Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / Interim Meetings / 5 Aug 2020
Internet Engineering Task Force / Interim Meetings / 5 Aug 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: MAPRG Interim Meeting 2020-08-05

Description

MAPRG Interim Meeting 2020-08-05

A

All right, we started the recording.

A

All right so by my clock, it's a 1300 hours, coordinated universal time time for the meeting to start.

A

Welcome everyone uh for me: it's uh eight in the morning. I know for a number of people on its uh central european summer time see you're in the middle afternoon and I'm sure we have some people on an evening.

A

uh Welcome to the joint uh measurement analysis for protocols, research group and measurement analysis tools, working group meeting, I'm dave planka. I chair uh with miria coolwin the map rg group in the irtf and our co-chair for this meeting is nina ferguson uh and uh she can introduce herself in a minute when we switch to her portion of the content but she's uh she co-chairs with our colleague brian trammell the measurement analysis tools, working group for the ripe regional internet registry.

A

We have a two and a half hours session scheduled today. I think we have a little less content than that, so we should be pretty comfortable in terms of timings.

A

uh This is our recording notice. The meeting is being recorded now and all the presentations will be they'll, be it'll, be available on the ietf youtube channel and as usual for map rg after the meeting I'll post individual links to each of the top mapper g wiki, which is available through the memory page linked here.

A

Someone has their audio on. uh If you could please mute it, it would be helpful uh in minnesota. For today, uh the charters for these respective groups are at these urls. uh This is the first time we've tried this experiment of a combined map, rg meeting with uh with ripe uh matt wg, and the idea was that if we did it outside the ietf meeting schedule, then maybe more people could join between the two, when both of our groups have been having a bit of trouble scheduling uh in the pandemic era.

A

Both the groups have mailing lists uh that are mentioned here that you can subscribe to where, for instance, you would have heard about this meeting being scheduled. Today's slides can be found at that url there and, of course all you already know, but the webex link is available in the agenda and in the slides at that.

A

Url so um nina, why don't I pass it to you and you could introduce yourself and tell the folks about the first part of the agenda.

B

Thank you. uh Do you hear me? Yes, yeah great, thank you uh yeah, uh so I am I'm nina barkinson. I co-chair the uh reagan, uh the right working group on uh measurements, analysis and tools, along with brian tremel who's, also on nepal. Today, hello, hey um and um today we're gonna talk about so basically the the wedding group mostly focuses on on measurements and on tooling and a lot of the time.

B

We also focus on right atlas system um and today we're going to talk about uh the mechanisms and performance evaluations of the to pmax locations. But massimo is going to talk and then we will have some measurements about what happened under the uh the pandemic that we are still running through, uh but so far, and we have vesna and lai is going to give us their observations on that. We also thought that we would have an uh tools update from the ribbon cc.

B

People please be mindful of muting their microphones. Thank you, um but unfortunately we we have to cancel the tools update and you will just have to show up at the next right meeting to get the latest news on the atlas and other tools from the vibe ncc, uh but happy to be here, and I'm really excited about this uh joint meeting is. This is my first itf uh meeting.

A

All right well welcome, nina and thank you for um that overview.

A

um So, following the portion that nina will be running with the uh the items that she just enumerated, that were um that that were organized by matt, we'll switch to the map. Rg meeting proper and map rg is in the irtf, and so we have an intellectual property rights statement that binds you to as a presenter. If you have intellectual property regarding it, you should disclose that um just the canned portion, so this will be an official map rg meeting as well, and this applies only to the map rg portion of the meeting.

A

So the second part of the agenda that myria was wonderfully helpful in uh in putting together here are the following: we'll have a a presentation about measuring and analyzing the rfcs themselves, the security sections, the sort of a meta-analysis uh by mark mcfadden, then we'll switch to uh jake holland.

A

Talking about latency and aqm observations on the internet, uh then philip roon on packet, latencies and mobile networks, mike kosek, is with us to talk about uh their paper and uh from an academic conference, must don't care tcp, conformance in the wild and then we'll uh switch at the uh it's. The last session and portion of the session to steven stros talking about deborganizing, this uh slash 12 prefix, uh that the rape ncc is now using um to before we switch to some advertisements for various projects.

A

um I'll talk a little bit about how we're going to run the meeting for you to the presenters I'll switch you to the best of my ability to you being the host in the meeting, which will allow you just to show your slides. um If you have any trouble with that, no problem, let me know, and I'll show them like, I'm going to do for mark's presentation for those participants that have questions.

A

Please use the chat icon, which usually shows as a round circle on your webex window, and you can chat to everyone just type plusq and that will create a queue of people that we will uh invite you to ask a question by unmuting yourself and doing so if you'd, rather, the chairs, ask it or someone else asking on your behalf just type the question in that chat box to everyone so that we can see it and uh we'll have some time between each of the presentations to visit those uh questions.

A

There maprg invites projects that are not presenting at the meeting to also give us advertising slides for their projects and for this meeting yuri and I created a couple because we have not met so far this year because of the uh the pandemic and scheduling issues between ietf, 107 and 108. This is our first meeting of the year. So let's bring you up to date on some of the content that we would usually have hosted in map rg um imc.

A

uh One of the preeminent measurement conferences took place last year in october and pam 2020 in march of this year.

A

uh When and that's either side of the beginning of the pandemic and lockdowns for most of us, so um what we want to do is remind you here of a couple of papers, for instance giovanni offered these as potential papers to present here, but we decided not to because they'd been presented at um map meetings prior, but uh the imc content is up with the links to the papers and to videos, and I can I'm happy to say that also pam did a nice job of recording the videos and also making, uh I think, registration free for that event when it happened, so you can check either of those urls to see these papers and the others from those two conferences.

A

uh Another uh one of the permanent measurement conferences was tma that was held in june of this year. Similarly, um tma has had recordings or videos of the of the papers, and those papers are up at that url and uh gareth. One of the chairs has created a youtube playlist that url for the subset of papers, where the presenters gave permission to share the video so check those out.

A

uh Lastly, anna bremstrom has offered to us uh uh this this advertisement for a project with uh she and her authors, where they studied uh narrow band uh iot uh internet of things, devices into major metropolitan areas uh and their my understanding is their their interactions, for instance uh with lte and cellular in that area, and we included them here. Although they're not involving specifically an ietf protocol that they've released a data set, so there's a it could be the basis for other people to do.

A

Research and ana's provided a link to the paper on archive as a presumably uh preprint version of the paper, so give that a look uh if you're interested in that technology.

A

So now I'm going to hand it back to control back to nina and she's gonna walk us through those first set of presenters so uh coming up. Let me stop sharing this screen.

B

Yes, thank you so much dave. um That was a really interesting.

A

I just need to know who I need to make the presenter next, let's see.

B

Next, we want to invite massimo, so if you can massimo the co-host and to share his screen and give his presentation.

A

Yes, okay, you should be the presenter now perfect. Thank you very much.

C

So, are you able to see my life.

B

Yes,.

C

Perfect so hello, everybody, uh so my name is massimo candela, I'm a senior software engineer at ntt. First of all, I would like to thank the organizers of this event, because I personally really miss the math working group at the last right meeting. So I'm really happy that we could do it here so um the presentation uh here today I will show you a mechanism uh behind this uh service called write, ipmap and also, I will show you a performance evaluation. We did it together with the colleagues from keda.

C

This is a paper that appeared in the issue of april 2020 of computer communication reviews and well, let's start from uh the beginning. The first thing is: what is this uh write it up so right, ipmap is a service that has been developed and is offered by ripenc, and it is essentially a service that you provide an ip address and will try to tell you where such a p address is g located and so the a bit of of easter even this service.

C

The first uh attempt to tackle the uh uh geolocation topic was presented in 2013 by emil and essentially introduced the openip platform, where you can use cloud source data to improve ipg location and in 2017 in another rhyme meeting I introduced instead uh uh ripe, I team up, uh which is uh the idea behind. That is a a system that has the possibility to run various geolocation approaches and offer this platform to uh people that they want to provide a new geolocation system.

C

So each geolocation approach runs in an isolated fashion uh in something called geolocation engine that you can see in this chart at the bottom and they produce some sort of geolocation in a unified output format and after they pass through a reducer step, and the final answer is computed for the user.

C

So each geolocation engine can do some stuff and, for example, one of this is the crowd source data and another one can do active geolocation and in particular we are interested in one of the engine doing active geolocation, and in this presentation we will study the single radius engine.

C

So, a bit more of information, I developed the single radius engine while I was arriving to see and not any more ripe, ncc stuff, but we got some feedback that the system works, and there is also a paper that reports on a country accuracy of 99.9 for their use case, but we needed a formal study dedicated to the in particular, to single radius and in particular also to city level. Geolocation and also the mechanism behind was not uh for singer was not formally described uh anywhere.

C

So at some point, keda decides to study single radius and uh the uh guy that you see here in the picture is ben that he presented racy uh first preliminated herself.

C

The study was a black box, so at some point they decided to uh call me and on board of the team, to essentially uh provide more insight on how his work is working uh behind the scenes. The system, that's how I'm involved in this uh research project, so the just to start with the what what is active geolocation uh well, uh simply like you want to generate an ip address, and uh to do that, you uh take a host that you know the location of, and you do a ping measurement to the target.

C

In our case, the host is, for example, ripotlas probes and after you do a ping measurement. You know the latency, you get the latency, you transform it in a distance with a coefficient factor, usually expressing kilometers per millisecond. We will see better later and what you know is that the target ip is going to be around a specific area around your source of the measurement so like, in this case uh the circle so finger radius. uh Also, the as the name says, does exactly this um some additional step.

C

So the first thing is, uh there is a an initial selection of the probes.

C

This is an important step because a lot of methodologies, a lot of models describe, they assume the possibility to select all the probes possible, but maybe are based on platform that they have couple of hundred probes or any way they are developed, uh not as a production service, and the main issue you have is that you cannot really select uh enough serious platforms like red battle.

C

You cannot select like uh ten thousand probes for geolocating one single ip, uh because you will do essentially a ddos every time you would trigger a lot of icmp rate limiting. You would just uh also stress the platform itself, so there is an initial step that we will see for this election after you have the probes, you do the ping measurements to the target. You select a list single radius. Does that you select the closest the fastest of this uh ping measurement and it has to be also the router type below 10 milliseconds.

C

We will also see a bit better what this threshold is, and um after you take this run through time and you convert in distance by doing round three time divided by two multiply for two thirds of the speed of light.

C

So the round three time divided by two is the usual approximation that it's done to calculate the uh one way delay, or at least, as I said, an approximation of it and the two third speed of light is the upper bound of the signal traveling in fiber, which assumes that between the source and the target, there is a straight fiber with no hop in between them. So they are a really big approximation.

C

uh The last step is that single radius does tries to bring a bit more accuracy to the process is to select inside that circle inside that area, 100 cities, if there are at least 100 and ranks them based on distance from the source number of facilities uh and population, because the main goal of uh ripe pimp is to geolocate infrastructure. So these parameters, they kind of give an indication of how much internet infrastructure is in such steady, see this.

C

All of this methodology is described better in the article, but I briefly show you just one detail: is the initial probe selection?

C

Essentially the goal here is that you don't know where the target is, uh but you can uh select probes, they are topologically, close, hoping that they are also geographically close, at least that's the idea, and to do that, you can always do the target ip convert it to autonomous system with ip2s lookup and use pgp topologies to infer the topology and try to select props nearby.

