Taiwan Advanced Research and Education Network (TWAREN) - Current status & Future Plan Dr. Te-Lung Liu Researcher National Center for High-Performance Computing

2 Outline TWAREN Network Overview Development and Research Technologies

3 TWAREN Network Overview Development and Research Technologies

4 T ai W an A dvanced R esearch and E ducation N etwork TWAREN

5 What is TWAREN A physical network serves multiple purposes and logical networks TANet, connects to commodity Internet TWAREN research network experiment, testbed, special research Provisioning services on multiple layers L1 lightpaths L2 VLAN L3 IP has been successfully migrated from old backbone in Oct 2006

6 4 core nodes 20G backbone 12 GigaPops Connects HPC resources in North and South Taiwan TWAREN Architecture

7 TWAREN is part of “Challenge 2008”, a comprehensive six- year national development plan formulated by the government Build a highly reliable, stable and flexible R&E network for academic and research community in TW Provide advanced network services to satisfy the needs of academia field in TW. Increase the International and domestic collaboration Future infrastructure drives today’s research agenda Goals of TWAREN

8 TWAREN GigaPoPs

9 TWAREN Services ■ Broadband Connection Service ■ International Research Network Transit (Internet2) ■ Measurement / Network Management ■ Multimedia / Multicast ■ Lightpath provisioning ■ Virtual Private Network(VPN) ■ Native IPv6 Service ■ Internet access  MCU  Proxy Server  SourceForge  File Download Center  Consultation  Applications support

10 High reliability & availability (99.9%  99.99%)‏ fault tolerance automatic protection if possible automatic failure detection and locating Better performance: minimum number of routers between GigaPoPs Flexible: can be easily and quickly to set up a logical network per user’s request People skills: Optical network OAM TWAREN Achivements

11 STM-64 STM-16 NSYSU NCHU NCTU NTHU ASCC NCKU CCU TP HC TN TC NIU NDHU NCU NTU ONS15600 ONS15454 Optical Backbone

12 Interconnecting with L2/L3 devices STM64 STM16 10GE GE NSYSU NCHU NCTU NTHU ASCC NCCU NCKUCCU Taipei Hsinchu Tainan Taichung NCNU NIU NDHU NHLTC NTTU NCU ONS15600 ONS15454 GSR NTU

13 Protection Mechanism Circuit break: 2 levels of protection By carriers: SDH protected By architecture: Link b/w core nodes: VLAN are reconfigured with rapid spanning-tree protocol. (5s)‏ Link b/w GigaPOP and core node: the backup SNCP lightpaths are configured for automatic fail- over. (50ms)‏

14 Protection Mechanism Equipment protection Core node failure : Manually configure emergency lightpaths to re-route traffic from affected GigaPoPs to another core node. Emergency lightpaths need to be designed and documented. GigaPoP failure : Spare line cards

15 NTU Normal Traffic Flows

16 NTU In case of circuit break...

17 STM64 STM16 10GE GE NSYSU NCHU NCTU NTHU ASCC NCCU NCKUCCU Taipei Hsinchu Tainan Taichung NCNU NIU NDHU NHLTC NTTU NCU ONS15600 ONS15454 GSR NTU In case of core node failure...

18 NOC (Network Operation Center) Located at NCHC southern business unit in Tainan Science Park Goals: To ensure the 7x24 network operation Major works: Providing 7x24 network maintenance and operation Enhance the security capacity Provide network service Peering Light path provision Network architecture design TWAREN NOC

19 TANet VPN TANet VLAN NTU6509 NCCU6509 NDHU6509 TP7609C L2 Switch TC7609C L2 Switch HC7609C L2 Switch TN7609C L2 Switch NCHU6509 NTHU6509 NCTU6509 CCU6509 NTTU6509 NCKU6509 NSYSU6509 NHLUE6509 TN7609P MOEcc6509 TC7609 HC7609 NCU6509 One Subnet L2 VLAN

