From YouTube: IETF95-IRTFOPEN-20160405-1000
Description
IRTFOPEN meeting session at IETF95
2016/04/05 1000
A
The Applied Networking Research Prize is something that we award on an annual basis. We have up to two prize winners at each IETF meeting, and today's prize winners are Roya Ensafi and Zakir Durumeric. Roya is going to go first, and she's going to give us a talk about her work on understanding how the Chinese Great Firewall discovers hidden circumvention servers. So Roya, if you could come up, we'll get you plugged in, and perhaps while Roya is doing that we could give her a round of applause for her award.
C
Hi everyone, my name is Roya Ensafi and I'm currently a postdoc at Princeton University working with Nick Feamster, Nick Weaver and Vern Paxson. This is a joint work I did with two amazing Tor developers, David Fifield and Philipp Winter. I hope I do them justice by presenting this work.
C
For many of us, accessing different web servers is just typing it in a web browser and then pressing enter, but that's not the same for many citizens around the world, especially if their governments practice internet censorship. Especially over the past few years, middlebox technologies are becoming much cheaper and more affordable, and therefore many more governments have started blocking information. On the other hand, citizens of these countries have developed skills to be able to circumvent censorship, and one common way for them to do so is by using proxy servers.
C
To study this problem more systematically and with greater detail, we decided to focus on the Chinese censorship apparatus, not only because China has a sophisticated censorship system, but also because other oppressive regimes look up to them. It wasn't long ago when China announced that they were helping another country with their national firewall. So I strongly believe that the more we know about how the Great Firewall is implemented and architected, the better.
C
We focus on Tor and the relationship between the Great Firewall and Tor, because it has been a decade of arms race between the Great Firewall and Tor, and therefore it makes it an interesting and complicated problem to study. Let me go over the arms race and its different steps, and I'll cover some background knowledge that is necessary for you to understand my work. It was more than 10 years ago when Tor became popular in China and thousands of their citizens started to use Tor to circumvent internet censorship.
C
Therefore the Great Firewall went after them. At the time, Tor only published the list of relay IPs online, and it was easy for the Great Firewall to download this list of IPs, which was around six thousand of them, and block them all. They were successful for a while at blocking Tor, but soon after, Tor developers came up with the idea of Tor BridgeDB. This is a list of IPs of relays that are private.
C
They are not announced publicly, and therefore it's not easy for any government to actually download them and block them. And I bet you the Great Firewall tried manually to download and block bridges, Tor hidden relays or bridges, but soon after they realized they don't need to. Actually, they don't need to go find IPs for the proxies and block them that way; they just need to monitor their citizens' traffic by deploying deep packet inspection on Tor traffic, and when they observe such traffic...
C
They block it that way, or they discover the IPs of the proxies that way. Well, as it turns out, it's not that hard to fingerprint Tor traffic, the TLS handshake of Tor. First of all, the TLS handshake is unencrypted, and second of all, the Tor TLS handshake has some peculiarities in it which make it simpler to fingerprint. Specifically, the Great Firewall looks at the cipher list, and the cipher list is specific; it's very easy to see by looking at the ciphers.
C
That went well until Tor developers came up with the idea of Tor pluggable transports, and the goal was to wrap Tor traffic in another protocol that makes it harder for any deep packet inspection to see inside that protocol what it was, the Tor handshake. We have different pluggable transports; currently they have a fifth version of it, but it started with obfs2, and the goal was to make the Tor traffic look uniformly random. The problem with the first version was that by looking at the first bytes...
C
You could decrypt the rest, and therefore you could easily and reliably detect Tor traffic that way, so they upgraded it to obfs3, which does a good job in hiding Tor traffic. Look, for the firewall to be able to detect Tor traffic, they have to make a bet, so there is a high chance that they end up with false positives, and...
C
As you know, for any national firewall, false positives are scary, because they cause collateral damage, especially in China, because there are millions of users at a time using the internet. So even for a short time, if it causes disruption, it will be detected by the public and it will cause anger.
C
Specifically, they look at the Tor TLS handshake; for Tor they look at the TLS client hello. If they find something similar to what they want to block, then they initiate or fire a short-lived active probe by speaking the protocol to the server at this destination IP, and if they succeed at talking to that server, if the handshake happened, then they know for sure that this is a Tor bridge or relay, and therefore they block it.