C

So one thing that the single radius does is selects like bgp neighbors distance, one and another thing that it does is use speeding, db information to detect, which exp the autonomous system of the target is doing peering. So you detect the cities. This is an idea initially introduced by vasilius that you probably all know, and so at the end, what you do is to have a set of cities and a set of.

C

Autonomous system- and you select- you ask tripatlas to select probes nearby, which sometimes it works. You detect your digi location with one single probe. Sometimes you need up to 500, which is the up limit, but it's still anyway, better than selecting all of them or select random.

C

So uh this was uh the rest, as you saw, is essentially basic.

C

Basic active geolocation, uh more details are in the article, but more or less. We cover everything. So I'm going now to the part related to the evaluation we evaluated the accuracy comparing with maximizing and attacking, which are the leaders in this field.

C

We evaluated the effectiveness effectiveness of the probe selection method that I showed before we evaluated the coverage we evaluated also the rather level consistency where, essentially, we ask a single radius to gellocate ip addresses belonging to the same router in byte and checking if we got the same essential location and overall, the goal is to provide suggestions to rapidly see it to the entire community. um The one in bold are the point that I'm going to describe now.

C

So the first thing is, we need two data set. One is for the ground. The ground through data set, is essentially a collection of ip addresses of known location, and we need this to validate the accuracy we use the uh arc nodes. The nl-nog ring nodes, the m-lab pods and the arc proximity data set in this table.

C

You can see the division of ips by region and also coverage in terms of unique autonomous systems and after we filter out the ips that they have wrong metadata or they were offline, so not possible to do geolocation, and we reported some cases of wrong or missed or corrupted metadata to the uh administrators of this platform. So this was also one of the um benefit of this uh of this exercise.

C

So in the end we had 968 ips and for the coverage data set, where we are not interested in having information about the geolocation itself, but we need some responsive ip addresses. We use the manic interconnection data set produced by keda, which has more than 16 000 ip addresses active and answering things so go straight to the accuracy results. We you see this cdf. The blue line is single radius.

C

The orange one is net tag within the green is max mind and you see on the x axis the error in the geolocation in kilometers, so we consider a distance below 40 kilometers, accurate at city level at distance above 40 kilometers, not any more accurate at city level. This 40 kilometer is a trash that is, uh has been used multiple times in literature and it's considered kind of average metropolitan area size, and we can see that uh single radius outperforms the other two platforms and reaches uh an accuracy that is 80.3 percent.

C

um But the comparison is not yet uh finished, because if we compare the median 75th percentile and the 95th percentile of the three platform, uh we see that, for example, for single radius is 6. 26 and 344. Kilometers of error, while for net equity is 1080 and almost 3 000 and for max mine is 17 278 and almost 3 000, also so uh single radius. Even when uh produce a an answer that has an error above the 40 kilometers.

C

So not any more accurate at city level for our uh parameter produces anyway, an error that is uh considerably uh much smaller, like uh 300 kilometers, compared to almost three thousand uh but the problem.

C

uh Okay, before to go to uh the ten milliseconds threshold that we said before, we analyzed uh how it would change, because the threshold is essentially used in various works and the idea behind it is that if you have active measurement above 10 milliseconds, the kilometers are so much that it's not even worth to try to give a guessing of the generation.

C

That's the idea, but we try to investigate what would happen if he would use geolocation a different threshold like from 1 to 10 milliseconds, and in particular here I show the picture with two milliseconds. We have the 95th percentile of city level, accuracy. Of course.

C

Now the main project problem of active geolocation compared to the other systems is that uh there is only a finite amount of answer you can give so active geolocation, usually, is not so good in terms of coverage compared to the other platform, because the other platform can essentially provide an answer whatever it is to whatever question you have, uh but with active geolocation, only some ips are reachable, or only some ips are inside a certain boundaries of distance.

C

So we use the manic data set to uh gellocate and uh we find an answer for 78.5 of the uh 16 000 uh ips that were there, and uh so this is a actually a a good results in terms of numbers and we also went to analyze like we did before what would happen if we would make it more accurate.

C

So if we would uh change that threshold, so if you reduce the threshold from 10 to 5 milliseconds, we drop the coverage to 51.1 percent, but if we go to 2 milliseconds where we would have a 90, 50, percentile accuracy, a city level, uh we have a coverage of only 24., so you do your math. If it's, you can do your tuning. If it's uh convenient for you or not. uh In my opinion, you basically drop.

C

uh You increase a 50 15 percent accuracy, but you lose a 55 percent coverage, so uh I'm not sure how much uh it is worth in in our case. um So this is uh basically the only part that I want to show for today, but before too close, I want to just give some words about. I think it's always important to.

D

Realize real.

C

Life yeah. It's always important to realize that every analysis that you do related to platforms like the one that we saw before and related also to geolocation of us. They have an intrinsic bias induced by the fact that the internet infrastructure is not distributed equally.

E

In.

C

The world, so in our research we do also drill down for various regions and we try to split the various results you see here. Instead, the just the global view for simplicity, also the ground truth. Data set of the ips is really hard to obtain uh such uh accurate uh set of ips that you can uh test and you know exactly location. So this is also uh I mean we had 968, which is a big amount compared to a lot of other works, but uh still a small amount compared to the entire address space.

C

uh So I want to thank the colleagues from cada which are listed here for the hard work and the collaboration that we did and also this is my last slide and if you have questions this is the moment. I have also hear my contact, so you can also contact me offline if you would like.

C

Thank you very much.

B

Thank you for that massimo and- and we do have uh jay ignacio uh in the queue with a question. So please unmute yourself and ask her.

F

Yes, hi everybody. I I would like to ask to massimo how many times you need to get the the location- and I have a second question- is how many pins you need to send for every proof uh to the the location, the ip that you want to locate.

C

So I didn't get the first question so the second one I got it. uh What was the first question? Sorry.

F

How many times? Because you have an id you, you run this system and you just spend some time to run the system, because.

E

To send the guy the insurance.

F

Platform you get times is not immediately so yeah don't have an idea. How many times involves the full measurement for one id.

C

Yeah perfect, so um so to the amount of time the the the system takes to gellocate, it is set on average about three minutes. uh So after three minutes, uh the api allows you to retrieve the data from atlas and do the the query.

C

So if you look at the measurements itself, it could be faster, but we don't want to uh since arrive atlas has a queueing mechanism for the measurement. We don't want to retrieve data too early and give a wrong answer. So we wait the three minutes that we calculated us, basically, the maximum time for a measurement to be a one-off measurement to be executed, so that the answer is is in general three minutes, but the uh once an ap is of course calculated. The answer is cash, so it will take milliseconds to just retrieve it again.

C

This is the first answer for the second question, so how many ping measurements uh that depends on the amount of probes that they were selected. So the probe selection mechanism can uh basically has a priority queue of uh measurements to sell probes to select based on the topology.

C

uh So we can select one, but it can select up to 500 and and after basically, you have a usual thing, with three attempts to uh geolocate the uh the target. So that depends on the probe selected.

F

Yes, but imagine that you get 100, you got 100 pins or every proof you send most. You send three pings or this is my.

C

uh It should be for for uh okay, so no, it is a one-off, so we stand one off, but each ping has three attempts, so three run through time at times: okay, okay, thank you.

G

Thank.

B

You yeah, thank you very much. So uh the next uh question we have is from danielle karenbach and he asked in the chat. Did you outline? um Did you not mention the suggestions that you had to the right, ncc and and what were they.

C

uh No, the suggestion where, uh like the experiment, overall, that we had for the uh for the use of different thresholds, uh we did um a good amount of. uh We have also a list of them. um They are more in explicit in the article, so we did various things among which the graph that you see here can be used by the user to essentially tune their own. The api provides the run trip time used as a threshold, so you can use this to give provide you your own score. That is one of the suggestions.

C

uh The other suggestion that I have for writing cc would be to, at some point, implement a mechanism with multilateration. We did some preliminary tests by using, uh for example, regional uh coefficient to transform the distances and the uh the results were uh extremely positive in terms also of reduction of ambiguity of the geolocation, but that would work with a multilateration approach and another another one could be experimented is with the uh removing the last mile, um the last mile latency from the measurement to improve the the accuracy.

C

So uh this is uh the overall, I would say high level summary of it and yeah. The material is is public and I will make sure that uh all detailed suggestions are delivered by the way. This research ended up also with some patches that we did to the ipmap source code itself. So, after the analysis.

B

Great, thank you. Thank you so much massimo that was uh that was really interesting. uh If you please stop sharing your yes.

C

So, uh thank you very much. Stop sharing.

B

Excellent.

C

Thank.

B

You um and then we would like to invite lesnar to share your screen and do your presentation about the observations of during the pandemic.

A

Okay- and I just switched vesna to be the presenter, so she should be able to do that now.

B

Excellent. Thank you.

E

Hi everyone, my name, is vesna, I'm from the ripe ncc, I'm a community builder, and I am giving this presentation on behalf of my colleagues, mainly emile aben, who couldn't be here, but these are his slides mostly, so we have been active in uh analyzing the data from the ripe, ncc measurement projects and publishing our findings on ripe labs. We have a collection on a slash, kovit 19, and you can find all these results that I'm going to talk about there so from the beginning.

E

Other operators also contributed to this and also published some of their findings on rap labs, and we try to move our real hackathon that we wanted to have to the virtual world and that worked more or less as much as possible. So we um also publish some of the results of that hackathon there and some of the recommendations for the security regarding uh uh most of the applications for the tracking and so on.

E

So you can find more of information about our events, also on rap labs.

E

We have basically two types of results. One is about the network stability based on the routing data that we collect and the other one is about network delays.

E

So the first one is based on a so-called risk of routing information service and, if you're not familiar with that, it is a little bit like the route views and I'm a bit sad to actually compare it to the other one which is a competitor. But it's more well known. I guess- and it has a better name- I must admit so.

E

Our service called ris is having a global view of the bgp, and so we have the routing collectors that are listening to the routing updates and we can show you either the history of the routing changes or you can get uh the the direct updates as they happen.

E

So there are multiple ways to access this data, and basically this is an invitation for the other researchers and the network operators to use this data, because it's open- and it's very well documented how you can use it. So normally what you would use that for is uh to uh kind of troubleshoot your network and to show how is your.

E

The best performance actually different from what is happening in the world and maybe also to help you um kind of combat some of the root hijacks and takeovers, and all of that you can do by your own analysis, or you can see our views on the stat.tribe.net.

E

So when we looked at the corvid uh impact on the global bgp, we thought well, it's going to um flare up, because people can't travel to their uh distant points of presence to actually do the maintenance and there was the restricted access to data centers. So we thought oh now. This is going to actually um explode, but we were wrong. So basically internet is stable, at least on the routing level.

E

So this is um the the global view over time and you can see that in yeah from november until july, so november, last year, until july this year, there weren't many changes.

E

So um the other way to look at it is by the type of the announcement so either by adding the prefixes or removing the prefixes or the origin changes again. There were some flares, but it was nothing systematic and actually it didn't coincide too much with the lockdowns per country or anything because you could see that in december previous years. Actually there were similar events, so our conclusions are that the pandemic didn't impact the internet on the global routing table level.

E

So, as usual, we can see these uh weekly patterns, and so apparently all the operators are working very hard to maintain the internet. Now when it became even more important for even more people who are working remotely and and schooling remotely.

