RIPE 68 MAT Working Group Minutes

Date: 15 May, 16:00 – 17:30
Chairs: Richard Barnes and Christian Kaufmann
Scribe: Suzanne Taylor Muzzin

A. Introduction (5 mins)

•    Welcome
•    Scribe
•    Jabber
•    Agenda

Richard Barnes welcomed everyone to the session and announced that Vesna Manojlovic, RIPE NCC, would switch the order of her two presentations. There were no other changes to the agenda.

Richard said that the RIPE 67 MAT Working Group minutes had been sent around on the mailing list some time ago and asked if they could be approved. There were no objections.

B. Results: Interconnection Density in IPv4/IPv6 (15 mins)

Christian Kaufmann, RIPE NCC Executive Board

This presentation is available at:
https://ripe68.ripe.net/presentations/386-20140515_MAT_WG_RIPE68_CK_Interconnection_density.pdf

Geoff Huston, APNIC, asked during the presentation how Christian knows an IPv4 address is the same as an IPv6 address when doing traceroutes. Christian replied that he was looking at hops within an AS, not routers, so he doesn’t actually know whether they’re the same. He also clarified a point in his talk in which he saw the same number of hops in IPv4 and IPv6 and so assumed they were the same.

Jen Linkova, Google, asked how Christian excluded anycast. Christian responded that he looked them up in hosts and traceroutes, and that it was a manual process and took some time.

There were no further questions.

C. RIPEstat Update (15 mins)

Vesna Manojlovic, RIPE NCC

This presentation is available at:
https://ripe68.ripe.net/presentations/379-RIPEstat_MAT-WG_RIPE68_BECHA.pdf

(During the presentation, Vesna asked how many of those in attendance were familiar with RIPEstat and the majority of attendees raised their hands. She asked how many needed an introduction, and only a handful of people raised their hands.)

Blake Willis, L33 Networks, thanked Vesna for including BGPlay in RIPEstat and making it available once again, saying it’s useful to explain things to customers using the tool.

Job Snijders repeated a request to have announcements originating/transmitted from a particular AS Number displayed in RIPEstat, and Vesna said she would add this to the list of feature requests.

Wilfried Wöber, Univie/ACOnet/VIX, asked about RIS data collection and whether there would be changes in the hardware or software. Kaveh Ranjbar, RIPE NCC, said the developers are trying to find a cheaper and easier-to-maintain hardware solution along with new software to obtain near real-time results. He said the RIPE NCC has not started working on this yet but that it’s in their planning, and that he would report back on progress at the next RIPE Meeting.

There were no further questions.

D. Lessons Learned From Using the RIPE Atlas Platform for Measurement Research (20 mins)

Vaibhav Bajpai, Jacobs University

This presentation is available at:
https://ripe68.ripe.net/presentations/382-ripe68-matwg-ripeatlas-slides.pdf

Kaveh Ranjbar, RIPE NCC, thanked Vaibhav for his useful presentation and explained that RIPE Atlas is also a diagnostic tool for the community, and that the developers are always trying to find a balance between what’s useful for different types of users. He explained that firmware updates are necessary, and that they want to keep the network useful to both network operators and researchers.

Robert Kisteleki, RIPE NCC, said that a probe host can now tag their probes (e.g. NAT, IPv4, tunnel, etc.). He said the next step is to be able to use those tags for filtering when selecting a subset of probes to conduct user-defined measurements.

Philip Homburg, RIPE NCC, thanked Vaibhav for publishing his latency measurements. He said that originally the developers used existing BusyBox code, but over time, they have completely rewritten it and that all the RIPE Atlas code is now unique. He also said that version 1 and 2 probes are really slow, and adding code has a noticeable effect on the latency, up to several milliseconds.

Vaibhav said that 65% of the probes they looked at were in fact version 1 or 2, so that would have an impact on the measurements.

Baptiste Jonglez, ENS de Lyon, noted that Vaibhav mentioned a method to detect wireless listening, but that in some cases, it wouldn’t appear as a hub, so there could still be wireless listening taking place.  

Vaibhav said that they should talk offline.

Kaveh said that they would like to achieve better distribution of RIPE Atlas probes over a wider number of ASNs and that there are certain methods in place to help that happen.

There were no further questions.

