RIPE Atlas!A “Real Big” Measurement Network   Robert KistelekiScience Group Manager, RIPE NCCrobert@ripe.net
RIPE TTM            2
Light Map             3
Intuition: 1000 Probes                          4
Intuition: 5000 Probes                          5
Intuition: 10k Probes                         6
Intuition: 20k Probes                         7
Intuition: 50k Probes                         8
Intuition: 10k Probes & 1 AS                                9
Ambitious Community Effort Instead of building small, separate,   individual & private infrastructures,                   ...
Ambitious Community Effort•  Individual   Benefits  -  Lessexpensive than rolling your own  -  More vantage points availabl...
Intuition -> Plan•    For accurate maps we need more probes•    Deploying very many TTM boxes too expensive•    Smaller pr...
Probe Deployments                     13
Probe Capabilities•    Version 0      -  Ping to fixed targets (IPv4 & IPv6) ✔      -  Traceroute to 1st two upstream hops ...
Hosting = Credits = Measurements                                    15
Hosting = Credits = Measurements                                    16
Hosting = Credits = Measurements                                    17
Hosting = Credits = Measurements                                    18
Hosting = Credits = Measurements                                    19
Hosting = Credits = Measurements                             updated hourly on                                            ...
Hosting = Credits = Measurements•  More    probes expected in Q1 2011•  Apply   for one on atlas.ripe.net                 ...
Hosting = Credits = Measurements                                    22
Hosting = Credits = Measurements                                    23
Sponsorship = Credits = Measurements                                        24
Sponsorship = Credits = Measurements                                        25
Technicalities                  26
RIPE Atlas - Overall Architecture                                     27
RIPE Atlas - Overall Architecture•    All components in the hierarchy maintain their     connections using secure channels...
RIPE Atlas - Overall Architecture•    Registration Server:      -  The (only) trusted entry point for         Probes      ...
RIPE Atlas - Overall Architecture•    Central database:      -  Administrativestore      -  Measurement store (active stor...
RIPE Atlas - Overall Architecture•    User Interface      -  Allows              the users to actually use       the servi...
RIPE Atlas - Overall Architecture•    Brain:      -  Responsible   for higher order       functions:         -  Coordinate...
RIPE Atlas - Overall Architecture•    Controller:      -  Responsible to talk to Probes      -  Assigns Probes to requeste...
RIPE Atlas - Overall Architecture•    Probe:      -  Listens to measurement         commands from Controllers      -  Exec...
RIPE Atlas - Overall Architecture        Operated by         RIPE NCC    Likely operated      by RIPE NCC  Not operated   ...
RIPE Atlas - Probes•    Probe (v1 / generation 1):      -  Lantronix XPortPro      -  Very low power usage      -  8MB RAM...
RIPE Atlas - Security aspects•    All components in the hierarchy maintain their     connections using secure channels wit...
RIPE Atlas - Security aspects•    Probes have hardwired trust material!     (registration server addresses / keys)      - ...
RIPE Atlas - Security aspects•    Probes don’t listen to local traffic, there are no     passive measurements running      ...
RIPE Atlas - Other Bits and Pieces•    IPv6 support:      -  The   system in general supports IPv6         -  We already d...
RIPE Atlas - Other Bits and Pieces•    The Probe has no direct user interface to     configure anything on it      -  So DH...
Questions?
Spare Slides / Anticipated Questions Spare Slides                                                     43
Why Hardware and not Software Probe ?•    Comparable and Reliable Measurements      -  Known and uniform environment      ...
Is this the RIPE Botnet ?•    No•    Architecture is security conscious -> MAT WG•    Probes do not offer services, no ope...
Private Measurements ?•    We are not offering this as a service for private     and confidential measurements•    All resu...
Upcoming SlideShare
Loading in …5
×

RIPE Atlas - A Real Big Measurement Network

1,664 views
1,524 views

Published on

presentation given by Róbert Kisteleki at UKNOF 18 on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,664
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

