-
ECN with QUIC: Challenges in the Wild
Authors:
Constantin Sander,
Ike Kunze,
Leo Blöcher,
Mike Kosek,
Klaus Wehrle
Abstract:
TCP and QUIC can both leverage ECN to avoid congestion loss and its retransmission overhead. However, both protocols require support of their remote endpoints and it took two decades since the initial standardization of ECN for TCP to reach 80% ECN support and more in the wild. In contrast, the QUIC standard mandates ECN support, but there are notable ambiguities that make it unclear if and how ECN can actually be used with QUIC on the Internet. Hence, in this paper, we analyze ECN support with QUIC in the wild: We conduct repeated measurements on more than 180M domains to identify HTTP/3 websites and analyze the underlying QUIC connections w.r.t. ECN support. We only find 20% of QUIC hosts, providing 6% of HTTP/3 websites, to mirror client ECN codepoints. Yet, mirroring ECN is only half of what is required for ECN with QUIC, as QUIC validates mirrored ECN codepoints to detect network impairments: We observe that less than 2% of QUIC hosts, providing less than 0.3% of HTTP/3 websites, pass this validation. We identify possible root causes in content providers not supporting ECN via QUIC and network impairments hindering ECN. We thus also characterize ECN with QUIC distributedly to traverse other paths and discuss our results w.r.t. QUIC and ECN innovations beyond QUIC.
Submitted 25 September, 2023;
originally announced September 2023.
-
Non-autonomous Julia sets for sequences of polynomials satisfying Kalmár-Walsh theorem
Authors:
Marta Kosek,
Malgorzata Stawiska
Abstract:
We consider a compact, polynomially convex, regular set $K \subset \mathbb{C}$ and a sequence $(p_n)_{n=1}^\infty$ of polynomials with uniformly bounded zeros and such that $\lim_{n \to \infty}\|p_n\|_K^{1/({\rm deg} \ p_n)}={\rm cap}(K)$, where ${\rm cap}(K)$ is the logarithmic capacity of $K$. Taking an arbitrary sequence $(d_k)_{k=1}^\infty$ of integers greater than $1$ we prove that there exists a nonempty set $\mathcal{K}[(p_{d_k})_{k=1}^\infty]$, depending only on the sequence $(p_{d_k})_{k=1}^\infty$, such that for any compact polynomially convex regular set $E$ the preimages $(p_{d_k}\circ...\circ p_{d_1})^{-1}(E)$ converge in Klimek's metric to $\mathcal{K}[(p_{d_k})_{k=1}^\infty]$. We call the set $\mathcal{K}[(p_{d_k})_{k=1}^\infty]$ the non-autonomous filled Julia set generated by the polynomial sequence $(p_{d_k})_{k=1}^\infty$. Our toy example is generated by $t_n=\frac{1}{2^{n-1}}T_n,\ n\in\{1,2,...\}$, associated with $K=[-1,1]$, where $T_n$ is the classical Chebyshev polynomial of degree $n$.
Submitted 23 September, 2023;
originally announced September 2023.
-
Secure Middlebox-Assisted QUIC
Authors:
Mike Kosek,
Benedikt Spies,
Jörg Ott
Abstract:
While the evolution of the Internet was driven by the end-to-end model, it has been challenged by many flavors of middleboxes over the decades. Yet, the basic idea is still fundamental: reliability and security are usually realized end-to-end, where the strong trend towards ubiquitous traffic protection supports this notion. However, reasons to break up, or redefine the ends of, end-to-end connections have always been put forward in order to improve transport layer performance. Yet, the consolidation of the transport layer with the end-to-end security model as introduced by QUIC protects most protocol information from the network, thereby eliminating the ability to modify protocol exchanges. In this paper, we enhance QUIC to selectively expose information to intermediaries, thereby enabling endpoints to consciously insert middleboxes into an end-to-end encrypted QUIC connection while preserving its privacy, integrity, and authenticity. We evaluate our design in a distributed Performance Enhancing Proxy environment over satellite networks, finding that the performance improvements are dependent on the path and application layer properties: the higher the round-trip time and loss, and the more data is transferred over a connection, the higher the benefits of Secure Middlebox-Assisted QUIC.
Submitted 28 July, 2023; v1 submitted 17 July, 2023;
originally announced July 2023.
