SCION Project Testbed Trials. David Hausheer, Youssef El Biad, Kurt Baumann, Adrian Perrig

Similar documents
SCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich

SCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich

Interconnection of testbeds to enable better testing

Towards Deployment of a Next- Generation Secure Internet Architecture

GÉANT L3VPN Service Description. Multi-point, VPN services for NRENs

GT Apiary: Remote Honeypots

Central Office Testing of Network Services

GÉANT IP Service Description. High Performance IP Services to Support Advanced Research

IPv6 deployment, European Commission involvement. RIPE 60 Prague 4May Per Blixt

How Cisco ASR 1000 Enables Cisco Business Strategies by Providing Capacity and Resiliency for Collaborative Applications

Wholesale Solutions. Connectivity without compromise

Cisco 5921 Embedded Services Router

Federal Agencies and the Transition to IPv6

Connectivity Services, Autobahn and New Services

Selling the Total Converged Solution Module #1: Nortel Enterprise Networking Overview of the 4 Pillars and Why Nortel Tom Price Nortel HQ Sales

Introduction. Network Architecture Requirements of Data Centers in the Cloud Computing Era

Evolution of connectivity in the era of cloud

Delivering the Wireless Software-Defined Branch

GÉANT perspective of Virtual Networks and Implementation

Enterprise IPv6, Affecting Positive Change

about us bandwidth changes everything

A Routing Infrastructure for XIA

Adding Path Awareness to the Internet Architecture

Community Connection Service for escience. Ronald van der Pol, SURFnet TNC May 2014

Service Mesh and Microservices Networking

THE MPLS JOURNEY FROM CONNECTIVITY TO FULL SERVICE NETWORKS. Sangeeta Anand Vice President Product Management Cisco Systems.

Converged World. Martin Capurro

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

High Performance Networks

Verified Secure Routing

Workshop on the IPv6 development in Saudi Arabia 8 February 2009; Riyadh - KSA

Akamai's V6 Rollout Plan and Experience from a CDN Point of View. Christian Kaufmann Director Network Architecture Akamai Technologies, Inc.

Strategy for SWITCH's next generation optical network

How to Configure a Hybrid WAN in Parallel to An Existing Traditional Wan Infrastructure

Vishal Shirodkar Technology Specialist Microsoft India Session Code:

Akamai's V6 Rollout Plan and Experience from a CDN Point of View. Christian Kaufmann Director Network Architecture Akamai Technologies, Inc.

NORDUnet Nordic Infrastructure for Research & Education

GÉANT Open Service Description. High Performance Interconnectivity to Support Advanced Research

Dissemination of Paths in Path-Aware Networks

6WINDGate: The Smart IPv6 Migration Router IPv6 Summit Madrid, 2002

Extending Enterprise Security to Multicloud and Public Cloud

Cross-Site Virtual Network Provisioning in Cloud and Fog Computing

The Go4IT project. Toward a TTCN-3 open environment for IPv6 protocols testing. Project identity card

SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

MyCloud Computing Business computing in the cloud, ready to go in minutes

Colt Novitas: Bringing SDN & NFV in Production. Javier Benitez, Strategy & Architecture,

Benefits of SD-WAN to the Distributed Enterprise

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

GÉANT Open Service Description. High Performance Interconnectivity to Support Advanced Research

Service Description Safecom Customer Connection Version 3.5

Transform your network and your customer experience. Introducing SD-WAN Concierge

Huawei AR1000V Brochure

Deployment Explained: DREN IPv6 Pilot

Session Border Controller virtualization towards service-defined networks based on NFV and SDN

BACnet Secure Connect

Chapter 10: Review and Preparation for Troubleshooting Complex Enterprise Networks

Best of Breed Surveillance System SOLUTION WHITEPAPER

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Cisco 5921 Embedded Services Router

Deliverable D8.9 GÉANT Testbeds Service 6.0

COE IPv6 Roadmap Planning. ZyXEL

Network Virtualization for Future Internet Research

CASE STUDY: Integrating Agile Operations to support NFV/SDN Deployment & B2B services redefinition, Orange Polska case study