RIPE Atlas - A Real Big Measurement Network

  1. 1. RIPE Atlas!A “Real Big” Measurement Network Robert KistelekiScience Group Manager, RIPE NCCrobert@ripe.net
  2. 2. RIPE TTM 2
  3. 3. Light Map 3
  4. 4. Intuition: 1000 Probes 4
  5. 5. Intuition: 5000 Probes 5
  6. 6. Intuition: 10k Probes 6
  7. 7. Intuition: 20k Probes 7
  8. 8. Intuition: 50k Probes 8
  9. 9. Intuition: 10k Probes & 1 AS 9
  10. 10. Ambitious Community Effort Instead of building small, separate, individual & private infrastructures, build a huge common infrastructure that serves both the private goals and the community goals. 10
  11. 11. Ambitious Community Effort•  Individual Benefits -  Lessexpensive than rolling your own -  More vantage points available -  More data available•  Community Benefits -  Unprecedented situational awareness -  Wealth of data, … 11
  12. 12. Intuition -> Plan•  For accurate maps we need more probes•  Deploying very many TTM boxes too expensive•  Smaller probes •  Easily deployable•  USB powered•  24 x 365 capable 12
  13. 13. Probe Deployments 13
  14. 14. Probe Capabilities•  Version 0 -  Ping to fixed targets (IPv4 & IPv6) ✔ -  Traceroute to 1st two upstream hops ✔•  Version 1 -  Ping& Traceroute to variable targets -  DNS queries to variable targets•  Version 2 -  Your ideas ?•  Upgrades are automatic 14
  15. 15. Hosting = Credits = Measurements 15
  16. 16. Hosting = Credits = Measurements 16
  17. 17. Hosting = Credits = Measurements 17
  18. 18. Hosting = Credits = Measurements 18
  19. 19. Hosting = Credits = Measurements 19
  20. 20. Hosting = Credits = Measurements updated hourly on 20
  21. 21. Hosting = Credits = Measurements•  More probes expected in Q1 2011•  Apply for one on atlas.ripe.net 21
  22. 22. Hosting = Credits = Measurements 22
  23. 23. Hosting = Credits = Measurements 23
  24. 24. Sponsorship = Credits = Measurements 24
  25. 25. Sponsorship = Credits = Measurements 25
  26. 26. Technicalities 26
  27. 27. RIPE Atlas - Overall Architecture 27
  28. 28. RIPE Atlas - Overall Architecture•  All components in the hierarchy maintain their connections using secure channels with mutual authentication.•  Theoretically, any component can be scaled up independently from the others•  Hierarchy allows for data aggregation•  In order to be scalable, data flow is based on “need to know” 28
  29. 29. RIPE Atlas - Overall Architecture•  Registration Server: -  The (only) trusted entry point for Probes -  Welcomes all Probes and directs! them to a suitable Controller: -  Asclose as possible to the! Probe -  Not too busy -  It has a high level overview on the current state of the system 29
  30. 30. RIPE Atlas - Overall Architecture•  Central database: -  Administrativestore -  Measurement store (active store) -  Data store -  Credit store 30
  31. 31. RIPE Atlas - Overall Architecture•  User Interface -  Allows the users to actually use the service and look at: -  Probe statuses -  Measurement results -  Community aspects 31
  32. 32. RIPE Atlas - Overall Architecture•  Brain: -  Responsible for higher order functions: -  Coordinate measurements -  Process ultimate results -  Draw conclusions, maybe even act on them -  Incorporateother sources of information, like BGP 32
  33. 33. RIPE Atlas - Overall Architecture•  Controller: -  Responsible to talk to Probes -  Assigns Probes to requested measurements based on: -  Available Probe capacity -  Probe locations -  Collects intermediate results and aggregates if needed -  Regularly reports to Brain 33
  34. 34. RIPE Atlas - Overall Architecture•  Probe: -  Listens to measurement commands from Controllers -  Executes built-in and dynamic measurements -  Reports results to Controller -  Other: -  Self-upgrades if needed -  Maintains state as much as possible 34
  35. 35. RIPE Atlas - Overall Architecture Operated by RIPE NCC Likely operated by RIPE NCC Not operated by RIPE NCC 35
  36. 36. RIPE Atlas - Probes•  Probe (v1 / generation 1): -  Lantronix XPortPro -  Very low power usage -  8MB RAM, 16MB flash -  Runs uClinux -  No FPU, no MMU -  A reboot costs <15 seconds -  An SSH connection costs ~30 seconds -  We can remotely update the firmware 36
  37. 37. RIPE Atlas - Security aspects•  All components in the hierarchy maintain their connections using secure channels with mutual authentication.•  All information exchanges happen via channels inside a single (secure) connection. 37
  38. 38. RIPE Atlas - Security aspects•  Probes have hardwired trust material! (registration server addresses / keys) -  Upon registration, the registration server informs the probe about its future controller, and vice versa•  The probes don’t have any open ports -  They only initiate connections -  This works fine with NATs too 38
  39. 39. RIPE Atlas - Security aspects•  Probes don’t listen to local traffic, there are no passive measurements running -  There’s no snooping around•  We suspect we’ll lose some probes because of “deep interest in how they really work”. That is: -  Some will be disassembled -  Some will be hacked locally, modified and used for something else -  But there is no shared key material on the Probes… 39
  40. 40. RIPE Atlas - Other Bits and Pieces•  IPv6 support: -  The system in general supports IPv6 -  We already do IPv6 measurements -  However, only RA is supported, so no DNS in v6 only mode yet :-( 40
  41. 41. RIPE Atlas - Other Bits and Pieces•  The Probe has no direct user interface to configure anything on it -  So DHCP is a must for IPv4, RA is needed for IPv6 -  Deployment in places without DHCP is not yet supported -  But we do have ideas on how to solve this 41
  42. 42. Questions?
  43. 43. Spare Slides / Anticipated Questions Spare Slides 43
  44. 44. Why Hardware and not Software Probe ?•  Comparable and Reliable Measurements -  Known and uniform environment -  Tamper resistant•  24 x 365 -  Install and Forget -  Not dependent on host system, needs little power•  Security -  Not attractive nor easy target for botnet herders -  Not introducing potential weakness in host systems 44
  45. 45. Is this the RIPE Botnet ?•  No•  Architecture is security conscious -> MAT WG•  Probes do not offer services, no open ports•  Probes are not interesting targets -  Very special environment -  Not really powerful either•  Infrastructure is designed with security in mind•  Measurements will be rate limited …. 45
  46. 46. Private Measurements ?•  We are not offering this as a service for private and confidential measurements•  All results should benefit the community, also those of individually configured measurements -  Modalitiesto be discussed -> MAT WG -  Embargo periods -  Aggregation -  Anonymisation•  If you want to keep it very secret, run your own. 46

×