[Fwd: Community suggestion for ATLAS spoof test]
Dear colleagues, please take a look at the suggestion from Alexander Isavnin. Since he is here in Dublin, we can talk about it during MAT-WG or, if there is not enough time, at the RIPE Atlas community BoF. However, the opinion of the rest of the community counts too, so I ask you to comment on the mailing list if you are interested. Regards, Vesna

-------- Original Message --------
Subject: Community suggestion for ATLAS spoof test
Date: Wed, 15 May 2013 21:16:30 +0200
From: Alexander Isavnin <isavnin@netline.ru>
To: Vesna Manojlovic <BECHA@ripe.net>

Dear Vesna! Could you forward this suggestion to the mat-wg mailing list (and other appropriate lists)? Due to the high requirements to mitigate spoofing, there is a need to detect it. The RIPE community has a great distributed networking tool: ATLAS. As a first step, I suggest selecting an address from the RIPE NCC network and allowing all probes (if the probe is not behind NAT) to send a spoofed packet with this address as the source. As a first-and-a-half step, allow sending packets with the source addresses of anchors (if the anchor's host agrees). As a second step, allow a probe host to permit the use of his address as a spoofed source. Best regards, Alexander Isavnin
Alexander, thank you for writing up this suggestion. Now we have something concrete to talk about. Myself I am very interested in getting hard data about operators that allow spoofing. I am also very interested to see that network operators make spoofing impossible by applying "BCP-38" as much as possible. As many of you will remember, I was one of the people who took the initiative for the Anti-Spoofing task force effort. I am also always curious and ready to dive into an experiment.

However, in this discussion I just *have* to play the devil's advocate and oppose your suggestion. And here is why: We have invested a lot of effort to build RIPE Atlas. Quite some of this effort has gone into convincing probe hosts to install probes and to keep them running. We are planning to convince thousands more to do just that. This requires trust from the hosts that we do no harm to their networks and their Internet connectivity. If we do something that destroys this trust, then we will have no RIPE Atlas left. And as you know, losing trust is far easier and far more rapid than gaining trust.

For me the question boils down to this: "Can we afford to run the risk of losing RIPE Atlas for this experiment?" Is the benefit we hope to gain worth losing the tool that we have built and that will let us discover so many useful things without doing risky things like source address spoofing?

I know that you intend to limit the risk by restricting source addresses and of course by getting consent of the probe hosts. I am just afraid that even asking the question will make some hosts doubt that we will not harm their networks and their connectivity. We have to realise that not all the hosts will share our enthusiasm about new experiments, and the more hosts we will need to find, the less of them will be as open-minded as we are ourselves.

All I am asking is that we not blindly charge ahead with an experiment that we all find exciting and useful before we have fully considered the risks and we have a clear consensus that the result is worth the risk. For this we need to evaluate the potential result too. For instance, it is important to know the distribution of probes that are not NATed. We also have to consider alternative, less risky methods to achieve the result.

Again, thank you for starting the discussion with a concrete suggestion. And please understand that my opposition is not because I think your suggestion is crazy. I think it is exciting and potentially useful. I just want us to consciously consider the risks and agree to accept them before we decide to proceed. Daniel
I know that you intend to limit the risk by restricting source addresses and of course by getting consent of the probe hosts. I am just afraid that even asking the question will make some hosts doubt that we will not harm their networks and their connectivity. We have to realise that not all the hosts will share our enthusiasm about new experiments and the more hosts we will need to find, the less of them will be as open minded as we are ourselves.
I agree that atlas seems like a perfect distributed system to test BCP38 compliance and help operators secure their networks by providing a simple tool to do so. I agree that getting agreement from individual atlas hosts and being careful about the addresses chosen to spoof with is the right model to consider. Perhaps as a first step atlas hosts could be formally surveyed about their willingness to allow spoofing tests from their networks. If any hosts have reservations along the lines of "not harming their networks and their connectivity" then this should be addressed. But at the moment we don't really know what atlas hosts think about allowing spoofing tests. At the same time, Atlas seems like a great platform that could make a substantial contribution to reducing the ability to spoof and the harm that comes from it.
Daniel Karrenberg wrote on 5/16/13 1:13 AM:
I know that you intend to limit the risk by restricting source addresses and of course by getting consent of the probe hosts. I am just afraid that even asking the question will make some hosts doubt that we will not harm their networks and their connectivity.
I understand this concern. But IMO the trust in Atlas probes comes from the way classes of the experiments (and their capabilities) are vetted and agreed, its transparency in particular. I don't think we have a problem here. The evilness of IP-spoofing comes from the ability to spoof traffic to mount a reflector attack. Not sure how "illegal" IP-spoofing is per se. In this respect I don't see how a controlled spoofer test is much different from a ping test. Probably, it is a bit more homeopathic.
All I am asking is that we not blindly charge ahead with an experiment that we all find exciting and useful before we have fully considered the risks and we have a clear consensus that the result is worth the risk. For this we need to evaluate the potential result too. For instance, it is important to know the distribution of probes that are not NATed. We also have to consider alternative, less risky methods to achieve the result.
Without credible data I don't see how we can increase peer pressure and accountability. And without that - how to address the problem. So I think the value of such data collection is high. But the devil is in the details. Perhaps we can start describing the experiment in more concrete terms. What would be the best way to do this? Andrei
On 16-05-13 19:53, Andrei Robachevsky wrote:
Daniel Karrenberg wrote on 5/16/13 1:13 AM:
I know that you intend to limit the risk by restricting source addresses and of course by getting consent of the probe hosts. I am just afraid that even asking the question will make some hosts doubt that we will not harm their networks and their connectivity.
If all we want to know is an overview of the state of spoofing now, and in a year's time, can't we just ask the Atlas users (AKA the mailing list) that want to know to do a one-time spoofing test on http://spoofer.csail.mit.edu/summary.php from their Atlas probe network? IMHO that is less work than to ask Atlas users for permission.

--
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 M: +31 6 23368970
Mailto: antoin.verschuren@sidn.nl
XMPP: antoin.verschuren@jabber.sidn.nl
HTTP://www.sidn.nl/
Restating my comments on the mike at the MAT WG meeting here on the mailing list. On 5/16/13 1:13 AM, Daniel Karrenberg wrote:
I know that you intend to limit the risk by restricting source addresses and of course by getting consent of the probe hosts. I am just afraid that even asking the question will make some hosts doubt that we will not harm their networks and their connectivity. We have to realise that not all the hosts will share our enthusiasm about new experiments and the more hosts we will need to find, the less of them will be as open minded as we are ourselves.
I understand the concern of some operators in allowing spoofed packets on their networks. The use of Atlas probes as the origin of spoofed packets, and its impact on trust and confidence in these probes, need careful consideration. But in this discussion of using Atlas for spoofed traffic analysis, the goals of the experiment, the scope, data gathering and analysis are also important. If we can define them well, we (the RIPE community at large) can communicate the experiment and its impact clearly with operators, and gain sufficient acceptance to run a (statistically) relevant experiment.

The goals of anti-spoofing experiments can be diverse, but in recent discussions on mailing lists and at RIPE meetings, it mostly amounts to raising BCP38 (ingress filtering) awareness, gathering aggregated statistics, and informing network operators about security risks (in their networks).

Even though as a network researcher I would be quite happy to run these experiments myself, I can understand that it would be more credible (reasonable/acceptable) that only a limited experiment is run by one group of people. The group of people and the limited experiment can be under examination of the RIPE Atlas community. This group of people can be RIPE NCC staff, a representative group from MAT WG participants, or (most probably) a mix of both. The limited experiment is a well-defined experiment in which Atlas probes use spoofed IP addresses from one or more specific prefix blocks, during a specific time period (e.g. a week), and with a specific frequency (e.g. twice a year, a month before a RIPE meeting).

And finally, we have to discuss the availability of the measurement data. Open to everyone for analysis, after some post-processing, or aggregated statistics. Personally for me, data access as open as possible.

During the MAT WG there was also an opt-in/opt-out discussion. And as was stated by Randy (different wording, but in essence; please correct me), with opt-in we only see the networks that are confident and have BCP38 in place. Opt-out would be preferred to ensure (or make it more likely) that we see a more representative part of the network (hosting an Atlas probe).

-- Benno

--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
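A collector-side classifier for the limited experiment sketched in Alexander's proposal and in Benno's message above (an added example, not code from this thread or from RIPE Atlas): each probe sends one unspoofed control packet and one packet whose source lies in the agreed test prefix, and the collector's verdict separates probes whose spoofed packet arrived, probes where only the control arrived, and NATed probes whose source address was rewritten on the way. The test prefix, probe ids, addresses, network labels and log lines are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed placeholder for the "address from RIPE NCC network" the thread
# proposes as the agreed spoofed source block (192.0.2.0/24 is a documentation
# prefix, not a value from the discussion).
TEST_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed probe inventory: hypothetical ids, public addresses and networks.
PROBES = {
    "p1": {"public_ip": "198.51.100.10", "network": "AS64496"},
    "p2": {"public_ip": "198.51.100.20", "network": "AS64496"},
    "p3": {"public_ip": "203.0.113.5",   "network": "AS64497"},
    "p4": {"public_ip": "203.0.113.9",   "network": "AS64498"},
}

# Constructed collector log: (probe_id, mode, observed_source). Every probe
# sends one "control" packet with its real source and one "spoof" packet whose
# source is set inside TEST_PREFIX; the collector only sees what arrives.
RECEIVED = [
    ("p1", "control", "198.51.100.10"),
    ("p1", "spoof",   "192.0.2.7"),      # spoofed source survived the path
    ("p2", "control", "198.51.100.20"),  # spoof packet never arrived
    ("p3", "control", "203.0.113.5"),
    ("p3", "spoof",   "203.0.113.5"),    # NAT rewrote the spoofed source
    # p4: nothing reached the collector
]

def classify(probe_id, received=RECEIVED, probes=PROBES):
    """Return one verdict for a probe from the packets the collector saw."""
    seen = {(m, ipaddress.ip_address(s)) for p, m, s in received if p == probe_id}
    control_ok = any(m == "control" for m, _ in seen)
    spoof_srcs = [src for m, src in seen if m == "spoof"]
    if not control_ok:
        return "unreachable"   # no baseline, so no conclusion about filtering
    if any(src in TEST_PREFIX for src in spoof_srcs):
        return "spoofable"     # no ingress filtering anywhere on the path
    public = ipaddress.ip_address(probes[probe_id]["public_ip"])
    if any(src == public for src in spoof_srcs):
        return "rewritten"     # NAT/CGN replaced the source: inconclusive
    return "filtered"          # control arrived, spoofed packet was dropped

def summarize(probes=PROBES):
    """Aggregate verdicts per network, the 'aggregated statistics' of the thread."""
    out = {}
    for pid, meta in probes.items():
        out.setdefault(meta["network"], Counter())[classify(pid)] += 1
    return out
```

Only "spoofable" and "filtered" are evidence about a network; "rewritten" is why the proposal excludes probes behind NAT, and "unreachable" probes must not be counted as filtered.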
Participants (6): Andrei Robachevsky, Antoin Verschuren, Benno Overeinder, Daniel Karrenberg, Matthew Luckie, Vesna Manojlovic