System: sea3-us

Configure what sorts of Internet measurements are permitted on the CAIDA Archipelago vantage point: sea3-us

Host site's firewall:

Please configure your firewall to allow the Ark node to initiate outbound Internet communication with all packet types to all Internet IP address destinations. The Ark node implements an internal firewall based on the settings you select on this web page.

If you observe unwanted network traffic from your Ark node, please do not block it with a firewall. Instead, disconnect the network cable (leave it powered on) and contact security@caida.org for additional help.
Archipelago supports two types of firewalling scenarios: an open Internet connection with a public IP address, or installation behind a network address translation (NAT) firewall where it has a private IP address (e.g., 192.168.x.x). In both cases, your ark node must be able to originate packets to the Internet without obstruction by the host site's firewall.

Your ark node uses the settings you select on this web page to control what sort of measurements will be allowed. It will not conduct measurements which require permission that you have not granted.

Bandwidth: megabits per second, gigabytes per day.

Granting CAIDA additional bandwidth allows academics and experimenters to do more sophisticated measurements such as bandwidth measurements. We schedule measurements to respect the amount of network capacity you're willing to give us.

The numbers here are the maximum bandwidth we'll use. Our typical usage is lower.

Packets allowed:

Some Restriction (the default): Your ark node can send measurements using any protocol, and can send packets with a spoofed source IP address provided the legitimate holder of that address has consented to doing so.

No Restriction: Your ark node will emit any packets that a measurement experiment sends.

Custom: Fine tune the restrictions on what measurement experiments can do.

TCP:

The Transmission Control Protocol (TCP) is used to send most Internet data such as web pages, email and Netflix.

Allowed: Measurements may originate TCP packets to any IP address and TCP port.

Web: Measurements may access common Web and DNS TCP ports including but not limited to 53, 80, and 443.

Whitelisted: Measurements may originate TCP packets to any IP address using only TCP destination ports in the allowed list.

Administrative: The Ark node may contact addresses on CAIDA's administrative network using TCP. General Internet access with TCP is blocked.

Whitelisted TCP ports:

Comma separated list of TCP ports to allow. Use a hyphen to specify a range of ports. E.g.: "80, 443, 8000-8080"

UDP:

The User Datagram Protocol (UDP) is used to send critical Internet data such as name-to-IP-address lookups (DNS) and Voice over IP phone calls.

Allowed: Measurements may originate UDP packets to any IP address and UDP port.

Whitelisted: Measurements may originate UDP packets to any IP address using only UDP destination ports in the allowed list.

Administrative: The Ark node may contact addresses on CAIDA's administrative network using UDP. General Internet access with UDP is blocked.

Whitelisted UDP ports:

Comma separated list of UDP ports to allow. Use a hyphen to specify a range of ports. E.g.: "80, 443, 8000-8080"

DNS:

The Domain Name System is used to translate computer names (such as www.google.com) to the servers' IP addresses. It operates on UDP and TCP port 53. The DNS settings here apply regardless of what you selected for TCP and UDP above.

Allowed: Measurements may originate DNS queries to any IP address on the Internet requesting DNS records for any name.

Configured: Measurements may originate DNS queries to the locally configured DNS server for any name.

Whitelist: The Ark node will fulfill DNS queries only for queries matching a CAIDA-approved pattern of safe names using the locally configured DNS server.

Unless this site is located in an area where the government is unusually sensitive to the names of web sites people ask for, we urge you to set this to Allowed.

ICMP:

The Internet Control Message Protocol (ICMP) is used to convey low-level status information between computers on the Internet.

All: Measurements may send and receive ICMP packets. This includes uncommon message types such as Timestamp and ICMP message types which have not been defined by the IETF.

Required: CAIDA performs a minimum set of required measurements from Ark nodes employing ICMP messages including echo-request, echo-reply, destination unreachable, TTL exceeded and packet too big. If you choose to operate an Ark node, these measurements cannot be disabled.

Note that except for restricted IP addresses, your ark node can send ICMP packets to and receive them from any destination on the Internet. This is the minimum requirement for operation of an Ark node and cannot be further tuned. These restricted addresses are: 0.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3. IPv6 destination addresses except for 2000::/3 are also dropped.
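As an added illustration (not CAIDA's own code), the following shows how the node's internal firewall could evaluate the TCP/UDP whitelist strings described above together with the restricted destination list from this section. The policy dictionary layout, function names and the "allowed"/"whitelisted"/"administrative" mode labels are assumptions; the CAIDA administrative network addresses are not on this page, so "administrative" mode simply blocks general Internet access.

```python
import ipaddress
from typing import Optional

# IPv4 destinations the page lists as never reachable from the node.
RESTRICTED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Only global unicast IPv6 (2000::/3) is permitted; everything else is dropped.
GLOBAL_V6 = ipaddress.ip_network("2000::/3")


def parse_port_list(spec: str) -> set:
    """Parse the form's comma separated list with hyphen ranges,
    e.g. "80, 443, 8000-8080", into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_p = int(lo)
        hi_p = int(hi) if hi else lo_p
        if not (0 < lo_p <= hi_p <= 65535):
            raise ValueError("bad port entry: %r" % item)
        ports.update(range(lo_p, hi_p + 1))
    return ports


def destination_restricted(dst: str) -> bool:
    """True if the node must never send to this destination address."""
    addr = ipaddress.ip_address(dst)
    if addr.version == 4:
        return any(addr in net for net in RESTRICTED_V4)
    return addr not in GLOBAL_V6


def permitted(proto: str, dst: str, dport: Optional[int], policy: dict) -> bool:
    """Decide whether one measurement packet may leave the node.
    policy = {"tcp": {"mode": ..., "ports": set()}, "udp": {...}} (assumed layout)."""
    if destination_restricted(dst):
        return False
    if proto == "icmp":
        return True  # required measurements; the page says these cannot be tuned
    mode = policy[proto]["mode"]
    if mode == "allowed":
        return True
    if mode == "whitelisted":
        return dport in policy[proto]["ports"]
    return False  # "administrative": general Internet access is blocked
```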

Other protocols:

There are dozens of additional Internet protocols besides TCP, UDP and ICMP. For example, IPSec has its own protocol directly above IP. Few user-visible services employ them and they are not generally compatible with NAT firewalls.

Unless you selected "none" for Firewall above, no measurements will be done with protocols other than ICMP, UDP and TCP regardless of what you select here.

Spoofing:

Source address spoofing means that the ark node may send packets from an IP address that you have not assigned it. That IP address belongs to someone else. This is a security problem and should not be allowed. Unfortunately, it often is allowed.

Sending packets with spoofed IP addresses is a security issue. A diligent ISP will notice the transmission of these false packets and may, as a result, conclude you have contracted an Internet virus.

Allowed: CAIDA may assess whether your Internet provider is one of the ones that incorrectly allows spoofed packets by sending packets with false source addresses to one of our collectors.

Cooperating: IP addresses belonging to organizations which have given CAIDA explicit permission to use them as spoofed source addresses. CAIDA will use only these addresses and the ones you explicitly assign to your ark node.

RFC 1918: Packets sourced from "private" IP address space including 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 and fc00::/7.

Blocked: The Ark node will only emit IP packets from the addresses you assign to it.

Measurement Policies:

CAIDA endeavors to steer unusual measurement experiments to sites willing to host them. While we will do everything practical to respect your wishes, be aware that we cannot technically enforce these policies. Instead, we demand experimenters respect them and respond to complaints should an experimenter fail to. If something absolutely must not happen from your site, please make use of the technical packet restrictions above.

Hacky: Measurement experiments which generate invalid packets for the purpose of assessing their routability on the general Internet.

Censorship studies: Measurement experiments which assess the reachability of commonly banned Internet sites.

Security studies: Measurement experiments which assess the security properties of network protocols.

Innocuous: Measurements like pings and traceroutes which pose little or no risk of offending anybody.

Authorized experimenters:

Non-profit (the default): third parties vetted by CAIDA. This may include professors and graduate students at universities around the world.

CAIDA only: individuals operating under direct CAIDA supervision.

All: third parties vetted by CAIDA. This may include for-profit third parties who sell the information they compile from the collected data. They generally agree to share the collected raw data with CAIDA in exchange for access to the Ark infrastructure.

We strongly encourage you to at least allow academics to design and run measurement experiments on your ark node. CAIDA applies hard security limits to all such experiments, based on the permissions you've granted above.


Note that the above is predicated on the implementation of the Ark framework described here, not the existing deployed Ark system.