Intelligent trigger for Hyper-K with GPUs Akitaka Ariga University of Bern, Switzerland.
IT-Operation: Case Study (1) - WIDE University · IT-Operation: Case Study (1) Network Operation...
19
1 IT-Operation: Case Study (1) Network Operation examples Network Operation examples and and Real network example Real network example Yasuhiro Ohara Seiji Ariga 2 Contents • Network operation examples – How to expand network – What we are doing in routing area – What is main issue on security operation in these days • Real network example – Keio Univ. Shonan Fujisawa Campus Expansion Capacity Coverage Migration faster OSPF/ISIS balancing Routing stable/useful BGP community Sinkhole Blackhole DDoS secure Scrubbing operation examples operation examples network example network example Design and Implementation of Keio Univ. SFC campus network
Transcript of IT-Operation: Case Study (1) - WIDE University · IT-Operation: Case Study (1) Network Operation...
1
IT-Operation: Case Study (1)
Network Operation examplesNetwork Operation examplesandand
Real network exampleReal network example
Yasuhiro OharaSeiji Ariga
2
Contents
• Network operation examples– How to expand network– What we are doing in routing
area– What is main issue on security
operation in these days• Real network example
– Keio Univ. Shonan Fujisawa Campus
Expansion
Capacity
Coverage
Migration
faster
OSPF/ISIS
balancingRouting
stable/useful
BGP community
Sinkhole
BlackholeDDoS
secure
Scrubbing
operation examplesoperation examples
network examplenetwork example
Design and Implementationof
Keio Univ. SFC campus network
2
Network operation examples
An ISP engineer’s daily(?) life
Expansion
Capacity
Coverage
Migration
faster
OSPF/ISIS
balancingRouting
stable/useful
BGP community
Sinkhole
BlackholeDDoS
secure
Scrubbing
operation examplesoperation examples
network examplenetwork exampleDesign and Implementation
ofKeio Univ. SFC campus network
4
Introduction
• Myself– I’m working at backbone ISP
• Today– I’ll talk about my daily operation/work for an
example of ISP operation– But I don’t know how typical my daily life is …
3
5
Whose network is this ?
• Why do we operate our network ?– for users (in some case, customers) ☺
• What do we have to provide ?– faster network– stable network– secure network– useful network
• Then, let’s think about what we should do
6
Faster network
• Network keeps changing (forever)– To meet user needs, to keep it efficient
• There are some types of expansions– Add more capacity in one place to
accommodate growing traffic– Expand network coverage
geographically for efficient operation– Network migration – If there are some
‘networks’ operated in the same manner, it should be migrated in one network
Expansion
Capacity
Coverage
Migration
faster
OSPF/ISIS
balancingRouting
stable/useful
BGP community
Sinkhole
BlackholeDDoS
secure
Scrubbing
operation examplesoperation examples
network examplenetwork exampleDesign and Implementation
ofKeio Univ. SFC campus network
4
7
Capacity• There are some ways just for upgrading• What we should have in mind
– Equipment constraints (“Is there any free ports ?”)– Operational constraints (“Can we interrupt our service ?”)– Circuit constraints (LAN or WAN)– Budget constraints
• Implementation– In case 3, we have to think about how to balance traffic
FE GE STM1 STM1 x2
case.1 case.2
STM4STM1
&STM4
case.3
8
Coverage
users
users
First of all, networkwill serve only inone place
users
But sooner or later,users will appearwant to connectfrom far away
Then putaccommodationrouter to connectremote users andwe can save circuitsbetween remote siteand existing site
In this way, network keepsexpanding its existencegeographically by putting moreand more routers
5
9
Migration• In some cases, we need to shrink network
– user decreased, redundant nodes, budget• What we have to care is to minimize
– down time– impact on routing, etc.
users users users users users users
10
Stable and Useful network
Expansion
Capacity
Coverage
Migration
faster
OSPF/ISIS
balancingRouting
stable/useful
BGP community
Sinkhole
BlackholeDDoS
secure
Scrubbing
operation examplesoperation examples
network examplenetwork exampleDesign and Implementation
ofKeio Univ. SFC campus network
• What is stability– No interruption
• All sort of cause for interruption– I’m not vendor or L1 guy, so let me
focus on Layer 3, “Routing”• What is usefulness
– There will be broad meaning• Fast, Secure, QoS, Multicast, …
– In this session, I want to define as
– How to give control to users ?• ex. BGP community
“Users can control their trafficto some extent”
6
11
IGP
• IGP metric design is very important– especially in large/sparse network
• Many protocols depends on IGP– just one small tweak will shift large amount of traffic and
saturation starts suddenly(the same as BGP local-preference)
• For example,– D want to reach B via C– Try not to use A-E and C-E– But A don’t want to use D to reach C
10
30
?
?
100100
A
B C
D
E
12
IGP (cont.)
