Skip to main content

MAT Working Group Minutes - RIPE 92

Date: Tuesday, 19 May 16:00 - 17:30 (UTC+1)
Working Group Chairs: Massimo Candela, Nina Bargisen, Stephen Strowes
Scribe: Tim Bruijnzeels, Hans Bakker

View the stenography transcript

View the chat log

Welcome

Working Group Chairs

The presentation slides are available at:

https://pretalx.ripe.net/media/ripe-92/submissions/WKLF78/resources/mat_ripe92_chair_ope_bqYqrwq.pdf

Presentation:

https://ripe92.ripe.net/media/videos/na_welcome_main_20260519-160117.mp4

Stephen Strowes opened the session by welcoming attendees and sharing a local anecdote. He introduced a local map of 1862 Edinburgh, solving 2 problems: measuring one-way latency and speed of light restrictions. After this, Stephen introduced the co-chairs Nina Bargisen and Massimo Candela and shared the session’s agenda.

Measuring DNS over IPv6

Geoff Huston, APNIC

Presentation slides:

https://pretalx.ripe.net/media/ripe-92/submissions/AF9FFQ/resources/2026-05-14-v6-dns_EYFYQFT.pdf

Presentation:

https://ripe92.ripe.net/media/videos/geoff-huston_measuring-dns-over-ipv6_main_20260519-160707.mp4

Geoff Huston examined whether the DNS ecosystem is ready to rely on IPv6 transport, a key assumption behind proposed updates to DNS operational guidelines.

He explained why DNS measurement is difficult due to resolver diversity, query duplication, and the lack of visibility into the resolution process. Using APNIC’s ad-based measurement platform, he compared web-based and DNS-only techniques, including a glueless delegation method for testing IPv6 reachability.

The results showed that DNS-only measurements were generally more effective, while significant anomalies highlighted the complexity and unpredictability of real-world DNS behaviour.

Benno Overeinder, NLnet Labs, commented that NS queries are not always answered in cases where A and AAAA queries work, possibly impacting the measurements.

Petr Špaček, Internet Systems Consortium, commented that after many years, he is still surprised that the DNS works at all.

Scanning the IPv6 Internet Using Subnet-Router Anycast Probing

Maynard Koch, TU Dresden

The presentation slides:

https://pretalx.ripe.net/media/ripe-92/submissions/UJPUPM/resources/RIPE92-SRA-probing-f_gEQfFKP.pdf

Presentation:

https://ripe92.ripe.net/media/videos/maynard-koch_scanning-the-ipv6-internet-using-subnet-router-anycast-probing_main_20260519-162639.mp4

Maynard Koch presented Subnet-Router Anycast (SRA) probing as a new technique for discovering active IPv6 infrastructure. Addressing the challenge of exploring the vast IPv6 address space, he compared SRA probing with random probing and existing IPv6 discovery methods. The results showed that SRA probing found around 10% more router addresses than random probing and was significantly less affected by ICMP rate limiting, while also uncovering many previously unseen routers. Maynard concluded that SRA probing is a valuable addition to the IPv6 measurement toolbox and highlighted routing loops and scan-induced network issues as important operational concerns.

Warren Kumari, Google, questioned the assumption that network deployments are typically hierarchical. While he acknowledged that this is true in some cases, he noted that it is not universally applicable. He explained that prefixes are often used for backbone networks or large connectivity domains, where the resulting structure is not necessarily hierarchical.

Jen Linkova, Google, referred to RFC 4291 and questioned how additional devices could be discovered behind a router if the router had already indicated that no further subnet exists beyond it. Maynard responded that the primary goal of the work is to improve upon the current random scanning approach and achieve more stable results.

Éric Vyncke, Cisco, asked a clarifying question about the order in which subnets are scanned.