GÉANT Plus Service Description. High Performance Cost-effective Connectivity

Implementing Cisco Network Security (IINS) 3.0

Network Service Description

Hands-On VPLS: Virtual Private LAN Service

GEANT testbed service (GTS) for R&E community Based on cloud technologies

Paperspace. Architecture Overview. 20 Jay St. Suite 312 Brooklyn, NY Technical Whitepaper

SURFnet network developments 10th E-VLBI workshop 15 Nov Wouter Huisman SURFnet

Advancing European R&E through collaboration

Database Level 100. Rohit Rahi November Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Early RINA prototyping and deployment in the IRATI project, and future research in the PRISTINE and IRINA projects

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

CCNP Switch Questions/Answers Cisco Enterprise Campus Architecture

HY436: Network Virtualization

Advanced architecture and services Implications of the CEF Networks workshop

MANTICORE II: Integrated logical IP network, a step beyond point to point links

A connected workforce is a more productive workforce

A Blockchain-based Architecture for Collaborative DDoS Mitigation with Smart Contracts

IPv6 transition in a data centre network experiences

AVAYA FABRIC CONNECT SOLUTION WITH SENETAS ETHERNET ENCRYPTORS

Cisco Self Defending Network

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Campus Network Design

Questions for Decision Makers

Davidson Technologies: A Medium Sized Business Experience with DFARS 7012/NIST

Virtualized Network Services SDN solution for enterprises

TF-NOC flash presentation DFN

Securing Containers Using a PNSC and a Cisco VSG

Network Virtualisation Vision and Strategy_ (based on lesson learned) Telefónica Global CTO

Securing Containers Using a PNSC and a Cisco VSG

The DETER Testbed: Overview 25 August 2004

10970B: Networking with Windows Server

AT&T NetBond User Guide

A large-scale International IPv6 Network. A large-scale International IPv6 Network.

Building a Big IaaS Cloud. David /

Building Core Networks and Routers in the 2002 Economy

Loosely Coupled Actor Systems

EUMEDCONNECT3 and European R&E Developments

Transcription:

SCION Project Testbed Trials David Hausheer, Youssef El Biad, Kurt Baumann, Adrian Perrig

SCION Project Testbed Trials 2 SCION: A Secure Internet Architecture SCION: Scalability, Control, and Isolation on Next-Generation Networks SCION Design Goals Availability in the presence of adversaries (e.g. DDoS) Transparency and control over forwarding paths Multipath forwarding Efficiency, Scalability, and Extensibility Incentives for deployment

SCION Project Testbed Trials 3 Activities: APs, Presentations 11the STF Meeting Zurich June 2017 SCION Concept (overall) Presenter: Adrian Perrig GEANT Action Proposal - November 2017 SCION Pilot Service Submitted by Kurt Baumann 13the STF Meeting Berlin Feb. 2018 SCION Testbed Trial (and Whitepaper discussion) Presenter: David Hausheer TNC2018 June 2018 SCIONLab: A Deployment of the Scion secure Infrastructure Presenter: David Hausheer Fed4FIRE+ Experiment Proposal Sept. 2018 - Deployment and Evaluation of the SCION Secure Internet Architecture on the GEANT GTS Testbed Submitted by David Hausheer

SCION Project Testbed Trials 4 SCION as a Research Testbed SCION supports research activities in several areas, e.g.: Multipath communication Advanced and highly secure PKI systems In-network DDoS defenses Next-generation routing architecture policy definitions Path-aware applications Path-based inter-domain routing architectures Those are difficult to evaluate on the current Internet!

