From YouTube: MAPRG Interim Meeting 2020-08-05
A: Welcome, everyone. For me it's eight in the morning; I know for a number of people it's Central European Summer Time, so you're in the middle of the afternoon, and I'm sure we have some people in the evening.
A: Welcome to the joint Measurement and Analysis for Protocols Research Group and Measurement, Analysis and Tools Working Group meeting. I'm Dave Plonka; I chair, with Mirja Kühlewind, the MAPRG in the IRTF, and our co-chair for this meeting is Nina Bargisen. She can introduce herself in a minute, when we switch to her portion of the content, but she co-chairs, with our colleague Brian Trammell, the Measurement, Analysis and Tools Working Group for RIPE, the regional Internet registry community.
A: This is our recording notice. The meeting is being recorded now, and all the presentations will be available on the IETF YouTube channel. As usual for MAPRG, after the meeting I'll post individual links to each of the talks on the MAPRG wiki, which is available through the MAPRG page linked here.
A: Someone has their audio on; if you could please mute it, that would be helpful. For today: the charters for these respective groups are at these URLs. This is the first time we've tried this experiment of a combined MAPRG meeting with the RIPE MAT WG, and the idea was that if we did it outside the IETF meeting schedule, then maybe more people could join between the two, when both of our groups have been having a bit of trouble scheduling in the pandemic era. Both groups have mailing lists, mentioned here, that you can subscribe to, and where, for instance, you would have heard about this meeting being scheduled. Today's slides can be found at that URL there, and, as you all already know, the WebEx link is available in the agenda and in the slides at that URL.
A: So, Nina, why don't I pass it to you? You can introduce yourself and tell the folks about the first part of the agenda.
B: Thank you. Do you hear me? Yes? Great, thank you. So, I am Nina Bargisen. I co-chair the RIPE working group on Measurements, Analysis and Tools, along with Brian Trammell, who is also on the call today — hello! The working group mostly focuses on measurements and on tooling.
B: A lot of the time we also focus on the RIPE Atlas system, and today we're going to talk about the mechanisms and performance evaluation of RIPE IPmap geolocation, which Massimo is going to present. Then we will have some measurements about what has happened during the pandemic that we are still living through; Vesna and Lai Yi are going to give us their observations on that. We also thought that we would have a tools update from the RIPE NCC.
B: People, please be mindful of muting your microphones — thank you. But unfortunately we had to cancel the tools update, and you will just have to show up at the next RIPE meeting to get the latest news on Atlas and the other tools from the RIPE NCC. But I'm happy to be here, and I'm really excited about this joint meeting: this is my first IETF meeting.
A: All right, well, welcome, Nina, and thank you for that overview.
A: So, following the portion that Nina will be running, with the items that she just enumerated, which were organized by MAT, we'll switch to the MAPRG meeting proper. MAPRG is in the IRTF, and so we have an intellectual property rights statement that binds you as a presenter: if you have intellectual property regarding your topic, you should disclose that. That's just the canned portion. So this will be an official MAPRG meeting as well, and this applies only to the MAPRG portion of the meeting.
A: The second part of the agenda, which Mirja was wonderfully helpful in putting together, is the following. We'll have a presentation about measuring and analyzing the RFCs themselves — the security sections, sort of a meta-analysis — by Mark McFadden; then we'll switch to Jake Holland, talking about latency and AQM observations on the internet; then Philip Roon on packet latencies in mobile networks. Mike Kosek is with us to talk about their paper from an academic conference, 'MUST, SHOULD, DON'T CARE: TCP Conformance in the Wild'. And then we'll switch, in the last portion of the session, to Stephen Strowes, talking about de-bogonising the /12 prefix that the RIPE NCC is now using, before we finish with some advertisements for various projects.
A: I'll talk a little bit about how we're going to run the meeting. To the presenters: I'll switch you, to the best of my ability, to being the host in the meeting, which will allow you to show your slides. If you have any trouble with that, no problem — let me know and I'll show them, like I'm going to do for Mark's presentation. For those participants that have questions: please use the chat icon, which usually shows as a round circle on your WebEx window, and chat to everyone. Just type '+q', and that will create a queue of people that we will invite to ask their question by unmuting themselves. If you'd rather the chairs ask it, or someone else ask on your behalf, just type the question in that chat box to everyone so that we can see it, and we'll have some time between each of the presentations to visit those questions.
A: MAPRG invites projects that are not presenting at the meeting to also give us advertising slides for their projects, and for this meeting Mirja and I created a couple, because we have not met so far this year. Because of the pandemic and the scheduling issues between IETF 107 and 108, this is our first meeting of the year; so let's bring you up to date on some of the content that we would usually have hosted in MAPRG.
A: IMC and PAM took place either side of the beginning of the pandemic and the lockdowns for most of us. So what we want to do is remind you here of a couple of papers; for instance, Giovanni offered these as potential papers to present here, but we decided not to, because they'd been presented at MAPRG meetings prior. The IMC content is up, with the links to the papers and to videos, and I'm happy to say that PAM also did a nice job of recording the videos, and also made, I think, registration free for that event when it happened. So you can check either of those URLs to see these papers and the others from those two conferences.
A: Another one of the prominent measurement conferences was TMA, which was held in June of this year. Similarly, TMA has recordings, or videos, of the papers, and those papers are up at that URL; and Gareth, one of the chairs, has created a YouTube playlist, at that URL, for the subset of papers where the presenters gave permission to share the video. So check those out.
A: Lastly, Anna Brunström has offered us this advertisement for a project by her and her co-authors, where they studied narrowband IoT — Internet of Things — devices in two major metropolitan areas and, as I understand it, their interactions, for instance, with LTE and cellular in those areas. We included them here, although they don't specifically involve an IETF protocol, because they've released a data set, so it could be the basis for other people to do research. Anna has provided a link to the paper on arXiv, presumably a preprint version of the paper, so give that a look if you're interested in that technology.
B: Yes, thank you so much, Dave. That was really interesting.
C: Perfect. So, hello, everybody. My name is Massimo Candela; I'm a senior software engineer at NTT. First of all, I would like to thank the organizers of this event, because I personally really missed the MAT working group at the last RIPE meeting, so I'm really happy that we could do it here. In the presentation today I will show you the mechanism behind this service called RIPE IPmap, and I will also show you a performance evaluation that we did together with colleagues from CAIDA.
C: This is a paper that appeared in the April 2020 issue of Computer Communication Review. Well, let's start from the beginning. The first thing is: what is RIPE IPmap? RIPE IPmap is a service that has been developed, and is offered, by the RIPE NCC. It is essentially a service where you provide an IP address, and it will try to tell you where that IP address is geolocated. Now, a bit of the history of this service.
C: The first attempt to tackle the geolocation topic was presented in 2013 by Emile, and essentially introduced the OpenIPMap platform, where you can use crowdsourced data to improve IP geolocation. In 2017, at another RIPE meeting, I instead introduced RIPE IPmap. The idea behind that is a system that has the possibility to run various geolocation approaches, and to offer this platform to people who want to provide a new geolocation system.
C: So each geolocation approach runs in an isolated fashion, in something called a geolocation engine, which you can see in this chart at the bottom. The engines produce some sort of geolocation in a unified output format; after they pass through a reducer step, the final answer is computed for the user.
C: A bit more information: I developed the Single Radius engine while I was at the RIPE NCC — I am no longer RIPE NCC staff — and we got some feedback that the system works; there is also a paper that reports a country-level accuracy of 99.9% for their use case. But we needed a formal study dedicated to it, in particular to Single Radius, and in particular to city-level geolocation; also, the mechanism behind Single Radius was not formally described anywhere.
C: So at some point CAIDA decided to study Single Radius, and the guy that you see here in the picture is Ben, who presented the first preliminary results himself.
C: The study was a black box, so at some point they decided to call me on board of the team, to essentially provide more insight into how this system works behind the scenes; that's how I'm involved in this research project. So, just to start with: what is active geolocation? Simply put, you want to geolocate an IP address, and to do that you take a host that you know the location of, and you do a ping measurement to the target.
C: In our case the hosts are, for example, RIPE Atlas probes. After you do a ping measurement, you get the latency, and you transform it into a distance with a coefficient factor, usually expressed in kilometers per millisecond — we will see this better later. What you know is that the target IP is going to be within a specific area around the source of the measurement — in this case, the circle. Single Radius, as the name says, does exactly this, with some additional steps.
C: So the first thing is, there is an initial selection of the probes.
C: This is an important step, because a lot of methodologies, a lot of models described in the literature, assume the possibility of selecting all the possible probes; but maybe they are based on platforms that have a couple of hundred probes, or, anyway, they were not developed as a production service. The main issue is that you cannot really do that on a serious production platform like RIPE Atlas.
C: You cannot select, like, ten thousand probes for geolocating one single IP, because you would essentially do a DDoS every time: you would trigger a lot of ICMP rate limiting, and you would also stress the platform itself. So there is an initial selection step, which we will see. After you have the probes, you do the ping measurements to the target. What Single Radius does is select the closest — the fastest — of these ping measurements, and the round-trip time also has to be below 10 milliseconds.
C: We will also look a bit more closely at what this threshold is. After that, you take this round-trip time and you convert it into a distance: round-trip time divided by two, multiplied by two thirds of the speed of light.
C: The round-trip time divided by two is the usual approximation that is done to calculate the one-way delay — or at least, as I said, an approximation of it — and two thirds of the speed of light is the upper bound for a signal traveling in fiber, which assumes that between the source and the target there is a straight fiber with no hops in between. So these are really big approximations.
C: The last step, which Single Radius does to try to bring a bit more accuracy to the process, is to select, inside that circle — inside that area — 100 cities, if there are at least 100, and to rank them based on distance from the source, number of facilities, and population, because the main goal of RIPE IPmap is to geolocate infrastructure. These parameters kind of give an indication of how much internet infrastructure is in such a city.
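A toy version of that ranking might look like the sketch below; the talk only names the three signals, so the weights and field names here are made up for illustration.

```python
# Toy ranking of candidate cities inside the Single Radius circle.
# Weights are invented; the talk only says the rank combines distance
# from the probe, number of facilities, and population.

def rank_cities(cities, max_candidates=100):
    """Return up to 100 candidate cities, highest score first."""
    def score(city):
        return (city["facilities"] * 2.0          # more infrastructure
                + city["population"] / 1_000_000  # bigger city
                - city["distance_km"] / 100.0)    # closer to the probe
    return sorted(cities, key=score, reverse=True)[:max_candidates]

candidates = [
    {"name": "Amsterdam", "distance_km": 40, "facilities": 50, "population": 870_000},
    {"name": "Utrecht", "distance_km": 15, "facilities": 5, "population": 360_000},
]
print([c["name"] for c in rank_cities(candidates)])  # Amsterdam first
```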
C: Essentially, the goal here is that you don't know where the target is, but you can select probes that are topologically close, hoping that they are also geographically close — at least, that's the idea. To do that, you can take the target IP, convert it to an autonomous system with an IP-to-AS lookup, and use BGP topologies to infer the topology and try to select probes nearby.
C: So one thing that Single Radius does is select BGP neighbors at distance one, and another thing it does is use PeeringDB information to detect where the autonomous system of the target is peering, so you detect the cities. This is an idea initially introduced by Vasileios, whom you probably all know. And so, at the end, what you have is a set of candidate cities and a set of probes.
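A sketch of that topology-driven selection, assuming pre-built lookup tables — the data structures here are stand-ins; the real engine combines IP-to-AS lookups, BGP adjacencies, and PeeringDB data:

```python
# Sketch of topology-driven probe selection: prefer probes in the
# target's own ASN, then in ASNs one BGP hop away, capped at 500.

def select_probes(target_ip, ip_to_asn, bgp_neighbors, probes_by_asn, limit=500):
    target_asn = ip_to_asn[target_ip]
    candidate_asns = [target_asn] + sorted(bgp_neighbors.get(target_asn, ()))
    selected = []
    for asn in candidate_asns:  # priority order: own ASN first
        for probe in probes_by_asn.get(asn, ()):
            selected.append(probe)
            if len(selected) == limit:
                return selected
    return selected
```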
C: So this was, as you saw, essentially basic active geolocation; more details are in the article, but more or less we covered everything. I'm going now to the part related to the evaluation. We evaluated the accuracy, comparing with MaxMind and NetAcuity, which are the leaders in this field.
C
We
evaluated
the
effectiveness
effectiveness
of
the
probe
selection
method
that
I
showed
before
we
evaluated
the
coverage
we
evaluated
also
the
rather
level
consistency
where,
essentially,
we
ask
a
single
radius
to
gellocate
ip
addresses
belonging
to
the
same
router
in
byte
and
checking
if
we
got
the
same
essential
location
and
overall,
the
goal
is
to
provide
suggestions
to
rapidly
see
it
to
the
entire
community.
The
one
in
bold
are
the
point
that
I'm
going
to
describe
now.
C
So
the
first
thing
is,
we
need
two
data
set.
One
is
for
the
ground.
The
ground
through
data
set,
is
essentially
a
collection
of
ip
addresses
of
known
location,
and
we
need
this
to
validate
the
accuracy
we
use
the
arc
nodes.
The
nl-nog
ring
nodes,
the
m-lab
pods
and
the
arc
proximity
data
set
in
this
table.
C
You
can
see
the
division
of
ips
by
region
and
also
coverage
in
terms
of
unique
autonomous
systems
and
after
we
filter
out
the
ips
that
they
have
wrong
metadata
or
they
were
offline,
so
not
possible
to
do
geolocation,
and
we
reported
some
cases
of
wrong
or
missed
or
corrupted
metadata
to
the
administrators
of
this
platform.
So
this
was
also
one
of
the
benefit
of
this
of
this
exercise.
C
So
in
the
end
we
had
968
ips
and
for
the
coverage
data
set,
where
we
are
not
interested
in
having
information
about
the
geolocation
itself,
but
we
need
some
responsive
ip
addresses.
We
use
the
manic
interconnection
data
set
produced
by
keda,
which
has
more
than
16
000
ip
addresses
active
and
answering
things
so
go
straight
to
the
accuracy
results.
We
you
see
this
cdf.
The
blue
line
is
single
radius.
C
The
orange
one
is
net
tag
within
the
green
is
max
mind
and
you
see
on
the
x
axis
the
error
in
the
geolocation
in
kilometers,
so
we
consider
a
distance
below
40
kilometers,
accurate
at
city
level
at
distance
above
40
kilometers,
not
any
more
accurate
at
city
level.
This
40
kilometer
is
a
trash
that
is,
has
been
used
multiple
times
in
literature
and
it's
considered
kind
of
average
metropolitan
area
size,
and
we
can
see
that
single
radius
outperforms
the
other
two
platforms
and
reaches
an
accuracy
that
is
80.3
percent.
C
But
the
comparison
is
not
yet
finished,
because
if
we
compare
the
median
75th
percentile
and
the
95th
percentile
of
the
three
platform,
we
see
that,
for
example,
for
single
radius
is
6.
26
and
344.
Kilometers
of
error,
while
for
net
equity
is
1080
and
almost
3
000
and
for
max
mine
is
17
278
and
almost
3
000,
also
so
single
radius.
Even
when
produce
a
an
answer
that
has
an
error
above
the
40
kilometers.
C
So
not
any
more
accurate
at
city
level
for
our
parameter
produces
anyway,
an
error
that
is
considerably
much
smaller,
like
300
kilometers,
compared
to
almost
three
thousand
but
the
problem.
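The two metrics quoted here — city-level accuracy at the 40 km threshold and the error percentiles — can be reproduced from a list of per-IP errors along these lines (a sketch; the error values below are made up):

```python
# City-level accuracy and error percentiles from per-IP geolocation
# errors, in kilometers. Illustrative numbers, not the paper's data.
import statistics

CITY_LEVEL_KM = 40  # average metropolitan-area size used in the literature

def accuracy_at(errors_km, threshold_km=CITY_LEVEL_KM):
    """Fraction of IPs geolocated within the city-level threshold."""
    return sum(e <= threshold_km for e in errors_km) / len(errors_km)

def error_percentiles(errors_km):
    q = statistics.quantiles(errors_km, n=100)  # 99 cut points
    return q[49], q[74], q[94]  # median, 75th, 95th percentile

errors = [3, 6, 12, 25, 38, 55, 120, 344, 900]
print(f"accuracy@40km = {accuracy_at(errors):.1%}")
print("median/75th/95th =", error_percentiles(errors))
```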
C: Okay — the ten-millisecond threshold that we mentioned before: we analyzed how results would change with it, because this threshold is used in various works, and the idea behind it is that if you have an active measurement above 10 milliseconds, the kilometers are so many that it's not even worth trying to give a guess for the geolocation.
C: Now, the main problem of active geolocation, compared to the other systems, is that there is only a finite amount of answers you can give. Active geolocation usually is not so good in terms of coverage compared to the other platforms, because the other platforms can essentially provide an answer — whatever it is — to whatever question you have; but with active geolocation only some IPs are reachable, or only some IPs are inside certain distance bounds.
C
So
we
use
the
manic
data
set
to
gellocate
and
we
find
an
answer
for
78.5
of
the
16
000
ips
that
were
there,
and
so
this
is
a
actually
a
a
good
results
in
terms
of
numbers
and
we
also
went
to
analyze
like
we
did
before
what
would
happen
if
we
would
make
it
more
accurate.
C: So, if we change that threshold: if we reduce it from 10 to 5 milliseconds, we drop the coverage to 51.1 percent; but if we go to 2 milliseconds, where we would have city-level accuracy at much higher percentiles, we have a coverage of only 24%. So you can do your math, and do your tuning, depending on whether it's convenient for you or not.
C: In my opinion, you gain maybe 15 percent of accuracy, but you lose 55 percent of coverage, so I'm not sure how much that is worth in our case. This is basically the last part that I wanted to show for today; but before I close, I want to say a few words, because I think it's always important to look beyond just the global view of the world. In our research we also drill down into various regions, and we try to split up the various results; what you see here is instead just the global view, for simplicity. Also, regarding the ground-truth data set of IPs: it is really hard to obtain such an accurate set of IPs that you can test and whose exact location you know. We had 968, which is a big amount compared to a lot of other works, but still a small amount compared to the entire address space.
C: So, I want to thank the colleagues from CAIDA, who are listed here, for the hard work and for the collaboration. This is my last slide; if you have questions, this is the moment. I also have my contact details here, so you can also contact me offline if you would like.
B: Thank you for that, Massimo. And we do have J. Ignacio in the queue with a question — so please unmute yourself and ask it.
F: Yes, hi, everybody. I would like to ask Massimo: how much time do you need to get the location? And I have a second question: how many pings do you need to send from every probe to geolocate the IP that you want to locate?
C: Yeah, perfect. So, the amount of time the system takes to geolocate is set, on average, at about three minutes. After three minutes, the API allows you to retrieve the data from Atlas and do the query.
C: If you look at the measurements themselves, it could be faster; but since RIPE Atlas has a queueing mechanism for the measurements, we don't want to retrieve data too early and give a wrong answer. So we wait the three minutes, which we calculated as basically the maximum time for a one-off measurement to be executed. So the answer is, in general, three minutes; but once an IP is calculated, of course, the answer is cached, so it will take milliseconds to just retrieve it again.
C
This
is
the
first
answer
for
the
second
question,
so
how
many
ping
measurements
that
depends
on
the
amount
of
probes
that
they
were
selected.
So
the
probe
selection
mechanism
can
basically
has
a
priority
queue
of
measurements
to
sell
probes
to
select
based
on
the
topology.
C
So
we
can
select
one,
but
it
can
select
up
to
500
and
and
after
basically,
you
have
a
usual
thing,
with
three
attempts
to
geolocate
the
the
target.
So
that
depends
on
the
probe
selected.
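For reference, a lookup against the public service can be sketched roughly as below; the endpoint path and response fields are assumptions based on the service at ipmap.ripe.net, so check the current API documentation before relying on them.

```python
# Hedged sketch of querying RIPE IPmap over HTTP; the URL path is an
# assumption, not a documented contract.
import json
import urllib.request

def locate(ip: str) -> dict:
    url = f"https://ipmap-api.ripe.net/v1/locate/{ip}/best"  # assumed path
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

# A first lookup of an unseen infrastructure IP may take ~3 minutes
# while the Atlas measurements run; repeat lookups are served from cache.
print(locate("193.0.14.129"))
```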
B: Yeah, thank you very much. The next question we have is from Daniel Karrenberg, who asked in the chat: 'Did you not mention the suggestions that you had for the RIPE NCC — and what were they?'
C: No — the suggestions were, like, the overall experiments that we had, for example on the use of different thresholds. We did a good amount of them; we also have a list, and they are more explicit in the article. We did various things, among which: the graph that you see here can be used by the user to essentially do their own tuning — the API provides the round-trip time used as the threshold, so you can use this to derive your own score. That is one of the suggestions.
C
The
other
suggestion
that
I
have
for
writing
cc
would
be
to,
at
some
point,
implement
a
mechanism
with
multilateration.
We
did
some
preliminary
tests
by
using,
for
example,
regional
coefficient
to
transform
the
distances
and
the
the
results
were
extremely
positive
in
terms
also
of
reduction
of
ambiguity
of
the
geolocation,
but
that
would
work
with
a
multilateration
approach
and
another
another
one
could
be
experimented
is
with
the
removing
the
last
mile,
the
last
mile
latency
from
the
measurement
to
improve
the
the
accuracy.
C: So this is the overall — I would say high-level — summary of it. The material is public, and I will make sure that all the detailed suggestions are delivered. By the way, this research also ended up producing some patches that we made to the IPmap source code itself, after the analysis.
B: Great, thank you. Thank you so much, Massimo; that was really interesting. If you could please stop sharing your — yes.

C: Thank you very much. I'll stop sharing.
B: And then we would like to invite Vesna to share her screen and give her presentation about observations during the pandemic.
E: Hi, everyone. My name is Vesna; I'm from the RIPE NCC, where I'm a community builder, and I am giving this presentation on behalf of my colleagues, mainly Emile Aben, who couldn't be here — these are mostly his slides. We have been active, from the beginning, in analyzing the data from the RIPE NCC measurement projects and publishing our findings on RIPE Labs. We have a collection at /covid-19, and you can find all these results that I'm going to talk about there.
E: Other operators also contributed to this, and also published some of their findings on RIPE Labs. We tried to move the physical hackathon that we wanted to have into the virtual world, and that worked more or less as well as possible; so we also published some of the results of that hackathon there, as well as some security recommendations regarding most of the contact-tracing applications and so on.
E: So the first topic is based on the so-called RIS, the Routing Information Service. If you're not familiar with that, it is a little bit like RouteViews — and I'm a bit sad to actually compare it to the other one, which is a competitor, but it's more well known, I guess, and it has a better name, I must admit.
E: There are multiple ways to access this data, and basically this is an invitation for other researchers and the network operators to use this data, because it's open and it's very well documented how you can use it. Normally, what you would use it for is to troubleshoot your network and to see how your BGP performance is actually different from what is happening in the world, and maybe also to help you combat some of the route hijacks and takeovers. All of that you can do with your own analysis, or you can see our views on stat.ripe.net.
E
So
when
we
looked
at
the
corvid
impact
on
the
global
bgp,
we
thought
well,
it's
going
to
flare
up,
because
people
can't
travel
to
their
distant
points
of
presence
to
actually
do
the
maintenance
and
there
was
the
restricted
access
to
data
centers.
So
we
thought
oh
now.
This
is
going
to
actually
explode,
but
we
were
wrong.
So
basically
internet
is
stable,
at
least
on
the
routing
level.
E
So
this
is
the
the
global
view
over
time
and
you
can
see
that
in
yeah
from
november
until
july,
so
november,
last
year,
until
july
this
year,
there
weren't
many
changes.
E
So
the
other
way
to
look
at
it
is
by
the
type
of
the
announcement
so
either
by
adding
the
prefixes
or
removing
the
prefixes
or
the
origin
changes
again.
There
were
some
flares,
but
it
was
nothing
systematic
and
actually
it
didn't
coincide
too
much
with
the
lockdowns
per
country
or
anything
because
you
could
see
that
in
december
previous
years.
Actually
there
were
similar
events,
so
our
conclusions
are
that
the
pandemic
didn't
impact
the
internet
on
the
global
routing
table
level.
E
So,
as
usual,
we
can
see
these
weekly
patterns,
and
so
apparently
all
the
operators
are
working
very
hard
to
maintain
the
internet.
Now
when
it
became
even
more
important
for
even
more
people
who
are
working
remotely
and
and
schooling
remotely.
E: We also built — how can I call it — something like a dashboard, where you can choose a country. We pre-coded some dates of the very clear lockdown times per country, and then looked at the month before and the month after the lockdown, to compare.
E
But
now
you
can
also
get
them
the
latest
data,
and
so
this
is
just
a
a
very
quick
overview
per
country.
And
again
you
can
put
your
own
country
when
analyzing
data
in
your
own
way
or
a
different
time
period
and
so
per
country.
We
also
showed
her
a
specific
provider.
What
were
the
changes
in
latency?
This
is
based
on
the
ripe
atlas
data,
so
the
pings,
the
ping
measurements,
and
so
this
is
the
the
rtt
that
you
can
see
here
and
again.
E
There
are
some
spikes
for
some
providers,
but
for
us,
looking
from
a
distance,
we
couldn't
really
see
a
very
clear
reason
why
something
would
happen,
but
the
people
from
a
specific
country
probably
can
actually
analyze
it
more
related
to
their
political
situation
or
the
lockdown
details
and
so
on,
and
so
the
other
example
is
a
little
bit
more
busy
when
you
just
look
at
it
as
a
picture
as
an
illustration,
and
so
there
are
much
clearer
differences
from
before
the
lockdown
during
and
what
is
the
situation
now
when
the
providers
have
actually
increased,
maybe
their
capacity
or
found
a
way
to
deal
with
the
increased
load.
E
So
there
are
conclusions
to
be
drawn
here,
but
we
didn't
go
into
the
very
specific
details
ourselves.
This
is
more
to
show
what
can
be
what
is
possible
and
to
give
like
a
very
quick
overview
per
country.
How
does
rypatla
see
the
networks
and
how
they
are
impacted
with
the
heightened
usage,
so
the
good
news
is
internet
is
doing
fine
and
if
you
would
like
to
explore
it
yourself
here
are
the
links
to
the
interface
and
to
the
projects
that
I
mentioned.
E
So
this
is
something
that
I
added
since
I've
sent
the
slides.
This
is
not
in
the
slides
that
I
uploaded
so
pay
very
close
attention.
E
We
also
opened
some
weeks
ago,
a
community
projects
fund
call
for
suggestions,
so
rypncc
is
decided
some
years
ago
to
start
funding
the
projects
that
are
for
the
good
of
the
internet,
so
the
main
criteria
is
that
they
are
based
on
the
open
source
and
the
open
data,
and
so
the
projects
that
contribute
to
the
resilience
or
sustainability
of
the
internet
can
receive
money,
and
we
have
already
highlighted
some
of
the
winners
from
the
previous
project
fund
on
the
ripe
labs
and
for
this
year
you
still
have
a
few
days
few
weeks
to
apply.
E
So
please
approach
your
communities
and
spread
the
news,
because
we
would
like
to
support
the
existing
projects
or
the
new
ideas
that
work
on
the
good
of
the
internet
contact
us.
If
you
have
any
questions
there
are
my
email
addresses
emails
and
a
lot
of
twitter
details
and
rap
labs.
Thank
you
very
much.
F: Yes, thank you — thanks for the presentation. I have also been doing measurements in Latin America, using RIPE Atlas probes. The problem is, we have only a few probes — around 400 — spread across Latin America; some countries have very few, and so on. But we tried to identify:
F
We
we
concentrate
in
argentina
and
from
argentina
to
concentrate
to
identify
the
the
path,
the
routes
through
the
cdns
just
to
most
use
obsidians,
which
are
the
the
the
where
dominates
the
traffic
into
internet.
F
And
after
that
we
performed
some
measurements,
basically
traceroute,
because
we
want
to
to
analyze
the
the
the
traffic
inside
different
parts
of
the
network.
We
we
just
see
the
results,
not
so
much
analyzed
for
for
the
moment,
because
we
we
need
people
to
do
that,
and
it's
a
little
bitty
moment
at
that
time,
because
the
pandemic
makes
so
complicate
everything
and
but
the
mind.
F
E: Yes, I would be interested; and if you publish something, we can republish it on RIPE Labs and promote it in our community, and then maybe you can get somebody to cooperate with you and help you out. And another comment on this: in the regions where we have fewer probes, it might be possible to install the so-called software probes. I have posted the link in the chat; that's just easier from the logistics point of view. So please consider that.
B: Thank you so much. And the next one we have is Dave.
A: Thank you. Thanks, Vesna. I noticed in a couple of your slides you had, for instance, details like '18th of March: Belgium went on lockdown'. Where did those dates come from?
E: Yes — so, this was the first attempt to work on this, and it was quite early on; we were hopeful that there would be one lockdown, one date, per country, and then later on we realized: oh, that was not so obvious.
E
Yes,
it
is
listed
in
that
article
by
roma,
where
we
have
looked
up
the
dates,
but
he
had
to
actually
hard
code,
those
dates
per
country
and
that's
a
lot
of
manual
work.
So
I
think
if
we
would
to
automate
this
to
the
next
level,
it
should
just
be
easier
than
that.
B: Great, thank you so much. Thank you, Vesna; that was really cool. Next, I'd like to invite Lai Yi — I hope that's the correct pronunciation of your name.
I: And we can see them? Yes — okay, great. So, hi, my name is Lai Yi Ohlsen. I'm the project director of Measurement Lab; thanks for having us. Similar to Vesna, I'm here to just share the fact that our data exists, and to give an overview of how it's generated, so that researchers here can take it and run with it.
I: Talking about what M-Lab is, just to speak briefly about the goals of our project: some of you may already be familiar, so apologies if so; but for those of you who haven't been introduced, our mission is to measure the internet, save the data, and make it universally accessible and useful.
I: I am preaching to the choir — there are many ways to do this, and by no means do we claim to do all of them — but we do focus on principles of openness and transparency: all of our data is open and free to access, and I'll talk more about how that works.
I: I always think it's useful, when talking about Measurement Lab as a project, to think about the problems that it was trying to solve. The project was started in 2008, so it's been around for 12 years, and it was responding to a widely reported problem: not having access to commercially maintained servers that were widely deployed enough, and with ample connectivity, to support the kind of experiments that internet researchers wanted to perform.
I: So these are the two kinds of problems that the project set out to solve. If you fast forward 12 years, we have a platform, which I'll talk more about; a pipeline that archives all of the data that the experiments generate; and then the data itself, which we make publicly available. We also maintain a suite of tools that are focused on community-based data collection, and, of course, we also try to foster our community, much like RIPE, to get researchers involved in using our data.
I: Our team is based at Code for Science and Society, which is an open-data and open-science fiscal sponsor. We also have Google as a core contributor, and one of the things they do to contribute is donate the time of a team of software engineers; so our team is made up of two organizations of core contributors. So, getting into the nitty-gritty of how the platform works, just to give you a sense:
I: currently we host about 500 or so servers, in 60-plus metro areas, in off-net service providers — and 'off-net' we define as tier-1 data centers that are serving more content than people, so essentially outside of access networks.
I: On these servers we host measurement services — basically the server-side code — and clients are then developed to run tests against them. We see this as measuring the 'inter' part of the internet: going past the eyeball network, so to speak, and having the clients test against servers that are within the backbone. Anyone can develop clients: the server-side experiments are mostly written by academic researchers and approved by our experiment review committee, but anyone can write the client-side code.
I
One
example
is
the
uni
application,
runs
an
entity
test
and
we'll
talk
more
about
ndt,
the
google
search
client
as
well
as
one
of
the
integrators.
So
if
you,
google,
how
fast
is
my
internet?
We
are
what
pops
up
we're
in
the
ndt
test
that
is
hosted
on
mlab
is
what
pops
up
by
nature
of
ndt
being
on
the
project
the
longest.
I
We
have
the
most
data
for
that
test
or
for
that
measurement
service,
and
so
often,
when
you
hear
about
mlab
data,
we're
actually
probably
talking
about
ndt
data,
and
so
and
for
that
reason
I'll
talk
about
that
a
little
bit
more.
These
slides
are
kind
of
my
standard
slide.
So
I
get
into
a
lot
of
nuances
here
that
actually,
maybe
folks
here
are
more
familiar
with
than
most,
but
to
break
it
down.
Just
briefly
ndt,
which
is
one
of
the
measurement
services
that
we
host
is
measuring.
I
The
single
stream
performance
of
bulk
transport
capacity.
Bulk
transport
capacity
is
trying
to
look
at
the
the
reliability
or
the
ability
to
deliver
packets
reliably
across
that
link.
Just
have
some
notes
here
about
how
often
this
term
is
conflated
with
link
capacity.
I
feel
like
this
is
the
audience
that
understands
the
difference,
but
it's
suffice
to
say
often
both
are
completed
with
speed,
and
so
it's
often
thought
of
as
a
speed
test.
I: It's also measuring the single-stream performance as a way to effectively measure the baseline of the bulk transport capacity; put these together and you get NDT. So a question that we often get from end users is: why is my speed test different from other speed tests? And this is just an overview of what NDT specifically is trying to measure — and then, in combination with our off-net platform, that's giving you a vantage point outside of the access network.
I: One thing to note is that ndt7 — which we're actually in the process of migrating the majority of our clients to — supports BBR, so it has a better ability to model the network that it's basing its congestion control on. It also runs over TLS and uses modern WebSockets. Actually, today we're releasing a blog post talking about the comparisons between ndt7 and ndt5, our previous protocol, and there are some links there too, if you're wanting to know more about either BBR or ndt7. You can also run your own NDT server.
I: These are more slides, about our other measurement services, which I encourage you to look at in the slides that I uploaded; but the main thing that I wanted to get across — the one thing that I can communicate today — is that there is a ton of this data, and it has been being collected all through the pandemic, and longer: for 12 years, to be specific. As of today, about 3 million new NDT measurements are added — produced — per day, and as of 2020 there are over 2 billion rows in our NDT table. Through the pandemic as well, more people are testing: more people are home, more people are trying to figure out what's going on with their connection, and, as you can see, testing has almost doubled in size. This is just the US, but this has been a common behavior across countries. So there is more data than ever, and I think the takeaway here is that we really invite researchers to join us in analyzing it.
I: We don't have a research team, so we would love to work with you, to support your research and your use of this data. Just going through some of the other slides — these are just getting at the fact that it's all open and free — I'll actually go on to the slides about accessing the data. The most common way is through our visualization site.
I: I'm not going to exit out of the presentation, but if you go to that site right now, there are Data Studio dashboards that make it really easy to just piece through what country you're interested in, as well as what city and ASN, and to look at the data through the pandemic, week by week. But the next most popular way of accessing the data — and probably, for most folks here, who are interested in looking at lower-level
I: metrics — is to use BigQuery. That's just a sign-up on our 'discuss' mailing list, and you get a login; it's free to run queries as well. So, if there are any questions on how to access that, we're always here, at support@measurementlab.net, to support your analysis. I think I'll just close by talking about how, even outside of the COVID-19 pandemic, we're really interested in engaging with this group specifically.
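As an example of that BigQuery route, a query along the following lines pulls NDT download results; the table and column names follow M-Lab's published 'unified views', but treat them as assumptions and check the current schema on measurementlab.net.

```python
# Sketch of querying M-Lab's public NDT data in BigQuery.
from google.cloud import bigquery  # pip install google-cloud-bigquery

QUERY = """
SELECT
  date AS day,
  COUNT(*) AS tests,
  APPROX_QUANTILES(a.MeanThroughputMbps, 100)[OFFSET(50)] AS median_mbps
FROM `measurement-lab.ndt.unified_downloads`
WHERE client.Geo.CountryCode = 'NL'
  AND date BETWEEN '2020-03-01' AND '2020-03-31'
GROUP BY day
ORDER BY day
"""

client = bigquery.Client()  # needs a Google Cloud project with BigQuery access
for row in client.query(QUERY).result():
    print(row.day, row.tests, row.median_mbps)
```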
I: This is a really great opportunity to be introduced to you all, and I would defer to your expertise in terms of how we can be useful, or how we can contribute to this working group. Some ideas: if you are part of a service provider, we'd be happy to talk to you about pod sponsorship, for extending our platform.
I: And if you have an experiment that would scale well on the M-Lab platform, and benefit from using it, as well as generating open data, that's something we're really interested in talking about, specifically with this group. And, I think, again, the invitation is to please use the M-Lab data and let us know how we can make it more useful to you. And here are some examples of the researchers that have used it so far to analyze the COVID-19 impact.
B: Great, thank you, Lai Yi. We do not have any questions in the chat. There's a discussion about the previous presentation, and I wonder if that is something that we want to talk about now, or whether we want to push that to an offline discussion at some later point.
A
You
know
we're
just
about
on
schedule
right
now.
Yes,
so
if
we
I
I
bet,
we
might
have
some
time
before
the
meeting
ends
which
I'm
happy
to
come
back
to
it.
Otherwise,
we'll
do
it
on
the
mailing
list.
B: Robert joined the meeting, and then he found out that he was set to present; so, kindly enough, he's going to give us a small update on the current state of the RIPE NCC tools. So, if you can, please, Dave, make Robert the host.
K: Yeah, I have no slides, so — okay, if you can hear me, anyway, then... (We can hear you; just go ahead. Thanks, Robert.) Excellent. So, yes, thank you very much for putting me on the spot here, but it's fine. I unfortunately will not have slides to show you what I'm talking about, but I will still try to be coherent.
K
So
this
is
the
ripencc
tools
update
and
I
usually
begin
with
ripe
atlas.
It's
still
stable
and
still
growing.
We
at
the
moment
are
floating
around
10
000
results
per
second
coming
in
to
the
system.
So
that's
a
lot
of
result.
Data
from
all
over
the
world.
We
have
about
11
000,
a
bit
more
than
11
000,
end
devices
that
we
call
probes
and
we
also
have
600
650
ripe
atlas
anchors,
which
are
somewhat
bigger
machines
that
you
can
also
target.
K
If
you
are,
if
you
want
to
measure
something
and
you're
looking
for
a
target
in
the
network
now
this
is
a
lot
of
data
that
we're
collecting.
So
one
of
the
feedback
that
we
got
recently-
or
I
should
say
continuously-
is
that
if
you
really
want
to
work
with
all
of
that
data-
that's
relatively
hard,
so
what
we're
doing
nowadays
is
putting
all
of
that
data,
or
almost
all
of
that
data
onto
google
bigquery
somewhat
similar.
K
That
measurement
lab
does,
and
we
plan
to
open
that
up
to
the
whole
world,
to
the
research
community
in
particular,
so
that
you
can
get
access
and
with
the
bigquery
interface,
you
can
really
really
dig
deep
and
very
quickly
into
details
if
you
want
to
so
that's
ongoing,
and
I
expect
that
we
can
make
some
announcements
soon,
probably
or
hopefully
before
the
next
writing.
If
not,
then
the
one
after
meaning
everyone
can
have
access
to
all
of
that
data.
K
This
is
in
addition
to
the
way
we
present
and
make
our
data
available
to
the
community.
Anyway,
on
the
labs
platform,
it's
just
making
it
easier
for
anyone
to
to
analyze
that,
as
you
may
have
heard,
from
vesna,
we
are
working
on
what
we
call
software
probes.
So
these
are
basically
software
packages
that
you
can
deploy
anywhere.
You
want
on
your
home,
router
or
or
your
web
server
or
your
any
kind
of
server
that
basically
acts
as
a
ripe
atlas
probe.
K
It
does
exactly
the
same
thing,
except
that
you
don't
need
to
deploy
the
hardware
itself,
so
in
some
situations,
especially
if
hardware
is
difficult
to
ship
to
a
target,
this
can
come
really
handy,
so
vesna
posted
the
link,
but
it's
relatively
easy
to
find.
Anyway.
K: We are working on improving the actual measurement software: there are some new measurements coming up, and we're trying to improve the existing measurements. It has been pointed out to us, for example, that the traceroute measurements could be more efficient, which is on the agenda for us now.
K
The
vm
anchors
are
still
growing.
We
are
doing
some
life
cycle
replacements,
as
you
can
imagine.
If
you
deploy
hardware
every
now,
and
then
you
have
to
refresh
that-
and
these
are
rec
mounted
pcs
so
every
now
and
then
that
needs
to
be
done
somewhat.
Interestingly,
10
years
of
ripe
atlas
is
coming
up.
It's
it's
surprising
even
to
me
that
we've
been
doing
this
for
10
years,
but
it's
almost
10
years
now
the
exact
date
is
october,
end
of
october
or
mid-november,
depending
on
which
number
you
want
to
look
at.
K: I think that, for a measurement platform, 10 years is a lot — and I'm sure Measurement Lab is also in this ballpark. Also, for this event, if you would like to appear and show us what you did with RIPE Atlas — if you have something like a testimonial that you think is worth sharing with others — then please reach out to us on the usual channels, and we'll try to include you in the information that we will put out.
K
Also,
if
you
would
like
to
sponsor
atlas,
that's
always
possible
right
that
that's
one
of
the
tools
that
has
not
been
mentioned
today.
Just
yet
so
that's
our
resource,
explanation
service!
If
you
ask
what
do
you
know
about
an
as
number
or
an
ip
prefix
or
an
address,
then
we'll
spit
back
a
whole
lot
of
information
about
geolocation,
routing,
dns
and
so
on.
This
service
receives
more
than
100
million
queries
a
day,
all
of
which
require
some
number
crunching
on
our
ends.
K
So
that's
that's
a
challenge
to
keep
up,
but
the
team
is
luckily
very
agile
on
that
also
they
are
really
trying
to
do
their
best
to
do
this.
K
The
user
interface
will
be
revamped,
probably
still
this
year,
maybe
early
next
year.
So
we
will
have
something.
That's
nicer
and
works
better
on
mobile
platforms,
which
more
and
more
and
more
people
ask.
So
if
you
want
to
know
something
about
an
ip
address
on
the
road,
you
can
do
that
very
quickly,
ipmap.
That
has
been
mentioned
both
by
massimo
and,
I
think,
also
by
vestner.
K: Indeed, we're still working on that, and, as Massimo mentioned, the system's point is to provide infrastructure geolocation information by combining multiple inputs to such a question — inputs which we call engines. The engines work independently: they make their own decisions about where they think that particular IP address is, and then the system presents a unified output of that. The engine that Massimo described is one of those, but we're still working on more of them, to make it more useful for people. RIS has been mentioned, by Vesna, as well: that's our Routing Information Service.
K
There
is
some
internal
thinking
about
you
know
what's
next
for
risk
and
we
we
really
wanted
to
cooperate
with
people
who
actually
want
to
cooperate
with
risk
as
well,
so
both
in
terms
of
peering
at
risk
providing
data
to
the
system,
but
also
running
route
collectors.
If
you're
so
inclined,
that's
one
of
the
features
that
we
would
like
to
explore
a
bit
more.
K
One
of
the
features
that
I
would
like
to
mention
here
is
which,
which
is
risk
live,
which
is
basically
the
streaming
access
to
the
risk
data
set,
which
is
real-time
access
to
the
data
that
we
have
and
massimo
in
his
other
working
time
has
been
working
on
some
alerting
tools
based
on
there
is
live
data,
so
if
you're
interested
in
real-time
routing
information
and
normally
detection
must
go
on,
then
I
encourage
you
to
check
out
this
live
and
the
bgp
alert
that
seymour
has
built,
and
in
other
news
we
have
an
arm
that
does
research
within
the
the
ripen
cc.
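To give a feel for RIS Live, a minimal consumer can be sketched as below; the endpoint and the ris_subscribe message follow the API documented at ris-live.ripe.net, while the prefix filter is just an example.

```python
# Minimal sketch of consuming the RIS Live BGP update stream.
import json
from websocket import create_connection  # pip install websocket-client

ws = create_connection("wss://ris-live.ripe.net/v1/ws/?client=maprg-demo")
ws.send(json.dumps({
    "type": "ris_subscribe",
    "data": {"prefix": "2a10::/12"},  # e.g. watch the newly allocated block
}))
for _ in range(5):  # print a few updates, then stop
    msg = json.loads(ws.recv())
    data = msg.get("data", {})
    print(data.get("timestamp"), data.get("type"), data.get("peer"))
ws.close()
```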
K: Vesna gave a couple of examples, and one more is coming up at the end of this session: that's measuring 2a10::/12 in the IPv6 space. But in general, if you want to be up to date about what kind of interesting information we found, or are looking at now, you can always just look at RIPE Labs, where we publish most or all of our research.
K
So
I'm
hoping
that
I
was
more
or
less
coherent
and
you
could
follow
and
if
you
have
any
questions,
then
by
all
means
contact
us
right
here
right
now
or
on
the
usual
channels.
Thank
you.
B: Thank you so much, Robert. That was incredible, on the spot like that.
B: Great — and this was actually the end of the RIPE MAT working group part of the program, so I'm going to hand over to Dave, who will take you through the next part of today's session. Thank you so much.
A
No,
yes,
oh
you
can't
okay,
good
thanks
for
joining
us
during
your
holiday
robert.
I
think
I
take
better
holidays
than
you.
The
the
this
is
the
intellectual
property
rights
statement
to
just
to
notify
the
following
presenters.
If
you
have
ipr
claims
regarding
your
work
to
disclose
them
in
a
timely
fashion,
what
we
so
we're
running
about
10
minutes
later
than
we
thought
we
would
but
that's
good,
because
we
thought
we
would
need
an
extra
10
minutes,
so
we
should
be
able
to
fit
this
in
time.
A
These
are
the
upcoming
presentations
that
miria
and
I
arranged
for
the
measurement
analysis
for
protocols.
Research
group
and
mark
is
up
first
and
mark
has
asked
me
to
run
the
slides
for
him.
So
I'm
going
to
stop
sharing
this
and
start
sharing
that
one.
A: Over to you — all right, take it away, Mark. ... Let me stop sharing that for a second, so I can go back and see — Mark, you show as unmuted in the participants list for me.
A
I'm
muted
now
try
one
more
time
yeah.
I
can't
hear
you
why?
Don't
you
try
disconnecting
and
reconnecting
to
the
webex
and
and
we'll
switch
to?
I
think
the
next
presentation
in
the
meantime
and
come
back
to
you.
Does
that
make
sense.
A
D
Okay,
I
will
all
right,
you
can
see
my
slides,
I
hope
and
hear
me
yep.
We
can
see
it
great
hi,
I'm
jake
holland.
D
I
work
for
akamai
I'll,
be
talking
about
some
observations
about
latency
and
aqm
that
I
started
in
about
february
I'll,
go
over
a
little
bit
of
the
background
and
goals
behind
what
I
was
aiming
for
here,
a
couple
of
somewhat
tentative
conclusions
that
I
have
from
the
observations
I've
made
and
just
give
a
little
pitch
for
you
know
I'm
mostly
looking
for
a
collaborator
here,
because
I'm
probably
not
going
to
do
a
whole
lot
more
with
this
unless
unless
there's
interest,
but
I
think
that
the
just
because
it's
not
very
actionable
for
us
from
where
we're
sitting
as
akamai,
but
but
I
think,
there's
some
worthwhile
stuff
in
this
data
that
that
could
bear
some
some
improved
analysis.
D
If
anybody
can
be
enticed
into
into
hooking
up
with
me,
I
put
a
bunch
of
stuff
in
the
backup
slides
also.
So,
if
there's
more,
you
want
to
know,
take
a
look
through.
D
Those
this
is,
we
enabled
ecn
in
february,
and
so
we
started
looking
at
what
we
can
see
now.
That
ecn
has
enabled
in
some
sense
I'm
using
observation
of
the
ce
mark
as
a
proxy
for
for
existence
of
an
aqm.
D
I
know
that's
a
lower
bound,
we,
you
know
many
aqms
do
not
do
marking,
but,
but
I
nonetheless
did
a
little
bit
of
comparing
between
aqm
and
not
within
the
same
isps,
and
there
were
a
few
questions
I
wanted
to
get
at
first,
which
were
how
much
are
we
seeing
ecn,
usage
and
utilization,
and
the
key
one
which
we
did
consider
possibly
actionable
was
whether
home
router
solutions
can
really
address
the
problem
or
not
we're
looking
for
whether
we
can
get
it
down
to
a
reliable
45
milliseconds
to
support
end-to-end
gaming,
and
for
that
reason
this
is
not
really.
D
I
was
I'll
get
into
what
I
was
looking
looking
at
there
when
I
get
to
that
bit
of
it,
but
just
put
a
pin
in
that
and
my
time
to
work
on
this
was
pretty
limited,
but
so
there
might
be
some
interesting
yet
unaddressed
questions.
D: So my first conclusion is that CE marking is not very prevalent: I'm seeing about 0.3% prevalence now. Last March — after most of the shutdowns had begun, but before I had done a lot, when we first started being able to see the data — it was closer to 0.02 percent, so I think we're probably seeing some ISP-managed adoption grow a little bit. This was partially inspired by a prior talk; there are links in the slides.
D
This
is
the
apple's
talk
from
a
few
years
ago,
but
we're
measuring
from
the
server
side
and
we're
basically
looking
only
at
the
downstream,
and
I
organized
it
by
asn
instead
of
by
country,
because
it
seemed
more
meaningful
after
kind
of
looking
at
it.
If
you
follow
the
slides
you'll
see
that
it
had
a
big
observation
in
argentina,
but
that
was
later
discovered
to
be
not
relevant.
D
So
I
was
looking
to
see
if
I
could
replicate
this
by
the
way-
and
I
couldn't
really-
and
I
think
part
of
this
is
because
we're
getting
a
different
view
on
the
on
the
marking,
because.
D
When
you're
the
client
trying
to
download
something,
then
when
you
you
get
a
better
chance
to
see
if,
if
there
was
any
congestion
ever
to
that
client,
then
then
we
do
from
the
server
side,
because
we
only
will
see
congestion
some
of
the
time,
especially
if
we
are
not
actually
inducing
congestion,
which
often
we
don't
so
here's
a
chart.
D
What
we're
looking
at
here
is
the
proportion
of
the
clients
that
ever
asked
for
ecn
that
actually
saw
ce
marks
and
sorted
by
by
asn,
and
then
this
the
size
of
the
asm
corresponds
to
the
size
of
the
data
point.
So
this
is
just
the
top
35
or
so
asn's,
and
you
can
see
that
it
drops
off
quite
quickly.
There's
a
few
asn's
that
seem
to
have
deployed
something
clearly
managed
by
the
asms
that
are
sort
of
up
in
the
or
by
the
isp.
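The per-ASN prevalence metric being plotted can be sketched as follows; the record layout is an assumption, not Akamai's actual pipeline.

```python
# Per-ASN CE-mark prevalence: among client IPs that ever negotiated ECN,
# the share that ever saw a CE mark during the day.
from collections import defaultdict

def ce_prevalence_by_asn(samples):
    """samples: iterable of (asn, client_ip, ecn_requested, saw_ce)."""
    ecn_clients = defaultdict(set)  # ASN -> client IPs that asked for ECN
    ce_clients = defaultdict(set)   # ASN -> client IPs that ever saw CE
    for asn, ip, ecn_requested, saw_ce in samples:
        if ecn_requested:
            ecn_clients[asn].add(ip)
            if saw_ce:
                ce_clients[asn].add(ip)
    return {asn: len(ce_clients[asn]) / len(ips)
            for asn, ips in ecn_clients.items()}

day = [(64496, "198.51.100.7", True, True),
       (64496, "198.51.100.9", True, False)]
print(ce_prevalence_by_asn(day))  # {64496: 0.5}
```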
D
That's
you
know
up
in
the
80
90
percentile
percent
of
clients
who
ask
for
a
seat
for
ecn,
do
sometimes
see
marks
during
a
day
and
but
it
drops
off
pretty
quickly,
there's
a
sort
of
middle
ground
here.
So
you
know
here
at
three
percent,
or
so
it's
still
quite
about
you
know
ten
times
higher
than
the
than
the
global
typical
count.
D
So
I'm
not
totally
sure
what
to
make
of
this,
but
my
guesses
are
written
here
on
the
slide.
I
think
that
you
know
for
these
larger
isps
that
are
seeing
you
know.
Seven
percent
of
paths
or
of
client
ips
do
sometimes
see.
D
Because
it's
it's
quite
a
lot
more
people
than
then
you
might
otherwise
guess
the
smaller
ones,
so
the
the
largest
dot
on
this
chart
is
103k.
Client
ips
in
the
asn
and
the
smallest
is
is
510,
so
some
of
these
tiny
ones
are
are
really
pretty
small.
There's
another
filter.
I
didn't
mention
here.
D
This
also
is
a
little
bit
covered
in
the
backup,
slides,
there's
a
I'm
filtering
for
isps
that
had
at
least
100
clients
that
ever
asked
for
ecn,
and
so
even
in
the
500
ips,
we
have
at
least
100
clients
that
that
sometimes
ask
for
ecn,
but
so
the
three
percent
that
you're
seeing
here
could
be
as
low
as
three
for
a
very
small.
You
know
three
individuals
for
a
very
small
ips,
so
I
don't
think
that's
particularly
indicative
of
anything.
D
It
also
should
be
noted
that
the
what
we
can
see
is
a
lower
bound.
So
these
are.
These
are
connections
that
are
client
ips
that
actually
on
some
of
their
connections,
did
cce
marking
and
so
there's
the
july
line
and
the
march
line.
D
You
can
see
that
between
march
and
july,
it
increased
quite
a
bit
and
that
we
get
a
lot
more
in
the
way
of
large
isps
that
have
done
something
you
know
the.
D: But if you look at the top hundred — it continues down to a smaller long tail here, but out of the top hundred of the, you know, 800 or a thousand ISPs that passed the filters, that only represents a 140th of the CE-marking paths on the internet. So I'm concluding that most CE paths on the internet are not ISP managed; most of them are probably these home-router kinds of deployments, which are widely available. But as for the ones that are ISP managed:
D
The
reason
I'm
distinguishing
between
isp,
managed
or
not
is
because
we
were
interested
in
the
question
of
whether
a
home,
router
deployment
would
be
able
to
address
the
the
latency
issue
mostly
or
whether
it
really
would
need
something
done
by
the
isp,
and
my
tentative
conclusion
here
is
that
it
probably
needs
something
done
by
the
isp.
It's
not
good
enough
to
do
it
in
home,
routers
predominantly
so.
D
What
I'm
looking
at
here
is
the
the
samples
that
I'll
be
presenting
are
all
just
the
the
sin
to
the
the
synax
to
the
ack.
So
this
is
just
a
snapshot.
D
One
per
connection,
that's
right
when
the
when
the
connection
opens
and
I'm
not
saying
anything
about
the
home,
router's
aqm
impact
on
on
self
congestion
during
an
active
tcp
flow,
I'm
looking
for
mostly
like
what
you
would
see
in
a
gaming
scenario
where
you've
got
a
lot
of
chatty
back
and
forth,
but
not
a
great
deal
of
bandwidth,
and
I
took
the
tcp
handshake
as
a
decent
proxy
for
this.
For
this
kind
of
measurement,.
D
So
and
what
I'm
seeing
is
that
ce
marking
paths
still
experience
a
pretty
high
latency
variation
according
to
the
to
the
asn
that
they're
in
that
is
different,
depending
on
which
asm,
which
asn
they're
in.
D
So
the
the
charts
I'm
showing
are
for
one
day
of
data.
I
was
doing
one
day
at
a
time
just
partly
because
the
way
it's
partitioned
for
for
my
access,
this
covers
I've
done
done
this
separately
on
a
few
different
days,
but
not
in
a
really.
You
know
consistent
and
organized
way.
So
I
just
sort
of
did
spot
checks
for
consistency
between
days
and
and
kind
of
qualitative
judgment
of
the.
D
Done
any
like
putting
the
days
together
to
make
good
sense
out
of
them,
so
I
picked
two
particular
asn's
to
to
go
over.
These
are
chosen
to
be
just
sort
of
from
the
kind
of
leading
edge
and
from
the
middle
of
the
pack
of
the
asms
I
had
available,
and
then
also
I
wanted
to
give
a
shout
out
to
the
presentation
also
a
couple
years
ago
about.
D
I
think
it
it
got
me
thinking
about
the
right
way
to
do
that.
Links
there.
That's
a
good
one,
so
what
I
filtered
for,
I
was
looking
for
the
trying
to
to
isolate
the
effect
on
the
access
network,
so
as
a
cdn
that
has
a
large
edge
deployment.
D
We
were
looking
for
like
what
is
the
impact
that
we
cannot
address
by
sort
of
mapping
better
or
or
having
more
edge
servers
out
there
like.
What
are
we
going
to
be
seeing,
even
if
we
do
the
everything
perfect
on
the
server
side
and
I'm
looking
for
the
latency
span.
D
So
I
took
only
client
ips,
where
I
had
at
least
50
samples
from
the
same
data
center
to
the
same
client
ip
in
the
same
day,
and
I
topped
it
out
at
300
samples
from
any
data
center
to
the
client
ip
and
the
reason
for
that
is
to
exclude
care
grade
gnats
and
vpns,
which
have
you
know
a
very
wide
variety
of
paths
and
again
in
the
backup,
slides,
there's
a
chart
that
shows
like
why
I
think
300
is
about
the
right
cut.
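A sketch of those filters, together with one plausible reading of the 'latency span' statistic (percentile RTT minus the per-pair minimum); the record layout and the span definition are assumptions on my part.

```python
# Handshake RTT samples grouped by (data_center, client_ip), filtered
# to >=50 samples per pair and <=300 samples per client IP, then
# summarized at the percentiles used in the talk.
from collections import Counter, defaultdict

PCTS = (50, 75, 91, 98)

def latency_spans(samples, min_per_pair=50, max_per_client=300):
    """samples: iterable of (data_center, client_ip, rtt_ms)."""
    by_pair = defaultdict(list)
    per_client = Counter()
    for dc, ip, rtt in samples:
        by_pair[(dc, ip)].append(rtt)
        per_client[ip] += 1
    spans = {}
    for (dc, ip), rtts in by_pair.items():
        # Sparse pairs are dropped; very busy client IPs are likely
        # carrier-grade NATs or VPNs and are excluded too.
        if len(rtts) < min_per_pair or per_client[ip] > max_per_client:
            continue
        rtts.sort()
        base = rtts[0]
        spans[(dc, ip)] = {p: rtts[int(len(rtts) * p / 100) - 1] - base
                           for p in PCTS}
    return spans
```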
D
One other point to make is that I talk about client IPs because that's an easier way to think about it, but each of the points in the charts is actually a data-center-to-client-IP pair.
D
So there might be multiple different data centers that talk to the same client IP, and those would show up as separate points in the chart; but the same client IP cannot appear more than six times, and probably not more than five, because it would not have passed the filters if it did. So the charts say pairs, but I'll probably be talking about client IPs instead.
D
The quote "good ISP": this is kind of what I see. There are essentially eight different CDFs here. The solid line is the 50th percentile of the client IPs' latency span observed over the day. So, however many samples they had, we've got a client IP that was in the middle here, and its 50th percentile RTT was at this value.
D
And then we have the same chart for the 75th percentile, the 91st percentile and the 98th percentile.
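Read as pseudocode, those charts can be reproduced roughly like this; a sketch assuming "latency span" means a given RTT percentile relative to that pair's minimum RTT, which is one plausible reading of the talk.

```python
import numpy as np

def latency_spans(per_pair, pctl):
    """One latency-span value per (data center, client IP) pair: the given
    RTT percentile of that pair's samples, relative to its minimum RTT."""
    return np.array([np.percentile(r, pctl) - min(r) for r in per_pair.values()])

def ecdf(values):
    """x/y arrays for an empirical CDF across all pairs."""
    x = np.sort(values)
    return x, np.arange(1, len(x) + 1) / len(x)

# One curve per percentile, as in the charts described:
# for p in (50, 75, 91, 98): plt.plot(*ecdf(latency_spans(pairs, p)))
```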
D
And at least the top outlier: these 98th-percentile values of the latency span for each client IP mean that each of those clients represents some point on this chart. Another point worth noting is that the same client might have a 98th percentile up here and a 91st percentile down here; they're not necessarily the same client.
D
All the way across, the only real restriction is that within a client it's monotonic. So, given that, the green charts are the baseline, that is, all of the data points within that ASN, and the blue ones are just the CE-marking paths: any client IP that ever saw a CE mark in the day is included in the blue chart.
D
You can see that this is about 0.2 percent or so of the IPs that passed the filter. These are all within the same ASN.
D
And one interesting thing to note is that in this case it looks like some of the CE-marking paths actually had a worse 98th percentile than the overall paths. I'm not sure if that's selection bias or an artifact from running an AQM, but this represents an ISP where we think there's not an ISP-managed marking deployment, and these are the kinds of numbers I have for this.
D
I
have
probably
what
1500
of
these
charts-
I
guess
you
know
so
I
just
picked
one
out
to
to
be
illustrative
here
per
day
that
I
run
so.
A
middle
isp
is
just
chosen
from
the
middle
of
the
pack
according
to
their
91st
and
98th
percentile,
and
this
is
about
what
we
see
there,
where
the
it's
the
same
thing,
but
the
the
pink
line
is
ce
marking
and
the
orange
line
is,
is
the
overall
latency
spans
that
we
see
and
the
the
conclusion
comes
from?
D
If
you
just
look
at
the
overall
values
of
the
good
isp
versus
the
middle
isp,
it's
pretty
clear
that
this
is,
you
know
being
in
the
good.
Isp
is
dramatically
better
than
doing
ce
marking
in
the
middle
isp.
So
this
is
pretty
typical.
It's
not
universal
and
again
I
have
a
another
chart
in
the
backup
slides
of
a
different
middle
isp,
where
it
was
a
better,
a
better
value
for
marking
ce
for
ce
marking
paths.
D
But
this
is
sort
of
the
evidence
that
I'm
using
to
conclude
that
we
cannot
solve
the
latency
problem
by
doing
home,
router
deployments.
So
for
you
know,
where
do
I
want
to
take
this
next?
I
feel
like
there's
a
lot
of
unexplored
questions
in
this
data,
but
it's
you
know.
D
So
yeah
do
that
if
you
think
it
should
be
developed
further
and
you
have
some
ideas
on
how
to
do
so.
I
just
wanted
to
get
that
out
there
and
let
people
know
kind
of
what
things
we're
seeing
and
I
will
take
questions
if
there
are
any.
A
All right, thanks Jake. Yeah, there are a few; we've got three questions for you that I'm going to ask on the questioners' behalf. Bob Briscoe first asked a question about your slide five, where you were showing CE-marking prevalence, and Bob asked:
A
Is
there
any
check
in
your
work
to
look
to
determine
if
it's
real
ecn,
marking
and
not
field
tingling?
I
did
do.
D
Some
spot
checks.
You
know,
there's
there's
a
few
points
of
evidence
that
that
I
have
I
I
don't
it's
not
great
evidence.
D
I
looked
for
any
any
ce
or
or
ecn
markings
on
paths
that
did
not
negotiate
ce
or
ecn
markings,
and
I
never
saw
any
of
those
over
this
band
that
I
looked
for
them.
Okay,
you.
D
That
there's
I'm
not
sure
that
it
never
happens.
Obviously
it
you
know
these
things
could
happen,
and
I've
mentioned
it.
Maybe
they'll
start
happening
who
knows,
but
nobody
was
doing
this
as
far
as
I
could
ever
see
during
the
time
I
was
I
was
looking
at
this.
I
don't
have
you
know
if
you're
talking
about
the
kinds
of
of
traffic
that
was
reported
previously,
where
ecn
mark
were
happening
on
every
packet
or
something?
D
No,
that
also
was
definitely
not
happening
most
of
the
time.
What
we're
seeing
is
a
small
number
of
of
blows
ever
get
ce
marked,
even
in
the
even
on
the
path
they're
doing
highly
prevalent
ce
markings,
but
we
did
not
observe
a
lot
in
the
way
of
you
know
we're
a
lot
we're
relying
on
the
on
the
client
heuristics
that
apple
talked
about
for
when
they
see
a
problem
where,
like
every
packet
is,
is
marked,
then
they
will
sort
of
cut
off
the
negotiation
of
ecn.
D
We're
we're
not
doing
that
actively
on
the
server
side,
because
we
know
it's
it's
out
there
on
the
client,
we're
not
behaving
differently
from
other
servers,
and
it's
also
like
way
harder
to
do
that
from
the
server
side.
As
far
as
I
could
tell.
A
Okay,
let's
jump
to
the
other.
The
other
two
questions,
jay
ignacio,
asked
us
simply:
are
the
ecn
observations
all
in
ipv4?
Do
they
also
include
v6?
This
includes
v6
as
well,
okay
and
then,
and
then
the
third
question
was
also
from
bob
and
he's
asking
could
increase
in
congestion.
Experience
be
due
more
to
congestion
over
an
existing
ecn
node
rather
than
an
isp
having
newly
deployed
ecn.
D
This
is
possible,
it's
a
little
hard
to
tell
from
where
I'm
standing.
You
know
there.
There
were
more
samples
on
the
on
the
day
I
chose
in
july
than
in
march.
D
Part
of
this
can
be
attributed
to
the
normal
growth
that
we
see
in
traffic
over
time,
but
you
know
in
both
cases.
The
days
I
picked
here
were
sundays.
Since
kovid
started,
you
know
it's,
it's
not
yeah.
I
I
don't
have
a
solid
yes
or
no
on
that,
but
I'm
rating
it
relatively
unlikely,
but
but
not
with
great
evidence
to
do
so.
So
I
would,
I
would
say,
if
I
had
contrary
evidence,
then
I
would
you
know
I
would
change
my
mind
on
that.
A
Okay,
okay,
thanks
jake,
so
just
to
reiterate
jake
is
saying
you
know:
if
there's
a
collaborator,
that's
interested
both
he
and
I
have
worked
on
some
of
the
stuff
in
the
past.
Maybe
it's
something
we
can
do
with
map
rg
in
the
hackathon
and
all
right.
What
I'd
like
to
do
now
is
I'm
gonna
switch
to
making
myself
the
presenter
again
and
then
we're
gonna
check
in
with
mark
mcfadden
and
see
if
we
can
hear
him,
because
we
can
just
squeeze
that.
Can
you
hear
me?
A
Yes,
we
can
very
good.
So
I'm
going
to
bring
up
mark,
slides.
A
Okay,
take
it
away
mark.
L
All
right,
thanks
dave,
this
will
be
quick.
This
is
completely
different
from
the
other
presentations
that
we've
had
today.
This
has
been
motivated
by
some
work
that
is
going
on.
L
Okay,
anyway,
there
we
go.
L
That
one
right
there
so
thanks,
so
this
has
been
motivated
by
some
work,
that's
going
on
in
the
iab,
and
it
was
a
sort
of
thought
experiment.
Originally,
a
very
old
rfc,
rfc
3552
gives
guidance
to
authors
in
terms
of
crafting
language
for
security
considerations,
but
that
is
actually
pretty
old.
L
If
you
think
about
it,
and
so
what
we
thought
was
what,
if
you
actually
examined
the
rfc
since
2003,
looked
at
the
securities
consideration
sections
and
tried
to
determine
whether
or
not
there
were
fundamental
and
crucial
changes
to
the
threat
model
for
the
internet
and
also
a
significant
changes
to
the
way
that
people
are
writing
this
security
consideration
section,
and
this
isn't
just
a
sort
of
piece
of
independent
research.
The
idea
was
really
to
inform
some
of
the
other
work.
That's
going
on
in
the
iab.
So
next
slide
dave.
L
Yeah,
so
the
iab
has
already
talked
about
potential
revision
to
3552.
The
iab
currently
has
a
piece
of
work
underway
right
now
called
cleverly
enough
model.
T
that's
talking
about
changes
to
the
threat
model
that
are
in
it.
That's
in
rfc,
3552
and
really
the
the
body
of
work
since
rfc
3552
is
actually
fairly
substantial
since
we're
we're
in
the
neighborhood
now
of
having
five
and
a
half
thousand
more
rfcs
to
look
at
so
next
slide.
L
Thanks
so
there's
two
things
going
on
here:
first
of
all,
I
published
a
draft
that
actually
talked
about
a
possible
methodology
for
doing
research
on
the
security
considerations,
text
that
are
in
rfcs,
and
it
really
proposes
a
pair
of
components.
L
One
is
a
quantitative
component
and
more
about
that
later,
the
quantitative
mode
component
is
really
a
textual
analysis
of
the
the
words
that
are
in
the
rcs
and
then
a
qualitative
analysis,
and
so
what
what
the
draft
was,
what
the
proposed
piece
of
research
does
is
propose
this
methodology,
and
what
you'll
see
in
a
moment
is
that
this
proposed
methodology,
one
part
of
it,
we've
done
an
experiment
on
so
the
next
slide.
Please
dave.
L
So
what
the
methodology
is
in
search
of
is
comments
for
improvement,
basically,
except
for
an
experiment
that
I'll
report
on
in
a
minute,
the
actual
methodology
hasn't
been
implemented.
Yet
there's
no
one
who's
actually
executed
it.
Although
there
have
been
volunteers,
who've
stepped
up
to
the
plate
and
said
they'd
be
interested
in
doing
it.
L
L
L
Perfect. So what my co-author and I worked on in the summer and fall of last year was a word-by-word textual analysis of the security considerations of all the RFCs since 2003.
L
the
thought
was
here,
the
the
hypothesis
was.
Would
you
detect
changes
in
the
words
that
are
actually
being
used
to
indicate
the
threats
and
the
threat
models?
I
mean,
how
is
it
if
you
look
over
the
period
of
17
years?
Has
that
changed
and
would
you
find
patterns
that
indicate
that
some
terms
have
become
more
important
to
protocol
designers
by
virtue
of
appearing
more
often
in
rfc
text,
and
then
one
of
the
things
that
this
last
bullet
on
this
slide?
L
My
co-author
was
exceptionally
interested
in,
was
taking
a
look
at
whether
or
not
security
in
large
scale.
Security
incidents
on
the
public
internet
had
changed
the
way
that
the
pro
that
protocol
designers
had
written
the
security
considerations
of
their
documents.
The
idea
was:
do
events
in
the
real
world
on
the
public
internet
affect
the
way
that
protocol
designers
do
their
work
and
express
that
work
through
the
security
considerations
sections
of
these
documents?
L
It
uses
a
set
of
python
scripts
to
extract
the
security
considerations
document
out
of
the
texts
of
all
of
the
rfcs
and
then
parse
each
one
of
them
and
get
word
frequency
counts
for
each
it's
a
little
more
complicated
than
that
there,
for
instance,
it
supports
stop
words,
we
omit
words
and
you'll,
see
in
a
second
that
we
conducted
a
second
ex
second
experiment
to
see
what
the
indication
of
normative
words
were
in
security
considerations.
L
So
the
parser
that
we
used
was
a
basically
an
open
source
parser
it
it
removed
all
non-textual
material
and
it
removed
what
we
call
stop
words,
words
that
are
either
words
like
a
and
those
sorts
of
things,
or
other
words
that
wouldn't
wouldn't,
in
our
judgment,
be
related
to
the
protocol
itself.
It
also
removed
some
other
materials,
for
instance
rfc
references
and
anchor
urls
and
so
forth.
L
Then
it
took
all
of
that
text
and
it
parsed
it
into
files
by
year,
so
the
rfc
was
actually
parsed
year
by
year
to
so
that
we
could
actually
have
sort
of
a
time
series
of
what
the
rfcs
looked
like
or
the
security
consideration
sections
of
the
rfcs
and
then
for
each
one
of
those
years.
It
built
a
frequency
list
of
all
the
words
that
weren't
in
the
designated
list
of
stop
words.
So
next
slide.
L
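The actual scripts aren't shown in the talk, but the pipeline described could look roughly like this; a sketch assuming plain-text RFC files on disk, with an illustrative stop-word list and a deliberately rough section regex.

```python
import re
from collections import Counter
from pathlib import Path

# Illustrative stop-word list; the real scripts used a longer, curated one.
STOP_WORDS = {"a", "an", "the", "of", "and", "or", "to", "in", "is", "be", "this", "that"}

def security_considerations(text):
    """Rough cut of the Security Considerations section of a plain-text RFC:
    from its heading to the next numbered section heading."""
    m = re.search(r"\n\s*[\d.]*\s*Security Considerations\s*\n(.*?)\n\s*[\d.]+\s+[A-Z]",
                  text, re.S | re.I)
    return m.group(1) if m else ""

def word_counts(rfc_dir):
    """One Counter per RFC file; the real pipeline then groups the counters by
    publication year (taken from the RFC index) to build the time series."""
    counts = {}
    for path in Path(rfc_dir).glob("rfc*.txt"):
        section = security_considerations(path.read_text(errors="ignore"))
        words = re.findall(r"[a-z]+", section.lower())
        counts[path.stem] = Counter(w for w in words if w not in STOP_WORDS)
    return counts
```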
L
Do new words start to appear as we move forward in the years, or in response to particular attacks? And a second thing we did was an RFC count of how many security sections actually referred back to previous RFCs, what those RFCs were, and what the quantitative data was for that. So, Dave, could I go to the next slide?
L
So
here
are
some
examples,
just
so
that
you
can
see
this
is
actually
taken
directly
from
the
internet
draft.
You
can
see
some
word.
I
won't.
L
I
think
that's
interesting
input
to
the
model
t
effort,
for
instance,
it
shows
that
that
our
c
people
who
are
drafting
rfcs
are
tending
to
use
the
same
words
despite
the
fact
that
the
internet
is
evolving
significantly
so
again,
there's
more
details
in
the
internet
draft,
but
this
gives
you
a
feel
for
what
the
top
10
word
counts
are
in
four
sample
years,
separated
by
five
years.
So
next
slide.
L
One
of
the
things
we
did
that
we
sort
of
discovered
was
that
there
were
many
security
sections
that
had
normative
language
in
them,
and
so
I
have
two
slides
about
this.
L
So a couple of results here. This slide may or may not be interesting, but we took a look at what the most common words were over the entire period of 17 years; that's in the first bullet there. And then, over the same 17 years, here's a list, in order of frequency, of what the 75 most frequent words are. We compared this to the year-by-year one, and this is kind of how we reached our conclusion that not much has changed in security considerations sections; again, the results are in appendix B of the internet draft. One more slide, then.
L
And
so
here
are
some
conclusions
we
draw
we
drew
and
I've
already
talked
about
them.
So
I
won't.
I
won't
in
the
interest
of
time
bash
this
too
much,
but
there
really
isn't
much
in
the
way
of
major
changes
if
you're
just
doing
word
accounts
of
the
security
consideration,
sections
and
act.
Look
at
that
in
the
draft
proposes
that
you
also
do
a
qualitative
analysis
and
my
co-author-
and
I
have
not
done
that.
L
Yet
it
turns
out
that
the
word
may
appears
more
often
than
any
other
normative
language
in
security
consideration
sections.
We
found
that
to
be
extraordinary
that
that
that
the
word
may
instead
of,
must
appears
and
appears
much
more
often
in
security,
consideration
sections,
and
so
that
also
is
input
to
the
iab
and
input
to
other
conversations
about
the
internet
threat
model,
and
my
last
slide
is
just
contact
details
dave
I'm
happy
to
first
of
all
have
comments.
L
Second
of
all,
if
anyone
wants
to
talk
about
helping
with
the
qualitative
analysis
of
the
data
happy
to
talk
about
that
as
well.
Thanks
dave.
A
Okay,
thanks
mark
nina,
did
you
see
any
questions
in
there?
A
If
not,
I
I
I
just
have
one
I.
I
love
the
idea
of
using
the
artifact,
that
is
the
rfcs
as
a
way
to
determine
whether
the
engineering
is
moving
with
the
real
internet.
Was
there
any
any
real
life
internet
phenomenon
that
that
you
could
correlate
with
the
change
in
either
quantity
of
words
or
just
the
quantity
of
the
security
considerations
itself
I
mean
you
think
you'd
see
evidence
of
the
iab
or
the
ietf's
policy
changes
even
on.
L
For certain changes, such as certain maintenance for TCP, we would have seen changes to the wording there, and we didn't. And we also looked at the latency issue, right? So, for instance, Dave, if we look as an example at the Dyn attack, one of the things we said was: well, we wouldn't start to see changes in the RFCs until about a year or 18 months later, because of the pace of publication, right?
L
But
when
we
looked
at
that
particular
example,
we
didn't
see
much
in
the
way
of
change
and
we
actually
went
back
and
looked
at.
We
targeted
particular
series
of
rfcs.
For
instance,
we
went
to
a
ietf
area
and
then
limited
the
examination
to
just,
for
instance,
the
internet
area
or,
and
the
results
were
pretty
much
the
same
so
and
I
see
in
the
chat
room
that
bob
suggests
that
you
know
privacy
should
have
been
appearing
more
and
I
agree
with
you
bob,
but
it
it
simply
doesn't
show
up
when
you
do.
L
The
word
count-
and
the
word
pervasive
surprisingly
appears
in
very
few
rfcs,
even
after
the
iab
statement
on
pervasive
monitoring.
So
while
we
have
a
very,
very
strong
statement
from
the
iab
about
pervasive
monitoring,
we
actually
don't
see
those
words
showing
up
in
the
rfcs.
A
Afterwards,
all
right,
thank
you,
we're
going
to
have
to
move
on
because
we
have
just
enough
time
to
get
the
rest
of
the
presentations
in
so
we're
going
to
switch
to
philip
bruhn.
Next,
I'm
going
to
make
you
the
presenter
phillip.
H
Yeah, so I'm Philip and I'm working for Ericsson. I want to tell you something about a behavior of TCP CUBIC that we discovered, in the context of my master's thesis, when doing measurements with CUBIC connections on mobile radio networks.
H
When we then plotted the empirical CDF for two different file sizes, we were actually surprised to see that the file throughput shows such a significant variance. For example, for a five-megabyte file we have samples between 30 megabits per second and 50 megabits per second.
H
I have summarized the delay-increase condition down here, and the value of theta is actually defined as the minimum round-trip time divided by 8, but is clamped between the values of 4 and 16. So, since in our measurements the round-trip time is small, theta actually always takes the value of 4.
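In code, the delay-increase test as described comes down to something like this sketch, working in milliseconds for readability; the kernel implementation uses its own time units.

```python
def hystart_theta(min_rtt_ms):
    # theta = min RTT / 8, clamped to [4, 16] ms; with the small RTTs
    # measured here it always clamps to 4 ms
    return min(max(min_rtt_ms / 8.0, 4.0), 16.0)

def delay_increase_exit(min_rtt_ms, curr_rtt_ms):
    """True when slow start would be left via the delay-increase heuristic."""
    return curr_rtt_ms > min_rtt_ms + hystart_theta(min_rtt_ms)

# e.g. on a 20 ms path, the exit fires once a round's RTT exceeds 24 ms:
assert delay_increase_exit(20.0, 24.5) and not delay_increase_exit(20.0, 24.0)
```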
H
So then, going back to this condition: we can actually identify two reasons why this condition can become true. Either we have already found our minimum round-trip time and then the current round-trip time increases, making this condition true; or we are outside of the sampling phase of a round, beyond the first eight ACKs of a round.
H
So here I have plotted the round-trip time samples that correspond to different packets. And for the first round, I have to say that the definition of a round, from the HyStart point of view, actually contains a bug: HyStart considers the first 11 packets to belong to the first round instead of the first 10 packets.
H
But what's actually the case is that, since the initial window size is 10, the sender sends 10 packets in the first round, not 11. Let's stick with this for this example, though. So first of all, we have to find the minimum round-trip time plus theta, the threshold value that we compare the current round-trip time against, and then we find our current round-trip time as the minimum round-trip time during the sampling phase, which is shown here in gray.
H
Each time we go for another round, we reset the current round-trip time, and then again we find our threshold, which then here drops on the 31st packet, and we find our current round-trip time, which is this time 20. So again, the dashed line is above the solid line, so we again reset the current round-trip time and go for the third round.
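A toy model of that round bookkeeping makes the off-by-one visible; this is an illustration of the behavior described, not the kernel's actual sequence-number-based logic.

```python
IW = 10  # initial window in packets

def round_of(pkt_no, off_by_one=False):
    """Round number of a packet, with rounds of size IW, 2*IW, 4*IW, ...;
    the buggy variant counts packet IW+1 (the 11th) as still in round 1."""
    boundary = IW + 1 if off_by_one else IW
    if pkt_no <= boundary:
        return 1
    n, start, size = 2, boundary + 1, 2 * IW
    while pkt_no >= start + size:
        start, size, n = start + size, size * 2, n + 1
    return n

assert round_of(11) == 2 and round_of(11, off_by_one=True) == 1
```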
H
The example for the second reason is actually pretty similar. In the first round nothing else happens; in the second round we again see the drop on the 31st packet, but this time the round-trip time of the 15th packet is higher than before. So now the current round-trip time is 22 instead of 20, which then makes the condition fire on the drop at the 31st packet.
H
So now we have understood these two reasons, and we wanted to know: how likely are these two reasons? Therefore we did another experiment, and actually figured out that leaving HyStart due to an increasing round-trip time, which is how the delay-increase mechanism is supposed to work, only happens in 30 percent of the cases; in 70 percent of the cases we leave HyStart when the round-trip time decreased.
H
So, in a mobile radio network, the radio access network actually controls all the transmissions, including the uplink transmissions. The modem needs uplink resources in order to transmit its data, or in this case the ACKs. Then there are two cases: either the modem already has some uplink resources, or we consider the modem to be idle from a transmission point of view.
H
Consider
the
modem
to
be
idle
from
a
transmission
point
of
view.
So
then
the
modem
has
to
cue
these
10x
and
wait
for
the
next
opportunity
to
send
a
scheduling
request
after
some
time.
The
modem,
the
radio
access
network
will
then
respond
with
a
small
amount
of
with
a
scheduling
ground
that
grants
a
small
amount
of
resources.
H
So when you look at this graph here (this time I have plotted the mean round-trip time of individual packets), by looking at the first 10 packets you can precisely see what I just explained: the first two packets have a smaller round-trip time, and then the round-trip time ramps up by about eight milliseconds on the third packet.
H
So the jitter, the overall delay, was reduced, even though we still have our strong outliers. This is because there are still some effects that are not compensated for by either the bug fix or the kernel patch.
H
So, since HyStart still does not consider the round-trip time variance, it may still not be well suited for mobile radio networks. And in the end it's important to say that, even though we conducted our drive tests with LTE, we presume that the same effects will also happen on 5G, since there we use the same kind of uplink scheduling principles.
A
All
right,
philip,
thank
you.
So
much
there's
been
a
a
little
bit
of
a
lively
discussion
about
about
high
start
in
the
chat
session
and
I'll
I'll
suggest
that
those
folks
do
what
you
just
suggested.
Take
it
offline
with
you
by
email
or
you
can
use
the
maprg
mailing
list
as
well.
A
For
instance,
bob
comment:
bob
briscoe
commented
that
high
start
is
on
by
default
in
linux
cubic,
but
according
to
a
mini
survey,
he
says
he
did
a
four
to
five
cdn's
about
a
year
and
a
half
ago,
for
instance,
google,
microsoft
and
apple
all,
but
won
a
disabled
high
start.
Do
you
have
a
comment?
Fellow
before
we
wrap
up.
H
A
Okay, thanks. So in the interest of time, because we have just 25 minutes for 25 minutes of presentations left, we're going to switch to Mike Kosek being the presenter; let me do that by finding Mike in the participants list here. And as Mike gets set up, I'm going to paste in the chat right now a link to an etherpad that Mirja, my co-chair, who's on top of things better than I am, reminded me we're supposed to be maintaining: what are called the blue sheets, where basically you just sign your name and your organization and say you were at the meeting.
A
So
it
would
be
a
big
help
to
us.
If
you
would
visit
that
url.
I
just
posted
there.
The
etherpad
map,
our
g
url
and
just
add
your
name
and
affiliation
there.
So
we
get
a
list
that
approximates
the
what
I
saw
about
74
participants
on
today
and
we've
got
56
right
now.
So
in
the
next
half
hour,
if
you
sign
that
that
would
be
great
just
like
you
would,
if
we
were
at
a
real
ietf
meeting
mike
I'm
going
to
hand
it
over
to
you,
you're
ready.
G
A
G
All
right,
thank
you
dave.
So
this
is
a
quick
recap
on
our
work
of
tcp
conformance,
which
has
been
presented
at
palm
in
march
of
this
year.
So
dfb
has
been
analyzed
in
the
past
decades.
However,
every
study
focused
on
different
aspects
of
tcp
and
tcp
extensions,
and
our
question
was
okay:
how
is
the
conformance
to
the
minimum
requirements
so
the
basic
requirements
which
are
phrased
by
the
must
keywords
in
the
rcs
and
for
this
we
chose
an
active
scanning
approach.
We
did
control
testbed
environment
measurements.
G
So
for
our
test
cases,
we
looked
at
the
rc
793
abyss,
the
giraffe
14
version,
and
we
looked
at
different
aspects.
So
we
checked
if
the
check
sounds
are
correctly
validated
if
options
which
are
unknown
are
correctly
ignored.
If
the
mss,
which
are
stated
are
the
rc
stated
defaults,
if
the
effective
sent
mss
is
honored.
If
result,
flags
are
ignored
in
zeros
and
if
the
urgent
pointer
could
be
processed
segments
of
arbitrary
links.
So
with
these
test
cases
we
started
out-
and
this
is
something
we
could
of
course
only
be
observed
on
the
wire.
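As one on-the-wire example, the checksum test can be sketched with Scapy roughly as follows; this is an illustration of the idea, not the authors' actual tool, and the host and port are placeholders (raw sockets need root).

```python
from scapy.all import IP, TCP, sr1

def responds_to_broken_checksum(dst, dport=80):
    """Send a SYN with a deliberately wrong TCP checksum; a conformant stack
    must drop it, so any SYN-ACK back means the checksum was not validated."""
    syn = IP(dst=dst) / TCP(dport=dport, flags="S", chksum=0xBAD)
    return sr1(syn, timeout=2, verbose=False) is not None
```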
G
G
What
we
see
here
is
that
only
linux
and
lightweight
ips
showed
full
conformance
to
our
test
cases.
When
we
look
at
windows
10,
then
we
see
that
the
mssd4
stated
in
the
rc
are
used
as
a
lower
bound.
So
you
cannot
actually,
in
this
rear,
handshake
use
something
lower
than
it's
stated
in
the
rc
for
mac
os.
The
1024
bytes
are
used
as
a
default,
regardless
of
the
ip
version,
so
this
falls
short
of
the
ipv6
and
exceeds
the
ipv4
defaults
on
micro,
ip.
G
We
actually
observed
some
pressures,
and
this
was
done
on
urgent
pointer
data,
which
was
pointing
beyond
the
segment
size,
and
we
issued
a
pull
request
for
this.
This
was
especially
interesting
as
contiguous
and
contig.
Os
are
also
vulnerable
from
this
issue,
and
this
pull
request
got
merged
and
is
fixed.
Now,
for
a
c-star,
we
saw
that
the
holster
s
is
supported
of
offline
to
check
some
features
is
not
verified.
G
We
we
reported
this
issue.
However,
to
this
stage
we
did
not
get
any
response
from
this
all
right
for
our
live
scale
measurement
campaign.
We
looked
at
different
target
hosts
from
the
http
archive
we
sampled
cdn
targets.
There
are
28k
unique
targets
house
we
took
around
476
000
unique
target
holes
from
the
alexa
top
run
million
list
and
on
sensors,
which
provides
antenna
white
squad
port
scans.
We
took
around
3.2
million
targets,
so
let
me
start
with
the
notation
here
in
our
three
columns.
G
we see the three data sets, and in each sub-column we see the different results, which are presented as percentages. The "unk" sub-column here is "unknown": these are not clearly determinable results, which can have multiple causes; for example, a pre-test was successful, but on the actual test of the feature we wanted to check we did not get a response to our SYN packet.
G
Okay,
digging
right
in
first
of
all,
we
have
the
checksum
test.
We
did
this
in
two
ways.
First
of
all,
which
we
chose
a
random
incorrect
checksum,
and
we
also
did
the
test
with
zero
checksum
and
for
checksum.
We
saw
that
the
cdn
shows
the
lowest
failure
rates
overall
and
actually
no
on
path,
modifications,
which
is
quite
good
news.
However,
alexander
senses
each
show
around
three
percent
target
failure.
So
in
around
three
percent
of
the
targets,
they
did
not
validate
the
checksum
and
responded
to
our
false
false
checksum
package.
G
Next
of
all,
we
have
option
unknown,
and
so
no
singer
s
really
stands
out
here,
but
we
observe
that
the
highest
figure
rates
are
within
isp
networks,
and
this
is
exactly
the
same
behavior
as
we
saw
in
the
mss
missing
test.
So
for
mss
missing
we
saw
around
0.4
percent
percent
failure
on
the
path
of
the
census
data
set,
and
these
are
also
primarily
located
in
isp
networks
and
digging
down
on
this.
We
saw
that
the
mss
is
inserted
here,
and
this
is
most
likely
due
to
the
pppoe
encapsulation
done
by
access
rotors.
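The arithmetic behind that insertion, for illustration: PPPoE takes 8 bytes out of a 1500-byte Ethernet MTU, so an access router that clamps or inserts the MSS would advertise values like these.

```python
ETH_MTU = 1500
PPPOE_OVERHEAD = 8           # PPPoE header (6 bytes) + PPP protocol ID (2 bytes)

mtu = ETH_MTU - PPPOE_OVERHEAD       # 1492 bytes left for the IP packet
mss_v4 = mtu - (20 + 20)             # minimal IPv4 + TCP headers -> 1452
mss_v6 = mtu - (40 + 20)             # IPv6 + TCP headers -> 1432
```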
G
Next
up,
we
have
reserve
flex
and
we
see
up
to
1.8
percent
target
failure
on
census
year,
so
they
actually
did
not
response
to
our
probing
packets
at
all,
and
this
is
really
bad
news
for
extendability,
as
yeah
using
these
flags
really
doesn't
provide
any
connection
to
these
targets
at
all.
G
Lastly, we have the urgent pointer, which shows the overall highest failure rates, with up to 7.3 percent failure on the Censys data set. These failures are primarily located in ISP networks again, and around 99 percent of them are just silently discarded, so no connection is possible using the urgent pointer with these hosts. The RFC states for the urgent pointer that its usage is actually discouraged, but the implementation is still mandatory, and it might be an idea to remove this mandatory implementation requirement to reflect its deprecation in the RFCs.
G
Alright,
so
that's
for
our
quick
recap:
please
have
a
look
at
our
paper
if
you're
interested
there
are
a
lot
of
more
test
cases
and
more
details
in
there.
We
also
released
our
data
set
and
we
released
our
code,
so
our
tool
called
tcp
reg,
is
on
github
feel
free
to
contribute,
feel
free
to
share
your
results.
I'm
happy
to
progress
this
further.
Thank
you.
A
Thanks
mike-
and
we
have
a
couple
of
minutes
for
questions,
the
first
one
that
was
in
the
chat
was
jay
ignacio
asked.
How
did
you
determine
this
was
during
your
results?
Presentation,
for
instance,
the
results
slide
two.
How
did
you
determine
the
middle
box
errors
instead
of
determine
the
middle
box
errors
instead,
targets.
G
Yes,
let
me
just
bring
up
my
backup
slide
here
in
our
methodology,
so
we
used
the
tracebox
approach
where
we
encoded
the
ttl
in
multiple
fields
and
just
sent
out
multiple,
increasing
ttl
probes
and
listen
for
the
icmp
time
exceeded
messages,
and
we
did
this
test
case
specific.
G
So,
for
example,
if
we
wanted
to
test
if
on
a
path
the
the
tcp
checks
on
is
corrected,
then
we
would
get
a
reply
with
a
corrector
checks,
checks
on
with
this
approach,
and
then
we
could
say:
okay,
this
was
a
failure
that
actually
happened
on
the
path
and
not
on
the
target,
and
we
did
this
for
all
of
our
test
cases.
So
this
was
a
lot
of
handcrafting.
There's
no
general
approach
here.
Besides
the
tracebox
approach,
which
generally
can
give
you
a
hint
if
there
is
a
metal
box
or
not.
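A rough tracebox-style loop looks like this with Scapy; an illustration of the approach, not the study's code, and it only works against hops that quote back more of the original packet than the minimal eight bytes.

```python
from scapy.all import IP, TCP, ICMP, TCPerror, sr1

def trace_checksum_rewrites(dst, dport=80, max_ttl=30, sent_chksum=0xBAD):
    """Send the same broken-checksum SYN with increasing TTLs and inspect the
    TCP header quoted in each ICMP time-exceeded to spot on-path rewrites."""
    for ttl in range(1, max_ttl + 1):
        probe = IP(dst=dst, ttl=ttl) / TCP(dport=dport, flags="S", chksum=sent_chksum)
        reply = sr1(probe, timeout=2, verbose=False)
        if reply is None:
            continue
        if reply.haslayer(ICMP) and reply.haslayer(TCPerror):
            if reply[TCPerror].chksum != sent_chksum:  # a hop corrected it
                print(f"TTL {ttl}: {reply.src} rewrote the checksum")
        elif reply.haslayer(TCP):
            break  # reached the target itself
```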
A
All
right,
yeah,
thanks
mike,
I
don't
see
any
other
questions
there
and
we're
just
on
time
so
and
j
ignacio
says
thanks.
So
I'm
going
to
switch
the
presentation
to
switch
to
the
presenter
being
steven
stroz
for
the
last
presentation
of
the
session
stephen,
you
should
be
the
presenter
now
all
right.
A
There
one
last
reminder:
please
visit
that
url
that
I
posted
in
the
chat
to
sign
up
for
the
blue
sheets
we've
got
about.
I
think
60
of
the
folks
have
signed
up
so
far.
I'm
sorry
go
ahead.
Stephen.
M
All
right,
thanks
dave-
this
is
a
this-
is
a
summary
talk
of
work
that
we've
presented
already
tma
on
nrw,
and
this
covers
the
deborganization
of
12.
For
a
little
bit
of
context.
This
was
the
first
slash
12
allocated
by
the
ayanna
to
any
of
the
registries
in
at
the
time
I
think
13
or
nearly
13
years,
which
is
long
enough,
for
you
know,
writer
configurations
to
become
stale
and
thanks
for
you
know
to
be
baked
into
the
writing
system.
M
So before we issued it to members, we wanted to light that up, get it announced out there, and generally try to do some checking to make sure that it wasn't packed with pollution, which was unlikely, but you don't know until you measure. The timeline for this: we actually got the /12 back in late 2019, but by early 2020 the previous /12 was nearly done, and we were imminently about to start allocating from the 2a10::/12, so we had about one week to advertise this and collect what we could.
M
We
announced
nine
prefixes
in
total,
the
full
slash
twelve,
then
four,
slash
thirty
twos
and
four
slash
four
to
eight.
Each
of
these
were
configured
slightly
differently
in
terms
of
whether
they
had
a
routing
right
object
in
the
writing
database
or
whether
they
had
an
rpki
row
and
the
32s
and
48s
all
had
a
responsive
target.
So
each
of
them,
each
of
the
eight
addresses
in
total,
would
respond
to
icmp
echo
requests.
M
The bulk of the TMA paper is basically traffic analysis, and the way that we think about this is: with the IPv4 space, you could listen to, for example, a /8, if you have a spare /8 lying around, and depending on some of the behavior you may be able to draw general conclusions about background noise in the IPv4 space. Each v4 /8 is going to be different in terms of what it attracts, but the v4 space is also small enough that you're going to see internet-wide, quote-unquote, scans.
M
The v6 space is quite different. It's a bit more like taking a telescope, pointing it at the sky, and simply observing what you see in that part of the sky. There may be something generalizable there, but it's more likely that you can only report on what you saw in that corner. A /12 is a lot of address space, but it's still a very small part of the v6 address space in total.
M
So what we got is what we got, and I'll be careful with drawing general conclusions around that. The part that's kind of a good start is that the bulk of the traffic we actually captured was our own traffic: we sent a lot of measurements into this space, to the responsive targets, from the RIPE Atlas platform. So the vast majority (in my head, I'm thinking it looks like around 90 to 95 percent) of the traffic that we captured was generated by RIPE Atlas.
M
The traffic can be carved up into a couple of broad categories. The bulk of the TCP traffic was what looked like an orchestrated traceroute campaign, to do two things: to map out topology and then to find anything that's responding on port 80. The UDP traffic was around 50 percent DNS, and the bulk of the ICMP traffic was solicited echo requests to the addresses that we set up. So, taking each of those in turn:
M
Around a half million of the packets contained a TCP payload, and they were doing some kind of TCP traceroute: trying to repeatedly reach the same target, but with an ever-increasing TTL until it eventually gives up. All of that traffic has the same basic characteristics: the same source port, no payload, the SYN flag set, and nothing else active in the packet. The MSS value is set as if it's configured for an IPv4 world; there are a couple of glitches like that, and most of this traffic is in that activity.
M
Whatever that thing is, it was never expecting to see an address space that large, and something bugs out in whatever the platform was: it started sending far too many packets into the space. My gut feeling for that (the reason I have that gut feeling) is that once we lit up the /32s and /48s, there were specific traceroutes into those addresses, but at a much lower volume.
M
So
those
let
up
very
quickly
and
then
stopped
very
quickly,
which
was
good.
Basically,
they
bounced
around
in
the
random
addresses,
though
we
there
was
a
distinct
port
scanning
operation
from
one
origin
to
around
about
sorry,
I
have
targeted
addresses
in
the
next
slide,
around
164
000,
packets,
doing
port
scanning
for
one
origin
and
then
like
tens
of
thousands
with
the
destination
portfolio,
three,
the
night
flags.
M
It's,
I
can't
remember
if
they
have
payloads,
but
I
figure
something
is
either
backscatter
or
is
bouncing
around
looking
for
resets
rather
than
synax
and
there's
a
lot
of
general
noise.
That's
otherwise
uninteresting
beyond
that
point
for
the
traceroute
campaign,
the
addresses
that
that
campaign
selected
appear
to
be
random
bits,
filling
the
bottom
120
sorry
116
bits
of
each
address
and
the
assertion
there
comes
from,
like
the
campaign
selects
in
total
261
000
targets
spread
across
261,
000
64..
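That inferred target selection is easy to reproduce; a sketch using the real prefix, where each draw almost surely lands in its own /64, matching the 261,000-targets-across-261,000-/64s observation.

```python
import ipaddress
import random

PREFIX = ipaddress.IPv6Network("2a10::/12")

def random_target():
    """Keep the announced /12's top 12 bits, fill the low 116 bits at random."""
    host_bits = random.getrandbits(128 - PREFIX.prefixlen)  # 116 random bits
    return ipaddress.IPv6Address(int(PREFIX.network_address) | host_bits)

print(random_target())
```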
M
It's not trying to do anything smart with particular addresses in, say, a /64; it's just trying to get something, whether it's topology mapping or not. The remaining targets are pretty well distributed. This graph on the right is ranked from the most popular /64 target going down, but there are 133,000 targets, and this forms a very, very long tail where many of the addresses are targeted maybe once or twice. The top target in that list was targeted the most, by the port-scanning campaign from one origin.
M
The
and
the
center
city
is
again
reasonably
broad,
like
there
aren't
like
there's,
not
much
evidence
of
sources.
Doing
things
like
address
cycling
within
its
own,
slash
64.,
like
sources
pop
up
and
then
vanish.
M
The
port
numbers
that
were
targeted
are
a
little
bit
interesting,
maybe
like
I've.
I've
taken
poor
ac
out
of
this
plot
because
it
would
swamp
everything
with
the
traceroute
campaign
and
what's
left,
it's
kind
of
broad
like
at
some
point.
Basically,
everything
is
is
attempted
by
something
there's
a
lot
of
noise.
M
The
most
popular
target
is
port
443
and
then
from
there
it
hits
and
I'm
going
to
go
by
memory
here,
6379,
which
I
think
is
redis
5222
is
maybe
xmpp
and
I
lose
the
track
from
there
there's
quite
a
lot
of
traffic
with
the
tcp
for
zero
set,
but
this
is
aside
from
a
general
leaning
towards
the
low
numbers
that
the
port
scanning
does.
A
lot
of
this
is
like
random,
randomized,
payloads
and
weird
targets.
M
The UDP traffic was much less interesting, I guess; there wasn't much of it. Fifty percent of the UDP that we captured contained a DNS payload that looked like legitimate DNS: there were DNS queries for A and AAAA records for popular names like google.com, or various CDN names, or whatever else.
M
We
did
actually
approach
the
network
operator
and
they
found
the
person
who
was
running
a
dns
resolver,
which
was
misconfigured
and
was
sending
these
queries
into
our
address
space,
so
that
one
was
in
theory
fixed,
but
we're
no
longer
announcing
that
address
space.
So
we
can't
verify
that
it
was
actually
fixed.
M
The
this
is
again
a
on
the
right,
our
ranking
of
the
most
popular
targets
and
the
top
eight
targets
are
the
the
eight
basically
reflect
the
eight
responsive
targets
we
created
and
we
requested
the
network
operator.
Send
our
traffic
to
this
graph
is
ignoring
the
ripe
atlas
traffic.
Also,
so
most
of
the
icmp
goes
to
where
we
asked
people
to
send
icmp
echo
requests
the
next
most
popular
is
2810
with
all
the
zeros,
which
was
unresponsive,
but
a
lot
of
people
selected
that
one
rather
than
a
column
called
one.
M
Maybe
people
truly
are
that
lazy,
I'm
not
sure
and
there's
a
long
tale
of
otherwise
essentially
randomized
traffic
targets.
Again,
a
bunch
of
these
in
the
remaining
targets
are
like
genuinely
what
appears
to
be
randomized
payloads
with
invalids,
icmp
types
and
codes
so
forth.
So
a
lot
of
that
stuff
is
just
weird
and
it's
the
numbers
at
that
point
get
so
vanishingly
small
that
we
basically
draw
under
draw
a
line
under
it
and
declare
it
to
be
acceptable.
M
We cover aspects of the routing state in both the TMA and the NRW papers, although not in a spectacular amount of detail. We wanted to make sure, first, that the space was basically routable, and then from there we used the RIPE Atlas measurement platform to ensure that it was actively reachable if we tried to get there; and in general it was.
M
We
got
about
99
hit
rates
on
our
pings
and
trace
routes,
which
is
basically
typical
apart
from
a
couple
cases,
including
yes,
8881,
which
I
think
is
versatile
in
germany.
M
So that's completely okay, and on those ones we didn't see the echo requests arriving at the RIS collector that was announcing the space; for those ones, they are filtering the routes at, I guess, AS3320. So, our current status and where we are with this: this was a study in January, so it's basically historic at this point. The RIPE Atlas data and the RIS routing data are, of course, all public; the routing data in particular.
M
It
would
be
interesting
to
look
at
from
other
vantage
points,
such
as
route
views
or
pch
data,
or
whatever
else,
and
now
that
some
time
has
passed
we
might
be
able
to
get
to
the
point
of
actually
releasing
the
captured
data
is
something
that
we
want
to
do,
but
it's
it's
the
it's
trying
to
do
that
balance
between
how
much
of
this
is
weird
data
that
nobody
cares
about
and
how
much
of
it
is
like
identifiable
data
that
tells
us
something.
M
Yep, sure, so I'm about done. The 2a10::/12 is now in use. Soon after we ended the study (the week in January is on the left-hand side), it was issued to members, and then those prefixes started lighting up. The only reason that the numbers go up and to the right is that RIS continues to add new peers.
M
So
we
have
more
peers
simply
listening
to
and
receiving
these
announcements
and
the
address
space
that
we
allocated
our
eights
thirty
thousand
forty
eight
from
was
put
into
the
quarantine
did
because
we
did
active
measurements
to
it
and
we
solicited
traffic
to
it.
That
space
is
now
out
of
quarantine.
The
standard
is
six
months,
so
the
space
has
now
been
reissued
and
it
I
haven't,
checked
today,
but
it's
likely
to
show
up
in
the
wild
soon
if
it's
been
allocated
to
somebody.
M
So
there's
a
potential
comparison
there
between
the
address
space
announced
from
our
red
collector
system
and
the
address
space
announced
from
somebody
else.
If
somebody
wants
an
interesting
writing
site
study-
and
these
are
only
my
endnotes
indicating
what
we
did
here-
there
isn't
anything
in
this
space-
that's
entirely
problematic.
The
writing
and
reachability
seemed
to
be
good,
and
so
we
were
completely
happy
going
ahead
and
issuing
that
address
space
to
our
members,
and
that
is
my
high
level
summary
of
these
two
papers.
A
I want to thank Brian and Nina for doing this experiment with us, this joint meeting; let either them or us (Mirja and I) know if you liked the joint meeting and how you would like us to meet in the future. And I want to specially thank Mirja for encouraging presentations and helping curate the content, because she did the lion's share of it this time. Again, have a good day, folks.