• There is no way to find “ideal” metric anyway– Try to pick all requirements up– From broad view point, try to find any impact on each change
• Traffic flow itself• Effect on other protocols : PIM, MPLS, BGP …
10
30
10
10
100100
A
B C
D
E
10
30
40
10
100100
A
B C
D
E
10
30
140
100
100100
A
B C
D
E
7
13
Traffic Balancing• There are many ways to do traffic balancing depends
on the situation• We will use following valuables for example
– ASN– Prefix– BGP Community
• We’re also able to use MPLS to some extent
asymmetricbandwidth
asymmetricbandwidth
in geographicallysparse network
>
imbalanceinput
latency will bevery different
saturation
14
Traffic control by users
• Many ISP provide some ways to control users’traffic by themselves– mostly using BGP community
(ex. http://info.us.bb.verio.net/routing.html)– example
• prepend• stop announcing routes
to certain party• change Local Preference
• Some ISP provide trigger for enabling filtering in case of, for example, DDoS attack
user will advertise their routes with special BGP community
based on the community, ISP will change some BGP attribute in users routes
8
15
Secure network
Expansion
Capacity
Coverage
Migration
faster
OSPF/ISIS
balancingRouting
stable/useful
BGP community
Sinkhole
BlackholeDDoS
secure
Scrubbing
operation examplesoperation examples
network examplenetwork exampleDesign and Implementation
ofKeio Univ. SFC campus network
• Nowadays, DDoS (Distributed Denial Service) attack is getting worse and worse …– Virus Botnet DDoS Phishing
• ISP are try hard to mitigate junk traffic and save their users– They try to analyze/filter/clean up
junk traffic
16
Sinkhole (analyze)
• Redirect attack traffic to certain place to analyze traffic– announcing more specific routes
x.x.y.y/32
x.x.y.y/32x.x.y.y/32
x.x.y.y/32
x.x.0.0/16
9
17
Blackhole (filtering)
• Discard attack packets at border routers– set null routed static on each border routers– announce specific route with BGP NextHop destined
to that null routed static
x.x.y.y/32
x.x.y.y/32x.x.y.y/32
x.x.y.y/32
x.x.0.0/16
18
Scrubbing (clean up)• Try to clean attack traffic up
– By using sinkhole/blackhole, communication to victim host is still incapable. This means DoS succeeded anyway.
– By using scrubbing box, valid traffic can go to victim host during filtering attack traffic
x.x.y.y/32
x.x.y.y/32x.x.y.y/32
x.x.y.y/32
x.x.0.0/16
10
19
Summary for “Operation examples”
• Network operation is very interesting ☺– There are a lot of things to do (and will be forever)– Try to have micro/macro point of view at the same
time– Be nice to users
• They’re selfish, but they kindly help us to make things better at the same time
• Network operation is very boring – There are still a lot of primitive/routine work– But we can eliminate them and improve quality of
network and life
Real network example
Design and Implementationof
Keio Univ. SFC campus network
Expansion
Capacity
Coverage
Migration
faster
OSPF/ISIS
balancingRouting
stable/useful
BGP community
Sinkhole
BlackholeDDoS
secure
Scrubbing
operation exampleoperation example
network examplenetwork exampleDesign and Implementation
ofKeio Univ. SFC campus network
11
21
Keio Univ. and its SFC campus• Keio Univ.
– Private university, since 1858 (First university in Japan)
– 8 Campuses: • Mita, Hiyoshi, Shinanomachi, Yagami, Shonan Fujsiawa
(SFC), Tsuruoka, Kawasaki(K2), Marunouchi (MCC)
• SFC campus– Since 1990, Junior, Senior High school, 3 faculties
and graduate school– Area: over 230,000 square meters, 17 bldg– approx. #students:
• Bachelor 4,430 • Master 370• Doctoral 170
22
explanatory note
campusnetwork
Inter-campus network equipment
Backbone outsidethe campus
Inter-campus router
WDM
ATM Switch
WDM network
ATM network
ATM VCcampus network
Other Inter-campus network
Outsidenetwork
KBS
KEIO high
Elementary school
K2
SHIKI high
Kindergarten
Middle school
Girl’s high
100baseFX
100baseFX
MITA
HIYOSHI
YAGAMI
SFC
SHINANOMACHI
NTT 1.5M
NTT 1.5M
NTT 1.5M
FDDI,Fast Ethernet
GigabitEthernet
NTT 1.5M
FDDI,Fast Ethernet
GigabitEthernet
NTT WDMGEC10G
NTT ATM80M
FUJISAWA HighFDDI,
Fast EthernetGigabit
Ethernet
10BaseFL
Medical & Care10BaseFL
100BaseLX
The Internet
FDDI,Fast Ethernet
GigabitEthernet
10BaseFL
Medical & Care2 year univ.
TSUKINOSE
NTT 64k
Fiber ATM 622M
GSEC MCC TSURUOKA
NTT ATM100M
WIDE Backbone/JB
1000BaseLX
TOHOKUKOEKIBUNKAUNIV.
