This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[atlas] Probe and firewall settings?

Previous message (by thread): [atlas] Probe and firewall settings?
Next message (by thread): [atlas] Minor changes in the credits transactions API endpoint

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Tim Chown Tim.Chown at jisc.ac.uk
Mon Jan 15 17:12:17 CET 2018

Hi Robert,

> On 15 Jan 2018, at 12:23, Robert Kisteleki <robert at ripe.net> wrote:
> 
> On 2018-01-15 13:09, Tim Chown wrote:
>> Hi,
>> 
>> At https://atlas.ripe.net/about/faq/#so-which-services-do-i-need-for-my-probe-to-work
>> 
>> it says
>> 
>> "The absolute minimum set is DHCP, DNS and outgoing TCP port 443 (HTTPS) in order to allow the probe to connect to the network. However, this in itself is not enough to do measurements, which is the entire focus of RIPE Atlas, so you should also allow ICMP, UDP (DNS + traceroute), TCP for traceroute and HTTP(S)."
>> 
>> What specific ports and protocols are required for routine operation and for inbound or outbound measurements to be configured?  I think the above info could be a little more detailed (having had questions asked of me).
>> 
>> Many thanks,
>> Tim
> 
> Hi,
> 
> The more precise we try to be, the more wrong we'll end up being :-) but
> I'll try to be a bit more specific.
> 
> For incoming traffic: the probes don't provide real accessible services,
> so incoming ICMP/ping and UDP/traceroute is probably enough (assuming
> the probe is otherwise not firewalled / NATed).

I think some probes we'd like to run tests to are behind a firewall, hence the interest on what's required as a minimum for at least basic connectivity tests.  I'll follow up directly with a couple of specific examples rather than cite them here.

> For outgoing traffic: the more you allow, the more measurements will
> have a chance of succeeding. For example, if you only allow TCP/443 out,
> then measurements to other ports (like TCP/traceroute or TLS to non-443)
> will likely fail. Allowing outgoing DNS to any server is a must in order
> to be useful for non-local-resolver queries. And so on.

OK, thanks.  A tweak to the FAQ along those lines would be good, I think :)

> We also have NTP since the writing of the above FAQ entry, and HTTP
> towards anchors. While the requirements (or, I should say,
> recommendations) don't change each day, they do evolve over time.

Understood, and thanks again.

Tim

> 
> Hope this helps!
> Robert
>

Previous message (by thread): [atlas] Probe and firewall settings?
Next message (by thread): [atlas] Minor changes in the credits transactions API endpoint

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ripe-atlas Archives ]