20 TWAREN Research VPN Research VLAN NTU7609P ASCC7609P NDHU7609P TP7609C Switch TC7609C Switch HC7609C Switch TN7609C Switch NCHU7609P NCNU7609P NTHU7609P HC7609P NCTU7609P CCU7609P TN7609P NCKU7609P NSYSU7609P TN12816R TP12816R TC12816P HC12816R NCU7609P TN12816P TP12816P TC12816R HC12816P NIU7609P TAIWANLightTAIWANLight TANet (MOEcc6509) TWGATE Internet ISP Peering ASCC APAN TAIWANLightTAIWANLight TAIWANLightTAIWANLight ISP Peering iBGP RR

21 VPN Services Multipoint-to-Multipoint Layer2 VPN (VPLS) Multiple VPNs over single architecture Cross-area campuses and offices can be connected within single administrative domain Provide dynamic creation of VPNs for National- wide integrated projects User-based SSL VPN Access Access to different VPN according to login name and password authentication Researchers and Professors could access their own research resources from home or outside

22 VPLS Architecture

23 User-Based SSL VPN Access SSL VPN TWAREN VPLS Backbone Core HsinChu Org 1 Org 2 Org 3 Org n Web Browser Users Core Tainan

24 TWAREN’s International Connections  Pacific Crossing to USA’s west coast upgraded to 5 Gb/s  Connections between LA, Palo Alto, Chicago, and New York are 2.5 Gb/s  Connects to the rest of the world via the U.S.’s Abilene Network  Connection expanded to Europe in 2006 (IEEAF donated 622 Mbps of bandwidth/fiber optic cable)‏

25 NCU TP TN-15600TC HC HC TN NCHU-15454CCU-15454NCKU-15454NCSYSU ASCC NIU NDHU NTU-15454NCTU NTHU TP TWAREN Optical Network Palo Alto Chicago LA NY TAIWANLightTAIWANLight Combined TWAREN/TAIWANLight Lambda Testbed

26 TWAREN’s International Peerings  TWAREN made peerings with international NRENs at Los Angeles, Chicago, New York and Seattle (through Pacific Wave).

27 TWAREN’s Direct Peerings Coverage  TWAREN's direct peering covers most area in America, Asia, Australia and New Zealand, and will soon be expanded to Europe.

28 TWAREN/TAIWANLight and GLIF TWAREN is a member of GLIF (Global Lambda Integrated Facility)‏ TAIWANLight is an official optical exchange - GOLE (GLIF Open Lightpath Exchange)

29 TWAREN Network Overview Development and Research Technologies

30 Future Internet Taiwan

31 Future Internet There are many serious limitations in current Internet. Scalability Security QoS Virtualization Future Internet is a summarizing term for worldwide research activities dedicated to the further development of the original Internet. (From Wiki)

32 Future Internet Testbed For innovations and researches in Future Internet, the testbed requires some advanced concepts: Programmability Virtualization End-to-end slice

33 OpenFlow Make deployed networks programmable Makes innovation easier No more special purpose test-beds Validate your experiments on production network at full line speed

34 TWAREN OpenFlow Testbed in 2010 TWAREN L3 Network NOX OpenFlow Switch iCAIR Capsulator OpenFlow OpenFlow NCHC NCKU and KUAS are pilot universities that connected with the Testbed The OpenFlow Testbed is extended to Capsulator (Ethernet-in-IP tunnel) is used to emulate pure L2 network for OpenFlow 34

35 TWAREN VPLS KUAS 35 OpenFlow Switch NCKU OpenFlow Switch CHT-TL OpenFlow Switch NCU OpenFlow Switch NCHC OpenFlow Switch NTUST OpenFlow Switch OpenFlow Switch Capsulator TWAREN OpenFlow Testbed in 2011 NTUST, NCU and CHT-TL joined the Testbed. For TWAREN connectors (NCKU, KUAS and NCU), a dedicated VPLS VLAN is allocated for better transmission performance. lightpath

36 Emulab/ProtoGENI Testbed TWISC (Taiwan Information Security Research and Education Center) operats 206 nodes of Emulab Testbed in Taiwan. Third largest Emulab in the world is operated by NCKU team and co-located in NCHC A portion of the testbed is planned to try ProtoGENI test with University of Utah. A lightpath is provisioned between NCHC and iCAIR shared by both OpenFlow and Emulab/ProtoGENI 36