-
Evaluating DNS Resiliency and Responsiveness with Truncation, Fragmentation & DoTCP Fallback
Authors:
Pratyush Dikshit,
Mike Kosek,
Nils Faulhaber,
Jayasree Sengupta,
Vaibhav Bajpai
Abstract:
Since its introduction in 1987, the DNS has become one of the core components of the Internet. While it was designed to work with both TCP and UDP, DNS-over-UDP (DoUDP) has become the default option due to its low overhead. As new Resource Records were introduced, the sizes of DNS responses increased considerably. This expansion of the message body has led to truncation and IP fragmentation more often in recent years, where large UDP responses make DNS an easy vector for amplifying denial-of-service attacks, which can reduce the resiliency of DNS services. This paper investigates the resiliency, responsiveness, and usage of DoTCP and DoUDP over IPv4 and IPv6 for 10 widely used public DNS resolvers. In these experiments, these aspects are investigated from the edge and from the core of the Internet to represent the communication of the resolvers with DNS clients and authoritative name servers. Overall, more than 14M individual measurements from 2527 RIPE Atlas Probes have been analyzed, highlighting that most resolvers show similar resiliency for both DoTCP and DoUDP. While DNS Flag Day 2020 recommended a buffer size of 1232 bytes, we find that 3 out of 10 resolvers mainly announce very large EDNS(0) buffer sizes both from the edge as well as from the core, which potentially causes fragmentation. In reaction to large response sizes from authoritative name servers, we find that resolvers do not fall back to the usage of DoTCP in many cases, bearing the risk of fragmented responses. As the message sizes in the DNS are expected to grow further, this problem will become more urgent in the future.
Submitted 12 July, 2023;
originally announced July 2023.
-
On Cross-Layer Interactions of QUIC, Encrypted DNS and HTTP/3: Design, Evaluation and Dataset
Authors:
Jayasree Sengupta,
Mike Kosek,
Justus Fries,
Simone Ferlin,
Pratyush Dikshit,
Vaibhav Bajpai
Abstract:
Every Web session involves a DNS resolution. While, in the last decade, we witnessed a promising trend towards an encrypted Web in general, DNS encryption has only recently gained traction with the standardisation of DNS over TLS (DoT) and DNS over HTTPS (DoH). Meanwhile, the rapid rise of QUIC deployment has now opened up an exciting opportunity to utilise the same protocol to not only encrypt Web communications, but also DNS. In this paper, we evaluate this benefit of using QUIC to coalesce name resolution via DNS over QUIC (DoQ), and Web content delivery via HTTP/3 (H3) with 0-RTT. We compare this scenario using several possible combinations where H3 is used in conjunction with DoH and DoQ, as well as the unencrypted DNS over UDP (DoUDP). We observe that when using H3 1-RTT, page load times with DoH can get inflated by $>$30\% over fixed-line and by $>$50\% over mobile when compared to unencrypted DNS with DoUDP. However, this cost of encryption can be drastically reduced when encrypted connections are coalesced (DoQ + H3 0-RTT), thereby reducing the page load times by 1/3 over fixed-line and 1/2 over mobile, overall making connection coalescing with QUIC the best option for encrypted communication on the Internet.
Submitted 31 January, 2024; v1 submitted 20 June, 2023;
originally announced June 2023.
-
DNS Privacy with Speed? Evaluating DNS over QUIC and its Impact on Web Performance
Authors:
Mike Kosek,
Luca Schumann,
Robin Marx,
Trinh Viet Doan,
Vaibhav Bajpai
Abstract:
Over the last decade, Web traffic has significantly shifted towards HTTPS due to an increased awareness for privacy. However, DNS traffic is still largely unencrypted, which allows user profiles to be derived from plaintext DNS queries. While DNS over TLS (DoT) and DNS over HTTPS (DoH) address this problem by leveraging transport encryption for DNS, both protocols are constrained by the underlying transport (TCP) and encryption (TLS) protocols, requiring multiple round-trips to establish a secure connection. In contrast, QUIC combines the transport and cryptographic handshake into a single round-trip, which allows the recently standardized DNS over QUIC (DoQ) to provide DNS privacy with minimal latency. In the first study of its kind, we perform distributed DoQ measurements across multiple vantage points to evaluate the impact of DoQ on Web performance. We find that DoQ excels over DoH, leading to significant improvements with up to 10% faster loads for simple webpages. With increasing complexity of webpages, DoQ even catches up to DNS over UDP (DoUDP) as the cost of encryption amortizes: With DoQ being only ~2% slower than DoUDP, encrypted DNS becomes much more appealing for the Web.
