System: sea3-us

Configure what sorts of Internet measurements are permitted on the CAIDA Archipelago vantage point: sea3-us

Host site's firewall:

Please configure your firewall to allow the Ark node to initiate outbound Internet communication with all packet types to all Internet IP address destinations. The Ark node implements an internal firewall based on the settings you select on this web page.

If you observe unwanted network traffic from your Ark node, please do not block it with a firewall. Instead, disconnect the network cable (leave it powered on) and contact security@caida.org for additional help.

Archipelago supports two types of firewalling scenarios: an open Internet connection with a public IP address (i.e. not 192.168.x.x) or installation behind a network address translation (NAT) firewall where it has a private IP address. In both cases, your ark node must be able to originate packets to the Internet without obstruction by the host site's firewall.

Obstructing the packets your Ark node originates without CAIDA's knowledge corrupts our data when we compile it with everyone else's Ark node. So please don't. Really. We'd prefer to have no data from your location than data altered by your use of a firewall.

Your ark node uses the settings you select on this web page to control what sort of measurements will be allowed. It rejects experiments which require permission you have not granted, and enforces these restrictions on the experiments it accepts with an internal firewall (Linux iptables). In addition, the internal firewall drops measurement software packets targeted at restricted addresses (except the default router). These are: 0.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3. IPv6 destination addresses except for 2000::/3 are also dropped.

That said, when you deploy an ark node to an enterprise network, you should avoid placing it in the network interior. Place it outside the firewall or in a DMZ instead.

Bandwidth: megabits per second, gigabytes per day.

Granting CAIDA additional bandwidth allows academics and experimenters to do more sophisticated measurements such as bandwidth measurements. We use rate shapers and schedule measurements to respect the amount of network capacity you're willing to give us.

The numbers here are the maximum bandwidth we'll use. Our typical usage is lower.

Packets allowed:

Your ark node implements an internal firewall and related controls to prevent measurement experiments from emitting unwanted packets on your network. For example, should an experiment accidentally emit packets to restricted IP addresses, those packets will be dropped. Restricted addresses are: 0.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 and IPv6 addresses except for 2000::/3.

No Restriction: Your ark node will emit any packets that a measurement experiment sends.

Some Restriction: CAIDA will apply a small set of technical restrictions to prevent an unauthorized measurement experiment from using your ark node as an Internet virus transmitter.

Custom: Fine tune the restrictions on what measurement experiments can do.

TCP:

The Transmission Control Protocol (TCP) is used to send most Internet data such as web pages, email and Netflix.

Allowed: Measurements may originate TCP packets to any IP address and TCP port.

Web: Measurements may access common Web and DNS TCP ports including but not limited to 53, 80, and 443.

Whitelisted: Measurements may originate TCP packets to any IP address using only TCP destination ports in the allowed list.

Administrative: The Ark node may contact addresses on CAIDA's administrative network using TCP. General Internet access with TCP is blocked.

Whitelisted TCP ports:

Comma separated list of TCP ports to allow. Use a hyphen to specify a range of ports. E.g.: "80, 443, 8000-8080"

UDP:

The User Datagram Protocol (UDP) is used to send critical Internet data such as name-to-IP-address lookups (DNS) and Voice over IP phone calls.

Allowed: Measurements may originate UDP packets to any IP address and UDP port.

Whitelisted: Measurements may originate UDP packets to any IP address using only UDP destination ports in the allowed list.

Administrative: The Ark node may contact addresses on CAIDA's administrative network using UDP. General Internet access with UDP is blocked.

Whitelisted UDP ports:

Comma separated list of UDP ports to allow. Use a hyphen to specify a range of ports. E.g.: "80, 443, 8000-8080"
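As an added example, not CAIDA's own code, of the two mechanisms this page describes (the restricted-destination rule with its default-router exception, and the "80, 443, 8000-8080" whitelist syntax used for TCP and UDP), here is a Python sketch that validates a port list and renders the "Whitelisted" mode as iptables rules. The chain name ARK_OUT and the way the router exemption is expressed are assumptions, not the node's actual rule set.

```python
import ipaddress
import re

# Destination ranges the page says the internal firewall drops (IPv4 list as
# given on the page; IPv6 is dropped unless it falls inside 2000::/3).
RESTRICTED_V4 = ["0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16",
                 "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
GLOBAL_V6 = "2000::/3"


def parse_port_list(text):
    """Parse the form's '80, 443, 8000-8080' syntax into sorted (lo, hi) pairs.
    Rejects empty input, ports outside 1-65535 and reversed ranges."""
    ranges = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"bad port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.add((lo, hi))
    if not ranges:
        raise ValueError("whitelist is empty")
    return sorted(ranges)


def destination_allowed(dst, default_router):
    """Apply the restricted-address rule; only the default router is exempt."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address(default_router):
        return True
    if ip.version == 4:
        return not any(ip in ipaddress.ip_network(n) for n in RESTRICTED_V4)
    return ip in ipaddress.ip_network(GLOBAL_V6)


def whitelist_rules(proto, port_text, default_router, chain="ARK_OUT"):
    """Render 'Whitelisted' mode for one protocol as iptables rules (chain name
    is hypothetical). Order matters: router exemption first, then restricted
    drops, then port accepts, then a final drop for the rest of that protocol."""
    rules = [f"iptables -A {chain} -d {default_router} -j ACCEPT"]
    rules += [f"iptables -A {chain} -d {net} -j DROP" for net in RESTRICTED_V4]
    for lo, hi in parse_port_list(port_text):
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        rules.append(f"iptables -A {chain} -p {proto} --dport {dport} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p {proto} -j DROP")
    return rules
```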

DNS:

The Domain Name System is used to translate computer names (such as www.google.com) to the servers' IP addresses. It operates on UDP and TCP port 53. The settings for DNS here will apply regardless of what you selected for TCP and UDP above.

Allowed: Measurements may originate DNS queries to any IP address on the Internet requesting DNS records for any name.

Configured: Measurements may originate DNS queries to the locally configured DNS server for any name.

Whitelist: The Ark node will fulfill DNS queries only for queries matching a CAIDA-approved pattern of safe names using the locally configured DNS server.

Unless this site is located in an area where the government is unusually sensitive to the names of web sites people ask for, we urge you to set this to Allowed.

ICMP:

The Internet Control Message Protocol (ICMP) is used to convey low-level status information between computers on the Internet.

All: Measurements may send and receive ICMP packets. This includes uncommon message types such as Timestamp and ICMP message types which have not been defined by the IETF.

Required: CAIDA performs a minimum set of required measurements from Ark nodes employing ICMP messages including echo-request, echo-reply, destination unreachable, TTL exceeded and packet too big. If you choose to operate an Ark node, these measurements cannot be disabled.

Note that except for restricted IP addresses, your ark node can send ICMP packets to and receive them from any destination on the Internet. This is the minimum requirement for operation of an Ark node and cannot be further tuned. These restricted addresses are: 0.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3. IPv6 destination addresses except for 2000::/3 are also dropped.

Other protocols:

There are dozens of additional Internet protocols besides TCP, UDP and ICMP. For example, IPSec has its own protocol directly above IP. Few user-visible services employ them and they are not generally compatible with NAT firewalls.

Unless you selected "none" for Firewall above, no measurements will be done with protocols other than ICMP, UDP and TCP regardless of what you select here.

Spoofing:

Source address spoofing means that the ark node may send packets from an IP address that you have not assigned it. That IP address belongs to someone else. This is a security problem and should not be allowed. Unfortunately, it often is allowed.

Sending packets with spoofed IP addresses is a security issue. A diligent ISP will notice the transmission of these false packets and may, as a result, conclude you have contracted an Internet virus.

Allowed: CAIDA may assess whether your Internet provider is one of the ones that incorrectly allows spoofed packets by sending packets with false source addresses to one of our collectors.

Cooperating: IP addresses belonging to organizations which have given CAIDA explicit permission to use them as spoofed source addresses. CAIDA will use only these addresses and the ones you explicitly assign to your ark node.

RFC 1918: Packets sourced from "private" IP address space including 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 and fc00::/7.

Blocked: The Ark node will only emit IP packets from the addresses you assign to it.

Measurement Policies:

CAIDA endeavors to steer unusual measurement experiments to sites willing to host them. While we will do everything practical to respect your wishes, be aware that we cannot technically enforce these policies. Instead, we demand experimenters respect them and respond to complaints should an experimenter fail to. If something absolutely must not happen from your site, please make use of the technical packet restrictions above.

Hacky: Measurement experiments which generate invalid packets for the purpose of assessing their routability on the general Internet.

Censorship studies: Measurement experiments which assess the reachability of commonly banned Internet sites.

Security studies: Measurement experiments which assess the usability of network protocols with security issues.

Innocuous: Measurements like pings and traceroutes which pose little or no risk of offending anybody.

Authorized experimenters:

CAIDA only: individuals operating under direct CAIDA supervision.

Non-profit: third parties vetted by CAIDA who design measurement experiments and write software CAIDA has not directly reviewed. This may include professors and graduate students at universities around the world.

All: third parties vetted by CAIDA who design measurement experiments CAIDA has not directly reviewed. This may include for-profit third parties who sell the information they compile from the collected data. They generally agree to share the collected raw data with CAIDA in exchange for access to the Ark infrastructure.

We strongly encourage you to at least allow academics to design and run measurement experiments on your ark node. CAIDA applies hard security limits to all such experiments, based on the permissions you've granted above.

Note that the above is predicated on the implementation of the ark framework described here, not the existing deployed ark system.