C
So, as of now, the answer looks like that: DPI plus active probing. This is amazing. It means that they actively go after the proxy servers. And then when I started on this problem I noticed that we don't have any comprehensive picture of how this active probing is happening and how it's implemented. Is it only for Tor? Because there were only two blog posts and Philipp Winter's work that shed light on this phenomenon, so we started to run our own comprehensive measurements.
C
First, we did something that makes sense: basically, to answer this type of question we needed to be what a client in China does and experiences, and capture that, so we started renting VPS machines inside two ISPs in China. My previous work suggests that China Unicom, which is the most commonly used ISP in China, is being treated differently from CERNET, which is the Chinese education and research network.
C
So we gathered VPSes in both of these ISPs, and we established four private Tor bridges, each of them hosting different obfuscations, and we continuously and repeatedly connected from our clients to this list of bridges. We call this data set the shadow data set, because we put a huge effort into making sure that no one else knew about the IPs of our bridges. Basically, we made sure that none of these bridges talked to the Tor authorities or to the next relay that they would have to connect to.
C
We ran this measurement for three months and we learned a lot, but that wasn't enough, so we started another experiment which, honestly, is really interesting, because our previous work showed that Tor is being blocked by IP and port. It means that the OR port is blocked, but not the rest of the ports. So what we did is we redirected 600 ports to the OR port, and then from our client in China we established a connection to all of them, one by one. In the eyes of the Great Firewall, it looked like...
C
We suddenly connected to 600 Tor relays. This experiment lasted for two hours and we captured 22 hours of pcap, and we learned a lot about active probing just by this experiment. We also were fortunate that one of our colleagues had five years of server logs, and the web server hosted a Tor bridge at the same time. So that is a very limited log we had, but it still taught us a lot about when...
C
Active probing started, and whether the Great Firewall actively probed other protocols or not. So we had pcaps like this, lots and lots of pcap, lots of experiments. The first question we asked: how can we make sure that these are active probes coming from China? How do we distinguish that? Well, for the Sybil data set, the one where we sent to different ports...
C
It was easy, because all the probes showed up after we established a connection from our client to the bridge, so that was easy, and we used MaxMind DB, the paid version obviously, and we found that all of them, all the IPs that showed up, are in China. So we knew that there are active probers. For the other data set we adapted the algorithm: basically, we started looking at the cipher suite in the client hello, and if it was Tor-related, then we knew it is a vanilla Tor probe.
C
We saw more than a thousand unique IP addresses. Interestingly, ninety-five percent of the IPs appeared only once, and the IP that was shared among all of our data sets was the Great Firewall's famous IP. So fifty percent of the traffic we got was from that IP, and previous work of ours and other people suggests that that is one of the Great Firewall's scanning machines, which recently went down after our publication, and before that it had an open SSH port.
C
So, where are these sixteen thousand IPs, or what is special about them? First, we did a reverse DNS lookup and saw names such as ADSL, so it suggests that they are coming from ISPs, and they're coming from [inaudible], a famous autonomous system of the Great Firewall of China. Sorry, we did traceroute, we did port scans and all of them, but we didn't learn anything special about the IPs. Actually, traceroutes ended up getting dropped at a hop in the country; this is where the Great Firewall is actually located.
C
So I started the talk by saying that the Great Firewall started fingerprinting Tor traffic. We were interested to know whether we can fingerprint active probers, and for that we started looking at all the OSI model layers. So we started by looking at each layer and what is common about it, up to the TCP layer, what is common about all these active probers that showed up. We saw a lot of striking patterns, but specifically and interestingly for the timestamp value in the TCP layer.
C
We found out that there is obviously a linear pattern, especially in the Sybil experiment. As you know, timestamps roughly show system uptime, and for packets that originated from a hundred, sorry, thousand probers, we shouldn't have seen such a striking pattern. So what this suggests by itself is that the Great Firewall operates a handful of physical machines that do the active probing.
C
Well, let's focus a little bit on usability and effectiveness, and assume your friend in China asked you to set up a private bridge for him, and you did, and he starts to establish a Tor connection using your bridge. How long do you think it takes for the Great Firewall to actively probe and come after you? Well, our measurement showed that they come after you in real time, actually. For the Sybil experiment...
C
I go back to that two-hour experiment, but specifically we saw that for more than fifty-six percent of the probes, they came immediately, the purple ones, immediately, and for the rest the median was 500 milliseconds. Whereas three years ago we did the same type of experiment and we figured that it's happening every 15 minutes, but they upgraded the system in the past two years and right now it's happening in real time.
