Slide 1: Taiwan Advanced Research and Education Network (TWAREN): Current Status & Future Plan
Dr. Te-Lung Liu, Researcher
National Center for High-Performance Computing
tlliu@nchc.narl.org.tw

Slide 2: Outline
- TWAREN Network Overview
- Development and Research Technologies

Slide 3: TWAREN Network Overview (section divider)

Slide 4: (image-only slide; no text extracted)

Slide 5: What is TWAREN
- A physical network that serves multiple purposes and logical networks:
  - TANet, which connects to the commodity Internet
  - TWAREN research network: experiments, testbeds, special research
- Provisions services on multiple layers: L1 lightpaths, L2 VLAN, L3 IP
- Successfully migrated from the old backbone in Oct 2006

Slide 6: TWAREN Architecture
- 4 core nodes
- 20G backbone
- 12 GigaPoPs
- Connects HPC resources in North and South Taiwan

Slide 7: Goals of TWAREN
- TWAREN is part of "Challenge 2008", a comprehensive six-year national development plan formulated by the government
- Build a highly reliable, stable and flexible R&E network for the academic and research community in Taiwan
- Provide advanced network services to satisfy the needs of the academic field in Taiwan
- Increase international and domestic collaboration
- Future infrastructure drives today's research agenda

Slide 8: TWAREN GigaPoPs (map only)

Slide 9: TWAREN Services
- Broadband connection service
- International research network transit (Internet2)
- Measurement / network management
- Multimedia / multicast
- Lightpath provisioning
- Virtual Private Network (VPN)
- Native IPv6 service
- Internet access
- MCU
- Proxy server
- SourceForge
- File download center
- Consultation
- Applications support

Slide 10: TWAREN Achievements
- High reliability & availability (99.9% to 99.99%): fault tolerance, automatic protection where possible, automatic failure detection and locating
- Better performance: minimum number of routers between GigaPoPs
- Flexible: a logical network can be set up easily and quickly per user request
- People skills: optical network OAM

Slide 11: Optical Backbone
[Diagram: STM-64 / STM-16 optical backbone of ONS15600 core nodes (TP, HC, TC, TN) and ONS15454 nodes at ASCC, NTU, NIU, NCU, NDHU, NCTU, NCHU, NTHU, NSYSU, NCKU and CCU]

Slide 12: Interconnecting with L2/L3 devices
[Diagram: STM64 / STM16 / 10GE / GE links among ONS15600, ONS15454, 7609, 6509, GSR and 3750 devices at Taipei, Hsinchu, Taichung and Tainan, connecting NTU, ASCC, NCCU, NIU, NDHU, NCU, NCNU, NHLTC, NCTU, NCHU, NTTU, NTHU, NSYSU, NCKU and CCU]

Slide 13: Protection Mechanism (circuit break)
Two levels of protection:
- By carriers: SDH protected
- By architecture:
  - Link between core nodes: VLANs are reconfigured with Rapid Spanning Tree Protocol (5 s)
  - Link between GigaPoP and core node: backup SNCP lightpaths are configured for automatic failover (50 ms)

Slide 14: Protection Mechanism (equipment protection)
- Core node failure: manually configure emergency lightpaths to re-route traffic from the affected GigaPoPs to another core node. Emergency lightpaths need to be designed and documented.
- GigaPoP failure: spare line cards

Slide 15: Normal Traffic Flows
[Diagram: the L2/L3 topology of slide 12 with normal traffic flows]

Slide 16: In case of circuit break...
[Diagram: the L2/L3 topology of slide 12 with traffic re-routed after a circuit break]

Slide 17: In case of core node failure...
[Diagram: the L2/L3 topology of slide 12 with traffic re-routed around a failed core node]

Slide 18: TWAREN NOC
- NOC (Network Operation Center) located at the NCHC southern business unit in Tainan Science Park
- Goal: ensure 7x24 network operation
- Major work:
  - Providing 7x24 network maintenance and operation
  - Enhancing security capacity
  - Providing network services: peering, lightpath provisioning, network architecture design
[Photo: TWAREN NOC]

Slide 19: TANet VPN
[Diagram: the TANet VLAN as one L2 subnet spanning MOEcc6509 and the campus 6509 switches (NDHU, NCCU, NHLUE, NTU, NCU, NCHU, NCTU, NTHU, NSYSU, CCU, NTTU, NCKU) through the TP/HC/TC/TN 7609 L2 switches]

Slide 20: TWAREN Research VPN
[Diagram: the Research VLAN across the campus 7609P routers and the TP/HC/TC/TN 7609C switches; 12816 routers (iBGP route reflectors at TP and TN) provide peering to TANet (MOEcc6509), TAIWANLight, TWGATE, the Internet, ASCC, APAN and ISPs]

Slide 21: VPN Services
- Multipoint-to-multipoint Layer 2 VPN (VPLS)
  - Multiple VPNs over a single architecture
  - Cross-area campuses and offices can be connected within a single administrative domain
  - Dynamic creation of VPNs for nationwide integrated projects
- User-based SSL VPN access
  - Access to different VPNs according to login name and password authentication
  - Researchers and professors can access their own research resources from home or outside

Slide 22: VPLS Architecture (diagram only)

Slide 23: User-Based SSL VPN Access
[Diagram: users connect with a web browser to SSL VPN gateways at the Hsinchu and Tainan core nodes, which place them on the TWAREN VPLS backbone for Org 1 ... Org n]

Slide 24: TWAREN's International Connections
- Pacific Crossing to the USA's west coast upgraded to 5 Gb/s
- Connections between LA, Palo Alto, Chicago and New York are 2.5 Gb/s
- Connects to the rest of the world via the U.S. Abilene Network
- Connection expanded to Europe in 2006 (IEEAF donated 622 Mbps of bandwidth / fiber-optic cable)

Slide 25: Combined TWAREN/TAIWANLight Lambda Testbed
[Diagram: ONS15454 nodes at each campus and ONS15600 nodes at TP, HC and TN form the TWAREN optical network; TAIWANLight extends it with 15454 nodes at LA, Palo Alto, Chicago and NY]

Slide 26: TWAREN's International Peerings
TWAREN peers with international NRENs at Los Angeles, Chicago, New York and Seattle (through Pacific Wave).

Slide 27: TWAREN's Direct Peerings Coverage
TWAREN's direct peering covers most areas in America, Asia, Australia and New Zealand, and will soon be expanded to Europe.

Slide 28: TWAREN/TAIWANLight and GLIF
- TWAREN is a member of GLIF (Global Lambda Integrated Facility)
- TAIWANLight is an official optical exchange, a GOLE (GLIF Open Lightpath Exchange)

Slide 29: Development and Research Technologies (section divider)

Slide 30: Future Internet Testbed @ Taiwan

Slide 31: Future Internet
- There are many serious limitations in the current Internet: scalability, security, QoS, virtualization
- "Future Internet is a summarizing term for worldwide research activities dedicated to the further development of the original Internet." (From Wiki)

Slide 32: Future Internet Testbed
For innovation and research in the Future Internet, the testbed requires some advanced concepts:
- Programmability
- Virtualization
- End-to-end slices

Slide 33: OpenFlow
- Makes deployed networks programmable
- Makes innovation easier: no more special-purpose testbeds
- Validate your experiments on the production network at full line speed

Slide 34: TWAREN OpenFlow Testbed in 2010
[Diagram: NOX controller and OpenFlow switch at NCHC; OpenFlow networks at KUAS and NCKU and the iCAIR site reached across the TWAREN L3 network through Capsulators]
- NCKU and KUAS are the pilot universities connected to the testbed
- The OpenFlow testbed is extended to iGENI@iCAIR
- Capsulator (Ethernet-in-IP tunnel) is used to emulate a pure L2 network for OpenFlow

Slide 35: TWAREN OpenFlow Testbed in 2011
[Diagram: OpenFlow switches at NCHC, NCU, NCKU, KUAS, NTUST and CHT-TL connected over TWAREN VPLS, with Capsulators for some sites]
- NTUST, NCU and CHT-TL joined the testbed
- For TWAREN connectors (NCKU, KUAS and NCU), a dedicated VPLS VLAN is allocated for better transmission performance

Slide 36: Emulab/ProtoGENI Testbed
- TWISC (Taiwan Information Security Research and Education Center) operates 206 nodes of the Emulab testbed in Taiwan: the third largest Emulab in the world
- Testbed@TWISC is operated by the NCKU team and co-located in NCHC
- A portion of the testbed is planned for ProtoGENI tests with the University of Utah
- A lightpath is provisioned between NCHC and iCAIR, shared by both OpenFlow and Emulab/ProtoGENI
[Diagram: control network and experiment networks separated by firewalls; BOSS and OPS servers and the experiment switch]

Slide 37: Lightpath and VLAN setup
[Diagram: VLAN trunks between iCAIR, 7609P@HC, 7609P@TN, 7609V NCKU, 7609V NCKU EE, NCHC OF switches A and B and Emulab@NCHC]
- Emulab/ProtoGENI: VLAN 462
- iCAIR OF (with NCKU): VLAN 2782 (also the lab VLAN at iCAIR)
- NCKU OF (with iCAIR): VLAN 1548
- VLAN 1555 is also carried on the 7609P@TN and 7609V NCKU trunks (not labelled on the slide)

Slide 38: iGENI - Taiwan Integrated Research Network (diagram only)

Slide 39: Multi-Domain OpenFlow Management
- Each network domain has its own OpenFlow controller
- Each controller manages topology and flow provisioning inside its domain
- An inter-domain flow can be made by connecting the partial flows provisioned by the controllers of each cloud
- Lack of a global view for inter-domain flows
- No loops allowed in the inter-domain topology
- Difficult to support QoS or SLA functions across domains
- Inter-domain topology auto-discovery is required for multi-domain management

Slide 40: Inter-Domain Topology Discovery (I)
- An OpenFlow controller only knows its directly connected switches.
- ENVI is a useful GUI tool to show the OpenFlow topology under a single controller.
[Diagram: Controller1 sees OFA-OFB (Topology of Domain1) and Controller2 sees OFC-OFD (Topology of Domain2); the Domain UI shows each topology separately]

Slide 41: Inter-Domain Topology Discovery (II)
- We add additional contents to the LLDP packet so that controllers obtain their neighbours' connectivity details.
- ENVI is also modified to show the whole topology.
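To make the extended-LLDP idea of slides 40 and 41 concrete, here is an added Python example (not TWAREN's NOX or ENVI modifications): an LLDP frame carries an extra organizationally specific TLV (type 127) that lists the sender's intra-domain links, and the receiving domain's controller merges them with its own view into a global topology. The OUI, the subtype, the text format of the link list and the OFA-OFD switch/port numbers are assumptions.

```python
import struct

# Constructed example (not TWAREN's NOX/ENVI code): an LLDP frame with an extra
# organizationally specific TLV (type 127) listing the sender's intra-domain links.
OUI_ASSUMED = b"\x00\x00\x00"     # placeholder OUI, not a registered one
SUBTYPE_NEIGHBOURS = 1            # assumed subtype for the link-list TLV

def tlv(t, value):
    """One LLDP TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    return struct.pack("!H", (t << 9) | len(value)) + value

def build_lldp(chassis, port, links, ttl=120):
    """Chassis ID, Port ID (subtype 7 = locally assigned), TTL, neighbour TLV, End TLV."""
    text = ";".join(f"{a}:{ap}-{b}:{bp}" for a, ap, b, bp in links)
    custom = OUI_ASSUMED + bytes([SUBTYPE_NEIGHBOURS]) + text.encode()
    return (tlv(1, b"\x07" + chassis.encode()) + tlv(2, b"\x07" + port.encode())
            + tlv(3, struct.pack("!H", ttl)) + tlv(127, custom) + tlv(0, b""))

def parse_lldp(payload):
    """Decode the TLVs back into (chassis, port, [(sw, port, sw, port), ...])."""
    chassis, port, links, i = None, None, [], 0
    while i < len(payload):
        hdr, = struct.unpack_from("!H", payload, i)
        t, n = hdr >> 9, hdr & 0x1FF
        v, i = payload[i + 2:i + 2 + n], i + 2 + n
        if t == 0:
            break
        if t == 1:
            chassis = v[1:].decode()
        elif t == 2:
            port = v[1:].decode()
        elif t == 127 and v[:3] == OUI_ASSUMED and v[3] == SUBTYPE_NEIGHBOURS:
            for item in filter(None, v[4:].decode().split(";")):
                (a, ap), (b, bp) = (x.split(":") for x in item.split("-"))
                links.append((a, int(ap), b, int(bp)))
    return chassis, port, links

def learn_topology(local_links, rx_switch, rx_port, payload):
    """Receiving controller's view: own links + the inter-domain link + neighbour's links."""
    chassis, port, remote_links = parse_lldp(payload)
    return sorted(set(local_links) | {(chassis, int(port), rx_switch, rx_port)} | set(remote_links))

# Constructed topology from slides 40/41: Domain1 = OFA-OFB, Domain2 = OFC-OFD, joined by OFB:2 <-> OFC:1.
DOMAIN1 = [("OFA", 2, "OFB", 1)]
DOMAIN2 = [("OFC", 2, "OFD", 1)]
FRAME = build_lldp("OFB", "2", DOMAIN1)                  # OFB advertises Domain1 out of its port 2
GLOBAL_VIEW = learn_topology(DOMAIN2, "OFC", 1, FRAME)   # Controller2 receives it on OFC port 1
```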
[Slide 41 diagram: with the extended LLDP, Controller1 and Controller2 each learn the OFA-OFB-OFC-OFD chain and the Domain UI shows the Topology of Domain1 & 2 together]

Slide 42: Results
- Multi-domain network topology shown in the GUI
- Physical OpenFlow network topology

Slide 43: GLIF & SC11 Demo
Joint demo among NCHC/TW, iCAIR/US and CRC/Canada

Slide 44: Information Security Activity Detection over High-Speed Backbone (section divider)

Slide 45: Security Detection over High-Speed Backbone
- Normally we don't install IDS/IDP in the backbone because of performance issues; IDS/IDP are placed at users' local sites
- Backbone traffic is hard to mirror because of its volume and speed, so full packet analysis is impossible
- Packet header analysis is available with NetFlow/sFlow
- Information Security Activity Detection over High-Speed Backbone: integrate fast packet header analysis with attack information from users' local sites

Slide 46: System Architecture
[Diagram]
- Inputs: intrusion and attack information from users' local sites (users' IDS/IDP, users' honeypots, users' log analyzers) and NetFlow data from backbone and user routers
- Security Detection @Backbone: collect the backbone's NetFlow data and users' NetFlow data, search them, and notify users of suspicious activities
- Responses: orientation, trace-back, notification, block (on the backbone network, at peering partners or in the user network)

Slide 47: Design Concepts
- Distributed computing: for monitoring NetFlow data in real time
- Fast search: effective tree-searching algorithm
- Expandable: simply add more machines when larger data analysis is required
- Remote backup: computing nodes are separated so that a robust analysis service can be provided
- Single portal: all input can be submitted to a single portal with Global Server Load Balancing technology
- Cooperate with researchers/developers: an open API will be designed so that developers can contribute their own ideas

Slide 48: Design Blocks
[Diagram: NetFlow packets from Router1 ... RouterN pass through Filter 1 ... Filter N; matched NetFlow raw records go via Distributor 1 / Distributor 2 to Analyzer 1 ... Analyzer N (listening on ports 3333, 4444, 5555, ...), each of which uses the Blacklist Search Tree; results return to Controller 1 / Controller 2, which update the search tree from the blacklist fed by IDS/IDP, honeypots and syslog]

Blacklist (example rows from the slide):

IP      | Port | Type    | Analyzer | Analyzer Port
A.A.A.A | 1234 | botnet  | 1        | 3333
B.B.B.B | 4321 | Fake-IP | 2        | 4444
C.C.C.C | 1122 | Cracker | 3        | 5555
...

Slide 49: Numerical Results of Tree Creation (chart only)

Slide 50: Numerical Results of Real-time Matching (chart only)

Slides 51-57: (image-only slides; no text extracted)

Slide 58: Thank You!
For more information, please see: www.twaren.net
- 2011 -
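As an added worked example of the Filter / Blacklist Search Tree / Distributor blocks on slide 48 (this is not TWAREN's own code, and it simplifies their system to one process): it builds an octet-keyed search tree from a constructed blacklist, decodes a constructed NetFlow v5 datagram with the standard-library struct module, and returns the flows that should be handed to an analyzer together with the analyzer port. The tree layout, the RFC 5737 addresses and the sample flows are assumptions.

```python
import struct, ipaddress

# Constructed blacklist shaped like slide 48's table; RFC 5737 addresses stand in for A.A.A.A etc.
BLACKLIST = [("192.0.2.10", 1234, "botnet", 1, 3333),       # (ip, port, type, analyzer, analyzer port)
             ("198.51.100.7", 4321, "Fake-IP", 2, 4444),
             ("203.0.113.99", 1122, "Cracker", 3, 5555)]
V5_REC = "!4s4s4sHHIIIIHHBBBBHHBBH"    # NetFlow v5 flow record (48 bytes)

def build_search_tree(entries):
    """Octet-by-octet tree: four levels of dicts keyed by octet, then a leaf keyed by port."""
    root = {}
    for ip, port, kind, analyzer, aport in entries:
        node = root
        for octet in ip.split("."):
            node = node.setdefault(int(octet), {})
        node[port] = (kind, analyzer, aport)
    return root

def lookup(tree, ip, port):
    """(type, analyzer, analyzer port) for a listed ip:port, else None; at most five dict steps."""
    node = tree
    for octet in ip.split("."):
        node = node.get(int(octet))
        if node is None: return None
    return node.get(port)

def parse_v5(packet):
    """Yield (src, sport, dst, dport, proto) for every record in a NetFlow v5 datagram."""
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5: raise ValueError("not NetFlow v5")
    for i in range(count):
        r = struct.unpack_from(V5_REC, packet, 24 + 48 * i)
        yield str(ipaddress.IPv4Address(r[0])), r[9], str(ipaddress.IPv4Address(r[1])), r[10], r[13]

def filter_flows(tree, packet):
    """Slide 48's Filter stage: flows whose src or dst hits the tree, tagged with type and analyzer port."""
    hits = []
    for src, sport, dst, dport, proto in parse_v5(packet):
        hit = lookup(tree, src, sport) or lookup(tree, dst, dport)
        if hit: hits.append((src, sport, dst, dport, hit[0], hit[2]))
    return hits

# Constructed NetFlow v5 datagram: 24-byte header (version 5, count 3) plus three TCP (protocol 6) records.
SAMPLE = struct.pack("!HHIIIIBBH", 5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join(
    struct.pack(V5_REC, ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                b"\0" * 4, 0, 0, 1, 64, 0, 0, sp, dp, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    for s, sp, d, dp in [("10.0.0.5", 40000, "192.0.2.10", 1234),   # listed botnet ip:port
                         ("10.0.0.6", 40001, "192.0.2.10", 80),     # same IP, other port: no hit
                         ("203.0.113.99", 1122, "10.0.0.7", 22)])   # listed "Cracker" source
HITS = filter_flows(build_search_tree(BLACKLIST), SAMPLE)
```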