ESnet ESCC March 23-27, 1998

Notes by Bob Cowles (rdc@slac.stanford.edu)

Tuesday, March 24th

8:30 Intro, ESCC Overview

8:45 DOE Update Geo. Seweryniak (DOE)

DOE/MICS Changes

Hitchcock is still acting director. Austin is not on board. Welch has left. Elbert is leaving in May for NSF. Now located on the second floor of the Germantown office.

Interagency activities

LSN/NGI: Lots of visibility at high levels. Address requirements in large scale networking. Provide mechanisms for cooperation in LSN R&D. Lead-in for FY99 NGI funding for DOE. NGI Implementation Plan released in January. DOE has requested 22M for activities in FY99. Demos and panel sessions in March (past) and November. Establish high speed interconnect points for FedNet in June.

PSWG/CIS: has issued its final report (Privacy & Security). Collaborations on Internet Security. Report on security technologies has been released; no "one size fits all" for security on the Internet. Will be on the web shortly.

EOWG/JET: EOWG is no more. JET tackles networking issues related to Federal agencies: ATM addressing issues; remote site connectivity (Alaska); international connectivity (work together with NSF to get to universities); NGI issues as requested by LSN.

MICS Initiatives

Computational Science Initiative: 100M for FY2000. See http://www.er.doe.gov/csi for more information.

Networked Challenged Applications: low response. http://www.er.doe.gov/production/octr/mics/index.html

New focus on Network Research, particularly on middleware. Bob will be putting out additional requests for proposals. There is some money available this year, but it will have a short fuse.

ESnet related activities

No lobbying

Software dissemination of crypto software http://www-itg.lbl.gov/~johnson/security/Crypto.Code.Distribute.WP.html

International connections: how to enable connections. Only 3 letters received from university presidents requesting connection to ESnet.

Program Plan: review in early May. Will look very nice, lots of graphics.

Progress Report: needs more work. Please get your input in; it's very important for the review.

Program Review: This one will be different, a real program review. Will be held at this site.

Need to be sure we have a good plan for the future and are addressing the future. Meetings are no longer contentious; are we really addressing the issues?

Putting in a request for 14.6M for next year (up approx. 1M from this year).

Networking requirements will outstrip the ability to fund bigger pipes, especially for international connections. We need to look at working with other agencies ... for international connectivity. Report due in May on future connectivity options (John Morrison, DP).

9:15 ESnet update Jim Leighton (ESnet)

Statistics

Traffic is increasing: 12 to 17 gigapackets in the past year, although that number is suspicious.

Byte count has doubled.

Domestic Issues

New sites: Network Virginia; INEEL (T1 via LLNL); Human Genome Center (Walnut Creek, expected Spring '98); LIGO (NSF) project (measures gravity waves in a building 25 miles long and 10 ft wide); Yucca Mt.; LANL & SNLA OC3 into ALB; GA and ITER-US OC3s into the San Diego hub; "Southern Cross", ORNL and SRS under re-consideration for a possible Atlanta hub, but talking to Sprint for options. Interest also in Seattle (interest from PNNL and NASA); vBNS T3 via GA to SDSC brought up some time ago; GWU will peer through Network Virginia; ALB ops office requested by Allied Signal.

Still receiving numerous requests from universities for access to DOE facilities/ESnet; high level of interest in reaching DOE Nat'l Labs and in using ESnet international access.

Bad list for connectivity: U Wash, Purdue, Johns Hopkins, Oregon, Harvard, Duke.

International Issues

Connections are loaded at the moment (complaints confirm this). Outbound traffic is 2-3x more than inbound traffic (most done during US off-hours). The CERN connection and the DANTE connection are both not overly utilized.

There has been a default routing issue with the Japanese. OFE is now paying ESnet for routing of collaborators' traffic.

Proposing a virtual international Internet backbone so that international transit traffic does not use the ESnet AS. Traffic can be contained in that fashion.

Services

Telepresence toolkit testbed, e.g. PictureTalk (share anything on your screen with other people); audio bridge (very easy to use); web-based scheduling resource.

Other Topics

Have started on procurement for next year, evaluating alternative approaches.

Class Based Queuing (CBQ) provides an implementation of QoS for IP/ATM; does not require interaction with the application; Cisco is going to put code in routers to not throw away CBQ-marked packets. Will use the ESnet Research Testbed with CBQ as the initial project.

AdTech trials: Web caching (test Cisco caching engines); IP at OC12 between Oakland and Chicago, and the LNL and ANL sites; interested in performance, reliability, and limitations. Will run OC3 and OC12 in parallel for a few months.

General Comments and Observations

Talk about the cost of bandwidth and short supply. Shortage may be ameliorated soon due to 16x WDM muxing (looking at 40x); requires special fiber. New long-haul carriers are coming online. In the meantime, shortages continue, private exchanges are now congesting without sufficient advance planning, and many major ISPs are just doing their own cross connects rather than deal with the uncontrolled traffic through NAPs.

Q. Pressure on Y2K compliance: will ESnet be there? A. We think we're in good shape. Q. What about Sprint? A. Hadn't thought about them; will check, and think about putting up a general compliance statement.

Q. What do you see as ESnet's role in the future of IP telephony? A. Just another application.

Q. Is PictureTalk software available to members of the ESnet community? A. Client software is freely available. Server software is another issue; will be discussed later.

11:30 Network Group update Mike Collins (ESnet)

SC97

Description of the CBQ demo at SC97. It will take a while for all the pieces to be in place and to be ready for prime time.

Description of ATM-based video conferencing using First Virtual software.

IP multicast update

Starting to deploy PIM in the backbone, replacing DVMRP tunnels. (IETF has not adopted a single standard for multicast routing.) A full mesh of PVCs and DM PIM caused problems for vBNS. Will continue with a carefully planned rollout of DM PIM for the time being.

6bone update

Currently have 14 sites, 11 peers.

IP routing

With upgrades, were able to reduce from two hops to one. The routing table is growing by 10% in prefixes every 6 months; now up to 52,000.

Next meeting is tentatively October 19-23 at Fermilab.

<For now through noon Wednesday, I was back at SLAC due to the break-in on the Physics subnet on Stanford campus>

13:30 ESnet Network Information and Services Update Allen Sturtevant (ESnet)

14:40 Network Monitoring Warren Matthews (SLAC)

16:00 IPv6 Update and Gigabit Ethernet Update Bob Fink (ESNet)

Wednesday, March 25

8:30 ESnet Networking WG Report Phil DeMar (FNAL)

9:30 Telecommuting Jim Leighton (ESnet)

10:30 OC-12 Performance Bill Johnson (LBNL)

12:00 NGI Geo. Seweryniak (DOE)

13:30 DOE Corporate Network Geo. Seweryniak

A corporate network is closed, and info can be transmitted without fear of compromise.

Opt 1. Adapt an existing network

Opt 2. Build a new network

Opt 3. Outsource to another vendor

Management options: outsource, existing group, new group.

Conclusion was to run over the existing DOEBN. Currently planning on upgrading DOEBN: coast-to-coast ATM backbone (45 Mbps). Why ATM? Cost savings from combining data, voice and video; regulatory problems; and other "general wonderfulness of ATM" reasons.

14:00 DOE Corporate Network Discussion GS (DOE), Sandy Merola (LBNL), Ray Whitney (JLab)

There are not sufficient requirements to justify the selected choice. Some sites may be better off using ESnet, particularly if they run business and scientific data on the same net rather than on different nets. What are the implications if a separate network is required for business data? Will try to use a channel through SLCCC to provide feedback.

14:30 ESnet Testbed Startup Report Bob Fink (ESnet)

Two uses: research; AdTech.

Problems with how to get a workstation to route to two separate networks based on function and/or application (similar to the DOE Corporate Network problem).

Initial plan for a three-site rollout (ANL, LBL, SLAC) to work on CBQ. IPv6 this summer will probably involve a different set of sites.

16:00 Secure Software Distribution Marcey Kelley (LLNL)

Tracks the state systems are in, and how to get patches installed on vulnerable systems.

There is a lightweight process on each machine. There is a patch database keeping track of the patches supplied by the vendor. Patch records are kept in a standard format, so the database is operating system independent. Right now they only support Sun.

Currently at the point where they can evaluate what is on the system, and have a database of 900 Sun security patches (125 security patches for Solaris 2.5.1). Can successfully determine whether or not 80% of the patches are applied.

Will be extending to HP and Digital; address secure communications between networked processes; and distribute needed patches to remote systems. May address NT, but some systems for NT already exist. They expect to be able to interact with vendor patch management systems. The vendor-independent database is used only for evaluation ... actual installation will be in vendor format using vendor tools.
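The evaluation step described above, as an added illustration rather than the LLNL tool itself: a vendor-independent database is checked against the patches a host reports installed, and the result is ranked the way the CIAC talk later recommends (security patches and remotely reachable vulnerabilities first). The patch ids, the `showrev -p`-style inventory and every database entry are constructed for the example and are not real Sun patches; the only real convention relied on is that Solaris patch ids have the form BASE-REV, where a higher REV of the same BASE supersedes a lower one.

```python
"""Evaluate a host's patch state against a vendor-independent patch database.

Added example, not the LLNL tool from the notes.  All patch ids, the
showrev-style inventory and the database rows are constructed; only the
BASE-REV id convention is real.
"""
import re
from dataclasses import dataclass

# Constructed inventory in the style of Solaris `showrev -p` output.
# 100001 appears twice; the higher revision (05) is the effective one.
SAMPLE_SHOWREV = """\
Patch: 100001-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
"""


@dataclass(frozen=True)
class PatchRecord:
    """One database entry (all fields constructed for the example)."""
    patch_id: str     # vendor id, BASE-REV
    os_name: str      # OS/version the entry applies to
    security: bool    # security patch or not
    remote: bool      # fixes a remotely reachable ("external") vulnerability
    severity: int     # 1 = most severe
    detectable: bool  # False: no fingerprint, so state cannot be determined


PATCH_DB = [
    PatchRecord("100001-05", "solaris-2.5.1", True,  True,  1, True),
    PatchRecord("100002-02", "solaris-2.5.1", True,  False, 2, True),
    PatchRecord("100003-02", "solaris-2.5.1", True,  True,  2, True),
    PatchRecord("100004-01", "solaris-2.5.1", False, False, 3, True),
    PatchRecord("100005-01", "solaris-2.5.1", True,  False, 1, False),
    PatchRecord("200001-01", "hpux-10.20",    True,  True,  1, True),
]

PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def parse_installed(showrev_output):
    """Map BASE -> highest installed REV from showrev-style lines."""
    installed = {}
    for line in showrev_output.splitlines():
        m = PATCH_LINE.match(line)
        if m:
            base, rev = m.group(1), int(m.group(2))
            installed[base] = max(rev, installed.get(base, 0))
    return installed


def evaluate(installed, db, os_name):
    """Classify each database entry for this OS as applied, outdated
    (older revision present), missing, or unknown (no fingerprint; an
    undeterminable patch is never reported as applied)."""
    report = {}
    for rec in db:
        if rec.os_name != os_name:
            continue
        if not rec.detectable:
            report[rec.patch_id] = "unknown"
            continue
        base, required = rec.patch_id.split("-")
        have = installed.get(base)
        if have is None:
            report[rec.patch_id] = "missing"
        elif have >= int(required):
            report[rec.patch_id] = "applied"
        else:
            report[rec.patch_id] = "outdated"
    return report


def remediation_order(report, db):
    """Patches to install: security first, remotely reachable first, then by
    severity.  Entries with unknown state are left for manual checking."""
    by_id = {r.patch_id: r for r in db}
    needed = [by_id[p] for p, s in report.items() if s in ("missing", "outdated")]
    needed.sort(key=lambda r: (not r.security, not r.remote, r.severity, r.patch_id))
    return [r.patch_id for r in needed]


def coverage(report):
    """Fraction of determinable entries that are applied."""
    known = [s for s in report.values() if s != "unknown"]
    return sum(s == "applied" for s in known) / len(known) if known else 0.0


def evaluate_system(showrev_output, os_name, db=PATCH_DB):
    report = evaluate(parse_installed(showrev_output), db, os_name)
    return report, remediation_order(report, db), coverage(report)


if __name__ == "__main__":
    report, todo, cov = evaluate_system(SAMPLE_SHOWREV, "solaris-2.5.1")
    for pid, status in sorted(report.items()):
        print(f"{pid}  {status}")
    print("install order:", todo)
    print(f"determinable coverage: {cov:.0%}")
```

The "unknown" status is the point of the `detectable` flag: a patch the evaluator has no fingerprint for is reported as undeterminable and excluded from the coverage figure, rather than silently counted as applied, which is the honest reading of the "80% of patches" figure above.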

16:30 CIAC News Paul Mauvais (LLNL)

Update on CIAC -- big increases in incidents reported.

Changing modes of operation: number of site scans increasing. Correlation of scans and break-ins. Using the same old bugs.

Attacks: viruses are 30%; scanning is 20%. Many sophisticated tools, but fairly difficult to use. Most use the old scripts against old unpatched systems. OpenBSD found 700 /tmp race conditions in FreeBSD.

Intrusion profiles: phf, Linux exploits, DoS attacks, sniffers, spoofing, sendmail, problems with email, software piracy (ftp misconfigured).

Future: Windows is the new target; more DoS attacks, more attacks on routers and firewalls.

Protection: install firewalls and monitor them; monitor network traffic; segment internal networks; use secure connections (ssh and tunneling for authentication). Monitor sensitive systems first. If you can't patch everything, patch critical systems and external vulnerabilities first. Collect as much as tolerable.

Spam/counter-spam: new sendmail in test with anti-spam features.

Helping CIAC: use a unique subject line; say what you want help with; say whether the info can be shared (CPPM or CSSM can give a blanket statement). If it's sensitive, send it PGP-encrypted.

Resources: Good NT site: http://www.ntshop.com. See lists at http://www.iss.net/vd/mail.html. New service at http://www.ciac.org/news for an archive of major lists. Subscribe to ciac-doe for faster bulletins. The "How to detect an intrusion" document is on the CIAC web site.

Thursday, March 26

8:30 Public Key Infrastructure WG John Long (SNL)

Livermore has an Entrust server on the unclassified side and wants to reduce the number of ways a person has to identify themselves. LBL has a Netscape CA, but it's pretty early. ESnet is experimenting with a Netscape CA. ANL has Entrust v2; going to throw that away and restart with v3.

Ch. 9 of the Telecom manual. It is currently not meant to cover contractor use of CAs for unclassified data, but is expected to evolve in that direction. Discussion of the problem with different levels of certificate: applications do not differentiate between them, and so would allow transmission of more confidential info via a less trusted certificate. There are lots of parallels with the multiple network problems. Lots of sites are going to non-concur based on a poll, which means there are tons of comments coming in, and the real Ch. 9 is probably going to look different from anything we see now.
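The certificate-level problem just described, as an added example of what a relying application would have to do to differentiate (this is not code from Entrust, Netscape or any of the sites named in the notes). The policy OIDs (under a made-up arc), the assurance levels and the classification labels are constructed placeholders. A real application would take the OIDs from the certificate's certificatePolicies extension after normal path validation; here the certificate is a plain record and path validation is assumed to have already passed.

```python
"""Relying-party check of certificate assurance level against data classification.

Added example; the OIDs, levels and classifications are constructed, and the
certificate is a plain record standing in for a validated X.509 certificate.
"""
from dataclasses import dataclass, field

# Policy OID -> assurance level this relying party grants it (constructed arc).
ASSURANCE_BY_POLICY_OID = {
    "1.3.6.1.4.1.99999.1.1": 1,  # constructed: self-registered, e-mail check only
    "1.3.6.1.4.1.99999.1.2": 2,  # constructed: identity vouched for by a sponsor
    "1.3.6.1.4.1.99999.1.3": 3,  # constructed: in-person proofing, hardware token
}

# Minimum assurance level before data of each class may be sent to a peer
# authenticated with the certificate (constructed local policy).
MIN_ASSURANCE_FOR = {
    "public": 0,
    "internal": 1,
    "sensitive": 2,
    "confidential": 3,
}


@dataclass
class PeerCertificate:
    subject: str
    issuer: str
    policy_oids: list = field(default_factory=list)  # would come from certificatePolicies


def assurance_level(cert):
    """Highest assurance level among recognised policy OIDs.
    Unrecognised OIDs, or a certificate asserting no policy, count as 0."""
    return max((ASSURANCE_BY_POLICY_OID.get(oid, 0) for oid in cert.policy_oids), default=0)


def transmission_decision(cert, classification):
    """Return (allowed, reason).  An unknown classification fails closed."""
    required = MIN_ASSURANCE_FOR.get(classification)
    if required is None:
        return False, f"unknown classification {classification!r}"
    level = assurance_level(cert)
    if level >= required:
        return True, f"assurance {level} >= required {required} for {classification}"
    return False, f"assurance {level} < required {required} for {classification}"


def may_transmit(cert, classification):
    return transmission_decision(cert, classification)[0]


if __name__ == "__main__":
    low = PeerCertificate("cn=alice", "cn=example-ca", ["1.3.6.1.4.1.99999.1.1"])
    high = PeerCertificate("cn=bob", "cn=example-ca", ["1.3.6.1.4.1.99999.1.3"])
    for cert in (low, high):
        for cls in MIN_ASSURANCE_FOR:
            ok, why = transmission_decision(cert, cls)
            print(f"{cert.subject:9} {cls:13} {'allow' if ok else 'deny '}  {why}")
```

The two tables are the whole mechanism: an application that only asks "is this certificate valid?" collapses every issuer to the same level, which is exactly the failure discussed above; keeping the assurance mapping and the per-classification minimum in policy data rather than in code also lets a site change them as Ch. 9 evolves.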

8:30 Distributed Systems Management WG John Volmer (SNL)

Parallel session; I attended the other one.

10:30 Applications WG Deb Agarwal (LBL) and Jim Meyers (PNNL)

Parallel session; I attended the other one.

10:30 Distributed Computing Environment WG Troy Thompson (PNNL)

HP plans for DCE and DFS with the closing of the Chelmsford site. Functions moving to Cupertino, to the networking lab (program architecture and design), and to a lab in India (20 people).

13:00 ESnet DCE session

Discussions of cross-site authentication. Volmer raised the question of liability last year; no clear answers have been found yet.

LANL/LLNL/SNL (I may have gotten some of the players wrong) hope to be testing DFS/HPSS integration by the end of the year. Nothing definitive on performance, but so far they are pleased with it.

Doug Engert talked about using SSLeay to do SSL v3 encryption and pass its traffic through GSSAPI.

15:30 Electronic Notebook and DOE 2000 Infrastructure

Check out http://www.censa.org/html/new/censa_weblinks.html -- securable, shared web space for use by researchers. Rich media types, querying/searching, automated insertion of instrument or calculation results, fine grain authorization, import/export, witnessing & timestamps. Uses MIME encoding for import/export; has an API for editor and viewer.

Friday March 27

8:30 Networking for ASCI Dave Wiltzius (LLNL)

Expect to be turning up Securenet to OC3 very soon. (LLNL, LANL, SNL/CA & SNL/NM, and Y12/ORNL)

Need to capture the expertise of the people who are going to be retiring in the next 10 years for maintaining the stockpile.

Visualization applications will require 635 MB/s to 6.3 GB/s transfer rates to/from HPSS (extrapolated requirements). Cornell demonstrated scalability of HPSS by striping techniques several years ago, up to Gb/s. HPSS itself can stripe 8-wide to tapes.

It's better to reserve the teraflop machines for just a few users/applications at a time, because the aggregate bandwidth requirements get out of hand for lots of users running smaller applications.

Challenges: achieving application throughput in SAN (> 100MB/s); achieving application throughput in WAN (OC-3 min).

GOAL: Successful, scalable integration of ASCI's advanced technologies; work closely with other disciplines.

9:30 Authorization and Attribute Certificates for Widely Distributed Access Control Bill Johnston (PNNL) (See http://www-itg.lbl.gov/security/Akenti )

An excellent summary of hacker techniques at the last Usenet Security Conference (a few weeks ago): "Network Security Profiles: What Every Hacker Already Knows About You ...". The presentation can be accessed through Bill's web site.

Steve Kent: If you aren't attacked, or at least probed, within an hour of connecting to the net, you should probably contact your ISP because you probably aren't really connected.

Most systems are mis-managed or mis-configured from a security point of view.

Another presentation on the Akenti Access Control System.

11:00 Public Key Infrastructure WG Update John Long (SNL)

Entrust stuff will be included in the next version of Netscape.

There will be integration of Entrust with NT 5.0 when 5.0 ships.

Integration of Entrust with Outlook/Exchange is being tested at SNL.

NASA has developed an Entrust plugin for Eudora.