C
How successful is active probing? I mean, we ran three months of measurements from our clients in China to our Tor bridges. What does the reachability look like? First, for vanilla Tor, which is very easy to fingerprint, other than that it's almost always blocked, but we found something more interesting, and that is those dots that you see: basically, roughly every 25 hours our clients in China could establish a Tor handshake to our bridges. That's very weird, and we speculate...
C
That is because they update their access list and they go to fail-open for a short time, almost 30 minutes every day, so that is nice of them. And strangely enough we observed that obfs2 and obfs3 were almost always reachable, and that is weird, because we found evidence of the active probers showing up at our bridges, so they detect us, but for some reason they don't yet want to block us. So we don't know why that is the case.
C
Well, this research was quite interesting. It shed light on many things about the Great Firewall of China; for example, we found out that they have upped their game in blocking Tor. They have a large number of IP addresses that they use to actively probe, so thinking about blacklisting active probers' IPs is meaningless. And, more importantly, we found out Tor pluggable transports led the Great Firewall to have their own pluggable censorship, too.
C
So ethics is a big issue when we're dealing with any censorship measurement, but specifically local knowledge is the key. We know that China doesn't go after anybody connecting to Tor; there weren't any previous persecutions or something like that in China, and actually China doesn't care about that. They just want to make sure the majority of the people don't get access to the proxy servers, so you can set up your own proxy servers as long as, like, you have a limited number of users.
E
Okay, Nalini Elkins. A great presentation. I'm just curious if the IP addresses, if you saw v4 addresses or v6 or both.
F
Wonka, Akamai. Her question is actually a good lead into what I was gonna ask about. I'm monitoring v6, and what I noticed is the only place I see v6 from China is coming across research and education networks. They seem to somehow find their way into Internet2, and I was wondering, maybe you don't know, but then maybe I'll ask the audience in general: do we know, are people really getting around it?
F
I mean, I'm definitely seeing some evidence of them coming across and hitting Internet2-located machines, and presumably it's being treated differently somehow, but it may be in the v4 space. Did you see a difference between R&E networks and then coming into, for instance, the States' Internet2 vs. commercially located Tor bridges?
C
Yes. As I mentioned, the main reason why we chose CERNET, also to consider CERNET and China Unicom, was because of the observation that CERNET is being treated differently, and there are rumors that business parts of the country, like Shanghai, I think, might have more relaxed firewall rules because of the business and economic reasons behind it. But we haven't looked into it. My previous work on the Great Firewall, which is the type of changes of the Great Firewall over time and space, was trying to investigate that.
C
Basically, I used special side channels to choose clients all over the map of China and tried to see whether Tor is being blocked differently in different locations in China, and I didn't find any reason to accept that the Great Firewall is treating regions differently. For the DNS layer, other colleagues of mine did this investigation and they also couldn't see any bias towards regional DNS manipulation, except the ISPs, for example, play around. But basically I don't think it's a very contradictory result we see, so...
G
Steve, Google. Question: you mentioned that the regular plain vanilla Tor was the one that was blocked and the other one that was obfuscated was not, but you also said that the DPI could detect the obfuscated Tor, right? Yes. So do you think it's likely that the DPI is what's doing the blocking, as opposed to the active probing? Or, I mean, how do you know that the active probing is generating most of it?
C
The DPI first detects the IPs of the bridges, and then the active probers confirm that it is running the protocol, and therefore blocking. So it might be; the DPI is separated, and I think it is separated from the active probers, obviously, but I don't know.
C
Okay, for a while actually Tor started to do that, so they tried to detect whether the active probers were coming from China and therefore they didn't respond back, so that was their way of actually dealing with active probers. So they couldn't make a conclusion that it is Tor, and so yeah, that is possible. Active probing didn't work, and it's a temporary solution; it's like patching it. They tried to upgrade the pluggable transport to obfs4, and for now we think that obfs4 is safe, so they haven't yet figured that part out.
H
Do you have any plans on looking at other national firewalls? Do you know any other national firewalls, like maybe North Korea, to see how it behaves differently?
C
Yes. We actually do study other national firewalls, but we haven't published yet. But we know China leads the way and the other countries follow, so it would be interesting to see how differently, for example, other countries actually implement their national firewall. And therefore, if you see the same technology, we can actually say that [unclear] about selling it, so...
