On 6 November 2013 15:56, Randy Bush <randy@psg.com> wrote:
To ensure that RIPE Atlas is not used (intentionally or not) as a distributed attack system we could consider: - limiting # of probes simultaneously running such measurements to a low number. - requiring explicit permission of the probe owner to run such UDM.
this seems prudent, though i worry that the last point does not scale well.
Thinking about how we could make this last point scale better... I can see there are situations where some probe owners just wouldn't want to get involved in such measurements at all, and cases where a receptive probe owner may have probes in many different networks (on which they have varying levels of privilege), and therefore while wanting to take part may need probe-by probe granularity to ensure that they don't, for instance, break a customer's network. Probe owners could be given an option to opt-out on an account-wide basis, or opt-in some or all of their probes, but this doesn't automatically mean they consent to every "special" measurement, just that they will consider requests for consent. Then requests asking for consent to use a probe for controversial/risky measurements - containing details of what the measurement is - are sent only to opted-in probe owners. This would avoid the issue of sending requests for consent into a black hole, it's only sent to receptive probe owners. Some probe owners will be very liberal, so they could have an option to a) opt-in all probes and b) auto-consent. Do folk see where I'm going with this? Mike