[mat-wg] [Fwd: Community suggestion for ATLAS spoof test]

Restating my comments on the mike at the MAT WG meeting here on the
mailing list.

On 5/16/13 1:13 AM, Daniel Karrenberg wrote:
> I know that you intend to limit the risk by restricting source
> addresses and of course by getting consent of the probe hosts. I am
> just afraid that even asking the question will make some hosts doubt
> that we will not harm their networks and their connectivity. We have
> to realise that not all the hosts will share our enthusiasm about new
> experiments and the more hosts we will need to find, the less of them
> will be as open minded as we are ourselves.

I understand the concern of some operators in allowing spoofed packets
on their networks.  The use of Atlas probes as origin of spoofed
packets, and its impact on trust and confidence in these probes, need
careful consideration.  But in this discussion of using Atlas for
spoofed traffic analysis, the goals of the experiment, the scope, data
gathering and analysis are also important.  If we can define them well,
we (the RIPE community at large) can communicate the experiment and its
impact clearly with operators, and gain sufficient acceptance to run a
relevant (statistically) experiment.

The goals of anti-spoofing experiments can be diverse, but in recent
discussions on mailing lists and RIPE meeting, it mostly amounts to
raising BCP38 (ingress filtering) awareness, gathering aggregated
statistics, and informing network operators about security risks (in
their networks).  Even though as a network researcher I would be quite
happy to run these experiments myself, I can understand that it would be
more credible (reasonable/acceptable) that only a limited experiment is
run by one group of people.

The group of people and the limited experiment can be under examination
of the RIPE Atlas community.  This group of people can be RIPE NCC
staff, a representative group from MAT WG participants, or (most
probably) a mix of both.   The limited experiment is a well-defined
experiment in which Atlas probes use spoofed IP addresses from one or
more specific prefix blocks, during a specific time period (e.g. a
week), and with a specific frequency (e.g. twice a year---a month before
a RIPE meeting).  And finally, we have to discuss the availability of
the measurement data.  Open to everyone for analysis, after some
post-processing, or aggregated statistics.  Personally for me, data
access as open as possible.

During the MAT WG there was also an opt-in/opt-out discussion.  And as
was stated by Randy (different wording, but in essence---please correct
me), is that with opt-in we only see the networks that are confident and
have BCP38 in place.  Opt-out would be preferred to ensure (or make it
more likely) we see a more representative part of the network (hosting
an Atlas probe).

-- Benno

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/