The RIPE NCC Community Projects Fund opened its call for applications in May 2022. The application period was open for just over 8 weeks and 39 applications from 20 different countries were submitted to the Selection Committee.
The RIPE NCC Community Projects Fund Selection Committee has reviewed the applications and is happy to announce that the following 8 projects have been selected as the 2022 recipients of the RIPE NCC Community Projects Fund.
Congratulations to the selected projects:
IS3C's project outcomes ensure that global internet security standards are a ubiquitous baseline requirement in any public or private sector procurement and supply chain management policy. It will:
The proposal will prevent potential causes for cybersecurity threats and harms from happening. Through scoping and analysing security standards and procurement challenges and opportunities, relevant and actionable guidance to require security standards in procurement can be provided to all stakeholders. Recommendations and guidelines are accompanied by an action programme and two actionable toolkits that can assist organisations in buying secure by design when procuring ICTs or managing their supply chain. Through this demand, a business case for cyber security by design is created for the ICT industry.
Internet measurement platforms (IMPs), such as RIPE RIS, RIPE Atlas or RouteViews, are invaluable for network operators, who use them to detect routing events, troubleshoot or optimise their networks. The vantage points of IMPs are not uniformly deployed worldwide, and this may lead to measurement limitations or biases. The AI4NetMon project has quantified the bias of IMPs and provides guidelines for improving the IMP infrastructure. This AI4NetMon 2.0 project will build upon the outcomes of AI4NetMon and go beyond them. It will focus on a per-measurement scale (rather than on the entire IMP scale) and provide analyses, code and tools to (i) quantify bias at a measurement granularity, (ii) provide recommendations and guidelines for improving a measurement setup, and (iii) analyse and learn from past measurement configurations.
The project will provide tools (e.g., a web portal and open-source libraries) where users will define or upload their measurement setup and obtain information about the underlying biases (to carefully interpret their measurement results), recommendations for potential reconfigurations (e.g., to reduce bias) and insights from common measurement practices of similar setups.
The Internet is evolving, and with it, so are technical standards and protocols. Important conversations are taking place across standards development organisations (SDOs) about how the Internet will adjust to meet the needs of future networks and emerging technologies. Some proposals, however, are seeking to radically transform the Internet’s design and, in some cases, move Internet standards and protocol development to multilateral SDOs. Identifying and tracking these types of proposals remains challenging and resource-intensive for the technical community, private sector, and government delegations alike.
The DNS Research Federation (DNSRF) proposes to create an Internet Standards Observatory to support the engagement of stakeholders in the RIPE region of service with proposals that challenge the open, global nature of the Internet. The observatory would scale DNSRF’s ongoing pilot to automate the identification of proposals at ITU-T that seek to promote vertical layer integration, transform naming and addressing, or embed network contracts for purported network efficiency in ways that would challenge the Internet’s interoperability or introduce new forms of tracking and control online. The Observatory will also produce guidelines for stakeholders to assess standard proposals based on potential risks to the open, global Internet and lay out potential avenues to engage with said proposals.
ARTEMIS Lite will be a lightweight version of the ARTEMIS open-source tool based on three fundamental pillars: accessibility, portability, and credibility. The goal of this project is to create a Single-Page Web Application using WebAssembly, a new type of code (up to 800% faster in some cases), for better accessibility and portability, along with Svelte to build the user interface and improve UI performance. The advantage of this approach is that it can run in any browser without any installation process and can be packed as a library to enable the detection functionality in any other application.
Based on feedback from the RIPE community, the demanding installation process and resource requirements of ARTEMIS made users sceptical about going through it, especially in a proprietary environment. With this project, the team aims to address this critical limitation as well as include new functionalities.
ARTEMIS Lite will support:
The overall goal of this project is to improve the Internet's resilience, create a safer Internet environment, and take practical steps to avoid Internet fragmentation.
The study aims to explore the legal, technical, and social aspects of the problem and to develop some practical recommendations (for government agencies, international organisations, Internet service providers, and users). To achieve this goal, it is planned to conduct surveys of mobile operators, Internet service providers, domain name registrars, as well as Internet users. In parallel, it is planned to analyse the relevant documents of the RIPE NCC, ICANN, ISOC, as well as documents of the UN, EU and national governments. The work also implies the demonstration of technical issues that enlarge the bias in providing information to people.
deSEC, a European non-profit organisation, runs a managed DNSSEC hosting platform that provides secure authoritative DNS service for free. The idea is to spread the use of secure DNS technology in the same way as Let’s Encrypt spreads the use of TLS certificates. The platform currently serves about 20,000 zones.
deSEC also works with standardisation bodies like the IETF to advance the development of related Internet protocols with regard to their security properties. Most notably, they have initiated the authenticated DNSSEC bootstrapping protocol, which allows DNS operators to enable DNSSEC for the domains they operate, without requiring the domain owner to take any manual steps.
The project’s purpose is to enable the continued operation of deSEC’s DNS operations and facilitate the platform's technical advancement. In particular, it aims to add DNS-over-QUIC (DoQ) to the technical infrastructure and improve on authorisation settings (API token scoping per owner name/record type, e.g. for ACME challenges used in TLS certificate issuance) and DNS record management (e.g. allow the domain owner to observe replication state).
Recent IETF work has shown renewed interest in taking advantage of IPv6 Extension Headers. Both silicon and standards innovation are promising new opportunities in the way these are supported. However, the success of deploying new mechanisms depends on understanding how current paths support packets that set these headers.
This project will extend existing open-source tooling to provide up-to-date measurement results for the traversal of IPv6 Extension Headers in the Internet, considering a wide variety of paths. The project will also deploy new vantage points to extend the coverage for measurement of the Internet’s core.
The funding will enable the work to be shared with the network community (at a RIPE meeting). This will help understand network operators' perspectives on the data. Results will also be provided to the IETF to support the standardisation of new mechanisms. These results will also provide an AS analysis to identify where along a path IPv6 Extension Headers are blocked or changed, and whether this depends on the type, size or transport protocol used, to help understand barriers to IPv6 Extension Header deployment.
Remote fingerprinting of Domain Name System (DNS) servers is essential for security purposes. Security researchers attempt to measure the deployment of different DNS software versions or identify misconfigured or vulnerable DNS servers (e.g., critical zero-days).
The fpdns fingerprinting tool, developed more than a decade ago, is updated only sporadically and does not consider the fingerprints of new DNS software versions. For example, in 2016, the research team highlighted the problem of non-secure dynamic DNS updates that allow cybercriminals to manipulate DNS entries in the zone files of authoritative nameservers, effectively enabling the hijacking of the domain names of vulnerable nameservers. Using fpdns, they tried to identify the affected software versions but only succeeded for 38% of the nameservers.
This project aims at building an automated fingerprinting technique. The proposed fpdns2 software will rely on a great variety of borderline DNS queries and responses of DNS servers and will not be limited to a set of heuristics, as its predecessor is. Whenever a new version of DNS software is released, fpdns2 will be able to automatically generate the corresponding ML model that can be incorporated into the software.