Assessing the Privacy Benefits of Domain Name Encryption
As Internet users have become more savvy about the potential for their
Internet communication to be observed, the use of network traffic encryption
technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is
enabled, users leak information about the domains they visit via DNS queries
and via the Server Name Indication (SNI) extension of TLS. Two recent proposals
to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI
(ESNI). In this paper we aim to assess the privacy benefits of these proposals
by considering the relationship between hostnames and IP addresses, the latter
of which are still exposed. We perform DNS queries from nine vantage points
around the globe to characterize this relationship. We quantify the privacy
gain offered by ESNI for different hosting and CDN providers using two
different metrics, the k-anonymity degree due to co-hosting and the dynamics of
IP address changes. We find that 20% of the domains studied will not gain any
privacy benefit since they have a one-to-one mapping between their hostname and
IP address. On the other hand, 30% will gain a significant privacy benefit with
a k value greater than 100, since these domains are co-hosted with more than
100 other domains. Domains whose visitors' privacy will meaningfully improve
are far less popular, while for popular domains the benefit is not significant.
Analyzing the dynamics of IP addresses of long-lived domains, we find that only
7.7% of them change their hosting IP addresses on a daily basis. We conclude by
discussing potential approaches for website owners and hosting/CDN providers
for maximizing the privacy benefits of ESNI.
Comment: In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20), October 5-9, 2020, Taipei, Taiwan.
Discovering IPv6-in-IPv4 Tunnels in the Internet
Tunnels are widely used to improve security and to expand networks without having to deploy native infrastructure, and play an important role in the migration to IPv6. In this paper we introduce a number of techniques to detect, and collect information about, IPv6-in-IPv4 tunnels. We also show how a known tunnel can be used as a “vantage point” to launch third-party tunnel-discovery explorations, scaling up the discovery process. We describe our Tunneltrace tool, which implements the proposed techniques, and validate them by means of a wide experimentation on the 6bone tunneled network, on the GARR network, and through the test boxes deployed worldwide by the RIPE NCC as part of the Test Traffic Measurements Service. We assess to what extent 6bone registry information is coherent with the actual network topology, and we provide the first experimental results on the current distribution of IPv6-in-IPv4 tunnels in the Internet, showing that even “native” networks reach more than 60% of all IPv6 prefixes through tunnels.
An active approach to measuring routing dynamics induced by autonomous systems
We present an active measurement study of the routing dynamics induced by AS-path prepending, a common method for controlling the inbound traffic of a multi-homed ISP. Unlike other inter-domain inbound traffic engineering methods, AS-path prepending not only provides network resilience but also does not increase routing table size. Unfortunately, ISPs often perform prepending on a trial-and-error basis, which can lead to suboptimal results and to a large amount of network churn. We study these effects by actively injecting prepended routes into the Internet routing system using the RIPE NCC RIS route collectors and observing the resulting changes from almost 200 publicly accessible sources of BGP information. Our results show that our prepending methods are simple and effective and that a small number of ASes is often responsible for large amounts of the route changes caused by prepending. Furthermore, we show that our methods are able to reveal hidden policies behind the prepending and tie-breaking decisions made by ASes; this is useful for further predicting the behavior of prepending.
IPv6-in-IPv4 tunnel discovery: methods and experimental results
Tunnels are widely used to improve security and to expand networks without having to deploy native infrastructure. They play an important role in the migration to IPv6, which relies on IPv6-in-IPv4 tunnels where native connectivity is not available. However, tunnels offer lower performance and are less reliable than native links. In this paper we introduce a number of techniques to detect, and collect information about, IPv6-in-IPv4 tunnels, and show how a known tunnel can be used as a “vantage point” to launch third-party tunnel-discovery explorations, scaling up the discovery process. We describe our Tunneltrace tool, which implements the proposed techniques, and validate them by means of a wide experimentation on the 6bone tunneled network, on native networks in Italy, the Netherlands, and Japan, and through the test boxes deployed worldwide by the RIPE NCC as part of the Test Traffic Measurements Service. We assess to what extent 6bone registry information is coherent with the actual network topology, and we provide the first experimental results on the current distribution of IPv6-in-IPv4 tunnels in the Internet, showing that even “native” networks reach more than 60 percent of all IPv6 prefixes through tunnels. Furthermore, we provide historical data on the migration to native IPv6, showing that the impact of tunnels in the IPv6 Internet did not significantly decrease over a six-month period. Finally, we briefly touch on the security issues posed by IPv6-in-IPv4 tunnels, discussing possible threats and countermeasures.
Discovering IPv6-in-IPv4 Tunnels in the Internet
Tunnels are widely used to improve security and to expand networks without having to deploy native infrastructure, and play an important role in the migration to IPv6. In this paper we introduce a number of techniques to detect, and collect information about, IPv6-in-IPv4 tunnels. We also show how, once a tunnel has been discovered, it can be used as a “vantage point” to launch third-party tunnel-discovery explorations, scaling up the discovery process. We describe the Tunneltrace tool which implements the proposed techniques, and validate them by means of a wide experimentation on the 6bone tunneled network, on the Italian Academic and Research network, and through the test boxes deployed worldwide by the RIPE NCC as part of the Test Traffic Measurements Service. We assess to what extent 6bone registry information is coherent with the actual network topology, and we provide the first experimental results on the current distribution of IPv6-in-IPv4 tunnels in the Internet, showing that tunnels are very common: even the “native” networks we tested reach more than 60% of all IPv6 prefixes through tunnels.