The UniNet Express Lane Services - WUNCA…
TRANSCRIPT
The UniNet Express Lane Services
KMUTNB
Assoc. Prof. Vara Varavithya and Peeranon Wattanapong
Contents
• Introduction
• Problems
• Motivation
• Body of Knowledge
• Contributions
• Software-Defined Networks
• Research DMZ
• Grid Security Infrastructure
• Express Lane Services
  • The objectives
  • Architecture
  • Process Operation
  • Performance
• Development on Research DMZ
  • REST APIs
  • Globus GridFTP
  • Data Transfer Nodes with 10 Gbps Bandwidth
  • GSI-enabled ExLane services via SDN packets
• Conclusions
• Future work
Problems
[Figure: Site A (Big Data) to Site B over the traditional network versus over an overlay network]
Motivation
• User requirements: high bandwidth, low latency
• Research and Education Networks (RENs): UniNet in Thailand
  • Provide crucial infrastructure for conducting high-quality research and education
• Several network techniques exist
  • Resource reservations, dedicated networks, overlay networks and virtual networks
Body of Knowledge
• National Research and Education Networks (e.g. ESnet, Internet2, APAN, TEIN4)
• Today's Internet infrastructures in campus
• Thai REN (UniNet) services
  • MPLS, L2-VPN (VPLS), L3-VPN
• Science DMZ
• Research DMZ
• Software-Defined Network
• NetFPGA 1G
• Express Lane services
  • Usage Policy
  • Web Application
  • Testbeds
• Grid Security Infrastructure
  • Proxy Credential (Certificate + Private key)
  • Public Key Cryptography
  • MyProxy
Contributions
• REST APIs on Express Lane services
• Globus GridFTP service on Express Lane services
• Data Transfer Nodes with 10 Gbps Bandwidth
• GSI-enabled ExLane services with SDN packets
Software-Defined Networks: Concepts
[Figure: the control plane is separated from the data plane and drives it over OpenFlow]
• Directly programmable
• Agile: dynamically adjust network-wide traffic flow
• Centrally managed
• Programmatically configured
• Open standards-based and vendor-neutral
Software-Defined Networks: Concepts
[Figure: controller application models. Internal applications run as OSGi bundles on ODL / MD-SAL; external applications reach the controller through REST calls. A proactive application pushes flows to devices ahead of traffic, driven by REST calls or external events; a reactive application registers a packet listener on the controller and installs flow actions in response to packets arriving from devices]
Research DMZ
[Figure: Science DMZ reference design. A border router carries high-bandwidth traffic to/from the WAN and a dedicated path for virtual-circuit traffic into the Science DMZ switch/router; the DMZ hosts a high-performance Data Transfer Node with high-speed storage and perfSONAR measurement nodes; the site/campus LAN reaches Science DMZ resources through the enterprise border router/firewall; per-service security policy control points apply to the DMZ hosts]
Research DMZ Concept
[Figure: campuses attach to UniNet; the uniNet_DMZ segment hosts a DMZ Application Server, an SDN controller node (SDNCtr_Node) and an SDN_Node; an internal VLAN to UniNet and UniNet_L2VPN_X link the campus uniNet_Intra_DMZ segments]
Grid Security Infrastructure
• Credential: Certificate + Private Key
• Certificate Authority: SimpleCA
• MyProxy
[Figure: the user obtains a certificate from the Certificate Authority, stores a proxy credential on the MyProxy server, and later retrieves the proxy to access the Grid. Example certificate fields: Subject: Peeranon Wattanapong; Issuer's name (CA): SimpleCA; Owner's public key; Issuer's signature]
Express Lane Services
• Provide a high-speed on-demand service for REN institutes using SDN and L2-VPN
• Implemented on UniNet as an overlay network for the REN
• Service requests are made through a website
• REST APIs are supported
• Performance monitoring: perfSONAR
The Objectives
• Enable researchers from different institutes to collaborate
• Transfer data desk-to-desk at a high data rate
• Flexibility in management
• Make it easy to request the service
Express Lane Services: Architecture
[Figure: the SDN overlay network on UniNet. An Express Lane Service node (Ubuntu 14.04, MySQL, Node JS, Node Mailer, Nagios XI) hosts the ExpressLane App and a RYU Controller (Ubuntu 14.04, Python 2.7) that drives the NetFPGA OpenFlow switches (Fedora 13, Openflow-Switch.bit, OpenFlow 1.0 protocol). At each site a firewall separates the DMZ from the local network: the DMZ holds the Globus client/server stack (Ubuntu 14.04, Myproxy-server, Globus-GSI, Globus-GRAM5, Globus-GridFTP) and the users sit on the local network]
Express Lane Services: Architecture
• Geographically distributed installation at 7 sites: RMUTT, BSE, KKU, RMUTSB, SLA, PYT2 and PYT1, each with a Research DMZ and a DTN
[Figure: site map; inter-site link distances of 3 km, 9 km, 12 km, 26 km, 77 km and 450 km]
Express Lane Services: Process Operation
[Figure: a user Request carries SRC_MAC, DST_MAC, SRC_IP, DST_IP, START_TIME and END_TIME. The Application Server writes the request into the ApprovedServiceTable of the Database; the RYU Controller reads the ActiveServiceTable and, on Accept, installs flows matching SRC_IP/DST_IP on the OpenFlow switches at BSE, PYT1, PYT2, SLA, RMUTSB, RMUTT and KKU]
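The request-to-flow lifecycle above, as an added example that is not code from the Express Lane application or from RYU. It models the ApprovedServiceTable and ActiveServiceTable, validates the six fields a request carries (the web form is untrusted input), and on each controller tick turns due requests into OpenFlow 1.0-style flow entries whose hard_timeout is derived from END_TIME, with explicit deletions once the window closes. This is the proactive-application pattern from the SDN concepts slide: flows are pushed from the database rather than in reaction to packet-in events. The flow-entry dictionary, the MAX_DURATION policy cap and the switch identifiers are assumptions made for the example.

```python
"""Express Lane request lifecycle modelled in plain Python 3.

Added example, not code from the Express Lane application or from RYU.
Tables and fields follow the Process Operation slide; the flow-entry dict,
MAX_DURATION and the switch identifiers are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
MAX_DURATION = timedelta(hours=24)   # assumed policy cap on one reservation
OFP10_MAX_TIMEOUT = 65535            # OpenFlow 1.0 hard_timeout is a uint16 (seconds)


@dataclass(frozen=True)
class ServiceRequest:
    """One row of the request form: SRC/DST MAC, SRC/DST IP, START/END_TIME."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    start_time: datetime
    end_time: datetime


def validate_request(req: ServiceRequest) -> list[str]:
    """Return the problems found with a request; an empty list means it is acceptable.
    Nothing from the web form reaches a flow entry unchecked."""
    problems = []
    for name in ("src_mac", "dst_mac"):
        if not MAC_RE.match(getattr(req, name).lower()):
            problems.append(f"{name} is not a valid MAC address")
    ips = []
    for name in ("src_ip", "dst_ip"):
        try:
            ip = ipaddress.ip_address(getattr(req, name))
        except ValueError:
            problems.append(f"{name} is not a valid IP address")
            continue
        if ip.version != 4:
            problems.append(f"{name} must be IPv4 (OpenFlow 1.0 nw_src/nw_dst)")
        elif ip.is_multicast or ip.is_unspecified or ip.is_loopback:
            problems.append(f"{name} must be a unicast host address")
        ips.append(ip)
    if len(ips) == 2 and ips[0] == ips[1]:
        problems.append("src_ip and dst_ip must differ")
    if req.end_time <= req.start_time:
        problems.append("end_time must be after start_time")
    elif req.end_time - req.start_time > MAX_DURATION:
        problems.append("reservation exceeds MAX_DURATION")
    return problems


def flow_mods(req: ServiceRequest, now: datetime, switches: list[str], command: str) -> list[dict]:
    """Build one flow entry per switch and per direction.  hard_timeout is the time
    left until END_TIME so the lane closes even if the controller misses a tick; it
    is capped at the OpenFlow 1.0 maximum, so long windows still rely on the explicit
    delete issued by ExpressLaneTables.activate_due when the window ends."""
    remaining = max(1, int((req.end_time - now).total_seconds()))
    mods = []
    for dpid in switches:
        for smac, dmac, sip, dip in ((req.src_mac, req.dst_mac, req.src_ip, req.dst_ip),
                                     (req.dst_mac, req.src_mac, req.dst_ip, req.src_ip)):
            mods.append({
                "dpid": dpid,
                "command": command,
                "match": {"dl_type": 0x0800, "dl_src": smac, "dl_dst": dmac,
                          "nw_src": sip, "nw_dst": dip},
                "hard_timeout": min(remaining, OFP10_MAX_TIMEOUT),
            })
    return mods


@dataclass
class ExpressLaneTables:
    """ApprovedServiceTable (written by the application server) and
    ActiveServiceTable (read by the controller)."""
    approved: list[ServiceRequest] = field(default_factory=list)
    active: list[ServiceRequest] = field(default_factory=list)

    def approve(self, req: ServiceRequest) -> None:
        problems = validate_request(req)
        if problems:
            raise ValueError("; ".join(problems))
        self.approved.append(req)

    def activate_due(self, now: datetime, switches: list[str]) -> list[dict]:
        """One controller tick: activate requests whose window has opened, retire
        those whose window has closed, and return the flow entries to push."""
        mods = []
        pending = []
        for req in self.approved:
            if req.end_time <= now:
                continue                      # window passed before activation; drop it
            if req.start_time <= now:
                self.active.append(req)
                mods.extend(flow_mods(req, now, switches, "add"))
            else:
                pending.append(req)
        self.approved = pending
        running = []
        for req in self.active:
            if req.end_time <= now:
                mods.extend(flow_mods(req, now, switches, "delete"))
            else:
                running.append(req)
        self.active = running
        return mods
```

Matching on both the MAC and the IPv4 pair keeps a lane bound to the two hosts that were approved; a flow matched on IP only would also carry traffic from any host that spoofs the reserved address inside the site.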
Express Lane Services: User Interface
[Figure: screenshot of the service request web interface]
Express Lane Services: Performance
• On-service testing using ping and iPerf
• Testing between SLA and KKU nodes
• Duration: 8-12 AM
[Figure: ping latency (Time, ms, 0-10) and iPerf throughput (Mbps, 0-1000) between SLA and KKU from 04 AM to 02 PM; the requested service window for User A is [08 AM - 12 AM] and the path is Unreachable outside it]
Express Lane Services: Performance
• Transfer of a 10 GB file using SFTP
• Average bandwidth about 300 Mbps
[Figure: SFTP bandwidth (Mbps, 0-400) between each pair of the seven nodes PYT1, PYT2, BSE, SLA, RMUTT, RMUTSB and KKU]
Development on Research DMZ: REST APIs
User Management
• [1] Profiles
• [2] Reset Password
• [10] User Request List
• [11] User Request Accept
• [12] User Edit
• [13] User Delete
• [14] User All List
• [15] User Access Logs
• [16] User Sign Up
Service Management
• [3] Node Status
• [4] User Services All
• [5] User Services State
• [6] User Services History
• [7] Services Requested
• [8] Services Approved
• [9] Services Activated
• [17] Access REST Logs
• [18] Services Add
• [19] Services Edit
• [20] Services Delete
• [21] Services Accept
Globus Service
• [22] Globus Add Service
• [23] Globus My Requested
• [24] Globus History Logs
Development on Research DMZ: Globus GridFTP
[Figure: a Globus Client at the RMUTSB Node and a Globus Server at the BSE Node connected over the UniNet MPLS Service]
Globus GridFTP: User Interface
[Figure: screenshot of the GridFTP transfer web interface]
Globus GridFTP: Performance Testing
• Using FTP, SFTP and GridFTP
• Single-port GridFTP
[Figure: bandwidth (Mbps, 0-1000) for FTP, SFTP and GridFTP transfers of 1 GB, 10 GB and 100 GB files]
Development on Research DMZ: DTN with 10 Gbps Bandwidth
[Figure: end-to-end path between Host@BSE (Faculty of Engineering) and Host@RMUTT (Department of Computer Engineering). On each campus the host passes a traffic shaper, a firewall, an edge router and the main switch at the Computer Center (Computer Center BSE, Computer Center RMUTT) before reaching the UniNet MPLS Services]
DTN with 10 Gbps Bandwidth: Campus Internal Connectivity
[Figure: fibre paths inside each campus. At BSE: Host@BSE in the Faculty of Engineering (bldg. 81) to the Computer Center (bldg. 84) and on to UniNet's router, with connectors LC FC FC FC FC ST LC SC along the path. At RMUTT: Host@RMUTT in the Department of Computer Engineering to Computer Center RMUTT and on to UniNet's router, with connectors SC FC ST FC FC LC]
DTN with 10 Gbps Bandwidth: Performance Testing
[Figures: test results for a direct connection and for a connection through the UniNet network, followed by three further result slides]
Development on Research DMZ: GSI-enabled ExLane services via SDN packets
[Figure: Host 1 behind OFS 1 and Host 2 behind OFS 2, both switches under the RYU Controller; each host retrieves its proxy credential from the MyProxy Server (RetrieveProxy)]
GSI-enabled ExLane services via SDN packets: Tri-Key Packet Encryption
• Command "myproxy-logon -s elephant.globus.org"
• Returns a proxy certificate, a private key and the rest of the certificate
[Figure: the request fields Host 1, Host 2, Start Time, End Time and Time Stamp, together with the proxy credential field EPV, are encrypted under three public keys, Public key 1 (Host 1), Public key 2 (Host 2) and Public key Ctr (the controller), producing the ciphertexts C1, C2 and C3]
GSI-enabled ExLane services via SDN packets: Tri-Key Tunnel Packet
[Figure: tunnel packet layout: Access Certificate, Proxy Certificate, GSI Certificate Header, the ciphertexts C1 C2 C3, and Life Time, Time and Session fields]
GSI-enabled ExLane services via SDN packets: Argus
• Argus Authorization Service
  • Renders consistent authorization decisions for distributed services (e.g., user interfaces, portals, computing elements, storage elements)
  • Based on the XACML standard
  • Uses authorization policies to allow or deny a user performing an action
• Decisions take the form "X performs action Y on resource Z"
• Attribute-based system
• Example client call: pepcli --pepd http://127.0.0.1:8154/authz --resourceid "http://example.org" --actionid "http://example.org/action" --certchain CERT_PATH
Subject attributes
ID           Datatype  Value
subject-id   string    peeranon
org          string    KMUTNB
affiliation  string    student
vo           string    CU, KU
Action attributes
ID           Datatype  Value
action-id    string    submit-job
pilot-job    boolean   FALSE
executable   string    /usr/bin/myexec
duration     integer   10
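The attribute-based decision described above, as an added example that is not Argus code: Argus evaluates real XACML policies and pepcli speaks the PEP daemon protocol, whereas this stand-alone Python model only shows the decision logic for "X performs action Y on resource Z" using the subject and action attribute tables from the slide. The policy rules, the resource attributes (allowed-vo, max-duration) and the deny-by-default enforcement are assumptions; the deny-overrides combining rule is XACML's.

```python
"""Attribute-based authorization in the style of Argus / XACML.

Added example, not Argus code.  The subject and action attributes come from
the slide; the policy rules and the resource attributes are hypothetical.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: Dict[str, object]
    action: Dict[str, object]
    resource: Dict[str, object]


@dataclass
class Rule:
    rule_id: str
    effect: str                             # PERMIT or DENY
    target: Callable[[Request], bool]       # does the rule apply to this request at all?
    condition: Callable[[Request], bool]    # must hold for the effect to fire


def evaluate_rule(rule: Rule, req: Request) -> str:
    """XACML rule semantics: no target match or a false condition gives NotApplicable."""
    if not rule.target(req) or not rule.condition(req):
        return NOT_APPLICABLE
    return rule.effect


def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins; otherwise Permit if some rule permitted; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def decide(policy: List[Rule], req: Request) -> str:
    return deny_overrides([evaluate_rule(r, req) for r in policy])


def is_permitted(decision: str) -> bool:
    """The enforcement point treats everything except an explicit Permit as a refusal."""
    return decision == PERMIT


def parse_vo(value) -> set:
    """The slide lists several VOs in one string ("CU, KU"); split it into a set."""
    return {v.strip() for v in str(value).split(",") if v.strip()}


def is_submit_job(r: Request) -> bool:
    return r.action.get("action-id") == "submit-job"


# Assumed policy set for a computing element that accepts job submissions.
POLICY = [
    Rule("deny-pilot-jobs", DENY, is_submit_job,
         lambda r: r.action.get("pilot-job") is True),
    Rule("deny-over-long-jobs", DENY, is_submit_job,
         lambda r: int(r.action.get("duration", 0)) > int(r.resource.get("max-duration", 0))),
    # Normalise before the prefix test so "/usr/bin/../../tmp/x" cannot pass as /usr/bin/.
    Rule("deny-unapproved-executable", DENY, is_submit_job,
         lambda r: not os.path.normpath(str(r.action.get("executable", ""))).startswith("/usr/bin/")),
    Rule("permit-kmutnb-vo-member", PERMIT, is_submit_job,
         lambda r: r.subject.get("org") == "KMUTNB"
         and r.subject.get("affiliation") in {"student", "staff"}
         and bool(parse_vo(r.subject.get("vo", "")) & parse_vo(r.resource.get("allowed-vo", "")))),
]


def slide_request(**overrides) -> Request:
    """The subject and action attribute tables from the slide; the resource
    attributes are assumed.  Keyword overrides replace individual attribute values."""
    subject = {"subject-id": "peeranon", "org": "KMUTNB", "affiliation": "student", "vo": "CU, KU"}
    action = {"action-id": "submit-job", "pilot-job": False,
              "executable": "/usr/bin/myexec", "duration": 10}
    resource = {"resource-id": "http://example.org", "allowed-vo": "KU, NECTEC", "max-duration": 60}
    for table in (subject, action, resource):
        for key, value in overrides.items():
            if key in table:
                table[key] = value
    return Request(subject, action, resource)
```

Two points carry over to a real deployment: the PEP must fail closed on NotApplicable and Indeterminate, not only on Deny, and any attribute compared as a path or name must be normalised before the comparison, otherwise the allowlist on executable is bypassed with a relative path.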
GSI-enabled ExLane services via SDN packets: Software Architecture
[Figure: Host 1 and Host 2 each run a MyProxy client together with UDP Server.py / UDP Client.py in Mininet XTERM windows; the RYU Controller runs on Ubuntu 14.04 with Python 2.7 and Mininet; the Myproxy-server runs on CentOS 6.8]
GSI-enabled ExLane services via SDN packets: Process Operation
[Figure: six numbered steps (1-6) exchanged between Host 1, OFS 1, the RYU Controller, OFS 2, Host 2 and the MyProxy Server, beginning with both hosts retrieving their proxies (RetrieveProxy)]
GSI-enabled ExLane services via SDN packets: Functional Testing
[Figures: functional-test screenshots, three slides]
Conclusions
• Express Lane services provide premium network services for researchers for a defined period of time
• 7-node deployment in the UniNet
• Desk-to-desk data transfer achieves up to 900 Mbps
• UniNet can launch this service to the research community
Future Work
• Improve the core functions for more efficiency and stability
• Create more services for RENs
• A wider variety of communication access methods via the REST APIs
• Further experiments on the research DMZ testbed
• Integrate the Tri-Key certificate scheme and Argus with SDN
• Publish to the research community
Question & Answer
Thank you for your attention.