Preliminary Minutes
IRTF Open Meeting @ IETF-94
Yokohama, Japan
Tuesday, November 3, 2015 (JST)
17:10-18:40 Tuesday Afternoon session III

State of the IRTF
Lars Eggert
https://www.ietf.org/proceedings/94/slides/slides-94-irtfopen-2.pdf

Applied Networking Prize (ANRP) Award Talks

Xiao Sophia Wang on a systematic study of web page load times under SPDY:
Xiao Sophia Wang, Aruna Balasubramanian, Arvind Krishnamurthy and David Wetherall. How Speedy is SPDY? Proc. USENIX Symposium on Networked Systems Design and Implementation (NSDI), Seattle, WA, USA, April 2-4, 2014.
https://www.ietf.org/proceedings/94/slides/slides-94-irtfopen-1.pdf

Dirk Kutscher: 80% improvement for server push with caching or without?
Sophia: without
Dirk: are you thinking about optimization between client and server further (so that it works well with caching)?
Sophia: yes
?: question on epload tool -- how to validate accuracy
Sophia: recording process records actual behavior, record specific instance
Yoshifumi Nishida: tried multiple TCP implementations
Sophia: only cubic, others may yield different performance
Bob Briscoe: importance of factors, tells you impact of each factor. Could be interesting to analyze typical characterization of workloads
Sophia: Yes
Bob Briscoe: yes, it would also be good to look at what network characteristics are common

Roland van Rijswijk-Deij on a detailed measurement study on a large dataset of DNSSEC-signed domains:
Roland van Rijswijk-Deij, Anna Sperotto, and Aiko Pras. DNSSEC and its Potential for DDoS Attacks: A Comprehensive Measurement Study. Proc. ACM Internet Measurement Conference (IMC), Vancouver, BC, Canada, November 2014.
https://www.ietf.org/proceedings/94/slides/slides-94-irtfopen-0.pdf

Olaf Kolkman: page 8, seems to be eDNS, not DNSSEC
Roland: yes
?: did you send to authoritative servers?
Roland: (slide 7), we determined the set of authoritative servers and sent requests to them, sent a set of series to each of them and measured the response size -- you can download data sets
?: regarding mitigation mechanisms, response rate limiting should have a positive effect
Roland: response rate limiting does not really solve the issue. Attacks can still go through open resolvers. Deployment of RRL is far from universal. Some software does not support it yet. RRL was implemented in a patch to BIND, but is not mainstream yet
Comment (Francis Dupont): RRL is included in the current version (some version of BIND-9.9)
?: question was whether the measurements include RRL
Roland: do not have exact figures
?: did you analyze data in DNS servers, such as TLD servers? You should also look at who sent ANY queries to authoritative name servers
Roland: good question, we looked at that. We monitor ANY queries to find out who is doing them. What we see is that in ANY queries that we get now, they are spiked -- could be because of experiments
Johan: how would you compare the potential for damage from authoritative NSs and open resolvers?
Roland: open resolvers are a big problem, number of those is increasing
Roland: if you send ANY query to resolver, it can either send you anything or do full recursion (implementation-dependent). Can also cache ANY response (potentially big answer). NSEC3 can set cache removal timeout to 0 sec.