Submitted 3 May, 2023; v1 submitted 1 May, 2023;
originally announced May 2023.
-
Exploring Proxying QUIC and HTTP/3 for Satellite Communication
Authors:
Mike Kosek,
Hendrik Cech,
Vaibhav Bajpai,
Jörg Ott
Abstract:
Low-Earth Orbit satellites have gained momentum to provide Internet connectivity, augmenting those in the long-established geostationary orbits. At the same time, QUIC has been developed as the new transport protocol for the web. While QUIC traffic is fully encrypted, intermediaries such as performance enhancing proxies (PEPs) - in the past essential for Internet over satellite performance - can no longer tamper with and optimize transport connections. In this paper, we present a satellite emulation testbed and use it to compare QUIC and TCP as well as HTTP/3 and HTTP/1.1 with and without minimal PEP functionality. Evaluating goodput over time, we find that the slow start threshold is reached up to 2s faster for QUIC PEP in comparison to QUIC Non-PEP. Moreover, we find that HTTP/3 and HTTP/3-PEP outperform HTTP/1.1 and HTTP/1.1-PEP in multiple web performance scenarios, where HTTP/3-PEP improves over HTTP/3 for Page Load Time by over 7s in edge cases. Hence, our findings hint that these performance gains may warrant exploring PEPs for QUIC.
Submitted 1 May, 2023; v1 submitted 3 May, 2022;
originally announced May 2022.
-
Measuring DNS over TCP in the Era of Increasing DNS Response Sizes: A View from the Edge
Authors:
Mike Kosek,
Trinh Viet Doan,
Simon Huber,
Vaibhav Bajpai
Abstract:
The Domain Name System (DNS) is one of the most crucial parts of the Internet. Although the original standard defined the usage of DNS over UDP (DoUDP) as well as DNS over TCP (DoTCP), UDP has become the predominant protocol used in the DNS. With the introduction of new Resource Records (RRs), the sizes of DNS responses have increased considerably. Since this can lead to truncation or IP fragmentation, the fallback to DoTCP as required by the standard ensures successful DNS responses by overcoming the size limitations of DoUDP. However, the effects of the usage of DoTCP by stub resolvers are not extensively studied to this date. We close this gap by presenting a view at DoTCP from the Edge, issuing 12.1M DNS requests from 2,500 probes toward Public as well as Probe DNS recursive resolvers. In our measurement study, we observe that DoTCP is generally slower than DoUDP, where the relative increase in Response Time is less than 37% for most resolvers. While optimizations to DoTCP can be leveraged to further reduce the response times, we show that support on Public resolvers is still missing, hence leaving room for optimizations in the future. Moreover, we also find that Public resolvers generally have comparable reliability for DoTCP and DoUDP. However, Probe resolvers show a significantly different behavior: DoTCP queries targeting Probe resolvers fail in 3 out of 4 cases, and, therefore, do not comply with the standard. This problem will only aggravate in the future: As DNS response sizes will continue to grow, the need for DoTCP will solidify.
Submitted 18 July, 2022; v1 submitted 2 May, 2022;
originally announced May 2022.
-
One to Rule them All? A First Look at DNS over QUIC
Authors:
Mike Kosek,
Trinh Viet Doan,
Malte Granderath,
Vaibhav Bajpai
Abstract:
The DNS is one of the most crucial parts of the Internet. Since the original DNS specifications defined UDP and TCP as the underlying transport protocols, DNS queries are inherently unencrypted, making them vulnerable to eavesdropping and on-path manipulations. Consequently, concerns about DNS privacy have gained attention in recent years, which resulted in the introduction of the encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Although these protocols address the key issues of adding privacy to the DNS, they are inherently restrained by their underlying transport protocols, which are at odds with, e.g., IP fragmentation or multi-RTT handshakes - challenges which are addressed by QUIC. As such, the recent addition of DNS over QUIC (DoQ) promises to improve upon the established DNS protocols. However, no studies focusing on DoQ, its adoption, or its response times exist to this date - a gap we close with our study. Our active measurements show a slowly but steadily increasing adoption of DoQ and reveal a high week-over-week fluctuation, which reflects the ongoing development process: As DoQ is still in standardization, implementations and services undergo rapid changes. Analyzing the response times of DoQ, we find that roughly 40% of measurements show considerably higher handshake times than expected, which traces back to the enforcement of the traffic amplification limit despite successful validation of the client's address. However, DoQ already outperforms DoT as well as DoH, which makes it the best choice for encrypted DNS to date.