E

So if you want more details, they are on ripe labs and I do invite you to actually analyze it on a more granular level and to compare it with your own experiences and maybe come up with different conclusions.

E

And then the other type is measure network delays by using ripe atlas. We worked with the researcher roma, who made the very detailed analysis, and then he published that again on the iplant. So this one actually is.

E

How can I call it like a dashboard where you can choose a country and then we have uh pre-coded some dates of the very clear lockdown uh times per country and then looked at the month before and at that time, the month after the lockdown to compare.

E

But now you can also get them the latest data, and so this is just a a very quick overview per country. And again you can put your own country uh when analyzing data in your own way or a different time period and so per country. We also showed her a specific provider. What were the changes in latency? This is based on the ripe atlas data, so the pings, the ping measurements, and so this is the the rtt that you can see here and again.

E

um There are some spikes for some providers, but for us, looking from a distance, we couldn't really see a very clear reason why something would happen, but the people from a specific country probably can actually analyze it more related to their political situation or the lockdown details and so on, and so the other example is a little bit more busy when you just look at it as a picture as an illustration, and so there are much clearer differences from before the lockdown during and what is the situation now when the providers have actually increased, uh maybe their capacity or found a way to deal with the increased load.

E

So there are conclusions to be drawn here, but we didn't go into the very specific details ourselves. This is more to show what can be what is possible and to give like a very quick overview per country. How does uh rypatla see the networks uh and how they are impacted with the heightened usage, so the good news is internet is doing fine and if you would like to explore it yourself here are the links to the interface and to the projects that I mentioned.

E

So this is something that I added since I've sent the slides. uh This is not in the slides that I uploaded so pay very close attention.

E

uh We also opened some weeks ago, a community projects fund call for suggestions, so uh rypncc is uh decided some years ago to start funding the projects that are for the good of the internet, so the main criteria is that they are based on the open source and the open data, and so the projects that contribute to the resilience or sustainability of the internet can receive money, and we have already uh highlighted some of the winners from the previous project fund uh on the ripe labs and for this year you still have a few days few weeks to apply.

E

So please approach your communities and spread the news, because we would like to support the existing projects or the new ideas that work on the good of the internet contact us. If you have any questions there are my email addresses emails and a lot of twitter details and rap labs. Thank you very much.

B

Thank you so much mesna and we have a couple of questions. So. First I'd like to invite jay ignacio again.

B

uh Please thank you.

F

Yes, thank you um thanks for for the presentation um I I have been doing also measurements in latin america and using brightpearls here. The problem is we have a few troops among 400 spread in latin america. Some countries have very few and so on, but um we we try to identify.

F

We we concentrate in argentina and from argentina to concentrate to identify the the path, the routes uh through the cdns just to most use obsidians, which are the the the where dominates the traffic into internet.

F

And after that we performed some measurements, basically traceroute, because we want to to analyze the the the traffic inside different parts of the network. um We we just see the results, uh not so much uh analyzed for for the moment, because we we need people to do that, and it's a little bitty moment at that time, because the pandemic makes so complicate everything and but the mind.

F

The the first results are that in some specific time you perhaps you you- you got some some concession in in in in some isp, no, no exactly into the ixp, but in the in the in the some.

B

Specific.

F

Perhaps it's possible to analyze the information deeper and if you want, I can send an email with the details. Thank you.

E

Yes, I would be interested and if you publish something we can republish that in ripe labs and promote in our community and then maybe you can get somebody to cooperate with you and help you out and another comment on this is in the regions where we have fewer probes it. It might be possible to install the so-called software probes. I have posted the link in the chat and that's just easier from the logistics point of view. So please consider that.

F

Yeah. Thank you very good.

B

Thank you so much uh and the next one we have uh uh is dave.

A

Yes,.

B

Take it away.

A

Thank you thanks vezna, um I I noticed in a couple of your slides. You had, for instance, details like 18th of march, uh belgium went on lockdown.

A

I was wondering: what's what do you have as a resource in terms of a journal or what advice do you have for the rest of us that might want to study this on how to find real world events about when those lockdowns happen and also, presumably, the challenge is going to get even worse as we get more and more waves and changes with lockdowns?

A

What have you found.

E

Yes, so this was the first attempt to to work on this and uh uh it was quite early in the, um and then we were hopeful that there will be one lockdown, one date per country and then later on, we realized like. Oh, that was not uh so obvious.

E

So the first thing is that we actually consulted the wikipedia page, which lists for country then was the lockdown date like a third party, neutral resource and then currently there is an idea- or at least this is my wish- to change this- to to make it into a monthly report so that we just look at whatever a fixed date in a month per country.

E

And then we can see what the changes are, regardless of the actual lockdown date, because it's going to become fuzzy anyway, with the new lockdowns and the second waves and n plus one waves.

A

I see, and the wikipedia page was specifically about the overall covet 19 pandemic.

E

Yes, it is listed in that article by roma, uh where we have looked up the dates, but he had to actually hard code, those dates per country and that's a lot of manual work. So I think if we would to automate this to the next level, it should just be easier than that.

A

Okay, thank you.

E

Unless somebody has a better idea, so we can work on this later on offline online, but not on this webex.

H

Right right.

B

Great, thank you so much. Thank you, vajna. uh That was really cool. uh Next I'd like to invite li. Why is that? I hope that's the correct pronunciation of yours.

B

Thank you very much.

A

Give me a minute to make la the presenter, and there you are okay, you should be. You should be ready.

B

You're presenting now you can show you your slides great.

I

And we can see them yes, okay, great so hi. My name is olsen. I'm the project director of measurement lab um thanks for having us uh similar to vesna uh we're here, I'm here to just share the fact that our data exists and um give an overview of how it's generated so that researchers here can can take it and run with it. um So talking about what is mlab just to speak briefly about the the goals of our project, some of you may be already familiar, so apologies.

I

If so, but for those of you who haven't been introduced, our mission is to measure the internet, save the data and make it universally accessible and useful. I am preaching to the choir that there are many ways to do this, and by no means do we claim to do all of them, but we do focus on principles of openness and transparency, so all of our data is open and free to access um and I'll talk more about how that works.

I

um I always think it's useful to when talking about measurable measurement lab as a project to think about um the problems that it was trying to solve. uh The project was started in 2008, so it's been around for 12 years um and it was responding to a widely reported problem of not being able to not having access to commercially maintained, servers that were widely deployed enough with and with ample connectivity to support the kind of experiments that internet researchers wanted to perform.

I

And then another issue that it's trying to solve is the issue of big data sets and being able to share the data that these experiments um are producing.

I

um So these are the two kind of problem sets that the project set out to solve, and then, if you fast forward 12 years, we have a platform that I'll talk more about a pipeline that archives all of the data that the platform um that the experiments generate and then the data itself that we make publicly available. um We also maintain a suite of tools that are focused on community-based data collection, and um we, of course, also try and foster our community much like ripe to get researchers involved in in using our data.

I

Our team is based at code for science and society, which is an open data and open science, fiscal sponsor. We also have google as a core contributor and one of the things they do to contribute. Is they donate the time of a team of software engineers? So our team is made up of two organizations of core contributors so getting into the um the nitty-gritty of how the platform works um just to get the sense.

I

The uh currently we host about um 500 or so servers in 60 plus metro areas and off net service providers, um and for us off that we define as tier 1 data centers, where the they're serving more content than people um so essentially outside of access networks.

I

On these servers we host measurement services and they're, basically the server-side code, then clients are developed to run tests against them. So um we see this as measuring the inter part of the internet um going past the the eyeball network so to speak and having the clients test against servers that are within the backbone um anyone can develop clients. So our the the server-side experiments are approved are uh mostly written by academic researchers and approved by our experiment review committee. But anyone can write this the client-side code.

I

um One example is uh the uni application, runs an entity test and we'll talk more about ndt, the google search client as well as one of the integrators. So if you, google, how fast is my internet? We are what pops up um we're in the ndt test that is hosted on mlab is what pops up um by nature of ndt being on the project the longest.

I

We have the most um data for that test or for that measurement service, and so um often, when you hear about mlab data, we're actually probably talking about ndt data, um and so and for that reason I'll talk about that a little bit more. um These slides are kind of my standard slide. So I get into a lot of nuances here that actually, maybe folks here are more familiar with than most, um but to break it down. Just briefly ndt, which is one of the measurement services that we host is uh measuring.

I

The single stream performance of bulk transport capacity. um Bulk transport capacity is trying to look at the the reliability or the ability to deliver packets reliably across that link. um Just have some notes here about how often this term is conflated with link capacity. I feel like this is the audience that understands the difference, but um it's suffice to say often both are completed with speed, um and so it's often thought of as a speed test.

I

um It's also measuring the single stream performance as a way to effectively measure the baseline of the bulk stream or sorry, the volca transport capacity um and put these together and you get ndt and so um a question that we often get from from kind of end users is. Why is my you know, speed test different than other speed tests and it's just an overview of uh what ndt specifically is trying to measure um and then in combination with our offnet platform? That's giving you a vantage point outside of the access network.

I

This is um these. Are the the characteristics of the m-lab data set or more specifically, the ndt data set.

I

um One thing to note is that ndt 7, which we're actually in the process of migrating the majority of our clients to supports bbr so um has a better ability to model the network that it's based, basing its congestion control off of. It also runs over tls and uses modern web sockets, and actually uh today we're releasing a blog post talking about the comparisons between ndt7 and ndt5, our previous protocol and there's some links there too. If you're wanting to know more about either bbr or nbc7, um you can also run your own mdp server.

I

Just as a as a side note, if that's interesting to anyone, this is the same thing that we run on our offnet platform. You can run that same that same server side code on any machine that uses docker.

I

um These are more slides about our other measurement services that I encourage you to look at in the slides that I uploaded, um but the the main thing that I wanted to get there's like one thing that I can communicate today is that there is a ton of this data um and it has been being collected through all through the pandemic and longer uh for 10 for 12 years to be specific, um and as of today about 3 million new ndt measurements are added per day or um produced per day um and as of 2020 worthless, just 2 billion rows of ndt rows in our nbc table um through the pandemic as well, more people are testing, more people are home, more people are trying to figure out what's going on with their connection and we have been able to, and you can see, almost double the size of testing, and this is just the us, but uh this has been a a common um behavior across uh countries, so there is more data than ever um and I think the the the takeaway here is that we would we really invite researchers to to um join us in analyzing it, and uh we don't.

I

We don't have a research team, so we would love to work with you to support your research and your use of this data um just going through some of the uh other slides. These are just getting at that. It's um all open and free and I'll actually go on to um the what the slides about accessing the data, so um the most common way is through our visualization site.

I

um I'm not gonna exit out of the presentation, but if you go to that site actually right now, there's um data studio dashboards that make it really easy to just piece through what country you're interested in as well as what city and asn and and look at the data through the pandemic week by week, um there's also, but the most uh the next most popular way of accessing the data, and probably for most folks here who are look interested in looking at lower level.

I

Metrics is to use bigquery and that's just a sign up on our on um our discuss mailing list and you get a login and it's free to free to run queries as well. um So if there's any questions on uh uh how to access that, we're, always here at support measurement lab.net to support your your analysis, um I think I'll, just close by talking about just uh even outside of the the cover 19 pandemic. We're really interested in engaging with this group, specifically actually. So.

I

This is a really great opportunity to be introduced to you all, and I would defer to your expertise in terms of how we can be useful or how we can contribute to this working group. um Some ideas, uh if you are part of a of um a service provider, we'd, be happy to talk to you about pod sponsorship um for extending our platform.

