[phpBB Debug] PHP Notice: in file /viewtopic.php on line 945: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Helsinki' for 'EET/2.0/no DST' instead
[phpBB Debug] PHP Notice: in file /viewtopic.php on line 945: getdate(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Helsinki' for 'EET/2.0/no DST' instead
BREN forums • View topic - GÉANT3 - beyond the present state

GÉANT3 - beyond the present state

Пан-Европейската Изследователска и Образователна Мрежа

Moderators: nina, Keva

GÉANT3 - beyond the present state

Postby nina » 19 Mar 2009, 11:56

The NREN community believes that in GÉANT3 the emphasis will be on consolidating the infrastructure into a truly pan-European, robust and stable operational, multi-domain hybrid network. Creating a user provisioned multi-domain hybrid network is a radical step and the first in the world to do it on a continental scale across a very diverse group of NRENs using diverse technologies.

However, user-driven virtual networks are emerging, and this trend may become an important leap forward. Therefore, there will be a constant need to evaluate the significance of advanced technology without compromising the production quality of the GÉANT3 service portfolio.

The GÉANT3 programme includes the Joint Research Actions (JRAs) and corresponding Support Actions (SAs) developing new technologies into network-wide services.

This will drive GÉANT3 towards exciting technology targets, such as:

Hybrid network planning and operation.
GÉANT3 will keep deploying the most advanced hybrid optical technologies available, and adopt cost-effective backbone architectures. Sustainable business models (such as long-term international dark fibre leasing) will be investigated. Network operations will maintain production-quality connectivity and robust multi-domain services by following and perfecting In-Service-Support (ISS) best practices. It is expected that transmission technologies, already enabling DWDM at 40 Gigabit/sec/wavelength, will advance to 100 Gigabit/sec per wavelength within the lifetime of the GÉANT3 project. Many NRENs continuously evaluate, test and deploy cutting-edge technologies at data, control and management levels, and GÉANT3 will act as the coordinator of this effort to encourage European NREN technology.

Many collaborative activities world wide now contribute to the ability to connect circuits for mission-critical applications. Such achievements as the GÉANT2 End to End Coordination Unit (E2ECU) for VPNs like the LHC OPN, the integration of NREN Cross-Border-Fibres (CBFs), the establishment of GÉANT global circuits and the use of lightpath exchanges are all expected to be elements in the architecture of GÉANT3.

Depending on evolving costs and product maturity, topology planning may indicate extensive use of Layer 1 ROADM’s and Layer 2 Carrier Ethernet switching, with Layer 3 IP functionality provided by virtual instances within shared logical routers. The community feels that the GÉANT3 emphasis will be on resilient hybrid connectivity and robust service offerings, managed by NREN NOCs and the GÉANT3 NOC working together in a structure inferred from current best practice.

Support for services using different layers of the network will be key in realising a flexible set of services that will support the R&E community.

Multi-domain services.
R&E networking spans multiple domains. Therefore, services must be established across confederate administrative domains: Campuses, NRENs and international interconnections, composed of GÉANT backbone links enriched with Cross Border Fibre and connections with global peers. Automated multi-domain management is an area where the GÉANT3 community will continue research and development, triggered by end-user requirements and profiting from the collaboration between partner NRENs and their global peers.

Control-plane techniques are needed to manage robust multi-domain paths, VPNs, and OPNs in multi-technology hybrid networks. This enables the exchange and processing of information beyond simple IP reachability and manual path-finding indications. A prerequisite for the success of the GÉANT3 consortium will be the ability of all European players and their global partners to work together in developing and offering multi-domain management services within their diverse technological and cultural environment. For multi-domain operations and services to succeed, GÉANT3 should encourage the adoption of a common network description schema among NRENs, and to deploy enhanced control plane protocols and management plane techniques across domains. This, coupled with vendor and technology diversity amongst domains (GÉANT3, NRENs, end-user campuses, global peers), presents the challenge for the GÉANT3 project to be one of the key players for developing, testing and deploying multi-domain control and management services, and also relaying their experience to standardisation bodies.