Submitted 23 March, 2022; v1 submitted 7 February, 2022;
originally announced February 2022.
-
Beyond QUIC v1: A First Look at Recent Transport Layer IETF Standardization Efforts
Authors:
Mike Kosek,
Tanya Shreedhar,
Vaibhav Bajpai
Abstract:
The transport layer is ossified. With most of the research and deployment efforts in the past decade focussing on the Transmission Control Protocol (TCP) and its extensions, the QUIC standardization by the Internet Engineering Task Force (IETF) is to be finalized in early 2021. In addition to addressing the most urgent issues of TCP, QUIC ensures its future extendibility and is destined to drastically change the transport protocol landscape. In this work, we present a first look at emerging protocols and their IETF standardization efforts beyond QUIC v1. While multiple proposed extensions improve on QUIC itself, Multiplexed Application Substrate over QUIC Encryption (MASQUE) as well as WebTransport present different approaches to address long-standing problems, and their interplay extends on QUIC's take to address transport layer ossification challenges.
Submitted 20 May, 2021; v1 submitted 15 February, 2021;
originally announced February 2021.
-
MUST, SHOULD, DON'T CARE: TCP Conformance in the Wild
Authors:
Mike Kosek,
Leo Blöcher,
Jan Rüth,
Torsten Zimmermann,
Oliver Hohlfeld
Abstract:
Standards govern the SHOULD and MUST requirements for protocol implementers for interoperability. In the case of TCP, which carries the bulk of the Internet's traffic, these requirements are defined in RFCs. While it is known that not all optional features are implemented and nonconformance exists, one would assume that TCP implementations at least conform to the minimum set of MUST requirements. In this paper, we use Internet-wide scans to show how Internet hosts and paths conform to these basic requirements. We uncover a non-negligible set of hosts and paths that do not adhere to even basic requirements. For example, we observe hosts that do not correctly handle checksums and cases of middlebox interference for TCP options. We identify hosts that drop packets when the urgent pointer is set or simply crash. Our publicly available results highlight that conformance to even fundamental protocol requirements should not be taken for granted but instead checked regularly.
Submitted 19 March, 2020; v1 submitted 13 February, 2020;
originally announced February 2020.
-
On Lagrange polynomials and the rate of approximation of planar sets by polynomial Julia sets
Authors:
Leokadia Bialas-Ciez,
Marta Kosek,
Malgorzata Stawiska
Abstract:
We revisit the approximation of nonempty compact planar sets by filled-in Julia sets of polynomials developed by Lindsey and Younsi and analyze the rate of approximation. We use slightly modified fundamental Lagrange interpolation polynomials and show that taking certain classes of nodes with subexponential growth of Lebesgue constants improves the approximation rate. To this end we investigate properties of some arrays of points in $\mathbb{C}$. In particular we prove subexponential growth of Lebesgue constants for pseudo Leja sequences with bounded Edrei growth on finite unions of quasiconformal arcs. Finally, for some classes of sets we estimate more precisely the rate of approximation by filled-in Julia sets in Hausdorff and Klimek metrics.
Submitted 6 April, 2018; v1 submitted 19 September, 2017;
originally announced September 2017.
-
Extremal Graphs Without 4-Cycles
Authors:
Frank A. Firke,
Peter M. Kosek,
Evan D. Nash,
Jason Williford
Abstract:
We prove an upper bound for the number of edges a C4-free graph on q^2 + q vertices can contain for q even. This upper bound is achieved whenever there is an orthogonal polarity graph of a plane of even order q.
Submitted 23 January, 2012;
originally announced January 2012.