I

um Also, our, as I think I mentioned a little bit, the um the the platform, uh the experiments that run on it are approved by our experiment, review committee, but we're open to any um experiment that is open source.

I

So if you have an experiment that would scale um well on the ml platform and benefit from using it, as well as generating open data, that's something we're really interested in talking about specifically with this group, and I think again, the invitation is to please use the mlab data and let us know how we can make it more useful to you, um and here are some examples actually of the researchers that have used it so far uh to analyze the code of the 19 impact.

I

um One is uh rahman which uh uh this I talked about earlier and then um also a researcher with uni um who looked at the network performance in italy and so I'll all uh pause there for questions or end there for questions.

B

Great, thank you elie. um We do not have any questions in the uh in the chat. um There's a there's, a discussion about the previous presentation, um and I wonder if that is something that we want to. We want to talk about now or we want to push that to an offline discussion at some later point.

J

You should probably take that one offline.

A

You know we're just about on schedule right now. Yes, so if we I I bet, we might have some time uh uh before the meeting ends which I'm happy to come back to it. um Otherwise, we'll do it on the mailing list.

B

Right.

A

So I'm going to make my myself nina, I'm sorry, are you done there.

J

I think we want to, I think we want to put robert on the spot exactly.

I

Yeah.

B

So we noticed that.

J

Yeah.

B

Robert robert joined uh joined the meeting so and, and then he found out that he was set to present so uh kindly enough he's gonna he's gonna, give us a a small update on the current state of the the write ntc tools. So if you can, please um dave make robert sturkey.

K

Yeah I have no slides so, okay, if you can hear me anyway, then I don't, we can hear you just yeah just go ahead thanks robert excellent. So yes thank you very much for for um putting me on the spot here, um but it's fine. um I unfortunately will not have slides to to um show you what I'm talking about, but still probably I will try to be cohering.

K

um So this is the ripencc tools update and I usually begin with ripe atlas. It's um still stable and still growing. We at the moment are floating around um 10 000 results per second coming in to the system. So that's a lot of result. Data from all over the world. um We have about 11 000, a bit more than 11 000, end devices that we call probes and we also have 600 650 ripe atlas anchors, which are somewhat bigger machines that you can also target.

K

If you are, if you want to measure something and you're looking for a target in the network now this is a lot of data that we're collecting. So one of the feedback that we got recently- um or I should say continuously- is that if you really want to work with all of that data- that's relatively hard, so what we're doing nowadays is um putting all of that data, or almost all of that data onto google bigquery somewhat similar.

K

That measurement lab does, and we plan to open that up to the whole world, to the research community in particular, so that you can get access and with the bigquery interface, you can really really dig deep and very quickly into details if you want to so that's ongoing, and I expect that we can make some announcements um soon, probably or hopefully before the next writing. If not, then the one after meaning everyone can have access to all of that data.

K

This is in addition to the way we present and make our data available to the community. Anyway, on the labs platform, it's just making it easier for anyone to to analyze that, um as you may have heard, from vesna, we are working on what we call software probes. So these are basically software packages that you can deploy anywhere. You want on your home, router or or your web server or your any kind of server that basically acts as a ripe atlas probe.

K

It does exactly the same thing, except that you don't need to deploy the hardware itself, so in some situations, especially if hardware is difficult to ship to a target, this can come really handy, so um vesna posted the link, but it's relatively easy to find. Anyway.

K

If you want to jump on, you can do this, we're still supporting the hardware probes and we don't have any plans currently to stop supporting them. So don't worry! If you want to have hardware probe, you can still apply for one and you will eventually get one.

K

We are working on improving the the actual measurement software. There are some new measurements coming up and we're trying to improve the existing measurements. So it has been pointed out to us, for example, that the trace routes measurements could be more efficient, which is on the agenda for us now.

K

The vm anchors are still growing. We are doing some life cycle replacements, as you can imagine. If you deploy hardware every now, and then you have to refresh that- and these are rec mounted pcs so every now and then that needs to be done um somewhat. Interestingly, 10 years of ripe atlas is coming up. um It's it's surprising even to me that we've been doing this for 10 years, but it's almost 10 years now the exact date is um october, end of october or mid-november, depending on which number you want to look at.

K

So what you can expect is that we are going to do some small gimmicks, interesting tidbits of information and some some celebratory tweets and pages that we can put up.

K

I think that for a measurement platform, 10 years is a lot and I'm sure the measurement lab is is also in this ballpark um and also if, for this event, you would like to um appear and um show us what you did with ripe atlas. So if you can have something like a testimonial that you think was is worth sharing with others, then please reach out to us uh on the usual channels and we'll try to uh include you in the information that we will put out.

K

Also, if you would like to sponsor atlas, that's always possible um right that that's one of the tools that has not been mentioned today. um Just yet so that's our resource, explanation service! If you ask what do you know about an as number or an ip prefix or an address, then we'll spit back a whole lot of information about geolocation, routing, dns and so on. um This service receives more than 100 million queries a day, all of which require some number crunching on our ends.

K

So that's that's a challenge to keep up, but the team is um luckily very agile on that also they are really trying to do their best to do this.

K

The user interface will be revamped, probably still this year, maybe early next year. So we will have something. That's nicer and works better on mobile platforms, which more and more and more people ask. So if you want to know something about an ip address on the road, you can do that very quickly, ipmap. That has been mentioned both by massimo and, I think, also by vestner.

K

Indeed, we're still working on that and, as massimo mentioned, um the system's point is to provide infrastructure geolocation information by combining multiple inputs to such a question uh which we, which we call engines, so the engines work independently.

K

They make their own decisions about what they think that particular ip address is, and then the system presents a unified output of that um the the engine that massimo described is one of those, um but we're still working on more of those to make it more useful for people. um Ris has been mentioned by vesna as well. So that's our routing information service.

K

There is some internal thinking about you know what's next for risk um and we we really wanted to cooperate with people who actually want to cooperate with risk as well, so both in terms of peering at risk providing data to the system, but also um running route collectors. If you're so inclined, um that's one of the features that we would like to explore a bit more.

K

um One of the features that I would like to mention here is um which, which is risk live, which is basically the streaming access to the risk data set, which is real-time access to the data that we have and massimo in his other working time has been working on some alerting tools based on there is live data, so if you're interested in real-time routing information and um normally detection must go on, then I encourage you to check out this live and the bgp alert that seymour has built, and in other news we have an arm that does research within the the ripen cc.

K

um Western couple examples, and one more is coming up at the end of this session. So that's measuring about uh 2810 12 in the ipv6 space, but in general, if you wanted to be up to date about what kind of interesting information we found or are looking at now, you can always just look at white labs and we will publish most or all of our researchers there.

K

So I'm hoping that I was more or less coherent um and you could follow and if you have any questions, then by all means contact us right here right now or on the usual channels. Thank you.

B

Thank you so much robert. That was uh that was incredible on the spot like that.

B

Well done, we should.

J

Surprise you more often that was a great tools update thanks. um Please don't.

B

Great- um and this was actually the end of the of the of the right mit working group part of the program, so I'm going to hand over to dave who will take you through the next part of the of the session today. Thank you so much.

A

All right, can you hear me?

A

No, yes, oh you can't okay, good thanks for joining us during your holiday uh robert. um I think I take better holidays than you. The the um uh this is the intellectual property rights uh statement uh to just to notify the following presenters. If you have ipr claims regarding your work to disclose them in a timely fashion, um what we so we're running about 10 minutes uh later than we thought we would but that's good, because we thought we would need an extra 10 minutes, so we should be able to fit this in time.

A

These are the upcoming presentations that uh miria and I um arranged for the measurement analysis for protocols. Research group um and mark is up first and mark has asked me to run the slides for him. So I'm going to stop sharing this and start sharing that one.

A

And mark are you there? Are you ready.

A

I think I might have to unmute mark.

A

All right, oh no, I still see marcus muted there we go and share want preview. This guy.

A

To you all right, uh take it away mark.

A

uh We can't hear you.

A

I can't hear you.

A

Mark.

A

Stop hearing that for a second, so I can go back and see mark uh your shown is unmuted in the participants list. For me.

A

I'm muted now try one more time yeah. I can't hear you um why? Don't you try uh disconnecting and reconnecting to the webex and um and we'll switch to? uh I think the next presentation in the meantime and come back to you. Does that make sense.

A

I think he said. Okay, so, let's see who so so. Who do we have up? Next? I think it's jake jake. Are you ready to go yep? I can go okay. Let me make you the presenter hold on a sec.

A

All right, jake should be the presenter now take it away. Jake.

D

Okay, I will uh all right, you can see my slides, I hope and hear me yep. We can see it great uh hi, I'm jake holland.

D

I work for akamai I'll, be talking about some observations about latency and aqm that I started in about february um I'll, go over a little bit of the background and goals behind what I was aiming for here, uh a couple of somewhat tentative conclusions that I have from the observations I've made and just give a little pitch for you know I'm mostly looking for a collaborator here, because I'm probably not going to do a whole lot more with this unless uh unless there's interest, but I think that the just because it's not very actionable for us um from where we're sitting as akamai, but um but I think, there's some worthwhile stuff in this data that that could bear some uh some improved um uh analysis.

D

uh If anybody can be enticed into uh into hooking up with me, I put a bunch of stuff in the backup slides also. So, if there's more, you want to know, take a look through.

D

Those this is, uh we enabled ecn uh in february, um and so we started looking at what we can see now. That ecn has enabled uh in some sense I'm using observation of the ce mark as a proxy for for existence of an aqm.

D

I know that's a lower bound, we, you know many aqms do not do marking, but, but I nonetheless did a little bit of comparing between uh aqm and not within the same isps, um and there were a few questions I wanted to get at first, which were how much are we seeing ecn, usage and utilization, and the key one which we did consider possibly actionable was whether home router solutions can really address the problem or not um we're looking for whether we can get it down to a reliable 45 milliseconds to support end-to-end gaming, um and for that reason this is not really.

D

I was I'll get into uh what I was looking looking at there when I get to that bit of it, but uh just put a pin in that um and my time to work on this was pretty limited, but uh so there might be some interesting yet unaddressed questions. uh So my first conclusion is that ce marking is not very prevalent, I'm seeing uh now about um about 0.3 prevalence uh last march, when uh you know after most of the shutdowns had begun. But before I had done a lot, you know.

D

Also after we started being able to see the data uh it was closer to 0.02 percent. um I think we're probably seeing some isp managed adoption go over a little bit. Why? I think that this was partially inspired by a prior talk. There's links in the slide in the slides.

D

This is the apple's talk from a few years ago, but we're measuring from the server side and we're basically looking only at the downstream, and I organized it by asn instead of by country, because it seemed more meaningful after kind of looking at it. uh If you follow the slides you'll see that it had a big observation in argentina, but that was later discovered to be not relevant.

D

So um I was looking to see if I could replicate this by the way- and I couldn't really- um and I think part of this is because we're getting a different view on the on the marking, because.

D

When you're the client trying to download something, then when you you get a better chance to see if, uh if there was any congestion ever uh to that client, then then we do from the server side, because we only will see congestion uh some of the time, especially if we are not actually inducing congestion, which often we don't um so here's a chart.

