Skip to main content

MAT Working Group Minutes - RIPE 91

Date: Tuesday, 21 October 2025, 16:00 – 17:30 (UTC +3)
Working Group Chairs: Massimo Candela, Stephen Strowes, Nina Bargisen
Scribe: Stephen Suess
Status: Draft

View the recordings
View the stenography transcript
View the chat log

Opening Remarks

The presentation is available at:
https://pretalx.ripe.net/media/ripe91/submissions/BK87KX/resources/mat_ripe91_chair_2_yREHTwh.pdf

Massimo Candela welcomed attendees to the session, joined by co‑chairs Nina Bargisen and Stephen Strowes. He reminded participants that the MAT WG serves as a bridge between researchers and network operators to exchange insights, feedback, and data‑driven analysis. He encouraged the audience to provide feedback after the session. Massimo noted that 38% of submissions were accepted, with five talks scheduled. He introduced the first speaker, Geoff Huston of APNIC.

Network Measurement in the Dark

Speaker: Geoff Huston, APNIC

The presentation is available at:
https://pretalx.ripe.net/media/ripe91/submissions/DGX8XV/resources/2025-10-21-darknetwor_R3K3kvE.pdf

Geoff Huston discussed the increasing encryption of Internet traffic and its consequences for network measurements. He highlighted the shift toward encrypted transport protocols such as QUIC and DNS‑over‑HTTPS, which significantly reduce network visibility.

He argued that as more application‑level encryption is adopted, traditional packet‑level measurement becomes obsolete, forcing researchers to focus on endpoint and application‑based observations. He concluded that measurement must adapt to this privacy‑driven transformation of the Internet.

Questions

Ondřej Surý, ISC, noted that QUIC implementations remain inaccessible for smaller developers and argued that the protocol benefits large players.

Geoff acknowledged the concern and agreed that growing complexity centralises power among major operators.

Mirja Kühlewind, Ericsson, suggested that endpoint measurements could offer new opportunities if designed with privacy preservation in mind. Geoff responded that user‑side measurement remains biased and ethically challenging, as only technically inclined participants tend to join platforms like RIPE Atlas.

Ulrich Wisser, ICANN, argued that users do care about privacy, even if they rarely express it explicitly. He compared it to public trust in bridge safety, that people don’t check the bridge before crossing, but they expect it to be secure by default.

Geoff Huston agreed that expectations exist but added that willingness to fund privacy measures remains low, citing Apple’s Private Relay feature as an example where adoption is far below universal.

Disrupting the Internet in the Name of Copyright: An Italian Story

Raffaele Sommese, University of Twente

The presentation is available at:
https://pretalx.ripe.net/media/ripe91/submissions/WK3AQH/resources/RIPE91_-_Piracy_Shiel_HveKWZg.pdf

Raffaele presented an analysis of Italy’s Piracy Shield system, which enabled copyright holders to request the blocking of IPs and FQDNs (targeting illegal football streaming) within 30 minutes. He reconstructed blocking activity from a leaked list and a public ‘is-it-blocked’ checker, validating ~10,000 IPv4 addresses and ~40,000 FQDNs blocked between Feb 2024 - Jun 2025, originating from 3,782 takedown requests. By June 2025, 98% of IPs and 44% of FQDNs remained blocked.

He showed evidence of collateral damage (shared/virtual hosting side effects, Anycast-address blocks, mail delivery disruptions), including cases where hundreds of non-streaming sites and email services were affected, and one oddity in which an Anycast IP used to serve the Piracy Shield block page was itself blocked. He noted that in practice IPv6 wasn’t being blocked, so many targets shifted to IPv6 or new IPv4s (often outpacing the system). He recommended revising the platform (avoid IP-level blocking, time-limit FQDN blocks, publish a release/appeal mechanism, and notify operators).

Questions

Max Tulyev, NetAssist, asked whether anyone, NGOs or other organisations, was fighting the Piracy Shield system through legal or public channels, or if the situation was simply being accepted in Italy.

Raffaele replied that because there was no public list of blocked resources, affected companies and users rarely even know their assets are being blocked, making any legal challenge extremely difficult. He said his research was likely the first systematic attempt to highlight the issue publicly.

Mick O'Donovan, HEAnet CLG, suggested that the topic also fit the Security working group and recommended informing the WG’s mailing list about the work, noting the MAT and Security working groups were happening concurrently.

Raffaele agreed that it sat at the intersection of measurement and security and would raise it with the Security WG community.

Rüdiger Volk, no affiliation, asked whether this should be taken up through cooperation channels.

Raffaele said the problem needed solving and hoped the work would prompt action.

Marco d’Itri, Seeweb | DHH, said that cooperation on the issue had proven impossible, explaining that Italian ISPs had been unable to influence the process despite attempts to engage. He contrasted this with experiences in other countries, noting that, for instance, the Russian regulator notifies operators before blocking domains or IP addresses, while the Italian regulator does not.

An Empirical Evaluation of Longitudinal Anycast Catchment Stability

Remi Hendriks, University of Twente

The presentation is available at: https://pretalx.ripe.net/media/ripe91/submissions/RQBH3N/resources/anycast_stability_RIP_q1Xz8KX.pdf

Remi Hendriks presented a longitudinal study of Anycast catchment stability using daily measurements over six months. The research deployed probes at 32 sites across six continents to examine how routing shifts affect Anycast performance.

