nanog mailing list archives

RE: Announcement of Experiments


From: Adam Thompson <athompson () merlin mb ca>
Date: Mon, 2 May 2022 21:55:42 +0000

I am not claiming any of this is official MERLIN position on the matter, these are merely my thoughts so far based on 
the incomplete knowledge & data I have:

IMHO, it's somewhat the same as if I made public statements that started with "Well, I talked to Randy Bush and he said 
XXXX".  I'm clearly the one articulating that sentence, but I'm nonetheless attributing to you something that is 
(presumably) false.
This will, I think, taint historical time-series data (e.g. RIPEStat) for any ASNs the experimenters use, and I could 
easily see in my organization being called upon to ask "Why were we transiting x.x.x.x/y in May 2022?" and not having 
any answer.
The operational impact will probably be somewhere between zero and negligible, assuming the experiment is run 
correctly, but operational impacts aren't the only impacts: reputational risks are very important to some organizations.

In addition to people not fully understanding AS_PATH, which even here will be a non-zero number, there will also be a 
number of people (myself included in this number) who have no idea what the PEERING testbed is, nor how it works, nor 
the effects it can produce.  I'm in alignment with several other commenters in that I should not have to go spend time 
to learn about Yet Another Piece of Technology just to assess the risks, operational and reputational, I now face.

From my limited understanding of the experiment, I agree that opt-in would kind of defeat the purpose, but at the same 
time, the opt-out email bordered on insulting/careless: "hey, we're going to simulate a crime scene with your 
fingerprints unless you tell us not to within a week" wouldn't fly most places.  If they had run their experiment 
without telling anyone, possibly 5 or 10 people/orgs worldwide would have noticed, assumed someone was doing something 
naughty (or incompetent), and gone on with their lives.  But no notice would arguably have been even more wrong than 
the notice we did get here.

Is it possible to run such an experiment ethically without tainting the data in advance by announcing it?  I don't know.


Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca
Chat with me on Teams: athompson () merlin mb ca

-----Original Message-----
From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> On
Behalf Of Randy Bush
Sent: Monday, May 2, 2022 3:50 PM
To: Alexandros Milolidakis <amilolid () gmail com>
Cc: nanog () nanog org
Subject: Re: Announcement of Experiments

We are a group of researchers from the KTH Royal Institute of Technology
(Sweden).

Starting from May 9 until May 31, we plan to conduct a research study
involving AS-PATH poisoning to measure how reliable route collectors
are to report BGP poisoned routes.

We will use the PEERING Testbed [1] to announce the following two
prefixes:

 - 184.164.236.0/24

 - 184.164.237.0/24

for our AS-path poisoning experiments.

The above experimental prefixes do not host any production services,
hence user traffic will *not* be affected.

Furthermore, we will always start the AS-PATH with the correct ASN as the
origin.

Lastly, to keep the AS-PATH short, we will announce no more than four
Poisoned ASNs per announcement. The frequency of the announcements
will not exceed four per hour.

seems quite harmless.  though i am sure folk who do not really
understand AS_PATH will get their knickers in a twist.

randy
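
One way an operator could annotate route-collector history to answer the "Why were we transiting x.x.x.x/y in May 2022?" question raised above. This is an added example, not part of the original thread: the two prefixes and the date window come from the quoted announcement, while the record format, the documentation-range ASNs and the label names are assumptions.

```python
import re
from datetime import date
from ipaddress import ip_network

# Prefixes and date window taken from the announcement quoted in this thread.
EXPERIMENT_PREFIXES = [ip_network("184.164.236.0/24"), ip_network("184.164.237.0/24")]
WINDOW_START, WINDOW_END = date(2022, 5, 9), date(2022, 5, 31)


def classify_sightings(records, my_asn):
    """Label every record whose AS_PATH contains my_asn.

    records: iterable of (day, prefix, as_path), where as_path is a
    space-separated string as in a text dump of collector data (assumed format).
    """
    findings = []
    for day, prefix, as_path in records:
        # Pull out every ASN, including members of an AS_SET such as "{64501,64502}".
        path = [int(tok) for tok in re.findall(r"\d+", as_path)]
        if my_asn not in path:
            continue
        net = ip_network(prefix)
        experimental = any(net.version == p.version and net.subnet_of(p)
                           for p in EXPERIMENT_PREFIXES)
        in_window = WINDOW_START <= day <= WINDOW_END
        if path[-1] == my_asn:
            label = "origin"                # we originated the route ourselves
        elif experimental and in_window:
            label = "announced-experiment"  # consistent with the announced poisoning study
        else:
            label = "needs-investigation"   # real transit, a leak, or unannounced poisoning
        findings.append({"day": day, "prefix": prefix, "as_path": path, "label": label})
    return findings


# Constructed sample data. ASNs are from the documentation range (RFC 5398):
# 64510 plays "our" ASN, 64496 stands in for the experiment's origin ASN.
SAMPLE = [
    (date(2022, 5, 10), "184.164.236.0/24", "64500 64501 64496 64510 64511 64496"),
    (date(2022, 5, 10), "192.0.2.0/24", "64500 64510 64502"),
    (date(2022, 6, 15), "184.164.237.0/24", "64500 64496 64510 64496"),
    (date(2022, 5, 12), "198.51.100.0/24", "64500 64510"),
    (date(2022, 5, 12), "184.164.237.0/24", "64500 64496"),
]

if __name__ == "__main__":
    for f in classify_sightings(SAMPLE, my_asn=64510):
        print(f["day"], f["prefix"], f["label"])
```

Storing the label next to the archived path gives a later reviewer the context that the raw time-series data lacks.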

