<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jan 28, 2019 at 1:41 PM Philip Homburg <<a href="mailto:philip.homburg@ripe.net">philip.homburg@ripe.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On 2019/01/28 14:33 , Rami Al-Dalky wrote:<br>
> When I tried to create a DNS measurement, I found that the only way to<br>
> send DNS query with option is to set default_client_subnet to True.<br>
> However, by setting this option, a DNS query will be sent with <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>> as client subnet. <br>
> <br>
> Is there a reason why ECS is implemented that way? If it for privacy<br>
> issue, the RFC recommends to sent the client IP with /24 prefix for IPv4<br>
> and /56 for IPv6 to preserve the privacy.<br>
<br>
Let me point out that we chose <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> to avoid all privacy issues.<br>
The recommendation just reduces privacy issues.<br>
<br></blockquote><div><br></div><div>What privacy issues are concerned when allowing a measurement creator to specify an ECS value that the probe should send along with DNS queries? Is it that some actors on the Internet might assume that the arbitrary ECS value actually originated the DNS query without any validation? I think this becomes a non-issue if you restrict the ECS prefix length to something sane like <=24.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
At the same time, it was not clear to us what additional benefit it<br>
would bring to RIPE Atlas measurements to include longer prefixes. In<br>
particular, we assumed that the main purpose of this option would be to<br>
measure interference by firewalls or other middle boxes.<br>
<br></blockquote><div><br></div><div>I think the benefit here is somewhat clear for measuring the behavior of recursive resolvers and authoritative nameservers when ECS data is present.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Philip<br>
<br>
<br>
</blockquote></div></div>