ESCC, Columbus, Ohio

Rough notes by Les Cottrell 7/21/04

ESnet - Mary Anne Scott, acting head of ESnet

Same mission as before. There have been many planning workshops on computing and networking. Question on future focus/purpose of ESCC.

ESnet Update - Bill Johnston

ESnet's top 20 flows are heavily SLAC driven (2 of the top 3). Some flows (~10) are > 100 GBytes. ESnet is a central cross-cutting organization for ESnet sites, so it can provide general services and interfaces such as PKI and a federated RADIUS service. There is a One-Time Password (OTP) initiative; the RADIUS federation will enable interworking between different OTP domains. H.323 video use continues to increase, so the number of audio & video ports will be increased. ISDN will disappear in January 2004. Mike O'Connor is trying to catalog and assign alarms etc. (e.g. 16342 alarms June 03 - Apr 04, 48.8/day on average).

Updating the ESnet Site Coordinator Model (presented to the SLCCC June '04). Coming up with a roles and responsibilities document. It will formalize the site coordinator (SC) selection process; provide a formal mechanism for an alternate site coordinator to ensure a continuously available site contact; expand the roles & responsibilities; and be formally documented. The SC must supply a Site Security Contact for ESnet's use, a net operations contact for use in problem diagnosis (probably an email list), and the information necessary to register an assignment of ESnet's address space to the site; provide a pointer to a locally maintained mail list for distribution of ESnet status messages; establish responsibility for ESnet property (routers etc.) and coordinate the signing of a property responsibility MOU; and provide prompt response to information requests from ESnet/DoE etc.

Have designed and will be installing MAN rings for the Bay Area and Chicago; looking at Long Island and JLab; LANL, Sandia and UNM are also looking at a proposal. Will provide high performance with no single point of failure. Will have production IP service, ESnet managed circuits, research net and a spare, on different lambdas. Will use 10GE, which is half the cost of 10Gbps OC192 interfaces. In the Bay Area will get to PAIX. SFO MAN funded this year. Will use segments on NLR to provide backup to ESnet circuits; this also provides high speed access to SDSC & GA.

Network Research Program Update - Thomas Ndousse

New SciDAC & MICS network research projects:

Gap (Network enabled storage sys)

Leadership class national supercomputer will have impact on program

Budget reduction in FY04 will go into FY05 budget

SC net PI meeting in late Sept 2004.  Will hold kickoff for new projects and show what was accomplished on previous 3 years programs

Need to revisit program focus.

Leadership class supercomputing

Program elements:

Budget: '03/04 $6.5M -> '04/05 $4M Added testbeds and ECPI.

Future: lots of data from HENP, bio, climate etc.; need multi-Gbps data transfer capabilities for the next 2 years.

Program activities:

Need to provide different capabilities to communities, i.e. give a choice of transport (e.g. TCP, UDP, FC etc.) and networks (switched, packet, hybrid).

Require a multi-tier network: advanced research net (experimental optical inter-working; on-demand bandwidth DWDM circuits; GMPLS); high-impact science network (connect a few high-impact science sites; ultra high-speed IP net tech; reliable & secure; QoS/MPLS for on-demand bandwidth); production nets (connect all DoE sites, 7x24 etc.).

Category A sites (with local fiber arrangements): FNAL, ANL, ORNL, PNNL, NERSC, LBL, SLAC. Use UltraNet to link the site with local fiber, develop dynamic provisioning technologies to manage DWDM circuits, develop & test advanced transport protocols for high-speed data transfers.

Category B: BNL, JLab, GA, Princeton, MIT.

Advanced research net testbeds (QoS & MPLS). SLAC is not an MPLS/QoS site.

UltraNet: dynamic provisioning; develop data circuit technologies; IP control plane based on GMPLS; integration of QoS, MPLS, GMPLS; inter-domain control plane signaling; bandwidth on-demand technologies.

Ultra high-speed data transfer protocols: high speed transport protocols for dedicated channels, high-speed data transfer.

UltraNet/GMPLS includes SLAC.

USN ops & mgmt: will be an

Leadership computing will require revision of USN/ESnet plans.

UltraScienceNet (USN) - Bill Wing

A lambda switching network

enough lambdas (2 initially) to make switching real

Explore light paths for high end transport

connect 4 hubs close to large DOE science users (but leave the last mile connections to the Labs)

Hubs: SNV, SEA, CHI, ATL

Off-hours bandwidth via MPLS on SONET

Core SONET at 4 hubs

Edge MSPP boxes for added services

GE attached storage

A control plane to tie it all together.

NLR CHI-SNV first light late August (10GE, not SONET), traffic test Aug-Sep; NLR SONET circuits follow in October; expect the full system just in time for SC2004.

QWest - Wes Kaplow

NetFlow  Data Mining - Scott Pinkerton <pinkerton@anl.gov>, ANL

Using NetFlow for cyber-security. Have a 5 min sliding window, with a cron job analyzing each minute. Keep data for a year. Look for scans on firewall open ports (read the FW config every 30 mins). Look for problem machines at the Lab. Also looking for in-to-out problems (excluding a priori known hosts/servers such as email, DNS, scanner ... servers). Also looking at in-to-in (often for post-mortem forensics, e.g. what did a machine do after it was infected). Start by classifying IP addresses into a taxonomy: possible bad guy, possible victim, possible intermediary (stepping stone, rootkit resource site, etc.). The process can be aided by syslog etc. Integration/correlation with IDS logs, ARP/CAM tables (MAC persistence), firewall logs, DHCP/VPN logs, host based syslogs.
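As an added illustration of the approach described in these notes (it is not ANL's tool; the site prefix, open-port set, known-server list, thresholds and every flow record are constructed), the following Python sketch applies a 5 minute sliding window to NetFlow-style records, checks inbound fan-out against the firewall's open ports, skips the a priori known servers for in-to-out checks, and sorts addresses into the taxonomy above:

```python
# Added example (not ANL's code): a toy NetFlow analysis pass. All addresses are
# documentation/test ranges and all thresholds are assumptions for the sample.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SITE = ip_network("10.20.0.0/16")              # assumed site address space
FW_OPEN_PORTS = {22, 25, 80, 443}              # assumed; would be re-read from the FW config every 30 min
KNOWN_SERVERS = {"10.20.1.25", "10.20.1.53"}   # mail and DNS: excluded a priori from in-to-out checks
WINDOW = timedelta(minutes=5)                  # 5 minute sliding window
SCAN_THRESHOLD = 10                            # distinct dst ports or dst hosts per source per window


def is_internal(ip):
    return ip_address(ip) in SITE


def in_window(flows, now):
    """Flows inside the sliding window that ends at `now`."""
    return [f for f in flows if now - WINDOW <= f["ts"] <= now]


def analyse(flows, now):
    """Classify addresses seen in the window: {ip: set of taxonomy labels}."""
    dst_hosts = defaultdict(set)   # src -> distinct destinations contacted
    dst_ports = defaultdict(set)   # src -> distinct destination ports touched
    hit_open = defaultdict(set)    # src -> internal hosts it reached on FW-open ports
    for f in in_window(flows, now):
        src, dst = f["src"], f["dst"]
        dst_hosts[src].add(dst)
        dst_ports[src].add(f["dport"])
        if is_internal(dst) and f["dport"] in FW_OPEN_PORTS:
            hit_open[src].add(dst)

    labels = defaultdict(set)
    for src in dst_hosts:
        fan_out = max(len(dst_hosts[src]), len(dst_ports[src]))
        if fan_out < SCAN_THRESHOLD:
            continue                                   # ordinary traffic
        if not is_internal(src):
            # out-to-in: an external source sweeping ports or hosts at the site
            labels[src].add("possible bad guy")
            for victim in hit_open[src]:               # only hosts reachable through the FW matter
                labels[victim].add("possible victim")
        elif src not in KNOWN_SERVERS:
            # in-to-out / in-to-in: an internal host with no business fanning out
            labels[src].add("possible intermediary")
    return dict(labels)


T0 = datetime(2004, 7, 21, 10, 0, 0)


def flow(sec, src, dst, dport):
    return {"ts": T0 + timedelta(seconds=sec), "src": src, "dst": dst, "dport": dport}


# Constructed sample flows.
SAMPLE_FLOWS = (
    # external host probing one internal host on 12 ports, two of them FW-open (22, 25)
    [flow(5 + i, "192.0.2.10", "10.20.5.5", p) for i, p in enumerate(range(20, 32))]
    # internal workstation contacting 12 external hosts on an IRC-like port (in-to-out)
    + [flow(60 + i, "10.20.7.7", f"203.0.113.{i}", 6667) for i in range(1, 13)]
    # the known mail server talking to many external MTAs: expected, excluded
    + [flow(90 + i, "10.20.1.25", f"198.51.100.{i}", 25) for i in range(1, 13)]
    # ordinary inbound web hits
    + [flow(120, "198.51.100.200", "10.20.5.5", 443),
       flow(121, "198.51.100.201", "10.20.5.5", 80)]
    # an older scan that has already slid out of the 5 minute window
    + [flow(-900 + i, "192.0.2.99", "10.20.9.9", p) for i, p in enumerate(range(1, 13))]
)
NOW = T0 + timedelta(seconds=150)   # the cron run evaluating the window ending here


def run_sample():
    return analyse(SAMPLE_FLOWS, NOW)


if __name__ == "__main__":
    for ip, tags in sorted(run_sample().items()):
        print(ip, sorted(tags))
```

The "possible victim" label is only attached to hosts the scanner reached on ports the firewall actually passes, which is the check the notes describe; a sweep of filtered ports still marks the source but produces no victim. The known-server exclusion is what keeps the mail relay's fan-out to external MTAs from being reported as an in-to-out problem.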

When a host gets a DHCP address it is Nessus scanned; if infected it is bumped off the VPN. This does not require admin/root access; the scan completes in the first 10 seconds of the user getting connected. May get false positives. Looking at host profiling and variations from the norm.

JLab Operations Review - Mike Memory, JLab

Need to get a network review for all purchases that need to be network accessible. Same for credit card requisitions.

Have 65 APs; do not use WEP on the Guest/Conference wireless. Do use WEP on the JLab wireless network. Had to close down the visitor network. Need to treat WEP keys like user passwords (storage, change, distribution). Need detection for rogue access points.
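An added example of the rogue access point detection the notes call for (not JLab's code; the SSIDs, BSSIDs, sensor names, signal floor and scan observations are all constructed): scan observations from monitoring sensors are audited against an inventory of authorized APs, flagging unknown radios, unknown radios that advertise a site SSID, and authorized APs whose SSID or encryption no longer matches the inventory.

```python
# Added example (not JLab's code): audit wireless scan observations against the
# inventory of authorized access points. Everything below is constructed sample data.
LAB_SSID = "jlab"            # assumed SSID of the WEP-protected lab network
GUEST_SSID = "jlab-guest"    # assumed SSID of the open guest/conference network
SITE_SSIDS = {LAB_SSID, GUEST_SSID}
NEIGHBOUR_FLOOR_DBM = -80    # assumed: weaker than this is probably a neighbour, not on site

# Authorized inventory: BSSID -> (SSID, expected encryption). Constructed.
INVENTORY = {
    "00:11:22:33:44:01": (LAB_SSID, "WEP"),
    "00:11:22:33:44:02": (LAB_SSID, "WEP"),
    "00:11:22:33:44:03": (GUEST_SSID, "open"),
}

# Scan observations from two sensors: (sensor, BSSID, SSID, encryption, signal dBm). Constructed.
OBSERVED = [
    ("sensor-A", "00:11:22:33:44:01", LAB_SSID, "WEP", -45),
    ("sensor-A", "00:11:22:33:44:03", GUEST_SSID, "open", -50),
    ("sensor-B", "00:11:22:33:44:02", LAB_SSID, "open", -60),    # authorized AP lost its WEP setting
    ("sensor-B", "aa:bb:cc:dd:ee:01", LAB_SSID, "open", -40),    # unknown radio advertising the lab SSID
    ("sensor-A", "aa:bb:cc:dd:ee:02", "linksys", "open", -70),   # unknown radio, e.g. a personal AP
    ("sensor-A", "aa:bb:cc:dd:ee:02", "linksys", "open", -72),   # same radio seen again
    ("sensor-B", "aa:bb:cc:dd:ee:03", "next-door", "WPA", -85),  # too weak to be inside the building
]


def audit(observed, inventory):
    """Return {bssid: (finding, sorted list of sensors that saw it)}."""
    findings = {}
    for sensor, bssid, ssid, enc, signal in observed:
        if bssid in inventory:
            exp_ssid, exp_enc = inventory[bssid]
            if (ssid, enc) == (exp_ssid, exp_enc):
                continue                                  # healthy authorized AP
            finding = "authorized AP misconfigured (SSID or encryption differs from inventory)"
        elif signal < NEIGHBOUR_FLOOR_DBM:
            continue                                      # probably a neighbour's AP
        elif ssid in SITE_SSIDS:
            finding = "unknown AP advertising a site SSID"  # impersonation of the site network
        else:
            finding = "unknown AP in range"               # candidate rogue: locate and verify
        findings.setdefault(bssid, (finding, set()))[1].add(sensor)
    return {b: (kind, sorted(sensors)) for b, (kind, sensors) in findings.items()}


if __name__ == "__main__":
    for bssid, (kind, sensors) in sorted(audit(OBSERVED, INVENTORY).items()):
        print(bssid, kind, sensors)
```

Recording which sensors saw each BSSID is what makes the report actionable: a radio seen by one sensor at high signal can be walked down, while a weak one seen from the edge of the building is usually a neighbour and is dropped by the signal floor.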

The flat network security model was a concern. Recommended segmenting the network using ACLs.

Open Source Monitoring from LBL - Ling Zhang

They use Nagios, which appears to have a lot of capabilities for alerts etc.