D

What we're looking at here is the uh proportion of the clients that ever asked for ecn that actually saw ce marks and uh sorted by uh by asn, and then this the size of the asm corresponds to the size of the data point. uh So this is just the top uh 35 or so uh asn's, and you can see that it drops off quite quickly. There's a few asn's that seem to have deployed something uh clearly managed by the asms that are sort of up in the or by the isp.

D

That's you know up in the 80 90 percentile percent of clients uh who ask for a seat for ecn, do sometimes see marks during a day um and uh but it drops off pretty quickly, uh there's a sort of middle ground here. um So you know here at three percent, or so it's still quite about uh you know ten times higher than the than the global uh typical count.

D

So I'm not totally sure what to make of this, but my guesses are written here on the slide. I think that um you know for these larger isps that are seeing uh you know. Seven percent of paths or of client ips do sometimes see.

D

Because it's it's quite a lot more people than um then you might otherwise guess uh the smaller ones, uh so the the largest dot on this chart is 103k. Client ips in the asn and the smallest is uh is 510, so some of these tiny ones are um are really pretty small. uh There's another filter. I didn't mention here.

D

uh This also is a little bit covered in the backup, slides, there's a I'm filtering for isps that had at least 100 clients that ever asked for ecn, um and so even in the 500 ips, we have at least 100 clients that that sometimes ask for ecn, but uh so the three percent that you're seeing here could be as low as three uh for a very small. uh You know three individuals for a very small ips, so I don't think that's particularly uh indicative of anything.

D

um It also should be noted that the what we can see is a lower bound. So these are. These are connections that are client ips that actually on some of their connections, did cce marking um and so there's the july line and the march line.

D

You can see that between march and july, it increased quite a bit and that we get um a lot more in the way of large isps that have done something um you know the.

D

However, that said, it remains quite small overall.

D

This also does not represent most of the ce marking paths on the internet. These are the top isps that seem to be doing something with it.

D

But if you look at the top uh hundreds so that you know it continues down to a smaller uh long tail here, but um but out of the top hundred uh of the you know, 800 or a thousand isps that passed the filters that only represents 140th of the ce marking paths on the internet. So um so I'm concluding that most ce paths on the internet are not isp managed. Most of them are probably these home router kind of deployments, uh they're widely available, um but uh but of the ones that are isp managed.

D

um You know, there's there's not that many, but they seem to be growing somewhat.

D

The reason I'm distinguishing between isp, managed or not is because we were interested in the question of whether a home, router deployment would be able to address the the latency issue mostly or whether it really would need something done by the isp, and my tentative conclusion here is that it probably needs something done by the isp. It's not good enough to do it uh in home, routers predominantly um so.

D

What I'm looking at here is uh the the samples that I'll be presenting are all uh just the the sin to the the synax to the ack. So this is just a snapshot.

D

One per connection, that's right when the when the connection opens and um I'm not saying anything about the home, router's aqm impact on on self congestion during an active tcp flow, um I'm looking for mostly like what you would see in a gaming scenario where you've got a lot of chatty back and forth, but not a great deal of bandwidth, and I took the tcp handshake as a decent proxy for this. For this kind of measurement,.

D

So and what I'm seeing is that ce marking paths still experience a pretty high uh latency variation according to the to the asn that they're in that is different, depending on which asm, which asn they're in.

D

So the the charts I'm showing are um for one day of data. I was doing one day at a time just partly because the way it's partitioned for uh for my access, uh this covers um I've done done this separately on a few different days, but not in a really. uh You know consistent and organized way. uh So I just sort of did spot checks for consistency between days and and kind of qualitative uh judgment of the.

D

Done any like putting the days together to make good sense out of them, um so I picked two particular asn's to to go over. uh These are chosen to be just sort of um from the kind of leading edge and from the middle of the pack of the asms I had available, um and then also I wanted to give a shout out to uh um the presentation also a couple years ago about.

D

I think it it got me thinking about the right way to do that. Links there. That's a good one, um so what I filtered for, I was looking for the uh trying to to isolate the effect on the access network, so as a cdn that has a large edge deployment.

D

uh We were looking for like what is the impact that we cannot address by sort of mapping better or or having more edge servers out there like. What are we going to be seeing, even if we do the everything perfect on the server side um and I'm looking for the latency span.

D

So I took only client ips, where I had at least 50 samples from the same data center to the same client ip in the same day, and I topped it out at 300 samples from any data center to the client ip and the reason for that is to exclude um care grade gnats and vpns, which have uh you know a very wide variety of paths um and again in the backup, slides, there's a chart that shows like why I think 300 is about the right cut.

D

The and all of the client ips that made it into the end had a a at least one rtt sample that was 20, milliseconds or below.

D

um So after these filters, I get about 5.3 billion samples across 31 million client ips, there's 11 million of these client ips that ever negotiated ecn and um 33 000 of them that ever saw markings.

D

uh So the the data also one other point to make is that I talk about client ips, because that's kind of an easier way to think about it. But each of these each of the points in the charts is actually looking at a data center to client ip pair.

D

So there might be multiple different data centers that talk to the same client ip, but um but those would show up as separate uh points in the chart, but the same client ip cannot appear more than six times and probably not more than five, because it would not have passed the filters if it did that so I'll be the charts, say pairs but I'll be talking, probably about client ips. Instead,.

D

So the the quote: good isp- this is kind of what I see so there's there's eight different cdfs here essentially, and what they are is the solid line is the 50th percentile of the client ips ban of the latency span. They observed over the over the day. So, however many samples they had you know, we've got a client ip. That's that's uh was in the middle here and their 50th percentile was uh had an rtt.

D

That was you know at this value, uh the the uh you know, and then we have the same chart for the 75th percentile, the 91st percentile in the 98th percentile.

D

So, as I said, each client ip each of these, each of the points on this chart has at least 50 samples, so we've thrown out at least one.

D

And uh at least the top outlier, um but these 98 percentiles uh values of the of the latency span for the client ip. Then each of those clients uh would would represent some point on this chart um and another point worth noting is that the same client might have you know a 98 percentile up here and a 91st percentile down here: they're, not necessarily the same client.

D

All the way across uh the only real restriction would would be that uh within the client, it's it's monotonic, um but so, given that uh what we've got is uh the the uh the green charts are the uh baseline. So that's all of the uh all of the data points within that asn and the blue ones are just the ce marking paths, whether or not the third mark any client ip. That ever in the day saw cme ce mark is included in the blue chart.

D

um So you can see that this is. This is what about uh uh point two percent uh ish of of the uh uh of the uh ips that were in the that were in the filter. So these are all within the same asn.

D

And um uh one interesting thing to note is that in this case it looks like some of the ce marked.

D

um uh Some of the ce marking paths actually had a worse uh 98th percentile than than the overall paths, I'm not sure if that's selection bias or if it's an artifact from um running an aqm, but this represents an isp where we think it's not. There's not an isp managed marketing deployment, and you know these are. These are the kinds of numbers I have for this.

D

I have uh probably what 1500 of these charts- I guess um you know so I just picked one out to to be illustrative here um per day that I run so. A middle isp is just chosen from the middle of the pack according to their 91st and 98th percentile, and this is about what we see there, where the it's the same thing, but the the pink line is ce marking and the orange line is, is the overall uh latency spans that we see and the the conclusion comes from?

D

If you just look at the overall values of the good isp versus the middle isp, it's pretty clear that this is, you know being in the good. Isp is dramatically better than doing ce marking in the middle isp. um So this is pretty typical. It's not universal and again I have a another chart in the backup slides of a different middle isp, where it was a better, a better value for marking ce for ce marking paths.

D

But this is sort of the evidence that I'm using to conclude that we cannot solve the latency problem by doing home, router deployments. uh So for you know, where do I want to take this next? um I feel like there's a lot of unexplored questions in this data, uh but it's you know.

D

I had to tell my corporate overlords here that I could easily spend six months or a year digging on this and come out with no concrete recommendations for what we should actually do in our network, and so I'm basically dropping this unless somebody reaches out to me and and is interested in developing this further.

D

um So yeah do that if you think it should be developed further and you have some ideas on how to do so. I just wanted to uh get that out there and let people know kind of what things we're seeing and I will take questions if there are any.

A

All right thanks, jake yeah, there are a few uh we've got three questions for you that um I'm going to ask on the questioner's behalf. um Bob briscoe uh first asked the question back on your slide. Five, um you were showing c marking prevalence and bob asked.

A

Is there any check um in your work to look to determine if it's real ecn, marking and not um field tingling? I did do.

D

Some spot checks. um You know, there's there's a few uh points of evidence that that I have um I I don't it's not great evidence.

D

I looked for any any ce or or ecn markings on paths that did not negotiate ce or ecn markings, and I never saw any of those uh over this band that I looked for them. um Okay, you.

A

Know, I'm not sure.

D

That there's I'm not sure that it never happens. uh Obviously it you know these things could happen, and I've mentioned it. Maybe they'll start happening who knows, but nobody was doing this uh as far as I could ever see during the time I was I was looking at this. um I don't have uh you know if you're talking about um the kinds of of traffic that was reported previously, where uh ecn mark were happening on every packet or something?

D

No, that also was definitely not happening most of the time. What we're seeing is a small number of um of blows ever get ce marked, even in the even on the path they're doing highly prevalent ce markings, um but uh uh we did not observe a lot in the way of um you know we're a lot we're relying on the on the client heuristics that apple talked about for uh when they see a problem uh where, like every packet is, is marked, then they will sort of cut off the negotiation of ecn.

D

um We're we're not doing that actively on the server side, because we know it's it's out there on the client, we're not behaving differently from other servers, and it's also like way harder to do that from the server side. As far as I could tell.

A

Okay, um let's jump to the other. The other two questions, um jay ignacio, uh asked us simply: are the ecn observations all in ipv4? Do they also include v6? This includes v6 as well, okay and then, and then the third question was also from bob and he's asking could increase in congestion. Experience be due more to congestion over an existing ecn node rather than an isp having newly deployed ecn.

D

uh This is possible, um it's a little hard to tell from where I'm standing. um You know there. There were uh more samples on the on the day I chose in july than in march.

D

uh Part of this can be attributed to the normal growth that we see in traffic over time, um but uh you know in both cases. The days I picked here were um sundays. Since kovid started, um you know it's, it's not uh yeah. I I don't have a solid yes or no on that, but um I'm rating it relatively unlikely, um but uh but not with great evidence to do so. um So I would, I would say, if I had contrary evidence, then I would uh you know I would change my mind on that.

A

Okay, okay, thanks jake, um so uh just to reiterate jake is uh saying you know: if there's a collaborator, that's interested uh both he and I have worked on some of the stuff in the past. Maybe it's something we can do with map rg in the hackathon and uh all right. uh What I'd like to do now is I'm gonna switch to making myself the presenter again and then uh we're gonna check in with mark mcfadden and see if we can hear him, because we can just squeeze that. Can you hear me?

A

Yes, we can very good. um So I'm going to bring up mark, slides.

A

And we'll run through that.

A

Let's see there, we I'm gonna view slideshow.

A

Okay, uh take it away mark.

L

All right, thanks dave, um this will be quick. uh This is completely different from the uh other presentations that we've had today. uh This has been motivated by uh some work that is going on.

L

um Maybe you could go back one slide here, yeah, um that's.

L

Okay, anyway, um uh there we go.

A

I'm sorry about this.

L

That one right there so um thanks, so this has been motivated um by some work, that's going on in the iab, and it was a sort of thought experiment. Originally, a very old rfc, rfc 3552 gives guidance to authors in terms of crafting um language for security considerations, but that is actually um pretty old.

