Vesna Manojlovic

Proposing Making RIPE Atlas Data More Public

Vesna Manojlovic
7

RIPE Atlas is now three years old, and is moving from a prototype to production service. Based on our experience so far, observing typical usage and listening to user feedback, we suggest opening up the publication of measurement data further. In this article we aim to clarify the current situation regarding privacy, and ask for community input about our suggested plan to move forward.


One of the main purposes of RIPE Atlas is to share information about Internet performance, which we collect via the active measurements performed by the thousands of probes in the RIPE Atlas network. 

The RIPE NCC collects this information and develops interesting results and analyses based on the aggregated data, such as latency maps . The more measurement data that's collected, the better the results, such as greater resolution of the maps. 

Users can contribute by running their own user-defined measurements and sharing this data by marking the results "public". Users also have the option of making their measurement data less publicly available. Currently:

  • ~3,447 out of 4,540 probes are marked "public" (76%)
  • ~93% of all user-defined measurements are marked "public"

As RIPE Atlas becomes a full production service, we'd like to suggest making all future measurement data fully public, while keeping users' personal information private.

At the end of the article you can find a table showing an overview of the current situation and the proposed changes.

The second goal of this article is to explain exactly what is and isn't public in the current system.

Current practice

At the beginning of the RIPE Atlas project, we thought it would be a good idea to make it possible for users to choose whether to mark their probe and measurements as "public" or not. This was done in case, for some reason, certain users did not want to openly share their measurement results with others.  

We want to explain in detail the consequences of marking measurements and probes "public" or not, in order to prevent unrealistic expectations. 

Measurements not marked "public"

By default, a user-defined measurement (UDM) is marked "public", although the user can explicitly uncheck this field. When a UDM is not marked "public", it is not included in the lists of all public measurements for all other users to see.

However, since each UDM is performed from multiple probes hosted by different users, hosts of those probes involved in the measurement will be able to see this specific UDM in their "Assigned UDMs" list when logged in to RIPE Atlas. The name of the person who started the measurement will not be shown, but the  IP address of the destination, or the hostname if that was used as a target, will be visible. It is also possible for the host of the probe being used for the measurement to download the UDM results. 

For example, if you have used my RIPE Atlas probe for your measurement that is not marked "public", this is what I will be able to see (under My Atlas) when logged in: 

Assigned UDMs "Assigned UDMs" as seen by the owner of the probe being used for that UDM

Probes not marked "public"

It is possible to choose not to list your probe as "public", in which case it will not appear in the list visible to all RIPE Atlas users.  

Probes not marked "public" are still used for the built-in measurements that the RIPE NCC runs, and results are used to create maps and in an aggregated form for other analyses. Information about these probes on the map will not show their IP addresses. However, the IP address of the probe cannot be hidden in the aggregated data. For example, in the analysis of the Hurricane Sandy impact , aggregated data from built-in measurements was used, including non-"public" probes. As seen in the figure below, in the interactive map for visualising effects of Hurricane Sandy, the traceroutes do reveal the IP addresses of probes, even if those probes were not marked "public".  

Screenshot Traceroute data Traceroute results used in analysis of effects of Hurricane Sandy 

Probes not marked "public" can also be used by other RIPE Atlas users to perform their own UDMs. Those users will see the IP addresses of these probes used in their UDMs as a "source IP". In case of traceroute measurements, internal hop IP addresses are also displayed. 

"Public" probes

When a probe is marked "public", it is listed in the display of all the public probes (available under My Atlas > Probes). Logged-in users can see the built-in measurements the probe is involved in, as well as result logs, probe IDs, uptime information, assigned user-defined measurements, and the probe's last 25 connections to the RIPE Atlas infrastructure. 

Personal information

Even if the probe is marked "public", the personal details of the probe host are never revealed . RIPE Atlas users cannot see configuration settings, MAC addresses, DNS entries or email addresses for any probe in the RIPE Atlas network. 

