Archipelago Node Usage
$Id: archipelago_amp_node_usage.xml,v 1.1 2006/10/19 18:39:27 youngh Exp $
We are currently seeking participants for our upcoming next generation
measurement infrastructure, named Archipelago, which will replace the
skitter infrastructure that we have run for more than 8 years. In
particular, your organization has hosted an AMP node in the past, and
we are interested in re-using this decommissioned node for
Archipelago.

The primary goals of Archipelago are to achieve greater scalability
and flexibility than our existing infrastructure and to provide a step
toward a community-oriented measurement infrastructure by allowing
vetted collaborators to run their measurement tasks on a
security-hardened platform. Note that, unlike PlanetLab and some other
distributed experimental platforms, Archipelago is tailored
specifically for network measurement, allowing for increased control
over what runs on the machines and a cleaner environment for
measurement experiments.

Because of the differences in goals between AMP and Archipelago, there
are important differences in the way measurement nodes will be used,
and this necessitates a (one-time) re-evaluation of the permissible
activities granted by you, the hosting organization. The remainder of
this text describes the anticipated requirements and uses of
measurement nodes under Archipelago, as well as some safeguards that
will be in place to prevent abuse. Please let us know if you are
interested in participating and whether you approve of the broader
usage under Archipelago. Also, please let us know if you find certain
specific usages to be unacceptable (for example, because of the AUP
you yourself must work under) but are otherwise willing to
participate. In most cases, we can work with you to define a narrower
set of acceptable activities for your particular node.

Some anticipated requirements and uses of Archipelago nodes are as follows:

- Support probing outside the former AMP mesh to the broader commercial
  Internet, to destinations such as end hosts, web servers, DNS
  servers, and routers.
- Support an open-ended set of active measurements, including traceroute,
  ping, one-way loss, jitter, bandwidth estimation, DNS latency
  measurements, DNS open resolver surveys, router interface alias
  resolution, RTT triangulation studies, OS fingerprinting, and
  future research topics.
- Allow CAIDA collaborators to use the infrastructure for vetted
  active measurement experiments.
- Support a publicly accessible traceroute server and/or other carefully
  controlled (and rate-limited) public measurement services.
- Allow highly restricted public access to measurement infrastructure
  in the manner of Scriptroute (that is, provide a secure and
  resource-restricted environment that allows the public to execute
  only safe measurement operations).
  [See http://www.cs.washington.edu/research/networking/scriptroute/]
- Allow a changing set of ports to be open on the measurement node,
  which requires liberal firewall rules, or disabling of the firewall
  on the node entirely. At a minimum, the node must allow SSH and a
  few well-defined ports used by the Archipelago system components.
  Other open ports may be needed by deployed measurement tools, such
  as bandwidth estimation tools, that open their own server port.

Archipelago is designed from the ground up with security in mind, and
provides the following safeguards against misuse:

- System communication between nodes is protected with SSL and
  client and server certificates.
- Authorization for privileged measurement operations can be checked.
- Measurement operations can be forced to run in a secure execution
  environment (built upon FreeBSD jails), in which gaining even
  root access doesn't compromise a measurement node as a whole.
- Measurements can be rate limited.
- A filter can be used to prevent the sending of certain types of
  packets (for example, packets with spoofed source addresses,
  or TCP SYN packets).
- A filter can be used to prevent the sending of packets to hosts,
  servers, and routers in the hosting organization's network (the
  network to which a measurement node is attached). This prevents
  a measurement node from being used as a launching point for
  attacks or for reconnaissance.
- End users who receive measurement traffic can opt out of future
  measurements by request, and a system-wide list of "no probe"
  addresses is maintained to respect these requests. We have
  maintained a "no probe" list over the last 8 years for our skitter
  measurements.
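
The packet-type, hosting-network and "no probe" filters listed above can be combined into one egress decision per outgoing probe. The sketch below is an added example, not Archipelago or CAIDA code; the names (`Probe`, `check_probe`, `allow_tcp_syn`), the order of the checks and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values; none of them come from the Archipelago deployment.
NODE_ADDR = ipaddress.ip_address("192.0.2.10")            # the node's own address
HOST_ORG_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # hosting organization's network
NO_PROBE = [ipaddress.ip_network("198.51.100.0/25"),      # opt-out entries: a prefix
            ipaddress.ip_network("203.0.113.7/32")]       # and a single host


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    proto: str                          # "icmp", "udp" or "tcp"
    tcp_flags: frozenset = frozenset()  # e.g. frozenset({"SYN"})


def check_probe(p, allow_tcp_syn=False):
    """Return (allowed, reason) for one outgoing probe; fails closed on bad input."""
    try:
        src = ipaddress.ip_address(p.src)
        dst = ipaddress.ip_address(p.dst)
    except ValueError:
        return False, "malformed address"
    # Packet-type filter: only the node's own address may appear as source.
    if src != NODE_ADDR:
        return False, "spoofed source"
    # Packet-type filter: connection-opening SYNs are blocked unless explicitly
    # permitted (allow_tcp_syn is a hypothetical per-experiment switch).
    if (p.proto == "tcp" and "SYN" in p.tcp_flags
            and "ACK" not in p.tcp_flags and not allow_tcp_syn):
        return False, "tcp syn blocked"
    # Destination filter: never probe the network the node is attached to.
    if any(dst in net for net in HOST_ORG_NETS):
        return False, "hosting network"
    # Destination filter: honor opt-out requests on the "no probe" list.
    if any(dst in net for net in NO_PROBE):
        return False, "no-probe list"
    return True, "ok"


if __name__ == "__main__":
    for probe in (Probe("192.0.2.10", "198.51.100.200", "icmp"),
                  Probe("192.0.2.10", "198.51.100.5", "udp"),
                  Probe("192.0.2.10", "192.0.2.77", "icmp")):
        print(probe.dst, check_probe(probe))
```

Prefix entries let one opt-out request cover a whole network, and an unparseable address is rejected rather than passed through.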