SCION Project Testbed Trials 5 Use Case: IoT Protection through Default Off Monitoring Site FW SCION SCION SCION SCION IoT Domain Legacy device SCION device

SCION Project Testbed Trials 6 Use Case: VPN-based Deployment Central Office VPN FW SCION SCION SCION ER SCION Branch VPN FW Legacy device SCION device

SCION Project Testbed Trials 7 SCION-IP Gateway (SIG) Deployment A FW BR BR BR C BR BR B Legacy device SCION border router SIG

SCION Project Testbed Trials 8 SCIONLab

SCION Project Testbed Trials 10 Swiss SCIONLab Network SCION running in test environments at SWITCH, Swisscom, and ETH over the past 18 months

SCION Project Testbed Trials 11 Global SCIONLab Network

SCION Project Testbed Trials 12 SCIONLab Visualization

SCION Project Testbed Trials 13 Bandwidth Tester

SCION Project Testbed Trials 14 IoT Camera

SCION Project Testbed Trials 15 AS Router Monitoring with Prometheus

SCION Project Testbed Trials 16 SCION AS runs on Small Scale Devices SCION as a platform for smart home environments, IoT applications Raspberry Pi

SCION Project Testbed Trials 17 SCION Enhancements for Key Stakeholders SCION architecture provides opportunities for several parties: Researchers so far needed to rely on simulations, e.g.: Path-aware networking DDoS defenses relying on inter-domain mechanisms End users can benefit from several improvements: Enhanced availability and reliability for applications Increased bandwidth thanks to multi-path operation Path optimization during a connection increased bandwidth and/or decreased latency. NRENs: Better utilization of network resources through multi-path support Potential cost-savings in leased-line connections Lower management overhead (e.g., link access control and path selection done by end domain) New types of route policy expressible Path-aware networking offers many new opportunities

SCION Project Testbed Trials 18 SCION Pilot Service within GEANT SCION has matured SCION prototype software in its 5th generation Successful course assignment in a network security course over the prototype SCIONLab environment SCION is now ready for a large-scale pilot service deployment within GEANT SCION pilot service can contribute to several planned GEANT research activities: Next-Generation Internet (NGI) activity SCION provides a scalable and reliable platform for future Internet applications, e.g., IoT Security activity

SCION Project Testbed Trials 19 Goals of the SCION Pilot Service Development of the SCIONLab pilot software environment Deployment of the SCIONLab infrastructure Providing a platform for NGI research Enabling real-world research that is otherwise only possible in simulated environments Interaction with other deployed SCION networks and services SCIONLab enables a broad range of applications: Nodes can contribute to the routing within the SCION topology Researchers can attach their own computing resources anywhere within the SCIONLab network

SCION Project Testbed Trials 20 Planned SCION Pilot Activities Development activities: Supporting extension of SCIONLab SCIONLab resource monitoring and enforcement mechanisms Tools to help writing SCIONLab applications Operations/support activities: Purchase and management of SCIONLab nodes within GEANT, NRENs and associated universities serving as attachment points for SCIONLab users and application developers Study usability of the infrastructure for administrators and end users Potential target KPIs: Ease-of-use for researchers Network availability and performance (bandwidth and latency) Supported features (PKI, DDoS defense mechanisms, path selection support, end host / application support) Usability Scalability in terms of network size and amount of usage

SCION Project Testbed Trials 21 Planned Roadmap: Year 1 Building up the SCION pilot service infrastructure Pilot partners: (N)RENs: SWITCH, DFN, ASNET-AM GEANT Universities and research institutes: ETH, U. Bonn, U. Magdeburg, National Academy of Sciences of Armenia Initial deployment: 15 SCION nodes across 3 GEANT PoPs and at the universities Border router network for SCION pilot backbone use of GEANT GTS Routers only needed at interconnection points with other SCION networks Internally: standard communication infrastructure used for SCION traffic Key milestones after Year 1: Support of SCION pilot service users through SCIONLab Path-aware networking and hidden paths for secure IoT operation Basic resource allocation system and control-plane PKI in place for SCIONLab users

SCION Project Testbed Trials 22 Planned Roadmap: Year 2 & 3 Year 2: Multi-path research, delivery of a multi-path QUIC socket that applications can use Accurate resource monitoring throughout SCIONLab End-to-end PKI system that application developers can rely on to build highly secure TLS applications Year 3: SIBRA inter-domain resource allocation system strong DDoS defense mechanism. Resource monitoring and policing enables detection and mitigation of users that exceed their allocated resources Improve easy-to-use control- and end-to-end PKI systems

