Tag Archives: scientific

Tracking the deployment of TLS 1.3 on the Web: A story of experimentation and centralization

Ralph Holz, Jens Hiller, Johanna Amann, Abbas Razaghpanah, Thomas Jost, Narseo Vallina-Rodriguez, Oliver Hohlfeld

Abstract

Transport Layer Security (TLS) 1.3 is a redesign of the Web’s most important security protocol. It was standardized in August 2018 after a four-year-long, unprecedented design process involving many cryptographers and industry stakeholders. We use the rare opportunity to track deployment, uptake, and use of a new mission-critical security protocol from the early design phase until well over a year after standardization. For a profound view, we combine and analyze data from active domain scans, passive monitoring of large networks, and a crowd-sourcing effort on Android devices. In contrast to TLS 1.2, where adoption took more than five years and was prompted by severe attacks on previous versions, TLS 1.3 is deployed surprisingly speedily and without security concerns calling for it. Just 15 months after standardization, it is used in about 20% of connections we observe. Deployment on popular domains is at 30% and at about 10% across the com/net/org top-level domains (TLDs). We show that the development and fast deployment of TLS 1.3 is best understood as a story of experimentation and centralization. Very few giant, global actors drive the development. We show that Cloudflare alone brings deployment to sizable numbers and describe how actors like Facebook and Google use their control over both client and server endpoints to experiment with the protocol and ultimately deploy it at scale. This story cannot be captured by a single dataset alone, highlighting the need for multi-perspective studies on Internet evolution.
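A practical detail behind the passive-monitoring part of such a study: TLS 1.3 cannot be recognised from the version fields that worked for earlier versions. A TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its legacy_version field and in the record header; the negotiated version is only signalled in the supported_versions extension (type 43). The following Python is an added example, not code from the paper or from any of the measurement tools it uses: it builds constructed ServerHello messages (the byte layouts follow RFC 8446, the extension contents and cipher suites are arbitrary choices for the sample) and shows that a naive version check misclassifies every TLS 1.3 connection as TLS 1.2, while a parser that walks the extensions gets it right.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43     # RFC 8446, section 4.2.1
EXT_RENEGOTIATION_INFO = 0xFF01 # just a second extension so the walker has something to skip


def build_server_hello(tls13: bool) -> bytes:
    """Constructed sample ServerHello wrapped in a TLS record (not captured traffic)."""
    random = bytes(range(32))                      # placeholder server random
    session_id = b""
    cipher = b"\x13\x01" if tls13 else b"\xc0\x2f"  # TLS_AES_128_GCM_SHA256 / ECDHE-RSA-AES128-GCM
    body = struct.pack("!H", 0x0303) + random + bytes([len(session_id)]) + session_id + cipher + b"\x00"
    exts = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"
    if tls13:
        # The only place a TLS 1.3 ServerHello states its real version.
        exts += struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body          # msg_type 2 = ServerHello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake  # record type 22


def _server_hello_body(record: bytes) -> bytes:
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    return body[4:4 + hs_len]


def naive_version(record: bytes) -> str:
    """What a pre-1.3 classifier does: trust legacy_version. Wrong for TLS 1.3."""
    sh = _server_hello_body(record)
    return TLS_VERSIONS.get(struct.unpack("!H", sh[0:2])[0], "unknown")


def negotiated_version(record: bytes) -> str:
    """Negotiated version: supported_versions if present, else legacy_version."""
    sh = _server_hello_body(record)
    legacy_version = struct.unpack("!H", sh[0:2])[0]
    pos = 2 + 32                       # legacy_version + random
    sid_len = sh[pos]
    pos += 1 + sid_len                 # legacy_session_id_echo
    pos += 2 + 1                       # cipher_suite + legacy_compression_method
    if pos + 2 > len(sh):              # no extensions block at all (TLS <= 1.2 only)
        return TLS_VERSIONS.get(legacy_version, "unknown")
    ext_len = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        edata = sh[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            return TLS_VERSIONS.get(struct.unpack("!H", edata)[0], "unknown")
    return TLS_VERSIONS.get(legacy_version, "unknown")


if __name__ == "__main__":
    for flag in (True, False):
        rec = build_server_hello(flag)
        print(f"tls13={flag}: naive={naive_version(rec)} parsed={negotiated_version(rec)}")
```

A monitor that only reads the record or legacy_version field reports "TLS 1.2" for both samples; the extension walk is what separates the two. Real captures also need handling of HelloRetryRequest (same message type, a fixed random value) and of multiple handshake messages coalesced in one record, which this sample does not cover.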

Download the full article (from ACM)

Preprint

An Artifact Evaluation of NDP

Noa Zilberman

Abstract

Artifact badging aims to rank the quality of submitted research artifacts and promote reproducibility. However, artifact badging may not indicate inherent design and evaluation limitations.

This work explores current limits in artifact badging using a performance-based evaluation of the NDP artifact. We evaluate the NDP artifact beyond the Reusable badge’s level, investigating the effect of aspects such as packet size and random-number seed on throughput and flow completion time.

Our evaluation demonstrates that while the NDP artifact is reusable, it is not robust, and we identify architectural, implementation and evaluation limitations.

Download the full article

An Open Platform to Teach How the Internet Practically Works

Thomas Holterbach, Tobias Bü, Tino Rellstab, Laurent Vanbever

Abstract

Each year at ETH Zurich, around 100 students collectively build and operate their very own Internet infrastructure composed of hundreds of routers and dozens of Autonomous Systems (ASes). Their goal? Enabling Internet-wide connectivity. We find this class-wide project to be invaluable in teaching our students how the Internet infrastructure practically works. Among others, our students have a much deeper understanding of Internet operations alongside their pitfalls. Besides, students tend to love the project: clearly the fact that all of them need to cooperate for the entire Internet to work is empowering. In this paper, we describe the overall design of our teaching platform, how we use it, and interesting lessons we have learnt over the years. We also make our platform openly available.

Download the full article

Validating the Sharing Behavior and Latency Characteristics of the L4S Architecture

Dejene Boru Oljira, Karl-Johan Grinnemo, Anna Brunstrom, Javid Taheri

Abstract

The strict low-latency requirements of applications such as virtual reality, online gaming, etc., cannot be satisfied by the current Internet. This is due to the characteristics of classic TCP such as Reno and TCP Cubic which induce high queuing delays when used for capacity-seeking traffic, which in turn results in unpredictable latency. The Low Latency, Low Loss, Scalable throughput (L4S) architecture addresses this problem by combining scalable congestion controls such as DCTCP and TCP Prague with early congestion signalling from the network. It defines a Dual Queue Coupled (DQC) AQM that isolates low-latency traffic from the queuing delay of classic traffic while ensuring the safe co-existence of scalable and classic flows on the global Internet. In this paper, we benchmark the DualPI2 scheduler, a reference implementation of DQC AQM, to validate some of the experimental results reported in the previous works that demonstrate the co-existence of scalable and classic congestion controls and its low-latency service. Our results validate the co-existence of scalable and classic flows using DualPI2 Single queue (SingleQ) AQM, and queue latency isolation of scalable flows using DualPI2 Dual queue (DualQ) AQM. However, the rate or window fairness between DCTCP without fair-queuing (FQ) pacing and TCP Cubic using DualPI2 DualQ AQM deviates from the original results. We attribute the difference between our results and the original results to the sensitivity of the L4S architecture to traffic bursts and the burst sending pattern of the Linux kernel.

Download the full article

The web is still small after more than a decade

Nguyen Phong Hoang, Arian Akhavan Niaki, Michalis Polychronakis, Phillipa Gill

Abstract

Understanding web co-location is essential for various reasons. For instance, it can help one to assess the collateral damage that denial-of-service attacks or IP-based blocking can cause to the availability of co-located web sites. However, it has been more than a decade since the first study was conducted in 2007. The Internet infrastructure has changed drastically since then, necessitating a renewed study to comprehend the nature of web co-location.

In this paper, we conduct an empirical study to revisit web co-location using datasets collected from active DNS measurements. Our results show that the web is still small and centralized to a handful of hosting providers. More specifically, we find that more than 60% of web sites are co-located with at least ten other web sites—a group comprising less popular web sites. In contrast, 17.5% of mostly popular web sites are served from their own servers.

Although a high degree of web co-location could make co-hosted sites vulnerable to DoS attacks, our findings show that it is an increasing trend to co-host many web sites and serve them from well-provisioned content delivery networks (CDN) of major providers that provide advanced DoS protection benefits. Regardless of the high degree of web co-location, our analyses of popular block lists indicate that IP-based blocking does not cause severe collateral damage as previously thought.
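The two quantities the abstract reports, the co-location degree of a site and the collateral damage of IP-based blocking, both fall out of one inverted index over DNS A records. The following Python is an added example, not the paper's code or data: the DNS records are a constructed sample (RFC 5737 documentation addresses, made-up domain names) and the threshold of ten co-located sites follows the abstract. It computes, for each domain, how many other domains share at least one of its IPs, and then simulates an IP blocklist derived from a set of target domains, distinguishing sites that merely share a blocked address from sites whose every address is blocked.

```python
from collections import defaultdict

# Constructed sample of active DNS measurements (domain -> A records); not the paper's data.
DNS_RECORDS = {
    "alpha.example":   {"203.0.113.10"},
    "beta.example":    {"203.0.113.10"},
    "gamma.example":   {"203.0.113.10", "203.0.113.11"},   # two addresses, one shared
    "delta.example":   {"203.0.113.11"},
    "popular.example": {"198.51.100.1", "198.51.100.2"},   # served from its own servers
}
# Five small sites behind one shared, CDN-like address.
for i in range(5):
    DNS_RECORDS[f"cdn{i}.example"] = {"192.0.2.5"}


def ip_to_domains(records):
    """Inverted index: IP address -> set of domains resolving to it."""
    index = defaultdict(set)
    for domain, ips in records.items():
        for ip in ips:
            index[ip].add(domain)
    return index


def colocation_degree(records):
    """Number of *other* domains each domain shares at least one IP with."""
    index = ip_to_domains(records)
    degree = {}
    for domain, ips in records.items():
        neighbours = set().union(*(index[ip] for ip in ips)) - {domain}
        degree[domain] = len(neighbours)
    return degree


def share_colocated(records, threshold=10):
    """Fraction of domains co-located with at least `threshold` other domains."""
    degree = colocation_degree(records)
    return sum(1 for d in degree.values() if d >= threshold) / len(degree)


def blocking_impact(records, blocked_domains):
    """Simulate IP-based blocking: block every address of the target domains,
    then report which other domains share a blocked address (affected) and
    which lose all of their addresses (fully blocked)."""
    blocked_domains = set(blocked_domains)
    blocked_ips = set().union(*(records[d] for d in blocked_domains))
    affected, fully_blocked = set(), set()
    for domain, ips in records.items():
        if ips & blocked_ips:
            affected.add(domain)
            if ips <= blocked_ips:      # no unblocked address left
                fully_blocked.add(domain)
    return {
        "blocked_ips": blocked_ips,
        "collateral_affected": affected - blocked_domains,
        "collateral_fully_blocked": fully_blocked - blocked_domains,
    }


if __name__ == "__main__":
    for domain, d in sorted(colocation_degree(DNS_RECORDS).items()):
        print(f"{domain:18s} co-located with {d} other site(s)")
    print("share with >= 4 neighbours:", share_colocated(DNS_RECORDS, threshold=4))
    print(blocking_impact(DNS_RECORDS, {"beta.example"}))
```

Blocking only beta.example takes 203.0.113.10 with it: alpha.example becomes unreachable as well, while gamma.example keeps its second address and is only partially affected. Real measurements complicate this picture (CDN answers vary by resolver location, and a multi-homed site is only safe if clients retry another address), which is why the paper pairs the DNS data with actual block lists rather than assuming the worst case.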

Download the full article

Path persistence in the cloud: A study of the effects of inter-region traffic engineering in a large cloud provider’s network

Waleed Reda, Kirill Bogdanov, Alexandros Milolidakis, Hamid Ghasemirahni, Marco Chiesa, Gerald Q. Maguire, Dejan Kostić

Abstract

A commonly held belief is that traffic engineering and routing changes are infrequent. However, based on our measurements over a number of years of traffic between data centers in one of the largest cloud provider’s networks, we found that it is common for flows to change paths at ten-second intervals or even faster. These frequent path and, consequently, latency variations can negatively impact the performance of cloud applications, specifically, latency-sensitive and geo-distributed applications.

Our recent measurements and analysis focused on observing path changes and latency variations between different Amazon AWS regions. To this end, we devised a path change detector that we validated using both ad hoc experiments and feedback from cloud networking experts. The results provide three main insights: (1) Traffic Engineering (TE) frequently moves (TCP and UDP) flows among network paths of different latency, (2) Flows experience unfair performance, where a subset of flows between two machines can suffer large latency penalties (up to 32% at the 95th percentile) or excessive number of latency changes, and (3) Tenants may have incentives to selfishly move traffic to low latency classes (to boost the performance of their applications). We showcase this third insight with an example using rsync synchronization.

To the best of our knowledge, this is the first paper to reveal the high frequency of TE activity within a large cloud provider’s network. Based on these observations, we expect our paper to spur discussions and future research on how cloud providers and their tenants can ultimately reconcile their independent and possibly conflicting objectives. Our data is publicly available for reproducibility and further analysis at http://goo.gl/25BKte.

Download the full article

RIPE IPmap Active Geolocation: Mechanism and Performance Evaluation

Ben Du, Massimo Candela, Bradley Huffaker, Alex C. Snoeren, kc claffy

Abstract

RIPE IPmap is a multi-engine geolocation platform operated by the RIPE NCC. One of its engines, single-radius, uses active geolocation to infer the geographic coordinates of target IP addresses. In this paper, we first introduce the methodology of IPmap’s single-radius engine, then we evaluate its accuracy, coverage, and consistency, and compare its results with commercial geolocation databases. We found that 80.3% of single-radius results have city-level accuracy for our ground truth dataset, and 87.0% have city-level consistency when geolocating different interfaces on the same routers. Single radius provided geolocation inferences for 78.5% of 26,559 core infrastructure IP addresses from our coverage evaluation dataset. The main contributions of this paper are to introduce and evaluate the IPmap single-radius engine.

Download the full article

A survey on the current internet interconnection practices

Pedro Marcos, Marco Chiesa, Christoph Dietzel, Marco Canini, Marinho Barcellos

Abstract

The Internet topology has significantly changed in the past years. Today, it is richly connected and flattened. Such a change has been driven mostly by the fast growth of peering infrastructures and the expansion of Content Delivery Networks as alternatives to reduce interconnection costs and improve traffic delivery performance. While the topology evolution is perceptible, it is unclear whether or not the interconnection process has evolved or if it continues to be an ad-hoc and lengthy process. To shed light on the current practices of the Internet interconnection ecosystem and how these could impact the Internet, we surveyed more than 100 network operators and peering coordinators. We divide our results into two parts: (i) the current interconnection practices, including the steps of the process and the reasons to establish new interconnection agreements or to renegotiate existing ones, and the parameters discussed by network operators. In part (ii), we report the existing limitations and how the interconnection ecosystem can evolve in the future. We show that despite the changes in the topology, interconnecting continues to be a cumbersome process that usually takes days, weeks, or even months to complete, which is in stark contrast with the desire of most operators in reducing the interconnection setup time. We also identify that even being primary candidates to evolve the interconnection process, emerging on-demand connectivity companies are only fulfilling part of the existing gap between the current interconnection practices and the network operators’ desires.

Download the full article

Internet backbones in space

Giacomo Giuliari, Tobias Klenze, Markus Legner, David Basin, Adrian Perrig and Ankit Singla

Abstract

Several “NewSpace” companies have launched the first of thousands of planned satellites for providing global broadband Internet service. The resulting low-Earth-orbit (LEO) constellations will not only bridge the digital divide by providing service to remote areas, but they also promise much lower latency than terrestrial fiber for long-distance routes. We show that unlocking this potential is non-trivial: such constellations provide inherently variable connectivity, which today’s Internet is ill-suited to accommodate. We therefore study cost–performance tradeoffs in the design space for Internet routing that incorporates satellite connectivity, examining four solutions ranging from naïvely using BGP to an ideal, clean-slate design. We find that the optimal solution is provided by a path-aware networking architecture in which end-hosts obtain information and control over network paths. However, a pragmatic and more deployable approach inspired by the design of content distribution networks can also achieve stable and close-to-optimal performance.

Download the full article

Securing Linux with a Faster and Scalable IPtables

Sebastiano Miano, Matteo Bertrone, Fulvio Risso, Mauricio Vásquez Bernal, Yunsong Lu, Jianwen Pi

Abstract

The sheer increase in network speed and the massive deployment of containerized applications on Linux servers have led to the awareness that iptables, the current de-facto firewall in Linux, may not be able to cope with the current requirements, particularly in terms of scalability in the number of rules. This paper presents an eBPF-based firewall, bpf-iptables, which emulates the iptables filtering semantics while guaranteeing higher throughput. We compare our implementation against the current version of iptables and other Linux firewalls, showing how it achieves a notable boost in terms of performance, particularly when a high number of rules is involved. This result is achieved without requiring custom kernels or additional software frameworks (e.g., DPDK) that may not be allowed in some scenarios such as public data-centers.

Download the full article