C
My suggestion was every 24 hours they ask users to connect to the Tor authorities, directories, to get the latest Tor relay or bridge IPs, but these are all patching it. So the current pluggable transport, obfs4, is being used in China, and also we have obfuscation as one way to go around the Great Firewall's DPI. We have meek or other types of pluggable transports that right now work, so yeah.
I
[Name unclear], I'm living in China, so I experienced the inconvenience of accessing some websites. So my question is, do you think the Great Firewall is using DPI to detect the protocol? But if the DPI has the real-time response, to set up a procedure in every border of the internet, I mean the internet...
C
Good question. It was actually for us very interesting to be able to answer this question as well, because first they have to monitor billions of traffic and at the same time detect that and then [inaudible]. We think, and previously, three years ago, we observed that every 15 minutes the probe showed up. So it was obvious that the DPI dumped the IPs that they're suspicious about, and then another system actively probed every 15 minutes, but I think that has just become much faster.
C
So I don't know about the technology that they are using, and it's hard to actually be able to know that. I think they are in a state that they can come up with their own technology, but I don't have a clear answer for that.
C
See, that's how surprising our observation was, because the relay we had was a private relay, and the connection was established from China; no one knew about it. So basically they had to monitor the traffic, and then all the probes happened immediately after our probe from the client in China happened. And by the way, the VPS we used is not the same as the previous one.
C
TLS, and the TLS handshake is unencrypted, and if it's not obfuscated but the vanilla version, you can easily see the Tor cipher suite, like the cipher list that a client sends to a Tor bridge to announce what type of ciphers they actually support, and by just looking at that you could fingerprint Tor traffic. It's in the handshake, yeah.
E
Hi, Nalini Elkins again. Did you guys take a look at layer 2 addresses at all? I'm just curious, because I think you were saying that they had multiple layer 3 addresses and it seemed like they were all coming from one particular thing. So was it like, you know, because from the layer 2 you can see, is it a VM, or, you know, did you do any kind of analysis of the MAC address or any of that? Just curious.
C
Good question. Actually, I don't know off the top of my head, but I went layer by layer, and maybe this... So we didn't see any special pattern; otherwise I would remember it. So I don't think we saw anything special about the layer 2, sorry.
C
No, but actually you point to something interesting, which is: how do you know that the Great Firewall doesn't ZMap the internet for finding, for example, Tor bridges? So we had control bridges set up, and we had, like, it was a shadow infrastructure. So for every Tor bridge we had another bridge set up that we didn't establish any connection from China to, and it was residing in the same /24, and in those control bridges...
A
Our second prize winner is Zakir Durumeric, who is going to talk to us about an empirical analysis of email delivery security, and while he gets set up I'll mention that the beginning of last year's paper, the title, is "Neither Snow Nor Rain", which, if you come from Scotland like I do, sounds very familiar. So this should be interesting. But anyway, let's congratulate Zakir on his award.
L
Thank you. So this was a large collaboration between the Gmail and abuse team at Google, the University of Michigan and the University of Illinois Urbana-Champaign, that essentially set off to say: what is the current state of email security? When you send an email, what's really happening behind the scenes? Because this really is kind of an opaque ecosystem to the end user. Only the mail operators really know what is going on; the end user doesn't see any indication: was an email encrypted or was it not?
L
How do we essentially better understand how to secure systems? In the past we'd like to take apart protocols, we'd like to take apart devices to figure out their security, but there's also this perspective of looking at these data sets and trying to understand what's going on in the real world and developing protocols based on that. So this will be a little bit of background about email; I think to anyone in the mail community...
L
This should be obvious, but may not be to others. When you go ahead and send an email, whether this be from your Thunderbird client on your machine or through the web interface of your mail provider, essentially what happens is this email is sent to your organization's SMTP server over what we call SMTP submission, and essentially you're delivering the message to your organization and they take possession of it and they say: we will make sure to get this to the destination later on on the internet. You don't have to worry about it.
L
If you close your laptop, it doesn't matter, we'll get it there. After that, that server goes ahead and it does what we call an MX record lookup for the destination domain. That essentially says: I am trying to send mail to gmail.com, what server should I send it to? It sends up this mail exchange request, which essentially Gmail's DNS server answers: connect to smtp1.gmail.com.
