John, I have more intel, but really need to speak with you guys (and Themis).

Janet policy is to supply connection according to need, and so it's not at all obvious that
an extra 10G connection would have to be charged anyway.

It would be easy to get JISC to join a conversation with Liverpool - but of course Liverpool management has to want and request it.
Again, happy to say more on phone.

Our NFL alludes to DTZs at other sites (although we just tend to call it bypass).
You could also show what RAL networking do - the “tube map” showing firewall bypasses
is a powerful picture of what a serious research organisation does.

Dave Salmon is seeing if he can find some links to any useful JISC documents.

Pete


On 26 Jan 2018, at 10:09, Chris Brew <[log in to unmask]> wrote:

Hi,

Does anyone have any good references on Science DMZs/Data Transfer Zones? It sounds better than firewall bypass and, as a quite hot topic at the moment, that might be the best thing to go in asking for - I believe that's the JISC recommendation, so if there's anything from JISC Liverpool can take to their networking people that could be good.

On firewalls, there are two things, firstly I suspect most 10Gb/s rated appliances are only rated at that with a single "PASS ALL" rule, secondly even if the firewall appliance can handle a throughput of 10Gb/s that's probably only spread over thousands of individual connections and the per stream rate of any individual connection will be much lower (I'm actually pretty impressed with Cambridge's 1Gb/s stream rate, that's way better than we've ever got out of some pretty expensive kit at RAL).

Yours,
Chris.

P.S. Does it mean anything that I keep on mistyping 'networking' as 'notworking'?

On 26/01/2018, 09:55, "Testbed Support for GridPP member institutes on behalf of Peter Clarke" <[log in to unmask] on behalf of [log in to unmask]> wrote:

   John

   I'm interested in seeing the replies coming in.

   For completeness, Edinburgh also has a very good relation with our networking people, whose attitude is "how can we make sure the science gets done".
   There is no question of paying for this sort of thing.

   The problem here is that this needs to be raised above your network group at a strategic level.

   In Edinburgh I communicate directly with Heads of College, Head of IS, etc., and so our needs are understood in the context of: does this university
   want to be a peer with other research-led universities, and play in the arena of "global data intensive science"?
   I.e. are we a "well found university"?

   I also have said within Edinburgh (although hardly had to use) that other sites have no problem, and the bottom line is that we would cease
   to be a Tier-2 if insurmountable barriers were placed in front of us by the university centre.

   So I would suggest you talk with Themis to see if there is a way to bring this up at a more strategic level
   without annoying anyone.
   I'm happy to talk to Themis with you if it helps.
   This is one of the reasons we have the Network Forward Look by the way, so you can take it to university management and
   show them what their peers are doing.

   Pete


   On 26 Jan 2018, at 08:20, John Bland <[log in to unmask]> wrote:

   Hi,

   We're getting some push back from our central networking team about our WAN connectivity.

   Our current connection uses the standard shared campus WAN, passing through the university firewall, then out to JISC through a redundant pair of 10G links.

   Although we have our 'grid' IP range set to be not filtered by the firewall all packets still pass through it and still get hit with some filtering (most recent bit of fun was SSL connections with X509 certificates being dropped because they were wrongly marked as 'insecure', essentially killing all Grid traffic).

   Our traffic also causes campus-wide issues, mostly due to overloading the firewall rather than the links themselves, so we are throttled to ~5G. While we have IPv6 addresses our traffic is being heavily throttled (~0.3G) by university routers in the path that have very poor IPv6 performance.

   The plan was to reuse some university routers to upgrade the physical connection and to provide us a direct 10G link to the JISC WAN, with no University firewall and (supposedly) much better IPv6 throughput.

   Despite this initial progress the University is now pushing us (again) to pay for our own direct 10G link to JISC, and pay for and install a hardware firewall on this connection (yeah). Apparently another department has done this (why, or how, we don't know).

   What would be interesting to know before loading up my shotgun and replying to them is whether other Grid sites do this, or have been asked to do this. Does any other Grid site pay for a dedicated WAN uplink to JISC just for GridPP or their department? Do you put a hardware firewall on this path as well?

   Cheers,

   John

   -- 
   John Bland                       [log in to unmask]
   Research Fellow                  office: 220
   High Energy Physics Division     tel (int): 42911
   Oliver Lodge Laboratory          tel (ext): +44 (0)151 794 2911
   University of Liverpool          http://www.liv.ac.uk/physics/hep/
   "I canna change the laws of physics, Captain!"