E. Fast Internet-wide Scanning and Its Security and Measurement Applications (20 mins)

Zakir Durumeric, University of Michigan

Keith Mitchell, DNS-OARC, referred to Zakir’s comment during his presentation that there’s no way for websites to indicate that they don’t want to be probed, pointing out that in fact DNS-OARC has been operating a “don’t probe” database for some time.

Robert Kisteleki, RIPE NCC, said that the research presented was really interesting and really scary. He said that 1% of the Internet being vulnerable means there is a lot of work left to do in terms of protecting data. He also said it’s difficult to know who to share the research data with in terms of who can be trusted.

Zakir responded that they contacted manufacturers’ security teams to get things patched, along with CERT teams in different countries to find contacts, and sent emails to abuse contacts. However, he said, as researchers, they can’t contact every single person. He said they released the data in broad terms to raise awareness, but not the specific IP addresses of those who are vulnerable.

Robert said he thought it might not be in everyone’s best interest to release the data they have. Zakir said RIPE might be in a position to help, and agreed that it’s difficult to know who to talk to, as many abuse contacts bounce.

Richard asked about the two negative comments Zakir received. Zakir responded that he was told by those organisations that he didn’t have permission to scan their networks and they asked him to get off their IP space. The researchers excluded those organisations from their research.  

Sebastian Castro, .nz Registry Services, said he enjoyed the presentation and that, when the Heartbleed bug appeared, they asked their community to scan the .nz networks, and were told by the law enforcement agencies that they couldn’t do that, suggesting that those trying to use the data to improve the situation may be at a disadvantage compared to those who want to exploit these vulnerabilities.

Zakir responded that they started scanning two days after Heartbleed because they weren’t willing to actually exploit the vulnerability, both on ethical and legal grounds. After testing, however, they realised they could detect whether networks were vulnerable without actually exploiting them, and believed they could help people by making their findings known.

Dmitry Kohmanyuk, Hostmaster Ltd, asked for clarification about some of Zakir’s numbers on a slide not adding up, and Zakir clarified that these were in the positive pile.

Dmitry asked whether Zakir was aware that he would be considered a criminal in some countries, and Zakir responded that he did realise that, but as far as he is aware, what he is doing is legal in the United States. He emphasised that they do not look at logins, pull private data or exploit vulnerabilities. He said they look at public certificates and who issued them, but no private data.

There were no further questions.

F. RIPE Atlas Update (15 mins)

Vesna Manojlovic, RIPE NCC

This presentation is available at:
https://ripe68.ripe.net/presentations/380-RIPE_Atlas_MAT-WG_RIPE68_BECHA.pdf

Jen Linkova, speaking as a RIPE Atlas ambassador, thanked Vesna for the IPv6 extension header support and asked those who couldn’t receive probes to check their local customs regulations. She also asked about two spikes in the number of measurements done using the RIPE Atlas network. Robert Kisteleki, RIPE NCC, explained that some of it was due to zone monitoring of the new DNSMON service, which was integrated into RIPE Atlas.

An attendee pointed out that Vesna’s map of the RIPE Atlas network cut off the most southern RIPE Atlas probe in Chile. Vesna said she would include a new screenshot next time. Emile Aben, RIPE NCC, pointed out that the most northern probe, in Svalbard, is visible on the map. Robert also asked whether anyone could help place a probe in Antarctica.

There were no further questions.

Z. AOB

Emile Aben, RIPE NCC, said that the closing plenary would include a presentation about infrastructure geolocation of IP addresses, an idea presented at the last MAT Working Group session. He said he was looking for some rough consensus on how to move forward, and he could give a live demo at the back of the room after the session ends.

Romeo Zwart, RIPE NCC, gave attendees an update on the state of the TTM project. He said there have been announcements about the decommissioning of the service, and that this hasn’t happened yet because of feedback the RIPE NCC has received. He said those concerns have now been addressed, and that there is a new DNSMON service that is no longer dependent on TTM, which will allow for the total shutdown of TTM by the end of June 2014. He assured everyone that proper announcements about this will be made through appropriate channels, including the MAT-WG Mailing List. He also said many people have contacted the RIPE NCC about using the TTM collectors as NTP sources, which is possible, and an announcement about that will be made shortly as well.

Chris Buckridge, RIPE NCC, announced that RIPE Academic Cooperation Initiative (RACI) attendees would be giving lightning talks about their research following the MAT Working Group session and encouraged everyone to attend.

There was no further discussion. Christian thanked everyone for attending and encouraged everyone to attend RIPE 69 in London in November.