L
It does a second resolution to say what is the IP address of that server, at which point it initiates a connection to the SMTP server for gmail.com over what we call SMTP delivery, and these two SMTP protocols are nearly identical but operate on different ports, and they're essentially just responsible for different pieces of this puzzle. After which the user essentially can come to their email provider, say I want to retrieve my email over POP3 or IMAP, and they can collect their message.
L
So the first and last step of this essentially operates very similarly to how TLS works in HTTPS when we want to provide security. Essentially, if your organization supports TLS for mail, either submission or mail retrieval, when you connect you start a TLS connection to a different port. You deliver that, you essentially do a normal TLS connection: you send the client hello, the server sends the server hello, you validate the name of the certificate. If the name doesn't validate, you throw an error.
L
If everything looks good, you go ahead, you complete the TLS session, and then you do the SMTP or POP or IMAP handshake to send or retrieve your mail. What I want to focus on is this piece in the middle, or what we call SMTP delivery. Now, essentially this is the piece that says: how do I get a piece of mail from the University of Michigan to Gmail or to a different organization, that goes across the internet, or what we call SMTP delivery.
L
So I mentioned we have these extensions to SMTP; the first one is STARTTLS, which essentially allows a TLS session to be started within an SMTP handshake. You essentially start the SMTP to say I'm speaking ESMTP, I want to deliver mail, and then you go ahead and start a TLS handshake, which is kind of the flip of what we usually see, where we start TLS and then go ahead and do the mail conversation inside TLS, but the motive is essentially the same.
L
We want to mostly protect against passive eavesdroppers and maybe try to authenticate who we're trying to send mail to, and so the protocol is fairly simple. You start an SMTP connection, you say hello, I want to deliver mail, the server says these are the features I support, and these can be, well, I support compression, or I support this, I support ESMTP, but it can also say I support...
L
This STARTTLS command, and if the client also supports STARTTLS, it sends the STARTTLS command and then they go ahead and they do a normal TLS handshake, at which point they later on continue to send mail. And the big difference, I think, between this and what we normally think about with TLS is that STARTTLS is opportunistic, and essentially when the RFC was originally written...
L
The way it was written said a server should never not deliver a piece of mail because it can't start a TLS connection. We're kind of deploying this later on; it's an add-on extension. In the beginning no one is going to support TLS; later on deployment is going to be gradual, so try to encrypt the message as you can, but if you can't, that's okay, still deliver the message. So we ended up in this weird world where this led to essentially servers not validating the certificates of anyone they delivered mail to, because...
L
Essentially, your option would be to validate the certificate, see that it's expired and say: I really don't like that expired certificate, so I'm going to now send you mail in clear text; or to say: well, I don't really like your expired certificate, but sending something using some encryption sure seems better than doing nothing. Honestly, we kind of chose the latter, where you essentially deliver mail no matter what the server presented to you, and this provided this opportunistic encryption against passive eavesdroppers, but really has no protection against an active adversary.
L
When you put the name of the host, it really doesn't do anything if your DNS isn't authenticated, which is the case for most people in the world right now, because essentially a man in the middle just tells you the name of the attacker-controlled domain and they can easily get a CA-signed certificate for that domain. And when you put the actual name of the destination domain, we have this problem.
L
We've seen like a pretty massive growth over the last couple years; it looks like we're making progress. At the same time, though, we're only really able to encrypt eighty percent of traffic that's leaving, and only about sixty percent of traffic that's coming in, and it's even worse when you kind of consider the shape of this curve. What's happening here is there's a couple of very large mail providers and then there's this very long tail.
L
And so these big jumps happen when large providers decide to support STARTTLS and they deploy it. But if you remove these big hops, the progress is fairly slow among the rest of the tail, the people who aren't in the top ten providers. And when you zoom in a little bit more, look at this at a higher resolution, you actually see this very funny zigzag pattern that's going back and forth, and what we see here is actually the difference between the amount of mail that is encrypted on weekends versus weekdays.
L
How it turns out is that on weekends about ten percent more of mail is encrypted than on weekdays, and the idea essentially that lies behind this is that, well, people go home on the weekends, they use their personal email account. They send an email from their Gmail account to their friend's Yahoo account, and these large providers support STARTTLS.