The most important advanced services to be developed and deployed on wide scale are:
I. International circuit stitching (e.g. the GÉANT2 E2ECU, which also incorporates NREN Cross-Border-Fibres, global circuits and lightpath exchanges).
II. Distributed monitoring architectures (perfSONAR jointly developed by GÉANT and the US Internet2 & ESnet).
III. Automated Trans-Continental provisioning by coordinating the GÉANT2 AutoBAHN with NREN, vendors, the US Internet2 Dynamic Circuit Network (DCN) tools.

For the above multi-domain functions the following set of tools is required:

I. Federated Authentication and Authorisation Infrastructures (AAI) for NREN & GÉANT NOC access (eduGAIN federations)

II. Specification of a common Network Description Schema, I-Share, incorporating multi-layer, multi-domain aspects. In essence this is complementary to the current cNIS service. cNIS could be either fully adopted by an NREN for its intra-domain needs, or at least be part of its obligation to export network description primitives in a common format to enable multi-domain management (e.g. monitoring and provisioning).

III. Global inter-domain control protocol suite (IDC jointly developed by the DICE group - DANTE, Internet2, CANARIE & ESnet)

IV. Promotion of cross-domain security incident reporting, coordinated intrusion and anomaly detection, and establishment of distributed trouble-ticketing workflow services and coordinate NREN PERTs (Performance Emergency Response Teams). This will encourage the further development of NREN PERTs whilst improving the coordination of PERT activities.

Network of the future.
The provisioning of a robust, high-performance R&E infrastructure, is a dominant requirement for the GÈANT activity. However, the GÉANT3 consortium will now also be able to provide advanced testing facilities to academic and industrial researchers, while contributing with its research agenda to new protocols, coordinated security and service virtualisation.

Security activities in GN3 can be described in two broad categories:-
- Those intended to stop, mitigate and counteract intrusions and unwanted activities performed for malicious reasons. This is a mixture of reactive and proactive actions. These are covered in SA2 T4 and the JRA2 T4 developments.

- Those intended to ensure that services and resources are accessible only to those who have the correct rights of access. This is a mixture of enabling and protecting. Access and resources and it is covered by a wider set of SAs tasks, enhanced by the complementary JRAs.

The general rationale behind security is to develop management and protection (the second category of activities) in order to minimise the requirement for policing and observation (the first category of activities). The development and introduction of Authentication and Authorization Infrastructure activities in GN3 is therefore considered essential for the deployment of Services. An additional difficulty is the multidomain environment which mandates the deployment and research of ways to exchange secure information

To enable and protect services the following elements are required:-

- services providing an identity and a "role" to users. These are called "identity provider". They reside close to the end user, within the single institutions where they belong. They can, and already do, use a wide range of protective methods such as password, smart cards, onetime keys, and biometric identification. Public key infrastructure X.509 certificates as issued by certification authorities (CA) represent yet another possible tool for authentication. These are implemented via various protocols and devices such as LDAP, RADIUS, and SSL connections.

- network services, which are offered, need to demand authentication from users and must have the ability to accept identities provided by the identity providers, and to decide who can use them.

- national/local services able to federate (e.g. technical methods to enable cross trust) the identity provided, and the service providers.

- international confederations, joining together national/local federations.

These activities must collaborate closely and need to be coordinated to ensure a homogeneous implementation and overall ease of use of the services by the end-user. A Security Coordination role has been identified in the GN3 Project Office and has been appointed to facilitate this.

In the context of the GN3 project the following is important:
- Support Actions task is to run the operations of international confederations and the presence of national federations.
- Joint Research Activities tasks to fill the missing technical interfaces between existing "identity providers" and "services provided" and the federation protocols and requirements.

The technically possible bits are various, and although they might seem uncorrelated, they should all be enabled to belong to a single federation and confederation. In some cases also the AAI methods and functionalities in the services are technically different:

- The eduRoam service connects directly the identity provider at the user home , via an encrypted tunnel. The answer is either "OK" or "NO" and the while logic remains in the home Identity Provider.
- eduGAIN uses the classical certificate-based AAI model, where the role and attributes of the users are transferred to the service which is being accessed, and the service decides what to do.
User avatar
Posts: 29
Joined: 17 Feb 2009, 18:27

Return to Проект GÉANT

Who is online

Users browsing this forum: No registered users and 1 guest