Lots of Free Data! The RPKISPOOL Format Data Materialisation as Used in RPKIViews

Job Snijders

The presentation slides:

https://pretalx.ripe.net/media/ripe-92/submissions/J3DLVL/resources/RIPE92_The_RPKISPOOL_Jf4bZdv.pdf

Presentation:

https://ripe92.ripe.net/media/videos/job-snijders_lots-of-free-data-the-rpkispool-format-data-materialization-as-used-in-rpkiview_main_20260519-164047.mp4

Job Snijders presented RPKIViews and its new “RPKI spool” format for capturing and storing global RPKI data in a complete, accessible way. He explained that, unlike BGP, RPKI data is finite but rapidly growing, making traditional full snapshots inefficient and difficult for researchers to use. RPKI spool addresses this by recording a daily checkpoint plus incremental changes, using standard formats and heavy compression to enable scalable long-term archiving. With globally distributed collectors, it captures diverse validation states and supports analysis of consistency, backdating, and operational issues. Job concluded that this approach makes large-scale RPKI analysis practical and openly available to the research community.

Pawel Foremski, IITiS PAN, asked whether Job had considered using off-the-shelf databases for this purpose. Job answered that he did, but he was wondering what would happen when those are not available 20 years from now. Job said he prefers to do this based on open standards.

Silvan Gebhardt, Openfactory, asked if the daily snapshot was needed, considering the costs. Job answered that a single snapshot per day is a compromise to provide a starting point relatively cheaply.

Detecting and Characterising DDoS Scrubbing from Global BGP Routing:​ Insights from Five Leading Scrubbers​

Shyam Krishna Khadka, University of Twente

The presentation slides:

https://pretalx.ripe.net/media/ripe-92/submissions/QKVKRR/resources/Detecting-scrubbing-_bc4ad2b.pdf

Presentation: https://ripe92.ripe.net/media/videos/shyam-krishna-khadka_detecting-and-characterizing-ddos-scrubbing-from-global-bgp-routing-insights_main_20260519-170727.mp4

Shyam Krishna Khadka presented a method to detect and characterise BGP-based DDoS scrubbing using public routing data. By analysing 30 days of RIPE RIS BGP updates and RIBs, he inferred when traffic is redirected through scrubbing providers such as Cloudflare and Akamai. He identified two main modes: always-on scrubbing, where traffic permanently passes through a scrubber, and on-demand scrubbing, activated only during attacks via upstream or origin changes. Results show that always-on protection is more common, while on-demand activations vary across providers. He also found that some scrubbed prefixes are announced without valid RPKI ROAs, raising routing security concerns.

Ivan Beveridge commented that organisations carrying high-value traffic are more likely to deploy always-on DDoS mitigation services. He noted that some of the resulting data could potentially be used to infer operational information, such as the timing of maintenance windows.

Exploring Iran's Internet Shutdowns Using Cloudflare Radar

David Belson, Cloudflare

The presentation slides:

https://pretalx.ripe.net/media/ripe-92/submissions/W398FN/resources/Exploring_the_Iran_I_dS6bEAq.pdf

Presentation:

https://ripe92.ripe.net/media/videos/david-belson_exploring-irans-internet-shutdowns-using-cloudflare-radar_main_20260519-171654.mp4

David Belson presented an analysis of two major nationwide Internet shutdowns in Iran during early 2026 using data from Cloudflare Radar. He demonstrated how traffic, DNS, and routing signals changed before, during, and after the disruptions. Among the early indicators he identified were shifts in DNS-over-HTTPS and QUIC usage, as well as a near-complete withdrawal of IPv6 announcements shortly before the January shutdown.

Both events resulted in sharp declines in Internet traffic, followed by partial and uneven recovery across major Iranian ASNs. David also highlighted evidence of attempts to circumvent the restrictions and noted that connectivity remained significantly reduced throughout much of 2026, with persistent restrictions affecting Internet access across the country.

Warren Kumari, Google, asked whether David could explain the difference between total traffic volume and HTTP traffic volume shown in the data. David replied that the difference was likely attributable to DNS-related traffic.

Shane Kerr, IBM, asked whether the increase in TXT record traffic could be related to IP-over-DNS or similar techniques. David said he was not sure.

Blake Willis, L33 Networks, asked whether there was any visibility into VPN usage and how successful such services had been during the shutdowns. David responded that he did not have that information available, but noted that known VPN provider ASNs could potentially be analysed to gain further insight into the use of third-party VPN services.

Closing

Nina Bargisen thanked the presenters and attendees. Attendees were encouraged to rate talks and continue discussions via the MAT WG mailing list. Also, Nina announced that after many years, this would be her last RIPE meeting as a Working Group Chair for the MAT Working Group.

The session closed with a reminder to join the next MAT WG at RIPE 93 in Sofia.