L

If you think about it, and so what we thought was what, if you actually examined the rfc since 2003, looked at the securities consideration sections and tried to determine whether or not there were fundamental and crucial changes to the threat model for the internet and also a significant changes to the way that people are writing this security consideration section, and this isn't just a sort of piece of independent research. The idea was really to inform some of the other work. That's going on in the iab. So next slide dave.

L

Yeah, so the iab has already talked about potential revision to 3552. uh The iab currently has a piece of work underway right now called uh cleverly enough model. T that's talking about uh changes to the threat model that are in it. That's in rfc, 3552 and really the the body of work since rfc 3552 is actually fairly substantial um uh since we're uh we're in the neighborhood now of having um five and a half thousand more rfcs to look at so uh next slide.

L

Thanks um so there's two things going on here: uh first of all, I published a draft that actually talked about a possible methodology for doing research on the security considerations, text that are in rfcs, and it really proposes a pair of components.

L

One is a quantitative component and more about that later, the quantitative mode component is really a textual analysis of the the words that are in the rcs and then a qualitative analysis, and so what what the draft was, uh what the proposed piece of research does is propose this methodology, and what you'll see in a moment is uh that this proposed methodology, one part of it, uh we've done an experiment on so the next slide. Please dave.

L

um So what the methodology is in search of is comments for improvement, basically, except for an experiment that I'll report on in a minute, um the actual methodology hasn't been implemented. Yet there's no one who's actually executed it. Although there have been volunteers, who've stepped up to the plate and said they'd be interested in doing it.

L

Things I wanted to take some time on here is to report on a quantitative experiment that we've done, and the draft also reports on that quantitative experiment. So you can find out more details in the draft and the next slide.

L

Perfect, so uh what my co-author uh did- and we worked on in the summer and fall of last year- is that we did a word by word textual analysis of the security considerations of all the rfcs since 2003.

L

the thought was here, the the hypothesis was. Would you detect changes in the words that are actually being used to indicate the threats and the threat models? I mean, how is it if you look over the period of 17 years? Has that changed and would you find patterns that indicate that some terms have become more important to protocol designers by virtue of appearing more often in rfc text, and then one of the things that this last bullet on this slide?

L

My co-author was exceptionally interested in, was taking a look at whether or not security in large scale. Security incidents on the public internet had changed the way that the pro that protocol designers had written the security considerations of their documents. The idea was: do events in the real world on the public internet affect the way that protocol designers do their work and express that work through the security considerations sections of these documents?

L

So this experiment we did perform and so next slide did.

L

My co-author, my co-author, actually executed a experiment that was consistent with the quantitative part of what's in the draft, the quantitative methodology and basically what this does is.

L

It uses a set of python scripts to extract the security considerations document out of the texts of all of the rfcs and then parse each one of them and get word frequency counts for each uh it's a little more complicated than that there, for instance, it supports stop words, we omit words and you'll, see in a second that we conducted a second ex second experiment to see what the indication of normative words were in security considerations.

L

Documents- and let me report on that in a second. So next slide.

L

um So the parser that we used uh was a uh basically uh an open source parser uh it it removed all non-textual material and it removed what we call stop words, words that are either words like a and uh those sorts of things, or um other words that wouldn't wouldn't, in our judgment, be related to the protocol itself. uh It also removed some other materials, for instance rfc references and anchor urls and so forth.

L

Then it took all of that text and it parsed it into files by year, so the rfc was actually parsed year by year to so that we could actually have sort of a time series of what the rfcs looked like or the security consideration sections of the rfcs and then for each one of those years. It built a frequency list of all the words that weren't in the designated list of stop words. So next slide.

L

So the result of the experiment are paraphiles that go back to 2003 and one is a simple frequency. A word frequency count file for the number of times. A particular word appears in a security consideration section, and one of the things we were looking for, of course was well.

L

Do new words start to appear uh as we as we move forward in the years or in response to particular attacks and the second, uh a second thing we did was to actually do an rfc count of how many security sections actually referred back to previous rfcs, what those rfcs were and what the count, what the quantitative data was for that so dave. Could I go to the next slide.

L

So here are some examples, uh just so that you can see this is actually um taken directly from the internet draft. um You can see some word. I won't.

L

I won't read these out, but you can see some words that are fairly recent in 2019 rfcs and then you can go back and I what I did for the purposes of this is to just step back five years each time, and you can see that one of the things that we observed was that actually the just both the distribution of the word counts and the words themselves frankly didn't change very much over the space of 17 years, and so that's um that's interesting to us.

L

I think that's interesting input to the model t effort, for instance, it shows that um that our c people who are drafting rfcs are tending to uh use the same words despite the fact that the internet is evolving significantly uh so um again, there's more details in the internet draft, but this gives you a feel for what the top 10 word counts are in four sample years, separated by five years. So next slide.

L

One of the things we did that we sort of discovered was that there were many security sections that had normative language in them, uh and so I have two slides about this.

L

First of all, if you remove the normative language, you come up with different top 10 lists, but one of the things you'll see here is that once again the words that are used between 2019 and 2004, frankly, don't change very much, and so what we're seeing is no reflection in the security considerations, sections that is apparent by just doing a quantitative analysis of changes in the internet's threat model, and so uh one more.

L

Slide.

L

um So a couple results here. um This slide may or may not be interesting, but when we took a look at what the most common words were over the entire period of 17 years, that's in the first bullet there and then over. That's uh the the same 17 years. Here's a list of in order of their frequency.

L

What the 75 most frequent words are we compared this then to the year to by year one- and this is kind of how we reach our conclusion- that not much has changed in security, consideration, sections um and again the results are in appendix b of the internet draft. One more slide, then,.

L

um And so here are some conclusions we draw uh we drew um and I've already talked about them. So I won't. I won't uh in the interest of time bash this too much, but there really isn't uh much in the way of major changes if you're just doing uh word accounts of the security consideration, sections and act. Look at that in the draft proposes that you also do a qualitative analysis and my co-author- and I have not done that.

L

Yet um it turns out that the word may appears more often than any other normative language in security consideration sections. We found that to be extraordinary that that that the word may instead of, must appears and appears much more often in security, consideration sections, and so that also is input to the iab and uh input to uh other conversations about the internet threat model, and my last slide is just contact details dave um I'm happy to first of all have comments.

L

Second of all, um if anyone wants to talk about uh helping with the qualitative analysis of the data happy to talk about that as well. Thanks dave.

A

Okay, thanks mark uh nina, did you see any questions in there?

A

If not, I I I just have one I. I love the idea of using the artifact, that is the rfcs as a way to determine whether the engineering is moving with the real internet. Was there any any real life uh internet phenomenon that that you could correlate with the change in either quantity of uh words or just the quantity of the security considerations itself I mean you think you'd see evidence of the iab or the ietf's policy changes even on.

L

So we looked at one particular case. This is mostly an anecdotal story, but we looked at the dynatac and we thought that.

L

Certain changes to a certain maintenance for tcp. um We would have seen changes to the wording there and we didn't- and we also looked at the latency issue right so, for instance, dave. If we look at as an example, the dynatech one of the things we said was well. We wouldn't start to see changes in the rfcs until about a year, 18 months later because of the publication, the the pace of publication right.

L

But when we looked at that particular example, we didn't see much in the way of change and we actually went back and looked at. We targeted particular series of rfcs. For instance, we went to a ietf area and then limited the examination to just, for instance, the internet area um or, and the results were pretty much the same so uh and I see in the chat room that um bob suggests that you know privacy should have been appearing more and I agree with you bob, but it it simply doesn't show up when you do.

L

The word count- and the word pervasive uh surprisingly appears in very few rfcs, even after uh the iab statement on pervasive monitoring. So while we have a very, very strong statement from the iab about pervasive monitoring, we actually don't see those words showing up in the rfcs.

A

Afterwards, all right, thank you, um we're going to have to move on because we have just enough time to get the rest of the presentations in so we're going to switch to uh philip bruhn. Next, I'm going to make you the presenter phillip.

A

And let's see philip, let's make sure you're unmuted.

H

Yeah hi.

A

Okay, you're ready to go.

H

Yeah, so I'm phillip and I'm working for ericsson, um I want to tell you something about the behavior of tcp cubic that we have discovered in the context of my master thesis when doing measurements with cubic connections on mobile radio networks.

H

So here you can see our measurement setup in the middle. We have deployed an http server that is directly connected to the core of a mobile radio network and an http client that connects to the radio access network through an lte modem.

H

The host here runs tcp cubic and default settings, and the roundup time between server and client is between 18.5 and 30 milliseconds and last of all, the radio link here can be seen as ideal in terms of a stable signal, quality and no interference across traffic.

H

So then, taking this measurement setup and doing file downloads, we measured the total transfer time. That also includes the time for the connection, setup, etc and calculated the file throughput as file size divided by transfer time.

H

um When we then plotted the empirical cdf for two different file sizes, we were actually surprised to see that the file should the file throughput shows such a significant variance. So, for example, for a five megabyte file, we have samples between 30 megabits per second and 50 megabits per second.

H

So part of this is due to the current linux implementation and the fact that a smaller file seems to show a larger variance compared to a bigger file, then led us to the conclusion that this might have something to do with the slow start.

H

So then, tcp cubic uses, a hybrid slow start scheme called high start, so the window growth function is actually the same as in tcp reno. But heist has two mechanisms to find a suitable exit point. So an exit point before we lose any packets.

H

One of these mechanisms look at the looks at the egg train length, so the length and time of back to back x that return to the center in our measurement. This actually never triggers. So we don't discuss this here.

H

So then the second mechanism looks tries to detect the delay increase. So if the current round trip time exceeds the minimum round to time by a value of theta, this then indicates congestion at the bottleneck link.

H

So here the minimum rounded time is defined as the overall minimum, rounded time that that we have seen throughout the connection and the current rounded time is defined on a pair on basis. So the current rounded time is always the smallest round to time sample from the first 8x of a round.

H

I have summarized the delay increase condition down here, and the value of theta is actually defined as the minimum round to time divided by 8, but is clamped between the values of 4 and 16.. So since in our measurements, the the round trip time is small, theta actually always takes the value of 4..

H

So then, going back to this condition here we can. We can actually identify two reasons why this condition can become true, so either we already have found our minimum roundup time and then the current runtime time increases making this condition true or we are outside of the sampling phase of around so beyond the first 8x of around.

H

So then, the current rounded time is fixed but the minimum round, so we, but we could find a new minimum rounded time when the round time drops.

H

So these are two separate reasons why this condition can become true, since this is a little detailed. I want to give you an example and walk you through uh one example. So I want to walk you through one example for each of them.

H

So here I have plotted the roundup time samples that correspond to different packets and so for the first round- and here I have to say that the definition of a round from the high start point of view actually contains a bug. So high start considers the first 11 packets to belong to the first round instead of the first 10 packets.

H

But actually what's the case is since the initial window size is 10. The sender sends 10 packets in the first round, not 11., but let's stick with this. For for this example, so first of all, we have to find the minimum rounded time plus theta, so the threshold value that we compare the current round time against, and then we find our current rounded time as the minimum round to time during the sampling phase, which is here shown in gray.

H

So as long as we are below the as long as the dashed line is then above the solid line, we continue and go for another round.

H

Each time we go for another round, we head and reset the current round tip time, and then again we find our threshold, um which then here drops on the 31st packet, and we find our current rounded time, which is this time 20.. So again, the dashed line is above the solid line, so we go for the for. So we again reset the current round trip time then and go for the third round.