SCION Project Testbed Trials 23 SCION over GEANT (current deployment) 17-ffaa: 0:1101 Swisscom Frankfurt 19-ffaa: 0:1303 OVGU Magdeburg Zurich Cogent SWITCH Frankfurt DFN Bucharest Level3 Vienna Prague Geneva Bucharest Roedu OpenVPN NAT_GW OpenVPN SCIONLab (partial topology) Prague 1G 1G Hamburg PUBC ISD1 SCMN ISD3 PUBC GEANT OVGU h2 10G 19-ffaa:0:1302 GEANT GTS h1 37ms 35ms 50ms 25ms 19-ffaa: 0:1301

SCION Project Testbed Trials 24 Deployment of SCION over GEANT Step 0: Instantiate GEANT GTS testbed for SCION (currently two hosts) and upgrade hosts to Ubuntu 16.04 Step 1: Download and execute SCION installation script on GTS nodes Step 2: Establish OpenVPN connections across GTS NAT gateway Step 3: Generate configuration from SCIONLab according to the own AS. Step 4: Configuration of the services in the gen -folder in order to communicate correctly with the other SCION ASs and ISDs.

SCION Project Testbed Trials 25 SCION over GEANT (current deployment)

Achieved Bandwidth [Mbps] SCION Project Testbed Trials 26 Bandwidth Test (current deployment) Comparison of GEANT vs non-geant paths in SCION A 35 GEANT PUBC 30 25 20 15 10 5 0 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 Time On average 20 times higher bandwidth over GEANT

SCION Project Testbed Trials 27 SCION over GEANT (targeted native deployment) Internet SCIONLab Administrator VPN_GW PAR h2 GEANT GTS h1 HAM ERL Control Layer (over IP) Data Layer (over SCION) VLAN2 GVA VLAN1 GVA MAG h0 IPv6 DFN GTS SWITCH ETH Zurich OVGU Magdeburg MDS Uni Bonn

SCION Project Testbed Trials 28 Wish List for potential GEANT GTS Evolution Possibility to install own VM image to avoid tricky replacement Improve ssh access to nodes (e.g. via VPN) Web-based VNC console fairly limited and buggy Global IP(v6) addresses to reach GTS nodes from outside via data layer instead of NAT gateway Automated establishment of external domain connections Possibility to modify (extend/reconfigure) an existing testbed Allow multiple network links to BMS nodes Avoid long maintenance periods Avoid to release projects for deployment of new GTS versions

SCION Project Testbed Trials 29 Trial Extension SCION pilot service may be extended to further NRENs Requirements: NREN should be interconnected with GEANT Ideally enabling a "native" SCION connection NREN should be willing to contribute Minimum: deploy, housing the nodes For each NREN at least 3x SCION nodes are required Ideally, have customer organizations (associated universities, research labs, etc.) who are willing to deploy a SCION network

SCION Project Testbed Trials 30 Conclusions SCION is a secure Internet architecture that has matured and is now ready for a large-scale pilot service deployment! SCION prototype software in its 5th generation Running in test environments at SWITCH, Swisscom, and ETH over the past 18 months Running prototype SCIONLab environment Numerous benefits for researchers, end users, and NRENs: Researchers: Path-aware networking, multipath routing architecture, in-network DDoS defenses End users: Enhanced availability and reliability, increased bandwidth, decreased latency, dynamic path optimization NRENs: Better utilization of network resources, cost-savings in leased-line connections

SCION Project Testbed Trials 31 SCION Project Team

SCION Project Testbed Trials 32 Further Information https://www.scion-architecture.net Book Papers Videos Tutorials Newsletter signup https://www.anapaya.net Commercializing SCION equipment https://github.com/scionproto/scion Source code https://www.scionlab.org SCIONLab Administration Software

SCION Project Testbed Trials 33 Thank you for your attention! Questions? hausheer@ovgu.de http://www.netsys.ovgu.de

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback