshop about the common problems that plague embedded sensor system deployments in the wild. We present analysis gathered from the submissions and the panel session of the FAILSAFE 2017 workshop held at the SenSys 2017 conference. The FAILSAFE call for papers specifically asked for descriptions of wireless sensor network (WSN) deployments and their problems and failures. The submissions, the questions raised at the presentations, and the panel discussion give us a sufficient body of work to review, and draw conclusions regarding the effect that the environment has as the most common cause of embedded sensor system failures.
Download the full article DOI:10.1145/3213232.3213238
Danilo Cicalese, Dario Rossi
IP anycast is a commonly used technique to share the load of a variety of global services. For more than one year, leveraging a lightweight technique for IP anycast detection, enumeration and geolocation, we perform regular IP monthly censuses. This paper provides a brief longitudinal study of the anycast ecosystem, and we additionally make all our datasets (raw measurements from PlanetLab and RIPE Atlas), results (monthly geolocated anycast replicas for all IP/24) and code available to the community.
Download the full article DOI:10.1145/3211852.3211855
Andreas Reuter, Randy Bush, Italo Cunha, Ethan Katz-Bassett, Thomas C. Schmidt, Matthias Wählisch
A proposal to improve routing security—Route Origin Authorization (ROA)—has been standardized. A ROA specifies which network is allowed to announce a set of Internet destinations. While some networks now specify ROAs, little is known about whether other networks check routes they receive against these ROAs, a process known as Route Origin Validation (ROV). Which networks blindly accept invalid routes? Which reject them outright? Which de-preference them if alternatives exist?
Recent analysis attempts to use uncontrolled experiments to characterize ROV adoption by comparing valid routes and invalid routes. However, we argue that gaining a solid understanding of ROV adoption is impossible using currently available data sets and techniques. Instead, we devise a verifiable methodology of controlled experiments for measuring ROV. Our measurements suggest that, although some ISPs are not observed using invalid routes in uncontrolled experiments, they are actually using different routes for (non-security) traffic engineering purposes, without performing ROV. We conclude with presenting three AS that do implement ROV as confirmed by the operators.
Download the full article DOI:10.1145/3211852.3211856