GÉANT Global Service Outreach for UbuntuNet Alliance
Tom Fryer, Head of International Relations
Antananarivo, Madagascar, Wednesday, 30 October 2019
www.geant.org
GÉANT Global Service Collaboration – A Brief History
• Outreach in the past:
  • Services carry out their own outreach/sharing (e.g. eduroam/eduGAIN)
  • Opportunities also identified through individual conversations, but not coordinated
• GN3plus NA4 T1 (2014)
  • Analysis of the global status of GÉANT services; made some recommendations and was an attempt at better coordination. Few resources were available for detailed follow-up.
• EU-funded RedCLARA-led projects focused on eduroam and eduGAIN:
  • ELCIRA (Latin America): 2012-2014 – focused on Latin America
  • MAGIC (Global): 2015-2017 – global focus, including the ASREN community
GÉANT Global Service Outreach
• Aim is to:
  • Understand which GÉANT services can be of benefit to R&E networking partners around the world
  • Develop a deployment plan for services with interest outside Europe
• We do this by:
  • Reviewing all services to understand their possibilities for global sharing
  • Describing services and how they can be shared with Global Partners
  • Developing a plan for global deployment based on feedback from all Global Partners
Potential Service Deployment Options
• Service not available/relevant for Global Partners
• Service available via interconnection
• Access from GÉANT but not via interconnection
• Local Deployment
• Capacity Building / Training
• Sharing of Best Practices
• Participation in community activity
• Dissemination support
• Raise awareness (e.g. service not yet ready for global deployment but has potential in the future)
• Other
Network Services Available via GÉANT Interconnection
GÉANT-UbuntuNet Interconnectivity
• UbuntuNet connects to GÉANT in LON & AMS:
  • 2 x 10 Gbps for IP & point-to-point
GÉANT-UbuntuNet Community Interconnectivity
Gives access to:
• GÉANT IP Backbone
  • Over 40 European countries
  • 10,000+ institutions
  • 50 million users
• GÉANT Plus point-to-point service (L2VPN):
  • To GÉANT NRENs, usually at no charge
  • To Global Partners, a charge may apply (currently not)
GÉANT-ASREN - Global Community Access
• Global transit for UbuntuNet to:
  • North America: CANARIE, ESnet, Internet2, NISN (NASA)
  • Latin America: RedCLARA
  • Africa: ASREN, WACREN
  • Central Asia: CAREN*
  • Asia-Pacific: TEIN, CERNET, CSTNET, SINET, etc.
Other Connectivity Services Available via Interconnection
• Layer-3 VPN to GÉANT NRENs or Global Partners (where reciprocated):
  • Charges may apply
• GÉANT Lambda
  • Private, transparent wavelengths on GÉANT dark fibre
  • Charges will apply
Other Connectivity Services Available via Interconnection
• GÉANT Open:
  • Neutral exchange facility in Dublin, London, Marseilles & Paris
  • Enables connectors to peer directly with other connectors
  • Current pricing:
    • €3,000 for 1 Gbps
    • €6,000 for 10 Gbps
    • €24,000 for 100 Gbps
    • Once connected there is no additional charge for individual peerings
  • Current connectors:
    • London: GÉANT, AARNet (Australia), ESnet (USA), HBKU/Qatar Foundation (Qatar), Indiana University (USA), Internet2 (USA), NORDUnet (Nordic Countries), PSNC (Poland), SingAREN (Singapore), SURFnet (Netherlands), TENET (South Africa), WACREN (London)
    • Paris: GÉANT, HBKU/Qatar Foundation (Qatar), SURFnet (Netherlands)
Other Network Services Not Available via GÉANT / Potential for Local Deployment / Technology Share
MD-VPN
• Multi-domain Virtual Private Network
• End-to-end VPN service that enables users across multiple sites and domains to collaborate via a common private network infrastructure
• Benefit for native users is that NRENs can set up VPNs across the Regional Network without operations work needed by the Regional Network
• Service outreach option:
  • Technology Share for Local Deployment
GÉANT Testbed Service (GTS)
• GTS delivers integrated virtual environments as "testbeds" for network researchers in the community.
• GÉANT GTS is limited to use by the European community.
• Service outreach option:
  • Technology Share for Local Deployment
Other GÉANT Network-related Services – For Information
• GÉANT World Service:
  • Commodity internet access with multiple suppliers and multiple peerings to maximise redundancy for GÉANT Members!
• Commercial Peerings:
  • Access to as wide a number of Internet prefixes as possible (e.g. Yahoo!, Twitter, Wikipedia, Google, Microsoft, + many, many more)
• Cloud Peerings:
  • Access to Cloud Service Providers (e.g. Amazon, Exoscale, Microsoft, T-Systems, Dimension Data)
• GÉANT MS ExpressRoute
  • Enables Azure users to access their resources hosted in MS data centres via a private circuit rather than via the Internet.
  • Implemented by GÉANT as a GÉANT Plus service
Service outreach options:
• For information – recommend local deployment where appropriate (GÉANT can provide advice/best practices).
Network Support Services
perfSONAR & perfSONAR PMP
• perfSONAR:
  • Open-source, modular, flexible architecture for active network performance monitoring (throughput, packet loss, delay and jitter, and recording of network route and path changes) across multiple domains
  • Allows NOC and PERT engineers to seamlessly analyse and diagnose network behaviour across the entire end-to-end path.
• perfSONAR Consultancy and Expertise
  • perfSONAR deployment, usage and best practices
• Performance Measurement Platform (PMP)
  • Low-cost hardware nodes with pre-installed perfSONAR software, deployed in GÉANT collaborating organisations in Europe and Africa.
  • Central components including a central Measurement Archive (MA) and a Dashboard.
Service outreach option:
• Technology Share / Local Deployment
• Training / Best Practices
eduPERT
• eduPERT Knowledge Base
• Discussion / Forum - e-mail - pert-discuss@lists.geant.org
Service outreach option:
• Community Participation
• Participation in Training Activities
Other Network Support Services (i) – Future Potential
• Orchestration:
  • Automated Network Configuration
  • In consensus-building phase and currently under review.
• GÉANT Connection Service
  • Successor to Bandwidth on Demand. L2 automated connections. Software package to be installed. Not in production yet.
  • Internal tool for GÉANT at present.
• NetMon (Network Monitoring)
  • High-performance (100G) version of perfSONAR, though not a replacement
  • Suite of tools to help isolate issues in a multi-domain environment
  • Building consensus and learning about community requirements
Other Network Support Services (ii) – Future Potential
• Campus Monitoring as a Service (WP6):
  • Early stage development.
  • Managed campus network monitoring that the NREN deploys (cloud NOC)
• NMaaS (Network Management as a Service)
  • Cloud-based solution for NRENs, aimed at supporting smaller NRENs.
  • Currently for GÉANT NRENs only, but may have potential for wider use
• Campus Network Management
  • Early stage development. Managed campus network monitoring that the NREN deploys (cloud NOC).
  • Relates to Campus Monitoring as a Service. Will require more resource from the local NREN.
• Outreach Options:
  • Local Deployment
  • Capacity Building
  • Sharing of Best Practices
Other Network Support Services (i) – Future Potential
• Spectrum as a Service
  • Requires the GN4-3N network to be deployed. Service not yet defined.
• Quantum Key Distribution / Encryption
  • Currently at research stage
• Time and Frequency Distribution
  • Associated with external parties, including CLOnet
• White Box (Generic CPE & Open Operating System)
  • Consensus-building programme in the GÉANT project. Very early stages. Low-cost hardware with open-source software
• WiFiMon
  • WiFi network performance monitoring.
  • Research stage – was demoed at TNC19
Trust & Identity Services
eduroam
• Roaming Operators:
  • Ethiopia, Kenya, Madagascar, Malawi, Mozambique, South Africa, Tanzania, Uganda, Zambia
• Pilots:
  • Somalia, Sudan
• Aim: eduroam in all countries and at all institutions!
Service outreach option:
• Local Deployment
• Capacity Building / Training
• Sharing of Best Practices
• Marketing Material
eduroam Managed IdP
• Focusing on smaller organisations that lack the technical capability to deploy an IdP
• Outsources the technical setup of eduroam IdP functions to the eduroam Operations Team
• Already available in 20 countries; no charge to Roaming Operators.
eduroam CAT
• Configuration tool
eduroam Companion App
• Where's the nearest eduroam access point?
eduroam Visitor Access
• Service from the Dutch NREN, SURFnet
• Enables institutions to provide temporary eduroam access for visitors
eduGAIN
• Interconnects identity federations around the world, simplifying access to content, services and resources for the global research and education community.
• eduGAIN technology involves a "metadata service", which regularly retrieves and aggregates information from participating federations about Service and Identity Providers, and makes this information available to federations
• Participants:
  • Mozambique, South Africa, Uganda, Zambia
• Candidates:
  • Malawi
• Aims:
  • ID Federations in all countries, and all eduGAIN participants!
  • All institutions members of national ID Federations, and maximal Service Provider membership
Service outreach options:
• Local Deployment
• Capacity Building / Training
• Sharing of Best Practices
• Marketing Material
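As an added illustration of the metadata service described above (example code written for this page, not eduGAIN's own software), the following Python reads a small SAML metadata aggregate constructed inline, groups Identity and Service Providers by the federation that registered them (the mdrpi:RegistrationInfo extension eduGAIN metadata carries), and refuses an aggregate whose validUntil has passed. It does not verify the aggregate's XML signature, which a federation importing upstream metadata must check first; the entity IDs and registration authorities are placeholders.

```python
# Added example, not GÉANT/eduGAIN code: a minimal consumer of a SAML metadata
# aggregate of the kind an eduGAIN-style metadata service publishes. It lists
# IdPs and SPs per registering federation (mdrpi:RegistrationInfo) and rejects
# an aggregate whose validUntil has passed. The XML below is constructed for
# this example; entity IDs and registration authorities are placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}

SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    Name="https://aggregator.example/edugain" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://fed-a.example/"/>
    </md:Extensions>
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.library.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://fed-b.example/"/>
    </md:Extensions>
    <md:SPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-b.example/idp">
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def summarise_aggregate(xml_text, now=None):
    """Return {registrationAuthority: {"idp": [...], "sp": [...]}}.

    Raises ValueError if validUntil has passed. Entities carrying no
    RegistrationInfo are grouped under "unregistered" so an importing
    federation can flag them instead of trusting them silently."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is not None:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if (now or datetime.now(timezone.utc)) > expiry:
            raise ValueError("aggregate expired at " + valid_until)
    summary = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        reg = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        authority = reg.get("registrationAuthority") if reg is not None else "unregistered"
        bucket = summary.setdefault(authority, {"idp": [], "sp": []})
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            bucket["idp"].append(ent.get("entityID"))
        if ent.find("md:SPSSODescriptor", NS) is not None:
            bucket["sp"].append(ent.get("entityID"))
    return summary
```

Running `summarise_aggregate(SAMPLE_AGGREGATE)` yields one bucket per federation plus an "unregistered" bucket for the third entity, which is exactly the kind of entry a federation operator should query before importing.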
eduTEAMS
• Leverages eduGAIN federated identities to support Virtual Organisation (VO) collaboration; access also via some commercial IdPs
• Enables teams to be created and managed flexibly and securely.
• Provides consistent access and sharing policies across VOs.
• Single point of management for community managers to add and remove users and services.
Service outreach options:
• Access from GÉANT (not via interconnection)
• Local deployment
InAcademia – Future Potential
• Validates to other services that a user is a student or affiliated member of the academic community.
• Helps service providers offer academic discounts online and in real time.
• In pilot with one commercial & one non-commercial provider
• Encouraging the service to be accessed via national ID Feds so students can benefit.
• Interested providers (commercial or non-commercial) invited to join the trial. Commercial providers must have a valid EU VAT number. The InAcademia team aims to make the service global, but the EU VAT number is currently a restriction.
Federation as a Service
• For NRENs developing or in the early stage of operating a WebSSO identity federation.
• Supports NRENs in building an identity federation.
• Provides a hosted set of tools to operate the identity federation.
• Designed with special care for security.
• Service outreach options:
  • Local Deployment
  • Capacity Building / Training
  • Sharing of Best Practices
Other T&I Support Services – For Local Deployment
• TCS – Trusted Certificate Service:
  • Bulk purchasing arrangement
  • Participating NRENs may issue close to unlimited numbers of certificates provided by a commercial Certificate Authority (DigiCert) at a significantly reduced price.
  • Five types of certificate available:
    • SSL certificates – for authenticating servers and establishing secure sessions with end clients.
    • Grid certificates – for authenticating Grid hosts and services (IGTF compliant).
    • Client certificates – for identifying individual users and securing email communications.
    • Code signing certificates – for authenticating software distributed over the internet.
    • Document signing certificates – for authenticating documents from Adobe PDF, Microsoft Office, OpenOffice, and LibreOffice.
• Service outreach options:
  • Share best practices
T&I Services – Community Activities
• Trusted Introducer
  • Acts as a clearinghouse for all computer security incident response teams (CSIRTs), building a 'web of trust' by listing known teams
  • Accredits and certifies teams according to their demonstrated and checked level of maturity
  • Linked to TF-CSIRT; has grown beyond the NREN community - commercial, governmental and geographic.
  • Linked to the RIPE NCC (Europe plus Africa) region. Exceptions can be made.
  • Membership requirements:
    • Must attend one physical meeting per year.
    • First step: must demonstrate the team has been created, and two teams need to approve the new team's membership. No charge.
    • To be accredited/certified, the team needs to pass standardised criteria, demonstrating its processes and who its people are. Charge applies.
  • Service run by an external organisation (procured by GÉANT).
• Service outreach options:
  • Community Participation
T&I Services – Community Activities
• TRANSITS Training
  • Volunteer-driven CERT training
  • Level 1 for CSIRT personnel, people in IT / security etc.
  • Level 2 for more advanced personnel - e.g. forensics.
  • Training organised by GÉANT in April and November. Participation is open; price is approx. €1000. Need to apply / justify application to participate.
  • Note: attendance always oversubscribed.
  • However: two modules of Level 1 are available under Creative Commons so courses can be run by others. Two more modules to be published also.
  • GÉANT has helped arrange one-off sessions in Africa & the Middle East.
• Service outreach options:
  • Community participation in training activities
  • GÉANT can assist in identifying trainers
Other T&I Support Services – Future Potential
• Campus IdP:
  • Making it easy for institutions to set up their own IdP via a Virtual Machine toolkit.
• eduGAIN - Assurance/Multi-factor Authentication
  • Standardisation effort in eduGAIN to define the assurance level of authentication methods.
  • Feature as opposed to service, currently in pilot
  • Service providers can potentially ask for specific assurance levels.
  • Benefit relates to the likes of Google/Facebook, where the primary identity is not as assured. "Factors of Trust".
Security Services
Security Services (i)
• eduVPN
  • Secure and privacy-preserving access from public networks
  • Institute access to private networks, a "corporate VPN" solution; can also be used to connect different campuses or networks (VLANs) within a single institution.
  • Software deployable by NRENs or institutes
  • Service outreach options:
    • Local deployment
    • Share best practices
• NSHARP Suite:
  • A set of security features provided as features of the IP network.
  • Deployed by the regional network; FoD can be deployed by the local NREN also.
  • Firewall on Demand
    • Potential for local deployment, though some checks (including legal) needed before making available
  • Alerts
    • For information only: issue with false positives of attacks; GÉANT is looking to replace the Alerts service
  • Remote Trigger to Black Hole
    • Is a network configuration. Process can be shared for local deployment
Security Services (ii) – For Information
• Scrubbing Centre:
  • Centralised cleansing centre to remove malicious traffic
  • Currently in development at GÉANT
• FlowMon
• Security Operation Centre (SOC)
  • Tools complemented by training and documentation to adopt available solutions in different operational infrastructures
  • Initial stages: in Q4 2019 a survey is due on tools used by GÉANT NREN SOCs
FileSender – Local Deployment
• FileSender:
  • Developed by a consortium of NRENs, AARNet, SURFnet, etc.
  • Web-based application that allows authenticated users to securely and easily send arbitrarily large files to other users.
  • For more info: https://filesender.org/
Real-time Communications Services
Real-time Communications (RTC) Services – For Information
• WebRTC
  • Currently in development
  • Just use the browser. No client software required.
  • Expected to have less functionality than Zoom, e.g. not recordable, can't restrict who joins.
Community Activities
Special Interest Groups
Task Forces
GÉANT Interactive Map
• https://map.geant.org
• Modifications to Tom.Fryer@geant.org
Global Interactive Map Initiative
• Builds on GÉANT map principles. Aims to:
  • Build a repository for all NRENs to provide network data in a user-friendly manner
  • Include all region-to-region links
  • Include interactive map data at national level
  • Create a fully interactive map
  • Make the data repository available to all contributors so they can use it to build their own maps (static or interactive)
• Global community initiative:
  • NRENs welcome to participate in the activity:
    • https://wiki.geant.org/display/GlobalMap
  • Contact: Tom.Fryer@geant.org & Ryan.Davies@canarie.ca
Global Cloud Service Collaboration
• Regional legal restrictions mean NRENs cannot procure cloud services at a global level.
• Collaboration group exists to:
  • Share best practices
  • Develop a common global set of requirements
• For more information, and to participate:
  • Contact Tom.Fryer@geant.org
Thank you!