The RIPE NCC Community Projects Fund opened its call for applications in June 2021. The application period was open for over six weeks and 20 applications from 16 different countries were received.
The RIPE NCC Community Projects Fund Selection Committee has reviewed the applications and is happy to announce that the following projects have been selected as the 2021 recipients of the RIPE NCC Community Projects Fund. We’d like to thank everyone that showed interest in the fund.
Congratulations to the selected projects:
CAcert.org is the longest-running international open-source project aimed at a free and unlimited issuance of X.509 certificates for securing Internet transmissions, accurately identifying and securing Internet web sites, encrypting e-mails and signing documents, contracts and binary applications. CAcert uniquely certifies individuals and legal entities performed by our network of trained volunteers. Their true names are linked to the certificates CAcert issues for them at their request. Usages where true ID certification is required can only grow, for instance, for having documents and online contracts be non-repudiated. CAcert is looking at evolving its tools and services to make itself useful for new usages to come. For this purpose, CAcert is proposing this project to extend the existing X.509 certificate capabilities to include the OpenID Connect protocol, used by many web sites and large organisations to properly identify their users, and also to provide Single Sign On capabilities for those organisations.
Cryptofuzz is an open-source tool that uses fuzzing to find bugs in cryptographic libraries. It compares the result of two or more libraries performing the same operation (like computing a SHA256 digest, or encrypting a message using AES, or computing the modular exponentiation of some numbers). This is called differential fuzzing and is useful to find differences in two or more code bases that ought to produce the same result. In the process, it also uncovers memory bugs like buffer overflows, branching on uninitialised memory, NULL pointer dereferences, infinite loops, integer overflows and so on. Several instances of Cryptofuzz run continuously Google’s servers as part of their OSS-Fuzz project and cryptographic library maintainers receive e-mail as soon as a bug is discovered.
The VSIG course called "Introduction to Internet Governance (VSIG)” is a free and multilingual online interactive training programme open to anyone, anywhere, with ten core modules. The format of this online course is a Massive Open Online Course (MOOC), with the goal of networking with peers across the world. The course tests the participant knowledge and if they meet all the requirements a certificate of completion will be produced. Weekly synchronous sessions for interactive conversations are encouraged amongst and between teachers and students.
Develop an open-source FreeBSD/Linux implementation of TCP-AO to facilitate and encourage wider adoption of the protocol on the Internet.
Deliverables: FreeBSD reference implementation and Linux port.
Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed IP addresses. The absence of SAV at the network edge for outgoing traffic has been known as a root cause of DDoS attacks. While less pronounced, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure.
The Closed Resolver Project tries to mitigate the problem of inbound IP spoofing. Our preliminary measurements covered over 55% IPv4 and 27% IPv6 ASes and revealed that most of them are fully or partially vulnerable to inbound spoofing. The project uncovered 4.25 M IPv4 closed resolvers that may pose significant security threats. We undertook longitudinal Internet-scale measurements to infer SAV deployment and developed a technique to identify closed DNSSEC-validating resolvers.
This project aims at building a scalable platform for longitudinal measurements and notifications composed of a personalised web panel for individual operators. They will be able to identify exposed resolvers for their networks. After deploying SAV, using the platform, they may automatically trigger scans to verify whether SAV was implemented correctly.
By this project, 900 unskilled people who are in the society (Gboko) will be trained to get empowered technologically and have free Internet access through acquiring skill training on Internet, blogging, design, hosting, digital marketing, zoom meetings (virtual meetings), basic knowledge for job and will get jobs linkage to various job providers. Also, a community ICT center will be established where the general public will get computer access and Internet use and have free access to global issues online in the community. Above all, Internet freedom will be guarantee through this project.
At the Green Web Foundation, we seek to increase the Internet’s energy efficiency and speed a transition away from fossil fuels. As part of this vision, we propose the project “A Carbon-Aware Internet”. Using real-time data about electricity around the world, we will annotate network connections with carbon-intensity. With this information, any digital infrastructure provider can move their compute workloads to greener regions.
Results include:
DNSThought is a DNS measurement and data analysis platform that provides longitudinal insight into resolvers and their capabilities. The project started at a RIPE DNS hackathon in 2017 and uses the RIPE Atlas measurement infrastructure for data collection. Measurements of resolver capabilities are performed hourly since April 2017 and ongoing.
A unique feature of the DNSThought project is that by continuous measurements, researchers and operational engineers can study the status of standards and resolver functionality over time. There are many applications for the analysis of the collected data, for example the successful adoption of DNS privacy enhancement standards on the Internet, the deployment of new DNSSEC algorithms or measuring the DNSSEC root key(s) used by resolvers during the DNSSEC root key rollover in 2018.
Currently all the diagrams in DNSThought are created as static images. We would like to provide more value for our users by creating a more interactive web user interface, as well as a better separated backend API, preferably a well-known cloud provided store/API, like Google BigQuery. The backend is open to any user via the API and by using a cloud provider. Data is readily available worldwide.
RIPE members range from large network operators to small or even very small networks (the “long tail”). Common to all of them, is that they have publicly routed and active IP addresses and devices which are reachable from the Internet. With Internet-wide scanning tools (shodan, etc.), any vulnerable device is discoverable with a click of a button for any malicious actor. While large network operators can spend a lot on IT security-incidence response (IR), network hygiene and incident report handling, smaller ones can’t. In our experience, these smaller networks very selectively deal with IR. Many of the reports sent by national CERTs are ignored due to the lack of personnel, skills or resources. The effect being that Internet hygiene is suboptimal in the long tail. Which in turn, creates more hacked devices, DDoS amplifiers, etc. and poses more threats to the global network.
Our project aims at bringing the best of breed open-source technology as a turn-key package to the “long tail” networks to plug into their customer contacts database (CRM) system on the one side and to the global feeds of threat intelligence and scanning alerts (such as shadowserver.org). Automate the IR, improve network hygiene!