L
They support this transport security, but then they go back on the weekdays to their job, and the companies they work at are not doing as well at deploying this, because they're maintaining their own mail servers; a lot of them are not using these providers. And we also see this almost twenty percent drop right around the POODLE vulnerability, which is a little bit mysterious.
L
But essentially this happened when the POODLE vulnerability, which was a vulnerability in TLS that affected SSLv3, we told essentially everyone: go out and disable SSLv3; people don't really use this anymore, it's a deprecated protocol, if you disable this it's not going to affect many clients. But what seems to have happened is people disabled TLS altogether. They had good intentions, but they ended up inadvertently...
L
It's not quite as pretty. We've kind of been ignoring it for a while, for this long tail of operators. We looked at the top million web domains, which isn't necessarily the top million mail domains, but gives you a decent sense of who the big companies are, who are the people who are sending mail. Only about eighty percent of organizations support STARTTLS at all in that.
L
That's rather discouraging. Within that space, about thirty-five percent of certificates match the host and about half a percent have certificates that match the domain, and so, even though we have essentially asked to deploy STARTTLS quite a while ago, many years we've been trying to deploy this, we're really not in the spot where we can require it yet, when twenty percent of these mail servers say we just won't, we can't accept mail over STARTTLS.
L
But at the end of the day there is common mail software that doesn't even attempt to start a STARTTLS connection to attempt to send your mail over an encrypted setting, and so we have this somewhat broken ecosystem where really you can be a victim of an active attack at any time, given that this is all opportunistic. So what the simplest idea would be: well, if you're an active attacker, what is the most naive, simple attack?
L
You could do to essentially read someone's email, and that essentially would be just to corrupt really any part of the TLS handshake, because no matter what happens, the server is just going to say: well, I don't, you know, support STARTTLS and I will just go back to clear text. And so an easy way of doing this is to prevent the TLS handshake from ever happening, and that's to say you could just garble the announcement that says I support STARTTLS and replace it with something else, or when the client sends a STARTTLS...
L
But then you just need to recompute the checksum of this packet and send it along, and you've prevented this connection. When you look at the kind of continuing list of countries, you start to see everybody; you start to see European nations, Asian nations, the United States. You start to see everyone, and the numbers are small in some cases, but this seems to be happening everywhere, that people are being prevented from starting the STARTTLS...
Tls
connections
and
are
sending
nail
the
clear
as
such:
it's
not
necessarily
malicious,
though
it's
not
entirely
clear
that
actually
that
mail
operators
know
going
on.
There
are
a
couple
of
products
out
there
that
essentially
advertise
the
ability
to
protect
your
mail
on
and
this
the
way
they
say
we're
going
to
protect
your
meal
from
attached,
whether
the
buffer
overflows
or
addresses
that
you
blacklisted
is.
L
we essentially need to be able to read your mail, and so to do that we're going to prevent these STARTTLS connections from ever happening. And so what a lot of this looks like is that either organizations or ISPs have deployed these middleboxes that they believe are adding security, that are allowing them to look at the mail. But these middleboxes are not terminating this TLS connection and restarting it to look at the mail to protect it.
L
Another attack that you can imagine is, if your DNS is not authenticated, then nothing really prevents a DNS server from just lying to you about what the IP address is for the mail server. So you go to your DNS server and you say: hi, I would like to relay mail over to Gmail, can you give me the MX record for Gmail? And the server says: sure, the IP address you need to connect to is X. And you connect to X and you give them your mail, because you don't validate the certificate.
L
You really have no idea whether or not that is Gmail, and so you send your mail to a malicious party, and who knows what they do with it. Maybe they alter it? Maybe they just store it to disk. Maybe they don't do either of those, and then they send it on to Gmail, and you don't really know that there's been this extra hop in the middle. So the way we look for this is a little bit ugly.
L
We know that there should not be open DNS resolvers on the internet; in the perfect world we would not be seeing this happening, but they still exist out there, where you can connect to these servers and say: what is the MX record for gmail.com? What is the IP address for this SMTP server? And they'll
L
give you what they think the answer is. And when you look at these, most of these answers are obviously not correct, but they're obviously not necessarily malicious either; they're really just bad embedded devices that don't know the IP address of something, so they'll make one up. Some of them will just always give you localhost. There are devices out there that will actually just give you an incrementing counter: every time you ask for the IP address of something it doesn't know, it has some global counter.
