
MAT Working Group Minutes - RIPE 86

Chairs: Massimo Candela, Nina Bargisen, Stephen Strowes
Scribe: Bahadir Basaran
Status: Final

A Digital Twin-based Framework to Enable "What-If" Analysis in BGP Optimization

Marco Polverini, Sapienza University of Rome

The presentation is available at:

Massimo asked Marco if they had a software framework and if they opened it for external use. Marco said they used a freely downloadable tool called "Kathara Network Emulator", which was software based on Docker containers and which used software switches to replicate the control plane of an IP router.

Randy Bush, IIJ and Arrcus, asked Marco if he had a newer router vendor with a different CLI. Marco said that the framework created a digital twin of an autonomous system in the Kathara emulator, but that it was also possible to use a different type of emulation framework like GNS3, which allowed using images of real routers.

Jeroen Bulten, SIDN, asked Marco whether they allowed automatic result collection and presented results in an automatically parsable format. Marco said that everything must be run manually but that they thought they could automate this process and even more. They could create a graphical user interface to interact with the tool.

David Schweizer, NETDEF, asked Marco if they had any provision which they used with the framework to capture traffic from their real-world application on one end and on another, and then if they replayed that in the digital twin to analyze if there was any difference. Marco said that it was not possible to assume everything was fully identical between a physical system and its digital twin, because they had to work in different time scales and the resources of a digital twin were much lower compared to its physical counterpart. They therefore had to rely on a sort of high-level description of the system's physical infrastructure.

Internet Yellow Pages

Romain Fontugne, IIJ Research Lab

The presentation is available at:

Alexandros Milolidakis, KTH, asked about the accuracy of the database when mixing up the datasets. Romain said that they did not control data, but imported it, and therefore they knew what it was. If it looked like rubbish, they did not import it at all. He said that as soon as they saw interesting data, they integrated it into the Yellow Pages, and as soon as they found a problem in the data, they asked the person that produced the data to correct it.

Intercept and Inject: DNS Response Manipulation in the Wild

Yevheniya Nosyk, Université Grenoble Alpes

The presentation is available at:

An audience speaker told Yevheniya that such injections could be avoided and asked if a recursive DNS resolver should be implemented into each customer device. Yevheniya said that this approach would not help since the injections did not take place in client-end networks, but rather far from them, and that they had no control over what was happening in those networks. She said she believed those countermeasures could decrease the probability of receiving injected responses. The audience speaker said that if injections were performed on public DNS servers, they needed to make direct requests to root servers. Yevheniya said it was not often allowed to query particular DNS servers. The audience speaker asked if they were working on safe DNS requests, and Yevheniya confirmed.

Kostas Zorbadelos, Canal+, asked Yevheniya if they could find a pattern of Atlas probes that were affected by those injections in specific autonomous systems in specific countries, and if they could manage to categorise them. Yevheniya said that in their measurements, they had seen probes located in 66 different countries and that RIPE Atlas probes resided in at least 170 countries.

Christopher Amin, RIPE NCC, said they had 30,002 built-in measurements which used locally configured probe resolvers with popular domain targets. That would not be useful in this case because it used whichever resolver the probes had configured. Christopher asked the presenter if she thought having a similar built-in measurement which was rotating through popular domains but also rotating through the root servers directly would be useful. Yevheniya said that the problem was not about contacting the root servers but contacting any particular DNS server. She specified that this type of measurement could be carried out without necessarily targeting root servers, i.e. it could be any DNS server that was not preconfigured.

Our (in)Secure Web: Understanding Update Behaviour of Websites and its Impact on Security

Nurullah Demir, Institute for Internet Security

The presentation is available at:

Massimo asked what were the most common vulnerabilities they found, what they were able to do in practice, and if Nurullah could show how they detected a specific vulnerable version of the software. Nurullah said they had a list of the most common vulnerabilities, which almost matched with the industry standard “OS Top 10”, including absent input validation, XSS, CSRF, SQL Injection, and buffer overflow. Nurullah also said that there was a CPE standard, and entries in NVD databases were in CVE format. He also said that when someone had a vulnerability for WordPress and it had an identifier in CPE format, there would be a unique assignment to each software product.

RIS Routing Beacons Discussion and Tools Updates

Emile Aben - Robert Kisteleki, RIPE NCC

The presentations are available at:

There were no questions.