09:30
Welcome and Opening Remarks
Phillipa Gill (UMass Amherst) and Jana Iyengar (Fastly)
09:45
QUIC
Existing performance comparisons of QUIC and TCP compared an optimized QUIC to an unoptimized TCP stack. By neglecting available TCP improvements inherently included in QUIC, such comparisons do not shed light on the performance of current web stacks. In this paper, we show that tuning TCP parameters is not negligible and directly yields significant improvements. Nevertheless, QUIC still outperforms even our tuned variant of TCP. This performance advantage is mostly caused by QUIC’s reduced-RTT design during connection establishment and, in the case of lossy networks, by its ability to circumvent head-of-line blocking.
A Performance Perspective on Web Optimized Protocol Stacks: TCP+TLS+HTTP/2 vs. QUIC.
Talk
Konrad Wolsing (RWTH Aachen University), Jan Rüth (RWTH Aachen University), Klaus Wehrle (RWTH Aachen University), and Oliver Hohlfeld (RWTH Aachen University).
Performance measurement in terms of packet loss, delay, and jitter is key in modern packet switched networks. These values give a clear indication of the quality of service (QoS) perceived by users, thus being helpful to service providers to properly support, in particular, real-time communications such as voice and video conferences. This paper addresses these issues in QUIC-based communications, introducing a novel performance measurement methodology and comparing it with existing proposals in this field.
The new solution for delay measurement uses only one more bit in addition to the Spin Bit, rather than the two additional bits required by the Valid Edge Counter (VEC) solution. Despite this, it is equally effective in overcoming the limitations of the Spin Bit solution and it performs similarly to the VEC solution.
These results are shown by means of an experimental validation and evaluation on a proper testing environment.
Performance Measurements of QUIC Communications.
Talk
Fabio Bulgarella (Politecnico di Torino), Mauro Cociglio (Telecom Italia), Giuseppe Fioccola (Huawei Technologies), Guido Marchetto (Politecnico di Torino), and Riccardo Sisto (Politecnico di Torino).
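The Spin Bit mechanism that the talk above builds on is not spelled out in the abstract. The following is an added Python illustration (not the authors' code, and not their one-extra-bit scheme): a discrete-event model of the spin bit as specified in RFC 9000 section 17.4, plus the computation an on-path observer performs to turn spin transitions into RTT samples. Delays, send intervals and the observer position are constructed parameters.

```python
import heapq


def simulate_spin_bit(owd_c2s_ms, owd_s2c_ms, send_interval_ms, duration_ms):
    """Discrete-event model of the QUIC spin bit (RFC 9000, section 17.4).

    Both endpoints send one packet every send_interval_ms. The client starts
    with spin 0 and sets its spin bit to the inverse of the last value it
    received; the server echoes the last value it received. Returns the
    packets an observer on the client's access link would see, in order,
    as (time_ms, direction, spin).
    """
    client_spin, server_spin = 0, 0
    observed = []
    events = []  # heap of (time, seq, kind, spin); seq keeps ordering stable
    seq = 0
    for t in range(0, duration_ms, send_interval_ms):
        heapq.heappush(events, (float(t), seq, "client_send", None))
        seq += 1
        heapq.heappush(events, (float(t), seq, "server_send", None))
        seq += 1
    while events:
        t, _, kind, spin = heapq.heappop(events)
        if kind == "client_send":
            observed.append((t, "c2s", client_spin))
            heapq.heappush(events, (t + owd_c2s_ms, seq, "arrive_server", client_spin))
        elif kind == "server_send":
            heapq.heappush(events, (t + owd_s2c_ms, seq, "arrive_client", server_spin))
        elif kind == "arrive_server":
            server_spin = spin                  # server reflects what the client sent
        else:  # arrive_client: the observer sits next to the client, so it sees
            observed.append((t, "s2c", spin))   # server packets as they arrive
            client_spin = 1 - spin              # client inverts what it received
        seq += 1
    return observed


def rtt_from_spin_edges(observed, direction="c2s"):
    """What a passive observer computes: the time between two consecutive
    spin transitions ("edges") in one direction is one end-to-end RTT,
    regardless of where on the path the observer sits."""
    last_spin, last_edge, estimates = None, None, []
    for t, d, spin in observed:
        if d != direction:
            continue
        if last_spin is not None and spin != last_spin:
            if last_edge is not None:
                estimates.append(t - last_edge)
            last_edge = t
        last_spin = spin
    return estimates


if __name__ == "__main__":
    packets = simulate_spin_bit(owd_c2s_ms=20, owd_s2c_ms=20, send_interval_ms=1, duration_ms=400)
    print(rtt_from_spin_edges(packets))   # 40 ms RTT plus sender quantisation
```

The estimates overshoot the true RTT by up to two send intervals because an endpoint can only reflect a new spin value in its next scheduled packet. The model does not include the cases the Spin Bit alone handles badly (application-limited senders, reordering, loss), which is what the Valid Edge Counter and the scheme in the talk above address.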
Nick Sullivan

10:30
Break

10:40
DNS and Security
Dragonblood: A Security Analysis of WPA3’s SAE Handshake
Invited talk
Mathy Vanhoef
(New York University Abu Dhabi)
and Eyal Ronen
(Tel Aviv University and KU Leuven)
DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. But users should also have the flexibility to use their preferred recursive servers, like public DNS servers. This kind of trust, however, can be broken by the hidden interception of the DNS resolution path (which we term DNSIntercept). Specifically, on-path devices could spoof the IP addresses of user-specified DNS servers and intercept the DNS queries surreptitiously, introducing privacy and security issues.
In this paper, we perform a large-scale analysis of on-path DNS interception and shed light on its scope and characteristics. We design novel approaches to detect DNS interception and leverage 148,478 residential and cellular IP addresses around the world for analysis. As a result, we find that 259 of the 3,047 ASes (8.5%) that we inspect exhibit DNS interception behavior, including large providers, such as China Mobile. Moreover, we find that the DNS servers of the ASes which intercept requests may use outdated vulnerable software (deprecated before 2009) and lack security-related functionality, such as handling DNSSEC requests. Our work highlights the issues around on-path DNS interception and provides new insights for addressing such issues.
Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path.
Talk
Baojun Liu (Tsinghua University), Chaoyi Lu (Tsinghua University), Haixin Duan (Institute for Network Science and Cyberspace, Tsinghua University; Beijing National Research Center for Information Science and Technology), Ying Liu (Tsinghua University), Zhou Li (UC Irvine), Shuang Hao (University of Texas at Dallas), and Min Yang (Fudan University).
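The abstract above does not describe its detection approach. As an added illustration (not the authors' measurement code), the following Python models the standard way to detect on-path interception: query a fresh, uncacheable name under a zone you control, through the resolver the user chose, and compare what the client gets back with what the zone's authoritative server logged. The zone name, the resolver egress prefixes and the three network behaviours are constructed; addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import secrets

ZONE = "probe.example"           # hypothetical zone whose authoritative server we run

# Egress prefixes the user-chosen resolver is known to query from (constructed).
RESOLVER_EGRESS = {"192.0.2.53": ["192.0.2.0/24"]}


class Authoritative:
    """Our authoritative server: logs the source of every query and echoes it."""

    def __init__(self):
        self.log = []                       # (qname, source_ip) pairs

    def answer(self, qname, source_ip):
        self.log.append((qname, source_ip))
        return {"qname": qname, "txt": f"seen-from={source_ip}"}


def fresh_probe_name():
    # A random label is never cached, so each probe forces a lookup that must
    # reach our authoritative server unless something on the path interferes.
    return f"{secrets.token_hex(8)}.{ZONE}"


def classify_probe(qname, chosen_resolver, response, auth_log):
    """Return 'direct', 'intercepted-forwarded', 'intercepted-forged' or 'no-answer'."""
    if response is None:
        return "no-answer"
    sources = [ipaddress.ip_address(src) for name, src in auth_log if name == qname]
    if not sources:
        # An answer came back although our authoritative never saw the query:
        # something on the path answered in the resolver's name.
        return "intercepted-forged"
    nets = [ipaddress.ip_network(p) for p in RESOLVER_EGRESS.get(chosen_resolver, [])]
    if all(any(src in net for net in nets) for src in sources):
        return "direct"
    # The query reached us, but from an address that is not the chosen
    # resolver's: an on-path device redirected it to another resolver.
    return "intercepted-forwarded"


# Three constructed network behaviours for the same client-side query.
def path_direct(auth, qname):
    return auth.answer(qname, "192.0.2.77")            # resolver's own egress


def path_forwarded(auth, qname):
    return auth.answer(qname, "198.51.100.7")          # interceptor's resolver


def path_forged(auth, qname):
    return {"qname": qname, "txt": "seen-from=none"}   # answered without asking us


def run_probe(auth, chosen_resolver, path):
    qname = fresh_probe_name()
    response = path(auth, qname)
    return classify_probe(qname, chosen_resolver, response, auth.log)


if __name__ == "__main__":
    auth = Authoritative()
    for path in (path_direct, path_forwarded, path_forged):
        print(path.__name__, "->", run_probe(auth, "192.0.2.53", path))
```

In a real deployment the egress prefix list is the weak point: public resolvers publish theirs, but a resolver that legitimately forwards to an upstream will look "intercepted-forwarded", so verdicts should be aggregated per AS and vantage point rather than trusted per query.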
Virtually every Internet communication typically involves a Domain Name System (DNS) lookup for the destination server that the client wants to communicate with. Operators of DNS recursive resolvers—the machines that receive a client’s query for a domain name and resolve it to a corresponding IP address—can learn significant information about client activity. Recognizing the privacy vulnerabilities associated with DNS queries, various third parties have created alternate DNS services that obscure a user’s DNS queries from his or her Internet service provider. Yet, these systems merely transfer trust to a different third party. We argue that no single party ought to be able to associate DNS queries with a client IP address that issues those queries. To this end, we present Oblivious DNS (ODNS), which introduces an additional layer of obfuscation between clients and their queries. To do so, ODNS uses its own authoritative namespace; the authoritative servers for the ODNS namespace act as recursive resolvers for the DNS queries that they receive, but they never see the IP addresses for the clients that initiated these queries. Our experiments using a prototype show that ODNS introduces minimal performance overhead, both for individual queries and for web page loads. Critically, we design ODNS to be compatible with existing DNS infrastructure.
Oblivious DNS: Practical Privacy for DNS Queries.
Talk
Paul Schmitt (Princeton University), Anne Edmundson (Princeton University), Allison Mankin (Salesforce), and Nick Feamster (Princeton University).
We measure the effect of DoH and DoT on name resolution performance and content delivery. We find that although DoH and DoT response times can be higher than for conventional DNS (Do53), DoT performs better than DoH and Do53 in terms of page load times. However, when network conditions degrade, webpages load quickest with Do53, and up to one second faster compared to DoH. Furthermore, in a substantial number of cases, a webpage may not load at all with DoH, while it loads successfully with DoT and Do53. Our in-depth analysis reveals various opportunities to readily improve DNS performance, for example through opportunistic partial responses and wire format caching.
Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web.
Talk
Austin Hounsel (Princeton University), Kevin Borgolte (Princeton University), Paul Schmitt (Princeton University), Jordan Holland (Princeton University), and Nick Feamster (Princeton University).
Christopher Wood

12:00
Lunch

13:15
Time, Fairness, and Neighbors
This paper proposes and evaluates a new approach, based on Software Defined Networking (SDN), to secure the IPv6 Neighbor Discovery Protocol (NDP) message exchange and make Stateless Address Autoconfiguration safer. We created an SDN application on the Ryu SDN framework which functions as an intelligent NDP proxy. The SDN application inspects all NDP messages in the data path of the access switch. Once the application has accumulated data about the respective network segment, it performs sanity checking and filtering. We used several relevant attacks from the THC IPv6 toolkit to assess resilience against attacks on the Neighbor Discovery Protocol. Load tests showed that the overhead for the NDP packet inspection is not negligible, but once the relevant flow rules have been installed, subsequent packets are forwarded on the fast path of the switch and network performance is only minimally affected.
Securing IPv6 Neighbor Discovery and SLAAC in Access Networks through SDN.
Talk
Daniel Nelle (Universität Potsdam, Germany) and Thomas Scheffler (Hochschule für Technik und Wirtschaft Berlin, Germany).
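The "sanity checking and filtering" step of the abstract above, as an added Python illustration (not the authors' Ryu application): the proxy learns which MAC first advertised each IPv6 address and which MACs may act as routers, then drops Neighbor Advertisements and Router Advertisements that contradict that state, which is how spoofing tools such as parasite6 and fake_router6 are caught. The message builders construct ICMPv6 bodies only, with the checksum left at zero because no IPv6 pseudo-header is modelled; MACs and addresses are constructed.

```python
import ipaddress
import struct

ICMPV6_RA, ICMPV6_NA = 134, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2
NA_OVERRIDE = 0x20000000                 # O flag in the NA flags word


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(data):
    return ":".join(f"{b:02x}" for b in data[:6])


def build_na(target, target_mac, flags=NA_OVERRIDE):
    """Constructed Neighbor Advertisement (ICMPv6 body only, checksum 0)."""
    opt = struct.pack("!BB6s", OPT_TGT_LLADDR, 1, mac_bytes(target_mac))
    return struct.pack("!BBHI16s", ICMPV6_NA, 0, 0, flags,
                       ipaddress.IPv6Address(target).packed) + opt


def build_ra(src_mac, router_lifetime=1800):
    """Constructed Router Advertisement with a source link-layer address option."""
    opt = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, mac_bytes(src_mac))
    return struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0) + opt


def parse_options(data):
    opts = {}
    while len(data) >= 2:
        otype, olen = data[0], data[1] * 8     # option length is in units of 8 octets
        if olen == 0 or olen > len(data):
            raise ValueError("malformed NDP option")
        opts[otype] = data[2:olen]
        data = data[olen:]
    return opts


def parse_ndp(msg):
    if msg[0] == ICMPV6_NA and len(msg) >= 24:
        flags, target = struct.unpack("!I16s", msg[4:24])
        return {"type": "NA", "target": str(ipaddress.IPv6Address(target)),
                "override": bool(flags & NA_OVERRIDE), "options": parse_options(msg[24:])}
    if msg[0] == ICMPV6_RA and len(msg) >= 16:
        return {"type": "RA", "router_lifetime": struct.unpack("!H", msg[6:8])[0],
                "options": parse_options(msg[16:])}
    return {"type": "other"}


class NdpProxy:
    """Learning NDP filter: remembers which MAC first advertised each address
    and which MACs are allowed to act as routers, then drops contradictions."""

    def __init__(self, authorized_routers):
        self.authorized_routers = {m.lower() for m in authorized_routers}
        self.bindings = {}                   # IPv6 address -> MAC

    def inspect(self, frame_src_mac, ip_src, msg):
        """Return ('forward', reason) or ('drop', reason) for one NDP message."""
        frame_src_mac = frame_src_mac.lower()
        ndp = parse_ndp(msg)
        if ndp["type"] == "RA":
            if not ipaddress.IPv6Address(ip_src).is_link_local:
                return "drop", "RA source must be link-local (RFC 4861)"
            if frame_src_mac not in self.authorized_routers:
                return "drop", "rogue RA from unauthorized MAC"
            lladdr = ndp["options"].get(OPT_SRC_LLADDR)
            if lladdr and mac_str(lladdr) != frame_src_mac:
                return "drop", "source link-layer option disagrees with frame"
            return "forward", "RA from authorized router"
        if ndp["type"] == "NA":
            lladdr = ndp["options"].get(OPT_TGT_LLADDR)
            claimed = mac_str(lladdr) if lladdr else frame_src_mac
            if claimed != frame_src_mac:
                return "drop", "target link-layer option disagrees with frame"
            bound = self.bindings.get(ndp["target"])
            if bound is None:
                self.bindings[ndp["target"]] = claimed
                return "forward", "learned binding"
            if bound != claimed:
                return "drop", f"NA spoofs {ndp['target']} (bound to {bound})"
            return "forward", "consistent with learned binding"
        return "forward", "not inspected"
```

First-advertiser-wins learning is itself a race: an attacker who advertises before the legitimate host does poisons the table, so a production proxy also needs binding expiry, Duplicate Address Detection tracking, and a way to seed bindings from DHCPv6 or an inventory rather than from the wire alone.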
Extending fairness to multiple timescales creates the right incentives for users and provides better QoE for short sessions, e.g. for web page download. In this paper, we show how to define and implement multi-timescale fairness among flows independently of actual traffic mixes and resource capacities. The proposed method is built on top of the Multi-Timescale Bandwidth Profile concept and the core-stateless resource sharing framework called Per Packet Value (PPV), and requires two novel ideas: 1) replacing the traditional weighted-fairness definition of PPV by extending Throughput-Value Functions to multiple timescales (MTS-TVF); 2) providing an efficient packet marking algorithm using MTS-TVFs to assign values to packets. After marking the packets, the routers in the network core can work with any prior schedulers of PPV. Finally, our early results towards multi-timescale fairness are demonstrated by simulations.
Towards Core-Stateless Fairness on Multiple Timescales.
Talk
Szilveszter Nadas (Ericsson Research, Budapest, Hungary), Gergo Gombos (Eötvös Loránd University, Budapest, Hungary), Ferenc Fejes (Eötvös Loránd University, Budapest, Hungary), and Sandor Laki (Eötvös Loránd University, Budapest, Hungary).
In this paper, we report on our investigation of how current local time is reported accurately by devices connected to the internet. We describe the basic mechanisms for time management and focus on a critical but unstudied aspect of managing time on connected devices: the time zone database (TZDB). Our longitudinal analysis of the TZDB highlights how internet time has been managed by a loose confederation of contributors over the past 25 years. We drill down on details of the update process, update types and frequency, and anomalies related to TZDB updates. We find that 76% of TZDB updates include changes to the Daylight Saving Time (DST) rules, indicating that DST has a significant influence on internet-based time keeping. We also find that about 20% of updates were published within 15 days or less from the date of effect, indicating the potential for instability in the system. We also consider the security aspects of time management and identify potential vulnerabilities. We conclude with a set of proposals for enhancing TZDB management and reducing vulnerabilities in the system.
What time is it? Managing Time in the Internet.
Talk
Sathiya Kumaran Mani (University of Wisconsin - Madison), Paul Barford (University of Wisconsin - Madison), Ramakrishnan Durairajan (University of Oregon), and Joel Sommers (Colgate University).
Phillipa Gill

14:15
Break

14:30
Network Functions and Middleboxes
Limitless HTTP in an HTTPS World: Inferring the Semantics of the HTTPS Protocol without Decryption
Invited talk
Blake Anderson (Cisco), Andrew Chi (University of North Carolina), Scott Dunlop (Cisco), and David McGrew (Cisco)
Nowadays, Internet actors have to deal with a strong increase in Internet traffic at many levels. One of their main challenges is building high-speed and efficient networking solutions. In such a context, kernel-bypass I/O frameworks have become their preferred answer to the increasing bandwidth demands. Much work has been done so far, all of it claiming to reach line rate for traffic forwarding. However, this claim does not hold for more complex packet processing. In addition, all those solutions share common drawbacks in either deployment flexibility or configurability and user-friendliness.

This is exactly what we tackle in this paper by introducing mmb, a VPP middlebox plugin. mmb makes it possible, through an intuitive command-line interface, to easily build stateless and stateful classification and rewriting middleboxes. mmb makes careful use of instruction caching and memory prefetching, in addition to other techniques used by other high-performance I/O frameworks. We compare mmb's performance with other performance-enhancing middlebox solutions, such as kernel-bypass frameworks, kernel-level optimized approaches and other state-of-the-art solutions for enforcing middlebox policies (firewall, NAT, transport-level engineering). We demonstrate that mmb generally performs better than existing solutions, sustaining line-rate processing while enforcing large numbers of complex policies.
mmb: Flexible High-Speed Userspace Middleboxes.
Talk
Korian Edeline (Université de Liège), Justin Iurman (Université de Liège), Cyril Soldani (Université de Liège), and Benoit Donnet (Université de Liège).
When programming network functions, changes within a packet tend to have consequences—side effects which must be accounted for by network programmers or administrators via arbitrary logic and an innate understanding of dependencies. Examples of this include updating checksums when a packet’s contents have been modified or adjusting the payload length field of an IPv6 header if another header is added or updated within a packet. While static typing captures interface specifications and how packet contents should behave, it does not enforce precise invariants around runtime dependencies like the examples above. Instead, during the design phase of network functions, programmers should be given an easier way to specify checks up front, all without having to account for and keep track of these *consequences* at each and every step during the development cycle. In keeping with this view, we present a unique approach for adding and generating both static checks and dynamic contracts for specifying and checking packet processing operations. We develop our technique within an existing framework called NetBricks and demonstrate how our approach simplifies and checks common dependent packet and header processing logic that other systems take for granted, all without adding much overhead during development.
Checking-in on Network Functions.
Talk
Zeeshan Lakhani (Carnegie Mellon University) and Heather Miller (Carnegie Mellon University).
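The checksum and length dependencies the abstract above uses as its examples, worked through as an added Python illustration (not the authors' NetBricks extension, which is in Rust): an IPv6/UDP packet stores its dependent header fields explicitly, a declaration on each operation names the consequences it expects to invalidate, and a dynamic contract after the operation catches any consequence the declaration missed. The NAT-style address rewrite shows the non-obvious case: only the destination changes, yet the UDP checksum depends on it through the pseudo-header. Addresses and payload are constructed.

```python
import copy
import ipaddress
import struct
from dataclasses import dataclass

UDP = 17


@dataclass
class Packet:
    """IPv6/UDP packet whose dependent fields are stored explicitly, so an edit
    can leave them stale exactly as it can in a real packet buffer."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    ipv6_payload_len: int = 0
    udp_len: int = 0
    udp_csum: int = 0

    def udp_segment(self, csum):
        return struct.pack("!HHHH", self.sport, self.dport, self.udp_len, csum) + self.payload

    def to_bytes(self):
        hdr = struct.pack("!IHBB16s16s", 0x60000000, self.ipv6_payload_len, UDP, 64,
                          ipaddress.IPv6Address(self.src).packed,
                          ipaddress.IPv6Address(self.dst).packed)
        return hdr + self.udp_segment(self.udp_csum)


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(pkt):
    """RFC 8200 section 8.1 pseudo-header plus the UDP segment with checksum 0."""
    pseudo = (ipaddress.IPv6Address(pkt.src).packed + ipaddress.IPv6Address(pkt.dst).packed
              + struct.pack("!IxxxB", pkt.udp_len, UDP))
    csum = 0xFFFF & ~ones_complement_sum(pseudo + pkt.udp_segment(0))
    return csum or 0xFFFF                  # UDP transmits 0xFFFF for a computed zero


def violated_invariants(pkt):
    """Dynamic contract: every dependent field must agree with the packet contents."""
    bad = []
    expected_len = 8 + len(pkt.payload)
    if pkt.udp_len != expected_len:
        bad.append("udp_len")
    if pkt.ipv6_payload_len != expected_len:   # no extension headers in this model
        bad.append("ipv6_payload_len")
    if pkt.udp_csum != udp_checksum(pkt):
        bad.append("udp_csum")
    return bad


# Recompute rules, in dependency order: lengths first, checksum last.
RECOMPUTE = {
    "udp_len": lambda p: setattr(p, "udp_len", 8 + len(p.payload)),
    "ipv6_payload_len": lambda p: setattr(p, "ipv6_payload_len", 8 + len(p.payload)),
    "udp_csum": lambda p: setattr(p, "udp_csum", udp_checksum(p)),
}


class ContractViolation(Exception):
    pass


def consequences(*fields):
    """Declare which dependent fields an operation invalidates. The wrapper
    recomputes exactly those, then runs the contract, so an incomplete
    declaration fails at the call site instead of on the wire."""
    def decorate(op):
        def wrapped(pkt, *args):
            out = op(copy.copy(pkt), *args)
            for name, recompute in RECOMPUTE.items():
                if name in fields:
                    recompute(out)
            bad = violated_invariants(out)
            if bad:
                raise ContractViolation(f"{op.__name__} declared {fields} but left {bad} stale")
            return out
        return wrapped
    return decorate


def naive_rewrite_dst(pkt, new_dst):
    out = copy.copy(pkt)                   # what unchecked code does: edit and forget
    out.dst = new_dst
    return out


@consequences("udp_csum")
def rewrite_dst(pkt, new_dst):
    pkt.dst = new_dst                      # checksum changes via the pseudo-header
    return pkt


@consequences("udp_len")
def append_payload_incomplete(pkt, extra):
    pkt.payload += extra                   # forgets ipv6_payload_len and udp_csum
    return pkt


@consequences("udp_len", "ipv6_payload_len", "udp_csum")
def append_payload(pkt, extra):
    pkt.payload += extra
    return pkt


def example_packet():
    pkt = Packet("2001:db8::1", "2001:db8::2", 5353, 53, b"constructed payload")
    for recompute in RECOMPUTE.values():
        recompute(pkt)
    return pkt
```

The declaration plays the role of the static check in the abstract (it is visible at the definition, not buried in the body) and `violated_invariants` is the dynamic contract; in a real framework the recompute rules would be derived from the header definitions rather than hand-written.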
Dave Oran

15:30
Break

15:50
Measurement and Optimisation
The internet was not designed with security in mind. A lot of recent protocols like Encrypted DNS, HTTPS, etc. target encrypting critical parts of the web architecture which can otherwise be exploited by eavesdroppers to infer users’ data. But encryption may not necessarily guarantee anonymity and privacy. While both DNS queries and the TLS SNI extension can now be protected from on-path attackers using Encrypted DNS and extensions like Encrypted Server Name Indication, it might still be possible to determine which websites users are visiting by simply looking at the destination IP addresses of the traffic originating from users’ devices. We perform a measurement study to determine the anonymity provided by IP sets associated with the multiple sub-queries that are made as a consequence of accessing a particular web page. We also analyze the implications for privacy in the event that CDNs are associated with certain domains and when IP addresses can be directly mapped to certain web sites by performing reverse DNS lookups.
What Can You Learn from an IP?
Talk
Simran Patil (University of Illinois at Urbana-Champaign) and Nikita Borisov (University of Illinois at Urbana-Champaign).
Container systems (e.g., Docker) provide a well-defined, lightweight, and versatile foundation to streamline the process of tool deployment, to provide a consistent and repeatable experimental interface, and to leverage data centers in the global cloud infrastructure as measurement vantage points. However, the virtual network devices commonly used to connect containers to the Internet are known to impose latency overheads which distort the values reported by measurement tools running inside containers. In this study, we develop a tool called MACE to measure and remove the latency overhead of virtual network devices as used by Docker containers. A key insight of MACE is the fact that container functions all execute in the same kernel. Based on this insight, MACE is implemented as a Linux kernel module using the trace event subsystem to measure latency along the network stack code path. Using CloudLab, we evaluate MACE by comparing the ping measurements emitted from a slim-ping container to the ones emitted using the same tool running on the bare-metal machine under varying traffic loads. Our evaluation shows that the MACE-adjusted RTT measurements are within 20 µs of the bare-metal ping RTTs on average while incurring less than 25 µs RTT perturbation. We also compare the RTT perturbation incurred by MACE with that incurred by the built-in ftrace kernel tracing system and find that MACE incurs less perturbation.
Can We Containerize Internet Measurements?
Talk
Chris Misa (University of Oregon), Sudarsun Kannan (Rutgers University), and Ramakrishnan Durairajan (University of Oregon).
Many multi-domain use cases can benefit substantially from network information exposure, but also introduce new, key requirements that existing exposure solutions, such as the Application-Layer Traffic Optimization (ALTO) protocol, do not satisfy. In this talk, we review several important multi-domain use cases, discuss the key network information exposure requirements to support these use cases, and present a unified exposure architecture as well as novel mechanisms and abstractions to substantially improve the ALTO framework in the multi-domain setting.
Supporting Multi-domain Use Cases with ALTO.
Talk
Danny Alex Lachos Perez (University of Campinas (UNICAMP)), Christian Esteve Rothenberg (University of Campinas (UNICAMP)), Qiao Xiang (Yale University), Y. Richard Yang (Yale University), Börje Ohlman (Ericsson), Sabine Randriamasy (Nokia Bell Labs), Farni Boten (Sprint), and Luis M. Contreras (Telefonica).
Allison Mankin

16:50
Wrap-up