37 Lightpath and VLAN setup NCHC OF sw AOF sw B iCAIR 7609V NCKU Vlan 462 Vlan 1548 NCKU 7609V NCKU EE Emulab/ProtoGENI – Vlan 462 Lab Vlan 2782 NCKU OF (with iCAIR) – Vlan 1548 Vlan 462 Vlan 1548 Trunk Vlan 462 Vlan 2782 iCAIR OF (with NCKU) – Vlan 2782 Trunk port Vlan 2782 Emulab/ProtoGENI – Vlan 462 Vlan 462 Vlan 2782 Vlan 462 Vlan 2782 Vlan 1548 Vlan 1555 Vlan 1548 Vlan 1555 Vlan

38 iGENI - Taiwan Integrated Research Network 38

39 Multi-Domain OpenFlow Management Each network domain has its own OF Controller Each Controller manages topology and flow provisioning inside the domain Inter-domain flow could be made by connecting partial flows provisioned by controllers of each cloud Lack of global view for inter-domain flows No loops allowed for inter-domain topology Difficult to support QoS or SLA functions across domains Inter-domain topology auto-discovery is required for multi-domain management 39

40 OpenFlow Controller just only knows its directly connected switches. ENVI is a useful GUI tool to show OpenFlow topology under single controller. 40 Controller 1 OF A OF B OF C OF D OF A OF B Topology of Domain1 Controller 2 OF C OF D Topology of Domain2 UI Domain Inter-Domain Topology Discovery (I)

41 We add additional contents in LLDP packet to let Controllers have its neighbors’ connectivity details. ENVI is also modified to show the whole topology. 41 Controller 1 OF A OF B OF C OF D Controller 2 OF A OF B OF C OF D UI Domain Topology of Domain1 & 2 Inter-Domain Topology Discovery (II)

42 Results 42 Physical OpenFlow Network Topology Multi-Domain Network Topology shown in GUI

43 GLIF & SC11 Demo Joint Demo among NCHC/TW, iCair/US, and CRC/Canada

44 Information Security Activity Detection over High-Speed Backbone

45 Security Detection over High- Speed Backbone Normally, we don’t install IDS/IDP in backbone for performance issue. IDS/IDP are placed at user’s local sites Backbone traffic is hard to mirroring due to its large amount and high-speed It’s impossible to do packet analysis Packet header analysis is available with Netflow/sFlow Information Security Activity Detection over High-Speed Backbone Integrate fast packet header analysis with attack information from user’s local site

46 Invasion and attack info from user’s local sites Users’ IDS/IDP Users’ HoneyPot Users’ Log analyzer Security Collect Search Orientation Trace-back Notification Block Backbone’s Netflow data Netflow Data from Backbone/User Routers Users’ Netflow data Notify User with Suspicious Activities Backbone network, peering partner, User network System Architecture

47 Design Concepts Distributed Computing For monitoring netflow data in real-time Fast Search Effective Tree-Searching algorithm Expandable Simply add more machines when larger data analysis is required Remote Backup Separate different computing nodes in order to provide robust analysis service Single Portal All input can be submit to single portal with Global Server Load- Balancing technology Cooperate with Researchers/Developers Will design an open API for developers to contribute their own ideas

48 Design Blocks Controller 2 Distributor 1 Distributor 2 Filter 1Filter 2Filter 3Filter N Analyzer 1Analyzer 2Analyzer 3Analyzer N Controller 1 Router1 Router2 Router3RouterN IDS/IDP Honey... Syslog IPPortTypeAnalyzerAnalyzer Port…… A.A.A.A1234botnet13333 B.B.B.B4321Fake-IP24444 C.C.C.C1122Cracker35555 Blacklist Analyzer 1 P3333 Analyzer 2 P4444 Analyzer 3 P5555 Blacklist Search Tree Update Blacklist Update Search Tree Netflow packet Matched Netflow raw Netflow packet result

49 Numerical Results of Tree Creation

50 Numerical Results of Real-time Matching

51

52

53

54

55

56

57

58 Thank You ! For more information, please see :