Based in Paris (France)
Articles
Likes on articles
I work at AFNIC (the registry of .fr domain names), in the R&D department, on, among other things, DNS, security, statistics.
Website: http://www.bortzmeyer.org/
In theory, all IP addresses are the same, and you can allocate them at random without a problem. 192.168.1.2 is certainly not better or worse than 192.168.1.15, right? But, in practice, certain IP addresses are regarded as "special" by some implementations and do not yield the same user experience.…
To check the connectivity of an IPv6 device with RIPE Atlas, one typically asks N probes to ping the target and deduces the reachability of the target from the percentage of failures. But RIPE Atlas probes, like many IPv6 devices, often believe they are IPv6-connected while they are not.
A DNS anycast name server has several physical instances, all behind the same IP address. Which one is used by a RIPE Atlas probe depends on the location of the probe in the BGP space. RIPE Atlas can query the physical identity of the probe and therefore help to determine which instances have the l…
Great (and a good answer to the people who would like the packets to stay inside human borders) but small typo: the IETF working group on DNS privacy is DPRIVE, not DPRIV.
“This is a very important issue that researchers should keep in mind when running RIPE Atlas measurements. They may want to select their probe origins carefully, keeping in mind that some DNS or HTTP requests would cause trouble for the probe host. While RIPE Atlas already has relevant measures to prevent eventual misuse, but some normal requests may trigger alerts in some networks that is undesired for probe hosts. On the other hand I believe people hosting probes should also be aware of such potential issues, when deploying in networks with strict policies (or have IDS monitoring their traffic) or in regions with restrictive regulations.”
@Babak HTTP requests cannot create a problem today, since they are directed only to the Anchors. Indeed, one of the reasons of this limitation is precisely the risk for the probe owner. DNS requests can be more dangerous. Today, they are less often monitored than HTTP requests in most cases, so they are often "under the radar", but this may change in the future (NSA's MoreCowBell and so on). Warning probe owners of the potential risks is certainly a good thing. We must be aware that it will mean, in the future, less probes in what are precisely the most interesting countries :-(
One can note that such an incident with censorship already happened in Denmark http://www.computerworld.dk/art/214431/koks-hos-dansk-politi-spaerrer-for-8-000-websites Unfortunately, on the Internet, the experience is useless :-(
Showing 43 comment(s)