L
We see a much lower number of messages that come through to Gmail from a server that has essentially been posing as a Gmail server, but we do still see it happening. It's hard to know how close these numbers are to the upper bound; these are very much a lower bound because of this methodology, but again it is kind of a sign that these active attacks actually are happening in practice. People are delivering mail through these servers when they really have no idea who they are.
L
So that's kind of the state of transport security, and it's not a particularly happy state. The big providers are doing things well; the rest of the tail is kind of lagging behind, and this opportunistic protocol really isn't quite doing what I think most people outside of our community would really expect when they send a message. I think people expect that there's some sort of security when they send something. And the other note I would make is, a lot of times
L
people say: well, if you want email security, you should be using PGP or S/MIME. But really these are kind of orthogonal problems; PGP and S/MIME are not quite to the point where there's widespread use, the interfaces are just not quite there yet. So the majority of people rely on this transport layer security for protecting email.
L
So, in terms of authenticating mail, there are again a couple of protocols that are commonly used. Probably the foremost is called DKIM, which essentially allows a sender to sign a message: provide a cryptographic signature as an additional header on the message, and then when the recipient receives the message, they can look up the public key for that sender and verify that that message was not altered somewhere on the path.
L
DKIM, unfortunately, has this kind of odd property that each message can essentially designate a different public key, or a different key pair, that is used to sign that message, and because of that there isn't actually a way for the receiver to realize whether that sender should have signed the message. And so essentially an easy attack here is you just remove the signature, and if that receiver hasn't received mail from you before, or isn't paying attention to whether other mail from you before has been signed...
L
SPF is another protocol that essentially allows a sender to publish the IP addresses, or the hosts or networks, that are allowed to send mail for it, and the receiver will check the IP address that it got mail from and say: this did not originate from one of your MX servers or one of your IP addresses, I'm going to reject it, it came from somewhere else in the IP space. And there's the last standard, called DMARC, which essentially allows an organization to publish the rules that it wants receivers to follow.
L
And so, if it says: you should expect all mail from me to be DKIM signed, and if it's not, I want you to quarantine it, or I want you to trash it, or I want you to report it back to me but still deliver it to the user, so I know what's going on. From the Gmail perspective, things are again not too bad.
L
Ninety-four percent of messages are essentially verified with DKIM or SPF, or some combination of both; there's only six percent of messages that don't have some sort of indicator that they came from the right person. Again, when you look at this long tail, you see a slightly different picture, which is that less than half of the domains that are sending mail have any SPF policy defined, and about one percent have a DMARC policy, of which very few are actually willing to say trash or quarantine
L
the messages that don't match my policy; in the case of empty, it essentially means just report those messages back to me. So we're again in this kind of world where we're lagging behind in getting these to the rest of the world. Moving forward, there is a draft that is currently in conversation in the Using TLS in Applications working group called Strict Transport Security, which is similar to the idea of key pinning, or to HSTS in the HTTPS world.
L
So we looked at data from 2015 in the slides. I want to quickly mention one recent change, which is that the Google team essentially deployed indicators that say whether or not a message was sent securely when they received it, or whether the first hop it's sending to can be protected by STARTTLS, and if you use Google mail, you may have seen these icons.
L
So providers are continuing the rollout of transport security. The last slide: we saw it's starting to get better, people are starting to look at it and think about it, but we're still in the state where we don't have a protocol that really protects against active attacks, and we're going to continue to deliver the mail no matter what. That's kind of where this title comes from: neither snow nor rain nor man in the middle, nor whatever else comes along your path.
M
[name unclear] from Cisco. Did you ever back-trace from received spam or phishing attacks to figure out whether STARTTLS is actually helping in any regard, or is there sort of low correlation between how bad, from a social engineering point of view, the email coming in is, versus the transport that was used to deliver it?
L
So, I believe that less spam is protected with STARTTLS, but I don't know if we know whether that affects what the user thinks about it or what they do with it. Until recently there wasn't even the indicator for them to know, and so there wasn't much reason to be protected by STARTTLS. So I mean it's an interesting question; I don't think we know today.
