7/30/2019 JANET Security of Service
http://slidepdf.com/reader/full/janet-security-of-service 1/33
Copyright JNT Association 2007 UKNOF 8, London. 1
Security of Service
Rob Evans
JANET(UK)
What this talk is about
• Our experiences of building a resilient network.
• Securing the supply of a service.
What this talk isn't about
• Title is a legacy from the conference it was first presented at. This isn't about:
– Privacy
– Intrusion Detection
– CSIRT-type “Stuff”
• There's more than one way to skin a cat
– Your network may be bigger and more resilient than ours.
What we had
• SuperJANET4, launched in 2001
• Succeeded in breaking out of the cycle of bandwidth-limited backbones of previous years
• Good capacity
• Resilient
• ...but had some weak spots
What we had
• Sites connected to Regional Networks
• Regional Networks connected to backbone
– From 622Mbit/s to 2.5Gbit/s
– Mainly protected SDH
– Some Gigabit Ethernet (intra-room)
• Backbone highly resilient
• RN links less so
RN link resilience
• Protected SDH links.
– Good, yes?
• Better than unprotected bits of fibre.
• But:
– Single router on the backbone
– Single router at the RN
– Lots of scope for the telco to reroute and lose resilience.
– You only find out the protect path isn't working when you need it.
What we wanted
• Greater resilience for Regional Network links
– Link failure takes off many sites.
• Increased agility for bringing extra circuits up
– Capacity
– Bandwidth channels for research work
Security against...
Photo courtesy of HEAnet
SJ5 Architecture
Basics
• Dedicated fibre and DWDM equipment
– Not subject to requirements of other customers
• Ciena CoreStream at the core PoPs
• Ciena 4200 for the “collector arcs”
Regional Connections
• All Regional Networks have two diverse fibre connections to the backbone
– Same capacity to ensure full resilience
– Two different regional network PoPs
– Two different Core PoPs
Regional Connections
[Diagram of a regional connection; labels recovered from the slide: two CN4200 nodes, one on Collector Arc West and one on Collector Arc East; RN PoP 1 and RN PoP 2, each reached over Metro SDH; a Gig Eth RN Internal Link between the two RN PoPs; IP at each end. Legend: Dedicated Wavelength, Dark Fibre, IP Channel, SDH connection, Gig Ethernet.]
Problems
• Finding truly diverse fibre
– Even in metro areas
• Are two fibres in the same duct diverse?
– How about the same trench?
– Opposite sides of the road?
– Parallel roads?
• Is the information accurate...
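The two slides above state the rule (two circuits per Regional Network, landing on different RN PoPs and different core PoPs) and the hard part (the fibre paths must not share a duct, trench or road that one dig can cut). The script below is an added example, not JANET tooling from the talk: it models each circuit as a sequence of physical segments tagged with shared-risk identifiers, then reports anything the two uplinks have in common. The segment/risk data model, the "accepted" policy for risk classes the operator is willing to share, and every PoP, circuit and risk name are assumptions, constructed for illustration.

```python
"""Physical-diversity check for a Regional Network's pair of backbone uplinks.

Added example, not JANET's own tooling. It encodes two rules from the slides:
each RN has two circuits landing on different RN PoPs and different core PoPs,
and the two fibre paths must share no physical risk (duct, trench, road) that a
single dig could take out. All names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One physical hop of a circuit and the shared-risk ids it rides on.

    Risk ids are prefixed by class ('duct:', 'trench:', 'road:') so a policy
    can state which classes may be shared: parallel roads are often tolerated,
    the same trench is not.
    """
    name: str
    risks: frozenset


@dataclass(frozen=True)
class Circuit:
    name: str
    rn_pop: str       # Regional Network PoP the circuit terminates on
    core_pop: str     # backbone core PoP at the other end
    segments: tuple   # ordered Segment objects, RN end first


def srlgs(circuit):
    """Every shared-risk id the circuit depends on, across all segments."""
    out = set()
    for seg in circuit.segments:
        out |= seg.risks
    return out


def shared_risks(a, b, accepted=()):
    """Risk ids common to both circuits, minus classes the operator accepts
    sharing (given as prefixes such as 'road:')."""
    common = srlgs(a) & srlgs(b)
    return {r for r in common if not r.startswith(tuple(accepted))}


def diversity_report(a, b, accepted=()):
    """List of findings for the pair; an empty list means it is diverse."""
    findings = []
    if a.rn_pop == b.rn_pop:
        findings.append(f"same RN PoP: {a.rn_pop}")
    if a.core_pop == b.core_pop:
        findings.append(f"same core PoP: {a.core_pop}")
    for risk in sorted(shared_risks(a, b, accepted)):
        findings.append(f"shared risk: {risk}")
    return findings


# Constructed sample (hypothetical ids): the RN is dual-homed to two core PoPs
# over two collector arcs, but the telco's records show both fibres leaving
# the city through the same trench under the high street.
WEST = Circuit("rn-west", "RN PoP 1", "Core A", (
    Segment("city-exit", frozenset({"duct:HS-1", "trench:highstreet", "road:highstreet"})),
    Segment("collector-arc-west", frozenset({"duct:CAW-7", "trench:ringroad-w", "road:ringroad"})),
))
EAST = Circuit("rn-east", "RN PoP 2", "Core B", (
    Segment("city-exit", frozenset({"duct:HS-2", "trench:highstreet", "road:highstreet"})),
    Segment("collector-arc-east", frozenset({"duct:CAE-3", "trench:ringroad-e", "road:ringroad"})),
))
# The same pair after the east circuit is re-routed out of the city by a back lane.
EAST_REROUTED = Circuit("rn-east", "RN PoP 2", "Core B", (
    Segment("city-exit", frozenset({"duct:BL-4", "trench:backlane", "road:backlane"})),
    EAST.segments[1],
))

if __name__ == "__main__":
    print("as surveyed:", diversity_report(WEST, EAST, accepted=("road:",)))
    print("re-routed:  ", diversity_report(WEST, EAST_REROUTED, accepted=("road:",)))
```

With roads accepted as shared, the surveyed pair fails only on "trench:highstreet"; the re-routed pair passes. The check is only as good as the segment records it is fed, which is exactly the last bullet's point: the same run against inaccurate telco documentation reports a clean pair that the next roadworks disprove.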
Fibre Routing
Photo from http://www.flickr.com/photos/samjudson/
Fibre Routing
Photo from http://www.flickr.com/photos/samjudson/
Design Choices
• Mandated SDH for Regional Network connections to the backbone
– SDH notices faults, brings down the interface, triggers IP routing changes
– BFD not yet mature or widely deployed
– Ethernet OAM not yet available
– No SDH “ring” for optical protection
– Quick failover essential for streaming media
• Complaints about cost required central funding for RN interfaces.
Core and Regional
• Regional Networks have previously had great autonomy in designing their own networks
– Mismatch between services offered on core and on RN.
– Difficult to roll out new services
• Backbone has been IPv4/IPv6 dual stack since 2003.
• Some RNs still aren't (but will be soon as it is coming into the SLA)
Core and Regional
• Introducing a “Technical Design Authority”
• Works with all the Regional Networks on their design and procurement.
• Ensure consistent access to new services
– IPv6
– Lightpaths
Core: Bandwidth
• Single large pipes rather than load-sharing over smaller circuits.
– Simpler
– Currently still 10Gbit/s
– One trial link at 40Gbit/s
– Backbone-wide within a couple of years
• Hopefully.
• PMD (polarisation mode dispersion) is SEP (somebody else's problem), sorta
Core: Bandwidth
• Separate large or disruptive flows out onto dedicated channels
– “Lightpaths”
– Not only high bandwidth, but also specialist requirements
• Large Hadron Collider, CERN
– Separate the requirements of a research network from the need to run a highly available IP service for the rest of the customers
Core: Bandwidth
• Add additional channels at marginal cost
– Fixed price between any two core PoPs
– Proven useful for external connectivity
– Also being used to provide GEANT (network linking R&E networks across Europe) with additional capacity to Dublin
Core: Routers
• Reduced number of routers on core
– SJ4 differentiated between “core” and “access” routers
– Required due to functionality of routing equipment when it was designed
• Difficult to do filtering and high-speed routing at the same time
– Also useful for link monitoring. JANET router at the remote end of each link.
Core: Routers
• SJ5 collapses both functions onto the backbone routers
– Fewer boxes to manage and upgrade
– More than 20 fewer routers in SJ5
• Use optical equipment for link monitoring
• Still a few wrinkles
– Sampled netflow (1/10) on 10Gbit/s+ hard to do with current equipment
External connectivity
• Two locations in London's Docklands
– Difficult to get high-speed transit elsewhere
– Even if you do, it is usually long-lined from Docklands
• Each site has 10Gbit/s to two backbone nodes
• Required bandwidth growing ahead of 40Gbit/s availability
• In process of upgrading each site with 10G to four backbone nodes.
External Connectivity
• Multiple transit providers in each location
• Different IXP LANs
• Private peerings in both locations
• Primary and backup GEANT connections spread over the two sites
Thursday, May 18th, 2006
Thursday, May 17th, 2007
Operations
• Historically subcontracted to external party
– University of London Computer Centre
• If you look out the window on the left-hand side...
• In-house as of January 1st, 2007.
– Reduce risk
• Still based in London
– Main JANET office is near Oxford
– but...
Operations
• Just built a new Network Operations Centre
– Redundant access circuits to diverse backbone PoPs
– UPS & Diesel generator
• >20 hours before refuelling
• Second emergency NOC across river
– Different electrical supplies, access circuits, etc.
• Service Desk phone number can be directed to Oxford or London as needed
Some statistics
• 5,851 km of dark fibre
• 90 circuits (60 at 10Gbit/s)
• 112 sites housing optical equipment
• Longest unregenerated link: 554 km
• Longest single span: 243.6 km, 51.2 dB loss
Still one problem to solve
• Operator error
• ...but we have a solution for that too...