Archipelago (Ark) Site Acceptable Use Policy (AUP)

CAIDA seeks sites interested in becoming a part of our next-generation
measurement infrastructure named Archipelago (Ark), a software
upgrade to the skitter infrastructure.
CAIDA has more than nine years of experience in collection, curation,
and distribution of active topology data. Over these last nine
years, we have vetted and approved requests from over 350 researchers
for access to this data, resulting in citations in over one hundred
publications.

Archipelago Acceptable Use Policy (AUP)
In the design of the Archipelago software, we primarily sought to
achieve greater scalability and flexibility for our existing hardware
infrastructure and to take steps toward a community-oriented
measurement infrastructure that allows vetted collaborators to run
their measurement tasks on a security-hardened platform. To
differentiate ourselves from other distributed experimental platforms
such as PlanetLab, we tailored Archipelago specifically for network
measurement, allowing for increased control over which processes run
on the machines and a cleaner environment for measurement experiments.
The remainder of this text describes the anticipated requirements
and uses of measurement nodes under Archipelago, as well as some
safeguards that we put in place to prevent abuse. Please send a
message to ark-info@caida.org if you are interested in participating,
and tell us whether you approve of the broader usage under
Archipelago. Also, please let us know
if you find certain specific usages to be unacceptable (for example,
because of the AUP you yourself must work under) but are otherwise
willing to participate. In most cases, we can work with you to
define a narrower set of acceptable activities for your particular
node.
Some anticipated requirements and uses of Archipelago nodes are as
follows:
- Support an open-ended set of active measurements, including
traceroute, ping, one-way loss, jitter, bandwidth estimation,
DNS latency measurements, DNS open resolver surveys, router
interface alias resolution, RTT triangulation studies, OS
fingerprinting, and future research topics.
- Allow CAIDA collaborators to use the infrastructure for vetted
active measurement experiments.
- Support a publicly accessible traceroute server and/or other
carefully controlled (and rate-limited) public measurement
services.
- Allow highly-restricted public access to measurement infrastructure
in the manner of Scriptroute (that is, provide a secure and
resource-restricted environment that allows the public to execute
only safe measurement operations). [See
http://www.cs.washington.edu/research/networking/scriptroute/]
- Allow a changing set of ports to be open on the measurement
node, which requires liberal firewall rules, or disabling of the
firewall on the node entirely. At a minimum, the node must allow
SSH and a few well-defined ports used by the Archipelago system
components. Other open ports may be needed by deployed measurement
tools, such as bandwidth estimation tools, that open their own
server port.
Archipelago is designed from the ground up with security in mind,
and provides the following safeguards against misuse:
- System communication between nodes is protected with SSL and
client and server certificates.
- Authorization for privileged measurement operations can be
checked.
- Measurement operations can be forced to run in a secure
execution environment (built upon FreeBSD jails), in which
gaining even root access doesn't compromise a measurement node
as a whole.
- Measurements can be rate limited.
- A filter can be used to prevent the sending of certain types
of packets (for example, packets with spoofed source addresses,
or TCP SYN packets).
- A filter can be used to prevent the sending of packets to
hosts, servers, and routers in the hosting organization's network
(the network to which a measurement node is attached). This
prevents a measurement node from being used as a launching point
for attacks or for reconnaissance.
- End users who receive measurement traffic can opt out of
future measurements by request, and a system-wide list of "no
probe" addresses is maintained to respect these requests. We
have maintained a "no probe" list over the last 9 years for our
skitter measurements.