G
[name unclear] at Google. In one of the earlier slides it showed something like 0.4 percent of certificates were actually properly created. Is that correct? Like 99.6 percent or so, whatever it was, of certificates are not actually properly
L
deployed on servers? Correct. And that is, that have the name of the domain itself, not of the host. So that is a certificate, up to the NSS browser store, or to the Microsoft browser store, or to a CA store, that you have signed for the domain and that links up, but
L
we've ended up in this weird spot where we kind of have this cat-and-mouse, where it's hard to encourage people to deploy the right thing if no one validates it, but then we don't validate anything because no one deploys the right thing. I think there are also a couple of roadblocks in terms of actually having certificates that have the domain, which is these large cloud providers: right now we don't have an obvious solution where we can say this is how a large mail provider should present a certificate for each of those domains.
L
So DANE does help solve this, particularly when you have a certificate that matches the host name, or if you wanted to provide some sort of key pinning. I think the problem is, and the reason these drafts have been put out, is that we're not at the point where DANE has been deployed widely. If DANE were widely used, or DNSSEC were widely checked,
L
that would be a solution where you can say: go and do this today. But it still requires a fair amount of effort for an organization to go down that path, versus saying: I'm going to publish a DNS record that says what you should do about my server.
A
And that's the end of our agenda, so thanks all for coming. If you want to nominate good papers that you read, the nomination cycle for the ANRP for 2017 will open in the summer, sort of the June/July time frame, and will close, I think we typically close for nominations, I'm going to say at the end of October. So you have that window to let us know about great research that you see between now and then, and hopefully we'll get some of the more interesting talks at the IETF meetings next year.
F
I was wondering if, since we have so much extra time, we could keep Zakir for a couple of minutes. I would love you to tell us about the current state of ZMap and Censys, if you could. I think it's a wonderful infrastructure and some people probably don't know what it is, but also I want to know maybe where you are with IPv6 with it too.
L
Sure. For those who don't know, ZMap is an open source project that was released, I believe, three years ago now, that essentially allows you to perform a single-port horizontal scan of the entire IPv4 address space in an hour using a 1 gigabit connection. This has been widely used within the research community for understanding how TLS has been deployed, for working with CERT groups to do notifications about embedded devices and SCADA devices that are out there, and it gives us kind of a new perspective on how the world operates.
L
It requires high quality network equipment to have this packets-per-second throughput, and it requires kind of an IT infrastructure and a legal infrastructure to back up researchers. And so we have this tool that allowed this perspective, but there were only kind of top-tier research institutions that really had access to the bandwidth and the means to use it.
L
After that happened, we received this kind of response of: this is great, but we don't really know what to do with this. And we started to publish data sets out of the University of Michigan, where we would crawl the entire IPv4 address space on various protocols and do protocol handshakes. So essentially we'd connect to port 443 on all open hosts once a week, we would do a standard TLS handshake, and we would record all details of the handshake.
L
This would be everything from the random numbers that were provided, to what cipher suite is being used, to what content has been provided over HTTP, to essentially start to better understand the hosts on the internet. As time went on, people said: this is still really hard, you gave me an 800 gigabyte file for each day that you scanned and you said go look at this over the past year. And so the next step that was released was a tool called Censys, which essentially is a query engine on top of this data.
L
You can say: these are the websites that will go away when this feature is deprecated. And other researchers are using this for everything from censorship measurement to embedded device security. Where the projects are at today: I think ZMap, as far as what ZMap does on the IPv4 address space, is fairly stable. I think the big question on that layer is what we do about IPv6. IPv6 is so much larger, the kind of brute force approach is never going to work.
L
It's going to need to be a much more calculated, kind of statistically driven approach of: given how we've seen devices have been deployed and how IPs have been allocated, what percent coverage can we gain given certain scan times? And we're still working on what exactly those numbers look like, and then how do we give users a tool that they can actually use, that isn't kind of research-grade quality code that kind of works, kind of doesn't, where you have to have these seven data sources?
L
We really want to get to the point where researchers everywhere can use it. And I think the more difficult piece, or the layers above, right now: what do we do about all these application layer protocols? And the layer above that is, how do we identify what all these devices are? We've gotten to the point where it's not just a couple of software implementations out there; what's much more interesting
L
are the embedded devices, the thousands of companies that are releasing these broken products, and how do we actually have a tractable way of figuring out what these devices are and what we do about them. And so we kind of started down this process of manually tagging devices and saying: well, this is a UPS, and this is a SCADA controller, and that's helpful to CERT groups, but it's really not.
L
So that's where I think things are. Censys continues to kind of move along, people propose things, people add protocols at times; we're always looking for help on maintaining and adding new protocols people are looking for, but that's where I think things are at, unless people have specific questions.