H

So this time we have already found our minimum round trip time. So the threshold here stays constant.

H

But what happens now is that the current jump to time increases from a value of 20 to 22, which then makes this condition to become true.

H

So then we keep on sampling but do not find any other smaller sample and we exit the slow start at the first egg after the sampling phase. So this then results in a congestion window at the exit point of 51.

H

this in the the example for the second reason, is actually pretty similar, so in the first round nothing else happens in the second round. We again see the drop on 31st packet, but this time the round trip time of the 15th packet is higher than before. So now the current rounded time is 22 instead of 20, which then makes the drop on the 31st packet um to force.

H

This condition to become true, and therefore we leave the slow start immediately instead of going for the next round and leaving up here so this time, the congestion window at the exit point is only 40..

H

So now we have understood these two reasons and we want to. We wanted to know okay, how likely are there? How likely are these two reasons so, therefore, we did another experiment and actually figured out that the probability that we leave the high start due to an increasing roundup time, which is actually how the delay increase mechanism is supposed to work, only happens in 30 percent of the cases, but in 70 percent of the cases we leave the high start when the round time decreased.

H

So we actually left the high start when we set a new minimum roundup time.

H

So now you you might ask. How can this even happen that the router time drops in the middle of the connection and to understand this? I have to tell you something about the uplink scheduling in radio access and radio access networks.

H

So in a mobile radio network, the radio access network actually controls all the transmissions so also the uplink transmissions. So the modem needs uplink resources in order to transmit its data, or in this case the x. So then there are two cases so either the modem already has some some uplink resources.

H

Then you can just piggyback a buffer status report onto the next data transmission, telling the radio access network that it needs more resources to transmit the rest of its buffers, so the rest of the data that it's still in the buffer.

H

If the modem does not have any valid uplink ground, it has to rely on one bit, scheduling request that is sent in the option, control channel.

H

So to understand this look at this example here on the right, so in the first round the server will send 10 packets to the client and the client will gen then generate 10x and send them to the modem.

H

Consider the modem to be idle from a transmission point of view. So then the modem has to cue these 10x and wait for the next opportunity to send a scheduling request after some time. The modem, the radio access network will then respond with a small amount of with a scheduling ground that grants a small amount of resources.

H

Since I cannot know how much data the motormate has in its buffer, because the scheduling request is only a one bit information, the modem can then fit. For example, 2x and digging back a buffer status report telling the radio access network it still has 8x in its buffer.

H

So the first two acts are then forwarded to the server and the radio access network will then grant a send a sufficiently large grant in order to so their modem. Can then, in the next step, send the rest of its buffer.

H

So, even though the 10 packets arrived at the client at the same time and the client generated the x at the same time, the x will arrive at it will read so the x will return to the server at different points in time and therefore the packets can have different roundup times.

H

Another reason for different round for the round of time variants is also that the mac layer has some periodicities.

H

So when you look at this graph here this time, I have plotted the mean round to time of individual packets and by looking at the first 10 packets. Here, you can pres precisely see what I just explained so the first two packets have a smaller roundup time and then the rounded time ramps up by about eight milliseconds on on the third packet.

H

So then, this kind of scheduling principles also lead to the fact that the first two x of the third round are then transmitted together with the last x of the second round.

H

So this means that these two acts here do not have to wait for any scheduling grant which could be triggered by either a scheduling, request or or a buffer status report, so that they can just hop onto the transmission of these acts.

H

This then causes the rounded time to drop so significantly and, as we have seen in the previous examples, this then in many cases leads to a false, positive detection of network congestion and into early exit point. So the at this point, the connection is still far from the maximum throughput.

H

So then, in the end, these mac layer effects dominate the behavior and the performance of tcpq.

H

So, to conclude, so we have seen that cubic connections can see a significant variance in the file throughput, which is due to the high start that usually or in many cases, fails to find a suitable exit point due to the latency variance of lte.

H

As I said earlier, there can be there can be made a couple of improvements. So the one hand the bug that the high stud reset was done, one packet too late, so that the first round would contain the first 11 packets instead of the first 10 packets.

H

We actually fixed fixed this in our version of the kernel, and then there was also a research also led to a different kernel patch. That now allows every roundup time sample to reduce the current roundup time.

H

So this means that we do not exit in the current round when we have a new when we find a new minimum roundup time so taking both of these together, we actually redid our measurements and found that for a five megabyte file, the throughput the throughput increased by about 15.7 and what you can also see by the graph here is that the portion of samples that is close to the mean increased from about 55 percent to about 85 percent.

H

So the jitter, the overall detail, was reduced, um even though still have our strong outliers. So this is because there are still some effects that are not compensated by either the bug fix or the kernel patch.

H

So since highstat still does not consider the round to time variance, it may still not be well suited for mobile radio networks and, in the end, it's important to say that, even though we conducted our drive with lte, we presume that the same effects will also happen on 5g. Since there we use the same kind of uplink scheduling, principles.

H

This is actually it all.

B

Right thanks.

H

I'm willing to answer questions now or you can also send us an email later so either me or I call it much and my colleague machek who worked with me on this.

A

All right, philip, thank you. So much uh there's been a a little bit of a lively discussion about about high start in the chat session uh and I'll I'll suggest that those folks do what you just suggested. Take it offline with you um by email or you can use the maprg mailing list as well.

A

um For instance, uh bob comment: bob briscoe commented that high start is on by default in linux cubic, um but according to a mini survey, he says he did a four to five cdn's about a year and a half ago, for instance, google, microsoft and apple um all, but won a disabled high start. um Do you have a comment? Fellow before we wrap up.

H

uh No, no, I don't I just okay, as we see as we saw it, it really can behave badly when used on mobile radio networks.

A

Okay, um thanks so um in the interest of time, because we just have 25 minutes for 25 minutes of presentations left um we're going to switch to mike kosek being the presenter, and let me do that by finding mike in the participants lists here and we have a little bit of uh as mike gets set up, uh I'm going to paste in the chat right now, a link to an ether pad that miria mike my co-chair who's on top of things better than I am reminded me we're supposed to be maintaining what are the blue sheets where, basically you just sign your name and your organization and say you were at the meeting.

A

So it would be a big help to us. If you would visit that url. I just posted there. The etherpad map, our g url and just add your name and affiliation there. uh So we get a list that approximates the what I saw about 74 participants on today and we've got 56 right now. So in the next half hour, if you sign that that would be great just like you would, if we were at a real ietf meeting mike I'm going to hand it over to you, you're ready.

G

To.

A

Go.

G

All right, thank you dave. So this is a quick recap on our work of tcp conformance, which has been presented at palm in march of this year. So dfb has been analyzed in the past decades. However, every study focused on different aspects of tcp and tcp extensions, and our question was okay: how is the conformance to the minimum requirements so the basic requirements which are phrased by the must keywords in the rcs and for this we chose an active scanning approach. We did control testbed environment measurements.

G

First of all, we followed up with a large scale measurement campaign, and for this we use the tracebox approach to also detect metal box interference with these minimum requirements here.

G

So for our test cases, we looked at the rc 793 abyss, the giraffe 14 version, and we looked at different aspects. So we checked if the check sounds are correctly validated if uh options which are unknown are correctly ignored. If the mss, which are stated are the rc stated defaults, if the effective sent mss is honored. If result, flags are ignored in zeros and if the urgent pointer could be processed segments of arbitrary links. So with these test cases we started out- and this is something we could of course only be observed on the wire.

G

So there are a lot of more more requirements in the rc draft and we started with this because they yeah low hanging fruit. I would say, first of all, we do it's some control, desperate measurements.

G

What we see here is that only linux and lightweight ips showed full conformance to our test cases. When we look at windows 10, then we see that the mssd4 stated in the rc are used as a lower bound. So you cannot actually, in this rear, handshake use something lower than it's stated in the rc for mac os. The 1024 bytes are used as a default, regardless of the ip version, so this falls short of the ipv6 and exceeds the ipv4 defaults on micro, ip.

G

We actually observed some pressures, and this was done on urgent pointer data, which was pointing beyond the segment size, and we issued a pull request for this. uh This was especially interesting as contiguous and contig. Os are also vulnerable from this issue, and this pull request got merged and is fixed. Now, for a c-star, we saw that the holster s is supported of offline to check some features is not verified.

G

We we reported this issue. However, to this stage we did not get any response from this all right for our live scale measurement campaign. We looked at different target hosts from the http archive we sampled cdn targets. There are 28k unique targets house we took around 476 000 unique target holes from the alexa top run million list and on sensors, which provides antenna white squad port scans. We took around 3.2 million targets, so let me start with the notation here in our three columns.

G

We see the three data sets and in each sub column we see the different results which are presented as a percentage. So for u and k sub column here this is unknown. These are not clearly determinable results. This can have multiple issues. For example, if a pre-test was successful, but the actual test of the feature we wanted to check, uh we did not get a response to our sun packet.

G

Then we have f target which shows non-conformities raised by the targets and faker pass, shows non-conformities raised by metal boxes.

G

Okay, digging right in first of all, we have the checksum test. We did this in two ways. First of all, which we chose a random incorrect checksum, and we also did the test with zero checksum and for checksum. We saw that the cdn shows the lowest failure rates overall and actually no on path, modifications, which is quite good news. However, alexander senses each show around three percent target failure. So in around three percent of the targets, they did not validate the checksum and responded to our false false checksum package.

G

Next of all, we have option unknown, and so no singer s really stands out here, but we observe that the highest figure rates are within isp networks, and this is exactly the same behavior as we saw in the mss missing test. So for mss missing we saw around 0.4 percent percent failure on the path of the census data set, and these are also primarily located in isp networks and digging down on this. We saw that the mss is inserted here, and this is most likely due to the pppoe encapsulation done by access rotors.

G

Next up, we have reserve flex and we see up to 1.8 percent target failure on census year, so um they actually did not response to our probing packets at all, and this is really bad news for extendability, as yeah using these flags really doesn't uh provide any connection to these targets at all.

G

However, when looking at the rc, we see that ignoring and zeroing, the reserve flex is actually no formal must requirement. So for this we propose to add this at a formal mastery requirement within the rc 793 bis version.

G

Lastly, we have the urgent pointer and the urgent pointer shows the overall heist failure rates with up to 7.3 percent uh failure on the census data set, and these census fakes are primarily located in isp networks again and around 99 of these failures are just silently discarded, so the data, so no connection is possible using the urgent pointer with these holes, the rc states for the urgent pointer that the usage is actually discouraged, but the implementation is still mandatory and it might be a id id here to remove this mandatory implementation requirement to reflect its deprecation in the rcs.

G

Alright, so that's for our quick recap: please have a look at our paper if you're interested there are a lot of more test cases and more details in there. We also released our data set and we released our code, so our tool called tcp reg, is on github feel free to contribute, feel free to share your results. I'm happy to progress this further. Thank you.

A

Thanks mike- and we have a couple of minutes for questions, the first one that was in the chat was uh jay ignacio asked. How did you determine this was during your results? Presentation, for instance, the results slide two. How did you determine the middle box errors instead of uh determine the middle box errors instead, targets.

G

Yes, let me just bring up my backup slide here uh in our methodology, so uh we used the tracebox approach um where we encoded the ttl in multiple fields and just sent out multiple, increasing ttl probes and listen for the icmp time exceeded messages, and we did this test case specific.

