IRTF Open Meeting @ IETF-84 Vancouver, Canada
TUESDAY, July 31, 2012 1300-1500 Afternoon Session I
Room Regency C

State of the IRTF
Lars Eggert 15+15 min

IRTF IPR policy. IRTF follows IETF policy, but more descriptive.
Join irtf-open or irtf-discuss mailing lists.

RG Status: CFRG, DTNRG, ICCRG all active.
ICNRG formed, meeting first time, very busy agenda.
Most not very active:
* ASRG discussing with MAAWG, do more academic work; close if energy doesn't increase.
* NCRG network complexity. List very dead. Chair here. Planning Atlanta, and trying to engage list.
* NMRG network management. Silent of late, busy in spring, had interim in Paris.
* P2PRG p2p, closing down. Two drafts remaining.
* RRG, routing. Chair repeatedly sent topics query to list. Then asked about going dormant or closing. At the moment, that's the plan. In a year, may ask if things have changed in routing research topics.
* SAMRG, similar to P2PRG. Remaining documents not quite ready for IRSG, but then close.
HIPRG and MOBOPTS closed since last meeting.

RFC stream is not too busy. See slides.

Two more meetings of interest to researchers this week:
Software defined networking research group proposal. Happening tomorrow, not a research group yet. But following the new approach to start research groups, talked about it last time. Say "do something on foo", if you can explain it coherently; I will give you rooms for a year, put on agenda, act like a research group. Create presentations, discussions... After a year, will come together and see if group trajectory is good. Try with SDNRG. ICNRG, latter phases worked well.
Second one is energy efficiency. Bar BOF Wed night. Not so concrete. Let's see if anything is here.

ANRP: One prize winner here now, two other ANRP prize winners identified, talks in Atlanta. New cycle. Selecting once a year, rather than for every IETF meeting. Will try to do a talk every meeting. 20 nominations for 2012. All good quality, picked three winners.
Asked prize winners which one, Alberto said he could come.
Call for 2013 starting this fall. Aug/Sep, open for 2 months. If you have read papers that are good work, nominate the author. Nominations can't just be done by selection committee. Select Dec/Jan. Pressed for time, spring IETF is early. Run next one fall 2014.
See plaque for Alberto. Appeared in IMC last November.

Applied Networking Research Prize (ANRP) Award Talk 20+10 min
*** Alberto Dainotti ***
for his research into Internet communication disruptions due to filtering:
Alberto Dainotti, Claudio Squarcella, Emile Aben, K.C. Claffy, Marco Chiesa, Michele Russo and Antonio Pescape. Analysis of Country-wide Internet Outages Caused by Censorship. Proc. ACM SIGCOMM/SIGMETRICS Internet Measurement Conference (IMC), November 2011, Berlin, Germany.

In the first months of 2011, Internet communications were disrupted in several North African countries in response to civilian protests and threats of civil war. In this work we analyze episodes of these disruptions in two countries: Egypt and Libya. Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP control plane data; unsolicited data plane traffic to unassigned address space; active macroscopic traceroute measurements. Using both control plane and data plane data sets in combination allowed us to narrow down which forms of Internet access disruption were implemented in a given region over time.

Please ask questions during talk. Not too pressed for time, so discuss away.

Context
Analysis of macroscopic internet events. Measurements from different sources:
- Active probing
- BGP
- Internet background radiation... from malware/misconfiguration, or "Internet background rubbish"
Collect through darknets / network telescopes.
IBR used for malware understanding. (see timeline)
This time, internet outages/blackouts.

-- The events
During so-called Arab Spring, protests and reactions from government.
Disconnections of networks at different levels.
Egypt: 25-Jan-2011 protests start; 27-Jan 22:34 UTC disconnect from Internet for about 5.5 days. Reports: BGP withdrawals.
Libya: 17-Feb protests start; 18-19-Feb, "internet curfew"; 3-Mar, lasts for 7 days.
Countries are next to each other, but very different in Internet penetration.
E: 51 AS, 3165 IPv4 / 6 IPv6 prefixes. Filtering by BGP only.
L: 3 AS, 13 IPv4 / 0 IPv6 prefixes. Dominated by state telecom. Filtering by BGP, packet filtering, satellite jamming.

-- What did this study do?
BGP updates from RIPE NCC RIS and RouteViews merged into single DB.
Used active probing of traceroutes, Archipelago (ARK) infrastructure. Also can understand topological changes.
IBR: from UCSD Network Telescope. /8 darknet. Huge amount of IBR. [(IPv6?)]

-- Data select
Look at official delegations; commercial geolocation database at country level, accuracy of geolocation is high. Useful because learn more about satellite operators... Unofficial IP addresses used by satellite operators.
Gather prefixes to be monitored from BGP announcements. Look for exact match or longer prefixes. Otherwise, look at longest prefix that covers.

-- BGP reachability
lhs, start of blackout, see prefixes go down; rhs, restart.
IPv6 routes stayed up :)
Used visualization tools to identify period, consider a larger time frame than reported. Good granularity.
Construct the routing history of all peers of collector. 30 or so from all over world. When withdrawn from all for time period, look at first withdrawal [to last add?]
2900 or so prefixes. Some withdrawn early, but most happen in 20 min to 200. Similar in reverse, in 20-30 min get most prefixes back, then long tail.

-- Broke down updates by AS
Graphs for 6 top AS. Anonymize names of AS although distinguish
- state telecom from others
- satellite ops
Strong synchronization.

-- Correlate with IBR
Graph on left, ones that geolocate to Egypt. Very large drop (pps from 100 to <20).
Traffic returns to original rate when reconnected. But still some background traffic, not negligible.
Graph on right, Libya. Smaller penetration, rate is low (8 pps top). Number affected smaller, but still can see same trend.
a, b, c: 3 outages. 2 curfews, 4 days. After 4-day restoration, was war, so doesn't return precisely.
But: large spikes. Last for several hours. Two denial of service attacks. Backscatter. Randomly spoofed denial-of-service attack, so get TCP SYN-ACK replies.

-- Classified telescope traffic
- "conficker-like"
- backscatter
- other
Most of it is the conficker-like traffic... and what is shown when Egypt is disconnected.
Spikes in backscatter are small DoS attacks to government computers.
Note: some prefixes not withdrawn. One of the operators that was kept alive for beginning of outage:
- Egyptian stock exchange
- National Bank of Egypt
Eventually withdrew those too.
Some networks still had outbound connectivity. Could send packets out using default routes... Did not receive replies because of BGP withdrawals. Conficker-like packets are just spewed out randomly.
"Other" is nearly 0 during blackout and once reconnected, is larger than before. Looked harder, large portion is botnet scan that started a day before Egypt reappeared. Large number of hosts in Egypt. Conficker random. Botnet needed command and control before spewing.
Because of spew during outage, know dataplane was not disconnected, still saw diurnal cycles.

-- Telescope vs. BGP
Looking at one AS, correlation good. "Perfect match."

-- Telescope vs. BGP
Look at two Internet curfews. Prefixes announced by ASes. State telecom advertises 12 of 13 prefixes.
Perfect match the first time. Second outage, BGP withdrawal lasted a lot less, one hour only. But still disconnected for entire night. So... there must be packet filtering. "Big firewall in Libya."
Also in 3rd, 4-day outage, there were a few /24s still sending.

-- Now add active measurements - ARK
Granularity is low. Have a few ideas how to cope...
perhaps some on-demand measurement when get indications otherwise.
Missed some Libyan. In Egypt, do see outage.
-- But, confirms packet firewalling technique in 3rd outage. And some strategic /24s still responded.

-- Satellite connectivity
Probable signal jamming. European operator. As expected, routes of operator are untouched. No control over that, but: during outage only a small amount of traffic reaches telescope. Rate to almost 0.
Hypothesis: government performing satellite signal jamming. [why not disconnect this one?]
Several sources reported satellite TV jamming, so consistent.

-- Conclusion
Part of larger project. Network disasters, tsunami, earthquake.
Use of IBR allowed us to find several things not visible through other data sources.
Back to IPv6. Was left untouched. "Nothing there, didn't care." 1/6 (/32 advertised) and some subprefix also advertised. 20 /48s.
Current work:
- Use this approach to build system to monitor in real time (or close to it)
- On-demand active measurements
- AS-level topology from two POV. Topology changes during outages. Understand from AS level how much topology and level of connectivity of second area of country make it more easy/difficult.

QUESTIONS
Tim Chown: Darknets... big enough to be useful. Said /8. Where it comes from?
Alberto: The precise assigned to some non-profit org allowing small portion is used for legit purposes. Ham radio community and large part is dark for that. Most of you can probably figure it out, but don't want to write down precise number.
Blacklisting the darknet. Malware folks would like to do in some cases, there are a couple other darknets around, blacklisted by malware writers. Conficker blacklisting some running honeynets. For now lucky, trying to prep for future, thinking that may happen that these darknets are going to be blacklisted.
And transition to IPv6, scanning activity completely change. Wouldn't make the same sense. Not just a single chunk of config space.
Thinking about collecting from operational networks. Large portion of this traffic, looking for one-way flows.
Tim Chown: Preempted second question. IETF draft, greynets. Might be interesting.
Benno Overeinder: Can you ask folks now that it's later? Or need some real world validation?
Alberto: We would love to talk more about this to other operators. The amount of data analyzed is a lot. After end of Libyan regime, found some of this equipment, so found some confirmation. Were very well equipped to control communication by disruption and satellite jamming. Some companies were European or North American.
Mat Ford: Interested in last bullet. Believe bar BOF meeting this week on technical approaches to dealing with media censorship. If you have licensed operators and government mandate to turn off, not sure diverse topology makes much difference. Is there any technical fix to censorship?
Alberto: If government wants to shut down, probably will succeed. Too difficult to answer yes or no. Analysis related to different kinds of disruption. With government censorship, hard to measure. Most effective way would not make this kind of "noise". Say Chinese, more effective, more silent. This raised attention of others and population.

[ANRP talk ends. Lars uses the time during which the next speaker sets up for another bit of IRTF news.]

Lars Eggert: One other thing ongoing. I re-read RFC2014. It predates 2026, 2019. Lot of stuff in there is simply not accurate. I submitted a bis version. -00 is same text as 2014, modulo changes caused by XML conversion and boilerplate. -01 fixes obvious things. Like the IRTF reporting in the Internet monthly reports (which don't exist anymore), RG chairs using ftp server (which doesn't exist anymore), RGs only having one or two chairs (changed to "a small number"). Don't intend to make substantive changes, more bringing it back into congruence with reality. Take a look, talk about it on irtf-discuss.
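The control-plane/data-plane comparison from the ANRP talk notes above (prefixes withdrawn from all collector peers, telescope traffic binned per prefix, and the "BGP up but traffic gone" case read as packet filtering), written out as an added example. This is not code from the minutes, from the speaker, or from the IMC paper; the collector peer names, prefixes, timestamps and telescope packets are all constructed sample data, and the "withdrawn from every peer" rule and the 20%-of-baseline silence threshold are assumptions chosen here.

```python
"""Added example (not from the minutes or the IMC paper): correlate multi-peer
BGP reachability with darknet (IBR) packet counts per time bin. A bin where BGP
still carries the prefix but unsolicited traffic has dropped to near zero is
flagged as likely packet filtering, the explanation the notes give for Libya's
second curfew. All peers, prefixes, timestamps and packets are constructed."""
import ipaddress
from collections import defaultdict

PEERS = {"rrc00", "rrc03", "route-views2"}  # constructed collector peer ids
MONITORED = ["203.0.113.0/24"]               # constructed "country" prefix
BIN = 600                                    # bin width in seconds

# Constructed BGP updates: (time, peer, prefix, "A" announce / "W" withdraw).
# All three peers withdraw between t=1200 and t=1400; routes return at t=3000.
UPDATES = [
    (1200, "rrc00", "203.0.113.0/24", "W"),
    (1300, "rrc03", "203.0.113.0/24", "W"),
    (1400, "route-views2", "203.0.113.0/24", "W"),
    (3000, "rrc03", "203.0.113.0/24", "A"),
    (3100, "rrc00", "203.0.113.0/24", "A"),
    (3200, "route-views2", "203.0.113.0/24", "A"),
]


def _synth(bin_index, n, net="203.0.113."):
    """Constructed telescope packets: n (time, source_ip) pairs inside one bin."""
    start = bin_index * BIN
    return [(start + i * (BIN // n), f"{net}{i % 250 + 1}") for i in range(n)]


# Normal background radiation before the outage, silence while withdrawn,
# recovery in bin 5, then near-silence in bins 6-7 with BGP routes still up.
PACKETS = sorted(
    _synth(0, 12) + _synth(1, 10) + _synth(2, 2) + _synth(5, 11)
    + _synth(6, 1) + _synth(8, 10)
    + _synth(3, 5, "192.0.2.")  # traffic from outside the monitored prefix
)


def outage_intervals(updates, peers):
    """Per prefix: (first_withdrawal, all_peers_withdrawn, first_readvertise).

    Every peer is assumed to hold a route at the start of the stream. A
    partial withdrawal (some peers still routing) is not an outage. The last
    element is None when the prefix is still withdrawn at end of stream.
    """
    have_route = defaultdict(lambda: set(peers))
    first_w, open_outage, result = {}, {}, defaultdict(list)
    for t, peer, prefix, kind in sorted(updates):
        routed = have_route[prefix]
        if kind == "A":
            if prefix in open_outage:  # first re-announcement ends the outage
                fw, down = open_outage.pop(prefix)
                result[prefix].append((fw, down, t))
            routed.add(peer)
            if routed == peers:  # fully visible again: forget partial withdrawals
                first_w.pop(prefix, None)
        elif kind == "W" and peer in routed:
            routed.discard(peer)
            first_w.setdefault(prefix, t)
            if not routed and prefix not in open_outage:
                open_outage[prefix] = (first_w[prefix], t)
    for prefix, (fw, down) in open_outage.items():
        result[prefix].append((fw, down, None))
    return dict(result)


def packets_per_bin(packets, prefixes, n_bins, bin_size=BIN):
    """Count packets per bin whose source address lies in a monitored prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    counts = [0] * n_bins
    for t, src in packets:
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in nets):
            counts[t // bin_size] += 1
    return counts


def classify_bins(intervals, counts, baseline_bins=2, threshold=0.2, bin_size=BIN):
    """Label bins: 'bgp_withdrawn', 'filtered?' (routes up, traffic gone) or 'up'."""
    baseline = sum(counts[:baseline_bins]) / baseline_bins
    down = [iv for ivs in intervals.values() for iv in ivs]
    labels = []
    for i, count in enumerate(counts):
        b0, b1 = i * bin_size, (i + 1) * bin_size
        withdrawn = any(
            b1 > all_down and b0 < (end if end is not None else float("inf"))
            for _first, all_down, end in down
        )
        if withdrawn:
            label = "bgp_withdrawn"
        elif count < threshold * baseline:
            label = "filtered?"
        else:
            label = "up"
        labels.append((b0, count, label))
    return labels


def analyze():
    """Run the pipeline on the constructed data; returns (intervals, labels)."""
    intervals = outage_intervals(UPDATES, PEERS)
    n_bins = PACKETS[-1][0] // BIN + 1
    counts = packets_per_bin(PACKETS, MONITORED, n_bins)
    return intervals, classify_bins(intervals, counts)


if __name__ == "__main__":
    intervals, labels = analyze()
    print("BGP outage intervals:", intervals)
    for start, count, label in labels:
        print(f"t={start:5d}s  monitored packets={count:3d}  {label}")
```

The interesting output is bins 6 and 7: every peer still carries 203.0.113.0/24, yet the unsolicited traffic from it is gone, which is exactly the signature the notes use to infer a packet filter rather than a BGP withdrawal. On real RIS/RouteViews data the same logic needs a per-peer RIB dump to seed `have_route` instead of the "everyone starts with a route" assumption, and the baseline should come from a diurnal model rather than two leading bins.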
DTNRG Status Update
Kevin Fall 20+10 min
(see slides)

Results of DTNRG meeting at Google last week. 2 to 3 chairs.
Protocols that tolerate long latencies and disruptions. History back to some NASA and spacecraft, and "interplanetary internet".
Thu, Fri, hosted by Vint Cerf. Lots of NASA participation [travel restrictions?]
Use cases and environments. Sensors and monitoring info.
Once upon a time, was DARPA disruption tolerant networking, new program information centric networking. Multicast distribution was of interest. No work until just now.
Did work on web-style interfaces that were delay tolerant; people interested in HTTP-based transactions thru intermediary nodes with persistent storage.
Main protocol is bundle protocol, RFC5050. Separate security doc.
Routing has been the recent dominant activity.
Have a URI scheme to be defined in more detail.
Network management... if used to SNMP and MIB, imagine propagation of an hour or a couple of days. So, send executables [peril!] or options on how to react to measurements.
Time has been an issue. Design so far requires some degree of synchronized time. Many do have some time available, but contingent, esp. small devices/sensors, that don't. Right now, first-create and expire timestamps. Draft now on how to keep aggregate amount of time message alive. Not so good if stored.
Work on content searching. Are extension blocks (a la IPv6). Put search strings in there. Relationship to content-centric networking.
A half-dozen different implementations exist today. Different features, performance. Trying to get together and try it out.

-- RG will operate similar to WG (at least for some subset).
Raw notes avail at website.
Certain subset of work items want to finish. Doc authors may be replaced. Will evolve RFC5050. Have some things that want to change... Dictionary. Will not try to do anything standards track.
Naming (dtn: URI) will be finished off. There is a draft on things you could do; will be finished. Could route on URIs.
"next two weeks"
Particular attention to multicast delivery. Idea of custody transfer (store and forward). When doing content distribution, and multiple depots, how describe and what does custody transfer mean. That's the multicast being worked on.
Have protocols defined for "pedestrian use of security". But how do key management? Distribution, allocation. Have some folks that want to work on it. Starting with IKE.
Received a public service announcement from Interplanetary Networking Special Interest Group; reenergizing, updating web site, looking to do lectures. IPNSIG.

-- More detail (see slides for all)
MBARI: aquatic research institute. Lots of implementation and experience.
Honeywell/India doing something similar to Zebranet/Princeton. "black bucks".
Qualcomm working on web variant.
Boeing, security.
NASA: another standards org, want to keep in sync.
MITRE has been implementing protocols...
LTS: tests around UMD, and games. Crypto work.
Deliverables. "xxxCL" - convergence layer. Map bundles onto other protocols. One for TCP. LTP (Licklider transport protocol), datagrams. ECOS - extended class of service. NASA wants more bits. MIB. Naming. Sitting for a while. Have dtn: allocated.
Way baseline routing works is on strings/URIs. Longest matching prefix: send one hop, replicate, ... Papers published... Single and multiple copy scheme. One in, erasure coded chunks out...
One idea: use DTN scheme as prefix before a whole other URI. Out of same research group, IPN, with compressed bundle header encoding want short IDs. RFC6260.

-- Sergey Brin came in to talk about reinventing Internet economic incentives to share, but everyone hostile. Felt like doing some of it.
http://www.dtnrg.org or http://down.dsg.cs.tcd.ie/dtnrg-at-google-12/

Dan Romascanu: Observation. Network management set/get for an hour. There is incipient work in ops area on constrained management. COMAN. Right now mailing list. A bunch of people side meeting in morning slot.
Scope of work: include management of constrained devices or constrained networks. This looks like possible use case for constrained networks. coman@ietf.org