IPv6 Helps Cloud Routing

April 15, 2011

Matt Cook’s talk at Networkshop explained Loughborough University’s thinking on how virtualisation might be used to provide both resilience and flexibility by allowing services to be moved between different locations in both internal and external clouds.

Rather than virtualising a single server, this involves creating a virtual container holding the various components required to deliver a particular service. For example a virtualised VLE container would also need to include the underlying database, a DNS resolver giving a consistent view of the world (especially if DNS views differ for ‘internal’ and ‘external’ requests), a mirrored copy of at least relevant parts of the authentication/authorisation system, and a network firewall. Such a container can then be moved relatively easily between data centre hosts, whether in response to load, system faults or simply changes in contracts.

Such flexibility does, however, create significant demands on Internet routing to ensure that the container can be ‘found’ wherever on the network it happens to be (re-)located and, indeed, no matter whether the user is connected to the campus network, elsewhere on JANET, or elsewhere on the Internet. Although this should, in theory, be possible using IPv4 addressing, the near-exhaustion of that address space means it may be hard to find enough contiguous public addresses. Loughborough are therefore planning an initial trial of this approach using IPv6, where it will be much easier to obtain the required addresses while preserving a hierarchical allocation of address blocks (and therefore simple routing tables). Matt also observed that moving a major service such as a VLE, document store or e-mail to a different network location can have significant effects on traffic flows. For example moving e-mail from on-site to off-site added 20-40Mbps to the traffic on Loughborough’s JANET link: organisations need to include this effect and any impact on network components in their out/in-sourcing plans.

Extending the reach of eduroam

April 8, 2011

JANET(UK) has just launched a new 3G data service as part of its ongoing development of eduroam.

The service will take us one step further to anytime, anywhere network access through the use of 3G technology, so now when you move outside of a wi-fi hotspot, you won’t lose connectivity as the 3G will kick in – perfect for those people moving around.

The other great thing about the new service is that it’s not a one-size-fits-all solution – the range of plans means that even low-volume users can take advantage of the service without it costing an arm and a leg.

And for those lucky enough to have an iPad or tablet, or who, like me, have a simple laptop, the service can be accessed through both a standard and a micro-size SIM card.

The contract was signed last night so it’s full steam ahead now. For those of you going to Networkshop, why not visit the JANET 3G stand (stand 23) – you can speak directly to the supplier or talk to JANET(UK)’s Service Manager to find out more. For those who can’t join us, you can find out more by visiting the 3G web page.

Selling IT investment to management

March 24, 2011

Excellent talk from Jeff Haywood opening the UCISA management conference with ideas on how to sell IT to management in 90 seconds. The slides suggest how to use familiar images such as different types of car (do you want your IT to be a supercar, a people carrier or a SMART?), benchmarking, comparators and even the Gartner hype cycle to emphasise how important IT is to universities and to link use of it to the organisation’s mission.

One bar chart that prompted much discussion showed the proportion of money spent on ‘running’, ‘growing’ and ‘transforming’ IT (note that there is a typo on the slide at the moment!). Comments suggested that the amount spent by universities on just running IT ranges at least from 50% to 80% of budget.

[UPDATE - Christine Sexton has a more extensive write-up]

Second Project Moonshot Meeting

March 23, 2011

The second Project Meeting commences on Thursday 24 March. The project has made very substantial progress since the first meeting in September; significant milestones include:

Given the exceptionally ambitious goals of the project, and one or two challenges along the way, I’m delighted to report that we’re on track.

The meeting will be mostly focusing on the software architecture and implementation aspects of the project, as the specification discussions have now moved into the ABFAB working group. However, we will also be discussing the Key Negotiation Protocol and Trust Router, ahead of a presentation to the ABFAB working group next week. The KNP and Trust Router are, in my mind, the most interesting aspects of the Moonshot architecture, although we’ve not discussed these extensively in public yet.  I expect some rather lively discussion at the Moonshot and ABFAB meetings when we do!

We are fortunate that almost all of the developers will be at the meeting. We will be taking this opportunity to spend a full day on software integration and testing. We also have participation from a number of other organisations that are following the Moonshot and ABFAB work, including Eduserv, Cisco and Nokia Siemens. It is very exciting to have this level of interest from vendors that are so important to the JANET community, and I hope that this is something that we’ll build upon as the project continues.

IPv4 Exhaustion and the JANET Community

January 20, 2011

During the first couple of months of 2011 the top-level pool of available IPv4 addresses held by the Internet Assigned Numbers Authority (IANA) will be exhausted, putting us in the latter days of (relatively!) easy IPv4 availability.  Once the IANA pool is empty, the Regional Internet Registries (RIRs) will deplete their own pools in the months following until each only has a single “/8” left.  Allocations from that space will only be of a minimal size, and each Internet Service Provider (ISP, also called a Local Internet Registry (LIR) for allocation purposes) will only receive a single allocation from it.

LIRs’ own pools will run on a little longer still, but how long will depend on the growth rate of each LIR/ISP.  At the current assignment rate within the JANET community we can expect JANET(UK)’s own pool to last a few years, but that rate may change as demand changes, and may also change based on the policies we have to comply with.  Previously sites have been able to justify address requests based on the planned usage two years out from the request.  At the moment addresses are assigned based on a justification looking six months ahead.  By the first of July, this will be brought down to looking three months ahead in accordance with rules set by the community of our own RIR, RIPE.

IPv6 is the long-term solution to IPv4 exhaustion, and JANET has been offering IPv6 services for over a decade to encourage our community to adopt it, but as with the rest of the industry, uptake has been slow.  Originally it was envisioned that by the time IPv4 exhaustion came around, IPv6 would be widely enough adopted that it would not matter.  Now, this is not to be the case.  IPv4 will be exhausted, but there will still be a large number of internet-connected hosts without functioning IPv6.

What will this mean?  Many universities are lucky enough to have large assignments of IPv4 space from systems that pre-dated the RIRs.  They may be able to continue to grow and provide new services using this space.  Many smaller institutions are already using Network Address Translation (NAT) and are largely independent of the requirements for public addresses.  However, services that are available to other sites and data-centres hosted off-site require public addresses to be reachable.  In the medium term it may be possible to NAT IPv4 to a small range of public addresses and use native IPv6 in dual-stack mode, but there still may be a gap between the last IPv4 address being handed out and a site’s ability to deploy IPv6 ubiquitously.

There is little we can do to stop this, but perhaps there are ways to ease it.  Sites that have more addresses than they need could, if they are using JANET-assigned space, hand it back to our registry so it can be used elsewhere.  Can we do something with sites that have large amounts of pre-RIR address space?  The “/16s” that used to be called “class B” space?  Perhaps use JANET as a broker within the community?  None of this is without other implications, of course.  It may mean renumbering to free up space, or advertising more specific prefixes.  The latter can be restricted to JANET if the community co-operates; otherwise it means yet more entries in the global routing table.

Whilst I’m on the topic of the pre-RIR address space, some of it does not appear to have the correct registration details.  RIRs have already started hunting around for address space, and this may be one of the clues they use to investigate further.  If you have address space obtained before the RIRs were in existence, then please check its registration details in the RIPE whois database.
whois -h whois.ripe.net <network number>
E.g.
whois -h whois.ripe.net 128.86.0.0
If the output mentions “locked” or has the output from both ARIN and RIPE in it, then it would be worthwhile updating the information.  You can do this yourself, or JANET(UK) can assist if you drop a request to the JANET Service Desk.
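As an added example for this page (not part of the original post, and not a JANET(UK) tool), the following Python helper applies the two checks just described to whois output: it flags a record that mentions “locked” and a record whose data lines carry both ARIN and RIPE sources. The two whois transcripts below are constructed samples with an assumed layout, not real RIPE records, and use RFC 5737 documentation prefixes rather than any site’s real allocation; the “both registries” heuristic (registry names on non-comment lines) is likewise an assumption. The query_ripe() function runs the same command the post gives and needs the whois client and network access; the samples run offline.

```python
import re
import subprocess

# Constructed sample of a stale legacy registration (assumed layout, not a
# real RIPE record): a "locked" remark plus object data labelled with both
# ARIN and RIPE sources. 198.51.100.0/24 is RFC 5737 documentation space.
SAMPLE_STALE = """\
% This is the RIPE Database query service.
% Information related to '198.51.100.0 - 198.51.100.255'

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-LEGACY-NET
descr:          Example legacy block (constructed sample)
remarks:        This object is locked pending verification
source:         RIPE

# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-LEGACY-NET
source:         ARIN
"""

# Constructed sample of a registration that raises neither flag.
SAMPLE_CLEAN = """\
% This is the RIPE Database query service.
% Information related to '203.0.113.0 - 203.0.113.255'

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-CURRENT-NET
descr:          Example block with current details (constructed sample)
source:         RIPE
"""

# Lines the whois servers use for banners and notices (assumed convention).
COMMENT_PREFIXES = ("%", "#")


def registries_named(whois_text):
    """Registry names found on data lines of the output. Comment lines are
    skipped so the RIPE server's own banner does not count as a RIPE record."""
    found = set()
    for line in whois_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue
        for registry in ("ARIN", "RIPE"):
            if re.search(rf"\b{registry}\b", stripped):
                found.add(registry)
    return found


def assess_registration(whois_text):
    """Apply the post's two checks and return the reasons the record should
    be reviewed (an empty list means nothing was flagged)."""
    reasons = []
    if re.search(r"\blocked\b", whois_text, re.IGNORECASE):
        reasons.append("record mentions 'locked'")
    if {"ARIN", "RIPE"} <= registries_named(whois_text):
        reasons.append("output contains data from both ARIN and RIPE")
    return reasons


def query_ripe(network):
    """Run the same query the post gives (whois -h whois.ripe.net <network>)
    and return the raw text. Needs the whois client and network access."""
    result = subprocess.run(["whois", "-h", "whois.ripe.net", network],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for name, text in (("stale", SAMPLE_STALE), ("clean", SAMPLE_CLEAN)):
        print(name, assess_registration(text) or ["nothing flagged"])
```

To check a real block, pass the text returned by query_ripe("<network number>") to assess_registration(); anything it flags is a prompt to look at the record by hand, not a verdict on its own.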

Adoption of IPv6 needs to happen to allow the Internet to scale as it needs to, with each individual having many devices that require Internet access, but there is still this gap to bridge until IPv6 is as available as it needs to be.  Transition mechanisms that translate between IPv4 and IPv6 are just that — transition mechanisms.  IPv6 is the goal, but we may need to work together as a community to get there, and I’d welcome some discussion on what we can do to co-ordinate this, either through comments on this blog, or perhaps on a suitable mailing list.

<ipv6-users@jiscmail.ac.uk> may be a good choice for IPv6 deployment, and I might suggest resuscitating <ntlg@jiscmail.ac.uk> for IPv4 exhaustion discussions.

https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=ipv6-users
https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=ntlg

As an aside, the Internet Society (ISOC) is arranging a “World IPv6 Day” for June 8th.  The idea behind this is that as many service providers as possible enable IPv6 on their public-facing website (keeping IPv4 enabled too of course!), then monitor it to see if any of the feared problems arise.  More details are at the URL below, but if your site isn’t IPv6-enabled, perhaps you could give it a go?

http://isoc.org/wp/worldipv6day/

All About IF-MAP

January 17, 2011

Recently, JANET(UK) has begun investigating an exciting new technology being developed by the Trusted Computing Group, particularly looking at how it might be useful to the education sector.

This will be the first in a series of posts exploring IF-MAP and how it can be used; in particular, with how JANET(UK) will be making use of the technology.

Developed with network security and access control in mind, IF-MAP (InterFace to Metadata Access Points) is an open standard that allows devices connected to a network to share metadata using a common language, allowing information such as who has been assigned to an IP address, or who is connected to the network on a certain port, to be shared between devices with a minimum of effort and complexity. Described as “twitter for networked devices”, it has gained significant interest from several major groups in its relatively short existence.

Previously, if information needed to be shared between devices that were not from the same vendor, a customised script was likely to be needed to interpret and modify messages as they passed by. While this works on a small scale, on enterprise-scale networks such shims can cause a maintenance nightmare. IF-MAP solves this problem by providing a single open standard for reporting and searching metadata at a single, centralised point.

The key to an IF-MAP deployment is the MAP server. This takes in metadata being published by devices, and finds ways to link and relate items of metadata to each other. This allows for incredibly powerful searches that return a wealth of metadata from just a single search term; for example, querying a MAP server using an IP address could instantly reveal matching hardware addresses, the capabilities of the device, information on the antivirus or patching status of the device, and more – the only limit on the information that could be returned is how much is being published.

Sharing metadata is not just limited to the devices on your network either; a recent addition to the specification, published in September 2010, allows multiple MAP servers to form a federation for publishing metadata between servers. The new federation capabilities increase the number of potential use-cases that IF-MAP has, from aggregating metadata from multiple remote IF-MAP servers to a central MAP server, to publishing specific data to an outside contractor in real-time.

The usefulness of IF-MAP is only limited by what metadata is being published to it – and as extensibility is one of the key design goals of IF-MAP, storing new types of data is as simple as defining their structure. Major networking suppliers including Juniper Systems are backing the standard, and have been involved in designing the standard from its inception with companies already using IF-MAP to track inventory, monitor physical security, distribute statement of health information and much more.
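To make the publish-and-search model described above concrete, here is an added Python sketch written for this page. It is not IF-MAP client or MAP server code and does not speak the IF-MAP wire protocol; it only models the idea the post describes: publishers attach metadata to identifiers or to links between identifiers, and a search from one identifier (an IP address) walks those links and returns everything the server can relate to it. The identifier types, metadata names, publisher names and device names are assumptions chosen to resemble the post’s example, and the addresses are documentation space.

```python
from collections import defaultdict


class MapServer:
    """Toy in-memory model of a MAP server (not the IF-MAP protocol).

    Identifiers are (type, value) tuples such as ("ip-address", "192.0.2.10").
    Metadata is a dict carrying at least "type" and "publisher". It can be
    attached to one identifier or to the link between two identifiers, which is
    how an IP address is related to a MAC, a MAC to a device, and a device to
    the user authenticated on it."""

    def __init__(self):
        self.node_meta = defaultdict(list)                   # ident -> [meta]
        self.links = defaultdict(lambda: defaultdict(list))  # a -> b -> [meta]

    def publish(self, metadata, ident, other=None):
        """Attach metadata to `ident`, or to the link ident <-> other."""
        if other is None:
            self.node_meta[ident].append(metadata)
        else:
            # One object stored on both ends so a search from either side finds it.
            self.links[ident][other].append(metadata)
            self.links[other][ident].append(metadata)

    def search(self, start, max_depth=3):
        """Breadth-first walk out from `start` for up to `max_depth` link hops.
        Returns (identifiers reached, metadata found, without duplicates)."""
        reached = {start}
        queue = [(start, 0)]
        found, found_ids = [], set()
        while queue:
            node, depth = queue.pop(0)
            for m in self.node_meta[node]:
                if id(m) not in found_ids:
                    found_ids.add(id(m))
                    found.append(m)
            if depth == max_depth:
                continue
            for neighbour, metas in self.links[node].items():
                for m in metas:
                    if id(m) not in found_ids:
                        found_ids.add(id(m))
                        found.append(m)
                if neighbour not in reached:
                    reached.add(neighbour)
                    queue.append((neighbour, depth + 1))
        return reached, found


def build_sample_map():
    """Constructed sample: four publishers each report what they know about one
    client. Addresses are RFC 5737 / RFC 7042 documentation values; the names
    are made up for this example."""
    srv = MapServer()
    ip = ("ip-address", "192.0.2.10")
    mac = ("mac-address", "00:00:5e:00:53:01")
    dev = ("device", "lab-pc-17")
    user = ("identity", "alice")
    # DHCP server: which MAC currently holds which IP address
    srv.publish({"type": "ip-mac", "publisher": "dhcp-server"}, ip, mac)
    # Edge switch: which device sits behind that MAC, and on which port
    srv.publish({"type": "access-request-mac", "publisher": "edge-switch",
                 "port": "Gi1/0/7"}, mac, dev)
    # Endpoint assessment: antivirus and patch status of the device itself
    srv.publish({"type": "device-characteristic", "publisher": "endpoint-check",
                 "antivirus": "up-to-date", "patches": "2 missing"}, dev)
    # RADIUS server: who authenticated from that device
    srv.publish({"type": "authenticated-as", "publisher": "radius"}, dev, user)
    return srv


def who_is_behind(srv, ip_address):
    """The post's example query: everything the MAP server can link to an IP."""
    reached, found = srv.search(("ip-address", ip_address))
    return {
        "identifiers": sorted(reached),
        "metadata_types": sorted(m["type"] for m in found),
    }


if __name__ == "__main__":
    print(who_is_behind(build_sample_map(), "192.0.2.10"))
```

The single search term in who_is_behind() comes back with the MAC, the device, the authenticated user and the device’s assessment status, because each publisher only had to attach its own facts to the identifier it knows about; the server does the linking. Searching from an unknown IP address returns only that identifier and no metadata, which is the “only limited by what is published” point the post makes.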

If you want to find out more about getting started with an IF-MAP deployment, take a look at the TCG’s network access pages, the University of Hannover’s IF-MAP site and Infoblox’s IF-MAP minisite.

In the next post, I’ll be looking at how we intend to use IF-MAP here at JANET(UK) to provide unique services for the education community.

Developing Secure Software

November 23, 2010

Software development methodology doesn’t sound a likely topic for an enthralling talk, but Gary McGraw’s presentation on the Building Security In Maturity Model (BSIMM) at the GovCERT.nl Symposium was both interesting and entertaining. The model was developed by looking at more than thirty different organisations that have established software security programs and identifying practices that seem to be common to most of these. As with most maturity models organisations can assess whether their own practices exist, are documented or audited and compare themselves against published averages of other organisations. The BSIMM group already covers organisations with teams from tens to tens of thousands of programmers and they hope to expand their collection of externally assessed measurements to provide average scores across individual sectors, continents, etc. For those starting a software security programme, three effective tools are code review, architecture analysis and penetration testing, but please use penetration tests after the other two or you will be swamped by the quantity of problems found.

Futureproof your business with IPv6

November 12, 2010

The message from the 6UK event in London this week seems to be: ‘IPv6 is an eventuality, so prepare for the future and protect your online capabilities!’

With an allocation of more than 40,000 trillion trillion address spaces, this new protocol promises to open up a number of exciting possibilities for applications to carry their own address space. These include: intelligent housing, resource management for utilities, warehouse inventory, movement between clouds, amongst many others. To put things into perspective, Jim Reid of 6UK likened the capacity of address space to 60,000 suns!

Vint Cerf described the internet as an ‘endless frontier’ with huge possibilities for innovation through new standards and address space. With 2 billion internet users and 4.5 billion mobiles worldwide (many of which are now internet enabled), the demand for IP addresses is likely to continue to rise.

So, as far as IPv6 is concerned, what will drive take-up? There is not yet a killer app which is only v6-enabled, and everyone seems to be looking to the Asian market for this; they are, of course, the biggest users of v6, with an estimated 80 million internet users! The message from Vint Cerf is that if organisations don’t move to v6, or at least prepare to adopt it over the next year, they run the risk of hurting their business expansion. ‘It’s a dinosaur and egg’ situation, as Velmar Manojilovic from RIPE likes to call it. Until content providers move over to the new protocol, organisations don’t see the need to adopt it; and if customers aren’t demanding it, the service providers won’t see this as a priority!

The UK actually has only 1% of the allocated IPv6 address space worldwide, behind many other European counterparts. With Facebook planning for v6 adoption and even the White House seeing the importance of IPv6, the message seems to be getting through… but very slowly!

6UK are trying to drive the uptake of v6 in the UK, with this launch event being just one of the activities to engage UK business in the campaign. The aim is to raise the profile, build the business case and support and guide businesses in the adoption process. The message to take away was summed up nicely by Tom Kliber at Comcast: adopt IPv6 to futureproof your business: plan your resources, train your staff and increase your competitive edge and business continuity.

So will the Olympics be what breaks the mould and drives the uptake of this protocol? That’s what many people were asking. Whether this grand event will be the catalyst, or whether demand will be driven by links with Asia, who knows. The fact that v4 address space is due to run out in 2011 is surely evidence enough that organisations can no longer ignore IPv6!

In a tweet shared by Philip Sheldrake of 6UK, T-shirts seen at IETF79 had the words ‘Transition World Tour IPv4 – sold out!’ I think this sums it up nicely!

Articles around the event were published in: Guardian http://bit.ly/cKWfWS, Telegraph http://bit.ly/b6WYVW, and the BBC http://bbc.in/bp9whv

The Bleeding Edge of Identity Management

November 4, 2010

An interesting session at the Internet2 Fall Members’ Meeting on developing the state of the art in identity- and group-based access management systems.

Jens Haeusser suggested that we are currently at the stage of a do-it-yourselfer who has a box of parts but neither an assembly manual nor a complete list of the components, tools and skills – both technical and management – needed to build a particular service using them. His group are working to develop an architecture and reference model that can both guide those assembling systems and identify any new components that may need to be developed.

Tom Zeller discussed one of these gaps: extending the provisioning of accounts and groups from university systems to outsourced cloud services. A standard, the Service Provisioning Markup Language (SPML), has existed for a number of years, but has not seen much use. Commercial cloud services rarely implement SPML, but do have similar functions in their APIs so it should be possible to write lightweight shims to convert to and from the standard. A SAML Change Notify protocol has been proposed which could provide either off-line or real-time provisioning, for example to create a new user account and add it to appropriate groups on a cloud service as part of the user’s first federated access. A group working on this are seeking use cases to check that the suggested protocols provide the required function and to prompt development of the required open source code.

Finally, Keith Hazelton described another project on use cases, this time to explore how different group management and access systems could implement real-world scenarios collected by the MACE-paccman working group. For example creating a workspace on a Learning Management System for a particular class and granting one student an extended period of study because of personal circumstances. The access rules for each scenario are being extracted in English, XACML and S-expressions for implementation under Grouper, perMIT, Rice and SPOCP. This is allowing these systems’ Policy Enforcement Points and Policy Decision Points to be tested with real-world examples, as well as discovering and documenting various different approaches to group, role and privilege management.

eduroam meeting support solution at research event

October 25, 2010

It was great to see eduroam available at the JISC Future of Research event (19 October 2010) at the Congress Centre, London. The eduroam meeting support solution built upon work by the University of Southampton SOWN (Southampton Open Wireless Network) project. Using open standards, a pre-configured eduroam access point tunnelled authentication traffic back to SOWN’s RADIUS proxy server from a data connection in the Congress Centre. This enabled delegates from participating organisations to acquire eduroam access from their laptops and smartphones.

JANET(UK) will be trialling other related solutions at future events, so look out for the eduroam SSID at the next event you attend!

Mark Tysom
