The 40th NMRG meeting is a workshop on Measurement-Based Network Management, organized by Ricardo Schmidt (University of Twente, NL) and Ramin Sadre (Université catholique de Louvain, B). Previous instances of the workshop were specifically on NetFlow/IPFIX-based techniques for network management; for 2016, the topic has been extended to all kinds of measurement-based techniques used in network management. With 52 people attending the workshop, the participation was considerably higher than in 2015.

=====

Room Tiergarten

14:00-14:05 Introduction by Ramin Sadre

=====

Pedro Isolani, now a PhD student at the University of Antwerp, presents his work on "Interactive Monitoring, Visualization, and Configuration of OpenFlow-Based SDN", done as part of his master's thesis.

Ricardo: You considered only a scenario with one controller. How would you imagine an SDN implementation using multiple controllers?

Pedro: We should implement more drivers, to be able to retrieve the same information from different controller types.

Ricardo: Did you use the traffic measurement capabilities of the OpenFlow switch?

Pedro: Only used the control traffic.

=====

Jan Pluskal from CESNET gives a presentation on the "Detection and Analysis of SIP Fraud Attack on 100Gb Ethernet with NEMEA system".

Alexander: Padding attack against your system? Is your system susceptible to it?

Jan: Depends on the monitoring mechanism of the IDS, whether it can be detected on flow level. Not tested yet, we have focused on the most common attacks.

Jeronimo (UFlorida): You used a network tap. Planned to filter/divert the traffic?

Jan: We are currently developing a solution that will be able to filter/divert the traffic containing the attack.

? (Cisco): Also able to classify any metadata related to VM/container provisioned in a virtual machine?

Jan: Can be tested in a virtual machine, for smaller networks. All tools are open source.

?: No configuration coming from the hypervisor?

Jan: No.

Ramin: You cannot detect the protocol, so you cannot have a different number of packets for different protocols, right?

Jan: We can detect the protocol by primitive means, like port number, but nothing advanced.

=====

Cristian Varas (Speedchecker Ltd.) presents their measurements on the "Connectivity in the LAC region".

? (Comcast): RIPE Atlas hardware is very consistent, you have a software stack. Have you done any studies to see how this is affecting your data?

Cristian: Not until now. We are currently extending the network. Hardware is indeed very diverse and quality depends on it.

Jeronimo (UFlorida): Have you considered testing the last-mile connectivity of the user? For example, Wi-Fi might easily add 20ms.

Cristian: Not done. Because the user's point of view is: what is between them and the server. But it is a very interesting thing to do, of course.

?: How did you deploy your software probe? Is it public?

Cristian: We have a website, speedchecker.xyz. You can download your own probe. The probe does nothing most of the time until receiving a measurement command. We offer the user measurement of their connectivity in exchange for the measurement data from the user.

Alexander: Do you provide a service similar to RIPE, i.e., getting access to all RIPE probes when running a probe, getting credits?

Cristian: Right now, we are not offering that. But we are open to researchers using our platform for free.

A: Is it possible to customize the measurements?

Cristian: Probes can do different kinds of measurements (page load, ping, ...), offering an API.

Umberto: Comments: (1) nic.br is in a similar project to perform measurements. Would be nice to also get their data. (2) Some operators in Latin America have direct connections from Brazil to Colombia, from Sao Paulo to San Diego passing through Argentina. Maybe they are not included in your study.

Giovane (SIDN): You did measurements using ICMP. There are a lot of criticisms against using ICMP because it is shaped.
Have you considered using other protocols?

Cristian: ICMP was used in a cooperation with Lacnic. We are normally using time to first byte.

Bert (Huawei), Ricardo: Feel free to contact RIPE NCC to get more probes for Latin America.

Ricardo: Is your measurement running continuously?

Cristian: Not continuously, single tests that you can repeat.

=====

Giovane C.M. Moura (SIDN) presents "ENTRADA: Enabling DNS Big Data Applications".

Ricardo: All open source?

Giovane: Yes.

Ricardo: How much data can you provide for open access?

Giovane: We provide aggregated data on our stats web page. Data for researchers is provided case by case.

Ricardo: Ratio between number of registered domains and malicious domains?

Giovane: 10-15 suspicious domains per day. But depends on definition of "malicious".

Ricardo: Relationship between number of malicious domains and certain events?

Giovane: We have seen some politically motivated web sites after terrorist attacks, becoming popular on the first day because of such events. We are working on extending this project to incorporate registration data to account for such behavior and focus on those which actually try to be malicious.

=====

15:25-15:30 Closing by Ricardo Schmidt, Ramin Sadre and Laurent Ciavaglia