Public probe View of a RIPE Atlas probe marked "public" 

Reasons to have open measurement data

We believe there are several compelling philosophical reasons to move towards a system in which all probes and measurements are "public": 

  • Sharing information about Internet performance is at the heart of collaborative efforts such as RIPE Atlas
  • Public measurement data adds the greatest value to everyone taking part in RIPE Atlas: other users, network operators, researchers and the wider Internet community 
  • Having open measurement data, in addition to the already open measurement source code, would strengthen the growing "open" movement , which we believe is worth supporting
open data
There are also practical, operational reasons for making all RIPE Atlas measurements public: 
  • To help limit the load on individual probes, users need to be able to see all the measurements running to the target of their choice 
  • Collecting non-"public" measurement data mixed with "public" data results in additional operational overhead 
  • The details of what is considered "public" and non-"public" are complex, and removing the distinction would help clarify the documentation and communication that we provide for our users
  • Allowing for non-"public" measurement data is extremely operationally expensive
  • The more public measurement data that is collected, the more useful the results and services we can provide to the whole Internet community

Users' personal data and privacy

Although we believe that having public measurement data contributes the most to the goal of RIPE Atlas, the RIPE NCC greatly values our users' privacy. Therefore: 

  • The name, personal details (home address) and contact details (email address) of probe hosts are not shared with other users, third parties or the general public
  • The names and contact details of the users involved in a particular measurement are not publicly available 
  • RIPE Atlas does not use the email addresses specified as the username for the RIPE NCC account for regular communication with probe hosts (except for operational reasons); instead, we have an opt-in mailing list for probe hosts, and there is an option to specify a separate email address for system notifications
We plan to keep all these measures in place in order to continue protecting our users' privacy, and if you have other suggestions about how we can improve on these measures, please let us know.
 
However, for the technical reasons mentioned above, it is important for RIPE Atlas probe hosts to realise that the IP addresses and hostnames of the source and destination of every measurement can be seen by a subset of other probe hosts.
 
Also, we may include your name and country location on the "Community" pages to promote the most active users and new probe hosts.

Suggested changes

As RIPE Atlas becomes a full production service, we would like to move towards making the probes and measurement data as open as possible. In order to reach that goal, we suggest the following steps:

  1. From a future date onwards, make all new probes "public", and make  new measurements "public" both for new and existing RIPE Atlas users (i.e. no longer offer the option to not mark new probes and new measurements as "public")
  2. The proposed date to implement these changes is mid-April 2014 
  3. We are looking for your comments and feedback by 1 February 2014 
This means that all probes and measurements that were not marked "public" by April 2014 would remain non-"public" (with all the caveats stated above), but all new probes and measurements will be public by default.

 
The table below provides an overview of the current situation and the proposed changes.

Always private Private (now) Public (now) Public (future)
Probe

marked public
Email address


MAC address


DNS entry


Config details
IP address


List of built-in measurements


List of UDMs


IP address (on the map)
All

new

probes included in "Public Probes" list


Source IP in other people's UDMs


Internal hop IPs in traceroutes
Probe

NOT

marked public
Same as above IP address

(on the map)



Not included in "Public Probes" list
Source IP in other people's UDMs


Internal hop IPs in traceroutes
Same as before (only for


old


probes)
Measurement marked public Username of the owner Results


Source & destination
All

new

measurements included in "Public Measurements" list


Results,

source & destination IP/hostname
Measurement

NOT

marked public
Username of the owner Not included in "Public Measurements" list Listed as "Assigned UDM" on probes involved: source IP and target hostname visible Same as before (only for


old


measurements)

Your feedback

We are looking for the opinions of RIPE Atlas users and the RIPE community, and will not make any changes to the current situation until we get your feedback and decide together the best way forward. Please let us know whether you agree with our plan or whether you have other suggestions.

Please send us your feedback by 1 February 2014.
 
Please let us know what you think on the MAT Working Group Mailing List.
 
For private feedback, please contact Vesna  Manojlovic, Senior Community Builder, at .
 
7

You may also like

View more

About the author

Vesna Manojlovic is Community Builder at RIPE NCC. Vesna joined the RIPE NCC as a Trainer in 1999. In 2003, she took responsibility for developing and delivering advanced courses, such as RPSL, Routing Registry, DNSSEC and IPv6. In 2008, she lead efforts to establish IPv6 RIPEness as a measure of IPv6 deployment among LIRs. In 2011, she joined the Science Division as Manager of the Measurements Community Building team; in 2015 she moved to Communications Department as Senior Community Builder, with a focus on organising hackathons. Vesna gives presentations at many technical conferences and workshops, and enjoys visiting hackerspaces. Vesna received a Batchelor of Sciences Degree in Computer Science and Informatics from the School of Electrical Engineering, University of Belgrade. She has three children.

Comments 7