Funding Recipients 2020

The RIPE NCC Community Projects Fund opened its call for applications in June 2020. The application period was open for just over eight weeks and 35 applications from 21 different countries were received.

The RIPE NCC Community Projects Fund Selection Committee has reviewed the applications and is happy to announce the following eight projects have been selected as the 2020 recipients of the RIPE NCC Community Projects Fund. We’d like to thank everyone that showed interest in the fund.

Congratulations to the selected projects:

BGP Hijacking Observatory

University of California San Diego’s Center for Applied Internet Data Analysis (CAIDA) 

The 'BGP Hijacking Observatory' prototype is a modular platform continuously monitoring BGP to detect and classify prefix hijacking events globally (i.e., affecting *any* AS). While tools like ARTEMIS or BGPalerter help an operator to detect events affecting its own prefixes, victims of BGP hijacking also include all (the users from) the other operators who exchange traffic with an affected prefix. The Observatory fills this gap, providing a public source of data based on much more advanced (and open) methods than services such as bgpstream.com. The Observatory:

  • Continuously listens for BGP data from RIPE RIS and RouteViews collectors to detect classes of events that might be associated with prefix hijacking;
  • Tags these events based on various databases and criteria;
  • Executes traceroutes from RIPE Atlas vantage points towards the affected prefix while the event is still occurring, thus effectively combining control- and data-plane data;
  • Attempts a final inference of the event (e.g., benign vs suspicious, misconfiguration) providing rationale for the inference;
  • Provides a dashboard with data visualizations and search functionalities.
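The detection, tagging and inference steps above, as an added example that is not part of CAIDA's Observatory code: a small pipeline over constructed route-collector style announcements, using a constructed expected-origin table in place of the ROA/IRR data the real platform consults, with the tags and inference thresholds chosen for illustration.

```python
import ipaddress

# Constructed expected-origin table standing in for ROA/IRR data (assumed for this example, not CAIDA's data).
EXPECTED_ORIGINS = {"192.0.2.0/24": {64500}, "198.51.100.0/22": {64501}}

# Constructed announcements shaped like route-collector updates (not real RIS/RouteViews data).
SAMPLE_UPDATES = [
    {"collector": "rrc00", "prefix": "192.0.2.0/24", "as_path": [64496, 64497, 64500]},
    {"collector": "rrc01", "prefix": "192.0.2.0/24", "as_path": [64496, 64499]},
    {"collector": "rrc03", "prefix": "192.0.2.0/24", "as_path": [64498, 64499]},
    {"collector": "route-views2", "prefix": "198.51.100.0/24", "as_path": [64496, 64502]},
    {"collector": "rrc00", "prefix": "198.51.100.0/22", "as_path": [64496, 64501]},
    {"collector": "rrc00", "prefix": "203.0.113.0/24", "as_path": [64496, 64503]},
]

def covering_entry(prefix):
    """Most specific EXPECTED_ORIGINS prefix covering `prefix` (or equal to it), else None."""
    net, best = ipaddress.ip_network(prefix), None
    for covering in EXPECTED_ORIGINS:
        cnet = ipaddress.ip_network(covering)
        if cnet.version == net.version and net.subnet_of(cnet):
            if best is None or cnet.prefixlen > best.prefixlen:
                best = cnet
    return str(best) if best else None

def detect_events(updates):
    """Group announcements whose origin conflicts with expectations into events keyed by (prefix, origin)."""
    events = {}
    for upd in updates:
        covering = covering_entry(upd["prefix"])
        if covering is None:
            continue  # no expectation recorded for this prefix: nothing to compare against
        origin = upd["as_path"][-1]  # rightmost AS in the path is the origin
        if origin in EXPECTED_ORIGINS[covering]:
            continue  # consistent with the expected origin
        ev = events.setdefault((upd["prefix"], origin), {
            "prefix": upd["prefix"], "origin": origin, "covering": covering,
            "tags": {"origin-mismatch"}, "collectors": set()})
        if upd["prefix"] != covering:
            ev["tags"].add("sub-prefix")  # more specific than the expected route
        ev["collectors"].add(upd["collector"])
    return sorted(events.values(), key=lambda e: (e["prefix"], e["origin"]))

def infer(event):
    """Provisional inference with a rationale; the thresholds here are this example's assumptions."""
    if "sub-prefix" in event["tags"]:
        return "suspicious", "more-specific announcement from an unexpected origin draws traffic away from the covering route"
    if len(event["collectors"]) < 2:
        return "inconclusive", "origin conflict seen by a single collector; consistent with a local leak or misconfiguration"
    return "suspicious", "origin conflict on the exact prefix visible from multiple collectors"
```

In the real platform the events returned here would be the trigger for RIPE Atlas traceroutes towards the affected prefix while the announcement is still visible.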

With RIPE funding, the team would like to engage the operator community to improve and share data from this platform. A prototype under development can be viewed here.

Closed Resolver Project

Grenoble Alpes University, Computer Science Laboratory (LIG Lab)

Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV at the network edge for outgoing traffic is a known root cause of Distributed Denial-of-Service attacks and has received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered CVE-2020-1350 and NXNSAttack.

The Closed Resolver Project tries to mitigate the problem of inbound IP spoofing. Closed and open DNS resolvers that accept spoofed requests coming from outside their network have been identified. Measurements covered over 55% of IPv4 ASes and 27% of IPv6 ASes and revealed that the great majority of them are fully or partially vulnerable to inbound spoofing.

The project aims at undertaking longitudinal Internet-scale measurements to infer the SAV deployment in entire IPv4 and targeted IPv6 address spaces, identify DNSSEC-aware validating resolvers (both open and closed) and perform notification campaigns to remediate the problem of inbound spoofing.

Cryptofuzz

Guido Vranken

Cryptofuzz is an open-source tool that uses fuzzing to find bugs in cryptographic libraries. It compares the result of two or more libraries performing the same operation (like computing a SHA256 digest, encrypting a message using AES, or computing the modular exponentiation of some numbers). This is called differential fuzzing and is useful to find differences in two or more code bases that ought to produce the same result. In the process, it also uncovers memory bugs like buffer overflows, branching on uninitialized memory, NULL pointer dereferences, infinite loops, integer overflows and so on. Several instances of Cryptofuzz run continuously on Google’s servers as part of the OSS-Fuzz project, and cryptographic library maintainers receive e-mail as soon as a bug is discovered. Currently, around 200,000 lines of code are covered, and the coverage report can be found here.
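Differential fuzzing as described above, reduced to its core, as an added example that is not Cryptofuzz's own code: two constructed modular-exponentiation implementations are run against Python's built-in `pow` on the same randomly generated operands, and the inputs on which the results diverge are reported. One implementation deliberately omits a final reduction so the harness has a defect to find; the input generator is biased towards the edge cases a fuzzer's corpus accumulates.

```python
import random

def modexp_square_multiply(base, exp, mod):
    """Left-to-right square-and-multiply; handles the mod == 1 case where every result is 0."""
    if mod == 1:
        return 0
    result, base = 1, base % mod
    for bit in bin(exp)[2:]:
        result = result * result % mod
        if bit == "1":
            result = result * base % mod
    return result

def modexp_rtl_unreduced(base, exp, mod):
    """Right-to-left square-and-multiply, constructed with a defect: for exp == 0 and mod == 1
    it returns 1 where the correct answer is 0, because the initial `result` is never reduced."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result  # the fix would be `return result % mod`

def modexp_input(rng):
    """Random operands weighted towards edge cases (zero exponent, tiny moduli, large values)."""
    mod = rng.choice([1, 2, rng.getrandbits(64) | 1, rng.getrandbits(256) | 1])
    exp = rng.choice([0, 1, rng.getrandbits(16), rng.getrandbits(256)])
    return rng.getrandbits(256), exp, mod

def differential_fuzz(implementations, gen_input, iterations=2000, seed=1):
    """Run every implementation on identical inputs; return (args, results) for each disagreement."""
    rng = random.Random(seed)  # fixed seed so a divergence can be replayed
    divergences = []
    for _ in range(iterations):
        args = gen_input(rng)
        results = {name: fn(*args) for name, fn in implementations.items()}
        if len(set(results.values())) > 1:
            divergences.append((args, results))
    return divergences

IMPLEMENTATIONS = {
    "builtin_pow": pow,
    "square_multiply": modexp_square_multiply,
    "rtl_unreduced": modexp_rtl_unreduced,
}
```

Every reported divergence names the implementation that disagrees with the others, which is what lets a maintainer triage a Cryptofuzz finding without first knowing which library is wrong.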

Apart from finding existing bugs, OSS-Fuzz is also useful to find new bugs as soon as they are committed to the development branch of a cryptographic library. This project received RIPE NCC Community project funding last year as well. Last year, the project had found about 25 bugs at the time of submitting their funding application. Currently, close to 70 bugs have been found:
https://github.com/guidovranken/cryptofuzz

A blog post from last year that goes into the technical details can be read here.

FRRouting Fuzzing

Sartura 

FRRouting is an IP routing protocol suite for Linux and Unix platforms which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP. Fuzzing (or fuzz testing) is a software testing process that uses specially prepared inputs with the goal of finding unusual behaviour and crashes. The FRRouting Fuzzing project is an R&D project, to be initiated within Sartura, that aims to significantly improve the security of the FRRouting ecosystem by setting up fuzz testing processes for several FRRouting ecosystem components and utilities, reporting collected issues to FRRouting developers and – where applicable – providing fixes for a selected set of issues.

Improve Tails for Censorship Circumvention

Riseup Labs

Tails is a portable operating system that protects the user's privacy and helps avoid censorship. Users can use their Tails USB stick to temporarily turn their computer into a secure machine or to stay safe while using the computer of somebody else. All Internet traffic from Tails goes through the Tor network to protect users from online surveillance, tracking and censorship. As a digital security toolbox, Tails includes a selection of state-of-the-art privacy tools, which are configured with safe defaults to prevent mistakes. To protect from search and seizure, it leaves no trace on the computer when shut down. Users can create an encrypted Persistent Storage on the Tails USB stick to store some personal files and configuration.

Users in places where the access to Tor is blocked can use Tor 'bridges' to circumvent this blocking and access censored content. Tails already has a basic feature to configure Tor bridges but it suffers from important usability and reliability issues. This project aims to fix the most critical of these issues. It will make Tails usable by more people in repressive countries with heavy network censorship and grant them access to an uncensored Internet.

NRTM v4

Sasha Romijn, DashCare B.V.

The Near Real Time Mirroring (NRTM) protocol is used to distribute updates from authoritative IRR sources to mirrors of those IRR databases. Current versions (v2 and v3) of NRTM are dated. They are tied to the whois protocol, implementations are inconsistent, and standardisation and documentation are poor or missing. A new version of NRTM, NRTM version 4, would solve many of the current issues and improve the quality and reliability of IRR mirroring services. NRTM v4 will take inspiration from the RPKI DELTA protocol (RFC 8182), with modifications and simplifications to make NRTM v4 suitable for IRR data.

The scope of this project includes the design process for an NRTM version 4 protocol and fully implementing it in the Internet Routing Registry Daemon (IRRD) version 4. IRRDv4 is a modern, BSD-licensed, feature-rich and functional IRR server, currently used by NTT, ARIN, LACNIC and others.

Some Congestion Experienced (SCE)

netDEF

The goal of the project is to expand SCE high-fidelity congestion control signalling beyond the edge and into core networks and aggregation points. To accomplish this goal, the team will develop a new SCE queueing discipline (qdisc) that can operate using a small and fixed number of FIFO queues, for when fair queueing is not available. This new qdisc will provide approximate fairness between SCE, RFC3168 ECN and non-ECN flows, some isolation for latency-sensitive flows, and mitigation for unresponsive flows.

Along with the new qdisc, an expanded suite of tests and tools addressing an appropriate set of congestion control concerns from RFC5033 will be developed. Source code and test results will be added to their open-source repositories, and a new I-D (Internet-Draft) will be submitted, along with any updates to existing Internet Drafts. If possible, the results will be presented to the Transport Area Working Group (tsvwg) in the IETF.

Virtual School of Internet Governance

Foundation for Building Sustainable Communities

The Virtual School of Internet Governance is a free MOOC (Massive Open Online Courseware) dedicated to the key pillars of Internet Governance. Due to COVID-19, schools of Internet Governance have either been halted or seriously postponed. This project aims to create online courseware that provides an integrated taxonomy, from the novice to the advanced student, for learning the basics of Internet Governance.

The course uses Moodle, which provides the framework including student registration, online forums, Bluejean chats, student assignments, quizzes and more. The rich content focuses on the primary learning objectives as found in face-to-face schools of Internet Governance. The course includes learning modules that are supported by quizzes, online forums, live chats and end-user feedback so that the learning experience can be enhanced. The team will be working closely with the IGF DC3 Coalition for Schools of Internet Governance, which supports the face-to-face schools around the world.