Results showed significant catchment volatility, with around 40% of prefixes changing their preferred point‑of‑presence within two months. IPv6 catchments appeared somewhat more stable. He recommended operators refresh mapping analyses weekly and further investigate causes of rerouting events.

Questions

Wolfgang Tremmel, DE-CIX, thanked Remi for the presentation and asked whether the analysis showed similar results across different Internet Exchange Points (IXPs) around the world, or if the patterns were unique to Europe.

Remi replied that the study observed similar catchment behaviour at other large IXPs, mentioning that AMS-IX also attracted substantial traffic. He added that in one notable case, a remote-peering link between a Chinese network (China Unicom) and DE-CIX explained why many Chinese prefixes were routed to Frankfurt.

Shane Kerr, IBM, asked how the team’s peering and connectivity were arranged for the Anycast sites, whether they managed routing policies directly or relied on their hosting provider’s default setup.

Remi explained that connectivity was managed by the Vulture platform on which the nodes were deployed; no explicit traffic-engineering was applied. He added that other operators using the same platform could expect similar network characteristics.

Querying the DFZ

Ties de Kock, RIPE NCC

The presentation is available at:
https://pretalx.ripe.net/media/ripe91/submissions/3Q7AUL/resources/20251020_querying_the_VpHijNI.pdf

Ties de Kock introduced a new dataset derived from RIPE RIS, providing indexed Parquet files for efficient querying of BGP data. He demonstrated use cases for researchers and operators, including analysing route dynamics, upstream changes, and noisy prefixes using SQL or data‑science workflows. This approach drastically reduces processing time compared to parsing MRT files directly. The pilot dataset is publicly available for twelve months, pending community feedback.

Questions

Gert Döring, SpaceNet AG, commented that he had long collected IPv6 BGP data ‘since the ancient ARC days’ and that this new approach to structuring RIS data as queryable Parquet files gave him many new ideas for building a proper database out of his historical archives.

Who is "Really" Running Email?

Willem Toorop, NLnet Labs

The presentation is available at:
https://pretalx.ripe.net/media/ripe91/submissions/FF88V7/resources/who-is-really-running_RBdlfJO.pdf

Willem Toorop presented work analysing the centralisation of global email hosting using real DNS traffic observed at one of Quad9’s public recursive resolvers.

He built on a master’s thesis by Tobias Seijsener, University of Amsterdam, which analysed MX records in several ccTLDs (.ch, .ee, .fr, .se, .sk) using OpenINTEL data. This earlier study suggested that although big cloud mail providers such as Outlook and Google were gaining a share, each country’s largest email provider was still a local one.

Toorop’s new study sought to see which providers were actually used in practice, not merely listed in MX records. By examining MX queries seen at Quad9’s Amsterdam PoP (20 % sample rate, aggregated and anonymised), he measured relative query volumes to different MX hosts.

Results showed that Outlook.com and Google.com together accounted for over a quarter of all MX query traffic, with YahooDNS, h-email.net, artegic.net, and gmx.net following. The rest was split among thousands of smaller domains. Geo-IP analysis found most traffic originating from Europe, notably NL and DE, but with queries for many non-local TLDs, confirming that MX registrations in a TLD don’t necessarily reflect that country’s operational email hosting.

He compared his findings with Seijsener’s original OpenINTEL numbers, showing that for all five ccTLDs, large global providers handled a much greater share of actual traffic than suggested by domain-level counts. He concluded that resolver-side observation offers valuable insight into real usage but should be supplemented with authoritative data for completeness. He acknowledged that further work is needed to disentangle caching effects and private infrastructure use.

Questions

Marco d’Itri, Seeweb, questioned the validity of the method, arguing that Quad9’s data was not representative of SMTP traffic because public resolvers are blocked by Spamhaus and generally not used by mail servers.

Willem acknowledged this limitation and said the goal was to explore what insight can be gleaned from resolver-side signals. He suggested future measurements using other resolvers, such as the planned DNS4EU service.

Marco d’Itri followed up, adding that he did not believe any public resolver would ever see mail-server traffic, since all properly run mail systems use local resolvers.

Sebastian Castro, .IE, noted that his team had been tracking email provider trends for Ireland for several years and warned that many ‘local providers’ in ccTLD data are default cookie-cutter domains not actually used for email. He recommended augmenting resolver data with authoritative-side logs or RPKI statistics, which are available for some national zones and would show actual query activity.

Toorop agreed that combining resolver and authoritative perspectives would produce a more accurate view.

Jim Reid, independent, praised the research as fascinating but methodologically flawed. He argued that DNSSEC metrics and resolver-based measurements are distorted by caching and visibility bias, since many organisations use private resolvers whose queries will never reach Quad9.

Toorop replied that resolver-side query capture can still offer useful trends because it observes uncached queries from clients, though he agreed that bias and TTL effects need careful handling.

Jim added a second point that many email providers depend on cloud back-ends such as AWS, so the true operators of email infrastructure might be those cloud platforms rather than the mail brands themselves. He suggested that understanding this layering would require additional data about hosting and infrastructure relationships.

Toorop agreed and said that examining IP ownership and hosting correlations could be a fruitful direction for future work.

Closing Remarks

The Chairs thanked all presenters and attendees for their participation and Massimo reminded the audience to rate talks and provide feedback.