G

So, for example, if we wanted to test if on a path the uh the tcp checks on is corrected, then we would get a reply with a corrector checks, checks on with this approach, and then we could say: okay, this was a failure that actually happened on the path and not on the target, and we did this for all of our test cases. So this was a lot of handcrafting. There's no general approach here. Besides the tracebox approach, which generally can give you a hint if there is a metal box or not.

A

All right, um yeah, thanks mike, uh I don't see any other questions there and we're just on time so uh and j ignacio says thanks. So I'm going to switch the uh presentation to switch to the presenter being steven stroz uh for the last presentation of the session stephen, you should be the presenter now all right.

A

There one last reminder: uh uh please visit that url that I posted in the chat uh to sign up for the uh blue sheets we've got about. I think 60 of the folks have signed up so far. I'm sorry go ahead. Stephen.

M

All right, uh thanks dave- um this is a this- is a summary talk of uh work that we've presented already uh tma on nrw, and this covers the deborganization of 12. For a little bit of context. This was the first slash 12 allocated by the ayanna to any of the registries in at the time I think 13 or nearly 13 years, which is long enough, for you know, writer configurations to become stale and thanks for you know to be baked into the writing system.

M

So before we issued it to members, we wanted to light that up, get that announced out there and um generally try and do some uh checking to make sure that it wasn't packed with pollution, which was unlikely, but you don't until you measure so the timeline for this was we actually got the slash 12 back in late 2019, but in early 2020, the uh previous slash 12 was nearly done. We were eminently about to start allocating from 28 slash 12, so we had about one week to advertise this and collect what we could.

M

We announced nine prefixes in total, the full slash twelve, then four, slash thirty twos and four slash four to eight. Each of these were configured slightly differently in terms of whether they had a routing right object in the writing database or whether they had an rpki row and the 32s and 48s all had a responsive target. So each of them, each of the eight addresses in total, would respond to icmp echo requests.

M

This has mostly already been covered in the tma paper and the nrw paper presented last week, so links to the papers and the videos uh for the papers both there. If you want to go, follow up on particular details for the rest of this I'm going to cover basically the summary version of what we found.

M

um The the bulk of the tma paper is basically traffic analysis and the way that we kind of think about this is with the ipv4 space. You could listen to, for example, a slash eight. If you have a field slash eight lying around and depending on some of the behavior, you may be able to draw general conclusions about background noise to the ipv4 space. Like each v4, slash, 8 is going to be different in terms of what it attracts, but the v4 space is also small enough that you're going to see internet-wide quote-unquote scans.

M

The v6 space is quite different. It's a bit more like taking a telescope and pointing at the sky and simply observing what you see in that part of the sky. There may be something generalizable there, but it's more likely that you can report on what you saw in that corner, so that slash 12 is a lot of address space, but it's still a very small part of the v6 address in total.

M

So what we got is what we got and I'll be careful with drawing general conclusions around that um the the part that's kind of a good start is the bulk of the traffic that we actually captured was our own traffic. uh We sent a lot of measurements into this space to the responsive targets from the right atlas platform, and so the vast majority in my head. I'm thinking that looks like around about 90 to 95 percent of the traffic that we captured was generated by ripe atlas.

M

So we can ignore that for most of the rest, the remaining traffic consists around six and a half million captured packets, which, if it was on an average, which is not, it would be around about 10 packets per second, which is you know at that point? Nobody cares anymore.

M

The traffic can be carved out in a couple of broad categories. The bulk of the tcp traffic was what looked like an orchestrated, traceroute campaign to locate responsive uh well to do I guess to do two things to map out topology and then find anything. That's responding in port 80, um the dns sorry, the udp traffic was around about 50 dns and the bulk of the icmp traffic was solicited. Echo requests to the addresses that we set up so for each of those in turn around.

E

Five.

M

And a half million of the packets contain the tcp payload and they were doing some kind of tcp traceroute right so um trying to repeatedly reach the same target, but with an ever-increasing ttl until it eventually gives up all of that. Traffic has the same basic characteristics so, like the same source, port no payload send flag is set, nothing else is active in the packet. The msf value is set as if it's configured for an ipv4 world there's a couple of glitches like that and most of this traffic in the activity.

M

Graphs that are in the tma paper, arrived in a couple of short periods very near the start of the study so like very soon after the full slash 12 was advertised this great this tcp scanners lit up um my gut feeling. Is that whatever this thing is, I don't know who's running it really.

M

Whatever that thing is, it was never expecting to see a dress face that large and uh something bugs out in whatever the platform was, and it started sending far too many packets into the space, and my gut feeling for that. The reason I have that gut feeling is that once we let up the 32s and 48s, there were specific traceroutes into those addresses, but at a much lower volume.

M

um So those let up very quickly and then stopped very quickly, which was good. Basically, they bounced around in the random addresses, though um we there was a distinct port scanning operation from one origin to around about uh uh sorry, I have targeted addresses in the next slide, around 164 000, packets, uh doing port scanning for one origin and then like tens of thousands uh with the destination portfolio, three, the night flags.

M

It's, I can't remember if they have payloads, but I figure something is either backscatter or is bouncing around looking for resets rather than synax um and there's a lot of general noise. That's otherwise uninteresting beyond that point for the traceroute campaign, the addresses that that campaign selected appear to be uh random bits, filling the bottom 120 uh sorry 116 bits of each address and the assertion there comes from, like the campaign selects in total 261 000 targets spread across 261, 000 64..

M

It's like it's not trying to do anything smart with uh particular addresses and say the slash. 64 is just trying to get something whether it's topology, mapping or not. The remaining targets are pretty well distributed. This graph on the right is ranked like most popular 64 target, um I'm going down from there, but there's 133 000 targets, and this forms a very, very long tail, where many of the addresses are targeted. Maybe once or twice the top target in that list was targeted, the most for the port scanning campaign from from one origin.

M

um The and the center city is again reasonably broad, like there aren't uh like there's, not much evidence of sources. Doing things like address cycling within its own, slash 64., like sources pop up and then vanish.

M

The port numbers that were targeted are a little bit uh interesting, maybe like I've. I've taken poor ac out of this plot because it would swamp everything with the traceroute campaign and what's left, it's kind of broad like at some point. Basically, everything is is attempted by something there's a lot of noise.

M

The most popular target is port 443 and then from there it hits uh and I'm going to go by memory here, 6379, which I think is redis 5222 is maybe xmpp and I lose the track from there there's quite a lot of traffic with the tcp for zero set, but this is aside from a general leaning towards the low numbers that the port scanning does. A lot of this is like random, randomized, payloads and weird targets.

M

The udp traffic was much less interesting. I guess there wasn't much of it. 50 percent of the dna, the udp that we captured contained a dns payload that looked like legitimate dns, like there were dns queries for like for a and quality records for popular names like google.com or various cdnc names or whatever else this this one.

M

We did actually approach the network operator and they found the person who was running a dns resolver, which was misconfigured and was sending uh these queries into our address space, so that one was in theory fixed, but we're no longer announcing that address space. So we can't verify that it was actually fixed.

M

The icmp traffic was largely solicited.

M

The this is again a on the right, our ranking of the most popular targets and the top eight targets are the the eight uh basically reflect the eight responsive targets we created and we requested the network operator. Send our traffic to this graph is ignoring the ripe atlas traffic. Also, so most of the icmp goes to where we asked people to send icmp echo requests the next most popular is 2810 with all the zeros, which was unresponsive, but a lot of people selected that one rather than a column called one.

M

Maybe people truly are that lazy, I'm not sure and there's a long tale of otherwise essentially randomized traffic uh targets. Again, a bunch of these uh in the remaining targets are like genuinely what appears to be randomized payloads with uh invalids, icmp types and codes so forth. So a lot of that stuff is just weird and it's the numbers at that point get so vanishingly small that we basically draw under draw a line under it and declare it to be acceptable.

M

Noise, like there's nothing that we observe in this data that that spoke to us, there's nothing that we observe in this data. That would make us say: okay, this particular slice of the address space. We want to withhold from the membership, and that was part of the purpose of the study.

M

We cover aspects of the writing state in both the tma and the nrw papers. uh Although not in a spectacular amount of detail, we wanted to make sure that first, the space was basically routable and then from there we used the ripe atlas measurement platform to ensure that it was actively reachable. If we tried to get there and in general it was.

M

We got about 99 hit rates on our pings and trace routes, which is basically uh typical apart from a couple cases, uh including um yes, 8881, which I think is versatile in germany.

M

Couldn't we got no responses to any of the targets on that one, and I think we inspected the pcap data and that one is uh inbound filtering. So we saw the echo requests at the targets, but the probes themselves never received their responses and the other more interesting one.

M

Maybe is as33320, which is deutsche telekom, and then asns that appeared to be routing via as3320 could reach a subset of the targets and for those ones they were only the probes were unable to reach the responsive, addresses inside the prefixes that were configured to be the least routable, so the prefix prefixes that had neither the route objects nor the rpki ruler, which is kind of fine, like those are the ones that we would expect to be less reachable.

M

So that's completely okay and on those ones we didn't see the echo requests arriving at the um at the right collector that was announcing the space so for those ones they are filtering the routes at, I guess 3320, so our current status and where we are with this. This was a study in january. This is basically historic at this point. The ripe atlas data and the risk writing data is, of course, all public. uh The writing data in particular. You can also.

M

It would be interesting to look at from other vantage points, such as route views or pch data, or whatever else, and now that some time has passed we might be able to get to the point of actually releasing the captured data is something that we want to do, but it's uh it's the it's trying to do that balance between how much of this is weird uh data that nobody cares about and how much of it is like identifiable data that tells us something.

M

So we need to look at how we mask our data or whether we strip, payloads or or what we do with it to be cool, but six months have passed. So um time is on our side. The address.

A

So steven we just have about a minute left in the official time I'm happy to go over, but I just wanted to let you know in case people have to leave.

M

Yep sure um so I'm about done so the the 2810 slash 12 is now in use soon after we ended the study, um so the week in january is on the left hand side soon after we ended that was issued to members and then those prefixes started lighting up. The only reason that the numbers go up and to the right is that risk continues to add new peers.

M

So we have more peers simply listening to and receiving these announcements and the address space that we allocated our eights thirty thousand forty eight from was put into the quarantine did because we did active measurements to it and we solicited traffic to it. That space is now out of quarantine. The standard is six months, so the space has now been reissued and it I haven't, checked today, but it's likely to show up in the wild soon if it's been allocated to somebody.

M

So there's a potential comparison there between um the address space announced from our red collector system and the address space announced from somebody else. If somebody wants an interesting writing site study- and these are only my endnotes indicating what we did here- there isn't anything in this space- that's entirely problematic. The writing and reachability seemed to be good, and so we were completely happy going ahead and issuing that address space to our members, and that is uh my high level summary of these two papers.

M

So that's that's what I have so I'm super happy to take questions.

A

All right thanks! So much stephen, I don't see anyone in the queue in the chat session, so I think we'll wrap it up thanks so much to you and all the presenters for participating in our measurement community and bringing this interim meeting together.

A

uh Let us know I want to thank brian and nina for doing this experiment with us, this joint meeting, let either them or us miria- and I know if you, if you like the joint meeting uh and uh and how you, how would you like us to meet in the future- um and I want to specially thank maria for encouraging uh presentations and helping curate the content, because she did a line sure of it. This time again um have a good day. Folks,.

M

All right, thank you. Thanks, bye, bye,.