Archipelago Acceptable Use Policy (AUP): CAIDA Affiliate Only

In the design of the Archipelago software, we primarily sought to achieve greater scalability and flexibility for our existing hardware infrastructure and to take steps toward a community-oriented measurement infrastructure that allows vetted collaborators to run their measurement tasks on a security-hardened platform. To differentiate ourselves from other distributed experimental platforms such as PlanetLab, we tailored Archipelago specifically for network measurement, allowing for increased control over which processes run on the machines and a cleaner environment for measurement experiments.

The remainder of this text describes the anticipated requirements and uses of measurement nodes sited at <<YOUR_ORGANIZATION_NAME>> under Archipelago control, as well as some safeguards that we put in place to prevent abuse. Please let us know if you are interested in participating and whether you approve of the usage described below.

CAIDA plans to use the <<YOUR_ORGANIZATION_NAME>> Archipelago nodes to:

• Support open-ended set of active measurements, including traceroute, ping, one-way loss, jitter, bandwidth estimation, DNS latency measurements, DNS open resolver surveys, router interface alias resolution, RTT triangulation studies, OS fingerprinting, and future research topics.
• Support a traceroute server and/or other carefully controlled (and rate-limited) measurement services.
• Allow a changing set of ports to be open on the measurement node, which requires liberal firewall rules, or disabling of the firewall on the node entirely. At a minimum, the node must allow SSH and a few well-defined ports used by the Archipelago system components. Other open ports may be needed by deployed measurement tools, such as bandwidth estimation tools, that open their own server port.
• Allow vetted CAIDA collaborators to use the infrastructure for vetted active measurement experiments.

Archipelago is designed from the ground up with security in mind, and provides the following safeguards against misuse:

• System communication between nodes is protected with SSL and client and server certificates.
• Authorization for privileged measurement operations can be checked.
• Measurement operations can be forced to run in a secure execution environment (built upon FreeBSD jails), in which gaining even root access doesn't compromise a measurement node as a whole.
• Measurements can be rate limited.
• A filter can be used to prevent the sending of certain types of packets (for example, packets with spoofed source addresses, or TCP SYN packets).
• A filter can be used to prevent the sending of packets to hosts, servers, and routers in the hosting organization's network (the network to which a measurement node is attached). This prevents a measurement node from being used as a launching point for attacks or for reconnaissance.
• End users who receive measurement traffic can opt out of future measurements by request, and a system-wide list of "no probe" addresses is maintained to respect these requests. We have maintained a "no probe" list over the last 9 years for our skitter measurements.