FDDI,Fast Ethernet
GigabitEthernet
NTT ATM60M
NTT 1.5M
NTT ATM10M
WDMGEC10G
NTT ATM 2M
To WIDEOtemachi NOC (10M)
NTT WDMGEC10GATM
155M
NTT ATM70M
NTT ATM135M
NTT ATM10M
Based on the figure <http://www.itc.keio.ac.jp/image/keio-network-2001-6.gif>
12
23
design policy and its goalfor SFC campus
1. usability / flexibility– various research labs have various demand– loose policy to respond to them
2. Security– public trend, provides least security
3. cost performance balance– operational cost will lead employment cost– trade-offs: which is preferred above 1 or 2 ?– trade-offs: a few fine devices or poor but many
devices?
24
Keio Univ. SFC Campus
13
25
Centralized operation model (Media Center)
Faculty of Policy Management & Environmental Information Faculty of Medical Care
Ethernet port
Classroom / Research Lab / Graduate School
Media Center
Wireless LAN
Ethernet port
Wireless LAN
Open Area Server Room
Mail ServerFile serverWeb server…
Ethernet port
Wireless LAN
Other campuses(Mita, Hiyoshi, Yagami, Shinanomachi…)
The Internet
26
Keio Univ. SFC CampusMedia Center
14
27
Inter building connectionwith patch panel
Research Lab
Classroom building
Media Center
Classroom buildingFaculty of Medical Carebuilding
28
Necessity of Patch Panel
• Flexibility• Unknown usage for future, e.g.
– Link aggregation by user demand• GEC (Gigabit Ether Channel), IEEE 802.3ad, even WDM in
future, etc...
– Alternative/backup for other circuit’s line cut• Change only patching port of troubled circuit/link
• Operational cost can be decreased– e.g. moving the terminating device in remodeling the
NOC room, the length of cable needed may change
15
29
Abstracted connectionbetween L2/L3 devices
Research Lab
Media Center
Classroom building
Classroombuilding
Faculty of Medical Care building
30
Abstracted Physical connectionin SFC campus
16
31
Ethernet Specification– SMF: SI: Step-Index, <10μm, 125μm– MMF: GI: Graded-Index, 50μm or 62.5 μm, 125 μm
2kmMMF (850nm)802.3j10Base-FL
40kmSMF (1550nm)
10kmSMF (1310nm)
10GBase-ER
10GBase-LR
65mMMF (850nm)10GBase-SR 802.3ae
802.3ab
5kmSMF (1310nm)
550mMMF (1310nm)1000Base-LX
550mMMF (850nm)1000Base-SX
100mUTP
802.3z
1000Base-T
2kmMMF (850nm)100Base-SX
10kmSMF (1310nm)
2kmMMF (1310nm)100Base-FX
100mUTP802.3u100Base-TX
operating distancemedia (wave-length)IEEE specspec name
32
Network Configuration Summary
• Backbone consist of 3 (high-performance) L3 switches and aggregated link e.g. 4Gbps
• Most edge segments support 1Gbps• Tree form (basically no physical loop)
– redundancy is provided by technologies below L2• link-aggregation• redundant module/power unit
• VLANs: IEEE 802.1q• Link Agg: GEC (v.s. IEEE 802.3ad)• STP (IEEE 802.1d) enabled in core networks• STP not enabled in edge networks
– user may accidentally create L2 loops ...
17
33
IP/Routing
• Class B address space (/16)• OSPF with 2 stub area
– most are static• static route between SFC and WIDE
– aggregate 8 links by GEC, HSRP enabled• Employs static IP packet filtering
– need-to-apply basis• applies MAC-based black-list filtering in
DHCP
34
Wireless Operation• Operating IEEE802.11b
– Covers almost all field as well as all room in buildings (approx. 200 APs)
– APs are from multiple vendors (3 vendors)– Type of AP depends on the usage (i.e. #users) at each location
• Policy– Roaming is demanded (Ubiquity)
• AP areas as a whole forms one IP segment (/21 !)– No security / authentication
• Easy-to-use for many guests visiting here– security can be provided by upper layer
• HTTPS, SSL, ssh, etc ...
18
35
DHCP statisticson wireless segment
36
Traffic• peak traffic is around 100Mbps
19
37
Miscellaneous• Strategy (loose, changing)
– bandwidth estimation• Upstream bw > edge segment bw x 10
– if port many then additional x 2• Upstream bw > actual traffic x 2
– upgrading facilities• Incremental upgrades on user demand• e.g. additional installation of inter-building fibers
• Empirical feelings– Upgrading fiber is necessary at an interval of about 10 year
(About to upgrade from MMF to SMF to support 10G)– Upgrading metal is necessary at an interval of about 4 year
(CAT3, CAT5, CAT5e, CAT6)• Everything falls in cost-performance balance problems
THE END
Any questions ?
