University of Virginia, ESnet Team Up to Win Best Paper

Networking has several definitions, including making key connections and moving information from one point to another. And a paper co-authored by engineers at ESnet and the University of Virginia proves the value of both — it was named a Best Paper at the Sixth International Conference on Communication Theory, Reliability, and Quality of Service, held April 21-26 in Venice, Italy.

The paper, “On How to Provision Quality of Service (QoS) for Large Dataset Transfers,” was written by Zhenzhen Yan, a Ph.D. student at the University of Virginia (UVA), UVA Professor Malathi Veeraraghavan, and Chris Tracy and Chin Guok of ESnet.

Read more: https://es.net/news-and-publications/esnet-news/2013/university-of-virginia-esnet-team-up-to-win-best-paper-award/

ESnet Partners with North American, European Research Networks in Pilot to Create First 100 Gbps Research Link Across Atlantic

Six of the world’s leading research and education networks – ESnet, Internet2, NORDUnet, SURFnet, CANARIE and GÉANT – have announced their intent to build the world’s first 100 gigabits-per-second (Gbps) intercontinental transmission links for research and education.

 The project, called the “Advanced North Atlantic 100G Pilot” or ANA-100G, is aimed at stimulating the market for 100 Gbps intercontinental networking and advancing global networks and applications to benefit research and education. In addition to ESnet (the U.S. Department of Energy’s Energy Sciences Network), the other participating networks are Internet2, NORDUnet (the Nordic Infrastructure for Research & Education), SURFnet (the Dutch National Research and Education Network), CANARIE (Canada’s Advanced Research and Innovation Network), and GÉANT (the high speed European communication network dedicated to research and education, operated by DANTE).

 The partners are inviting other national research and education networks (NRENs) and their constituencies from around the world to participate in the project. The announcement was made April 24 at the 2013 Internet2 Annual Meeting before 800 technology, education and research leaders.

Read more.

ESnet’s Greg Bell to Deliver Keynote at Canadian Conference

ESnet Director Greg Bell will give the keynote address at the 2013 THINK Conference organized by ORION, the high-speed network linking 1.8 million researchers in Ontario, Canada. The conference will be held April 25, 2013, in Toronto.

This year’s THINK Conference will focus on “Extreme Data” – including the trends, the issues and what they mean for Ontario’s research, education and innovation communities. The THINK Conference will challenge organizational leaders affected by the circumstances of the day to take notice, exchange knowledge, share best practices and develop ideas that lead to innovative solutions.

According to Bell, “It’s time to start thinking about research networks as instruments for discovery, not infrastructures for service-delivery.” In his talk, Bell will describe what’s at stake in this distinction, and explain how campuses and networks in Ontario can prepare themselves to support data-intensive science collaborations and workflows. 

Read more about the THINK Conference

.

ESnet Director Greg Bell

Oak Ridge First National Lab with 100G Production Connection to ESnet

More labs scheduled to follow soon

On Tuesday, April 9, Oak Ridge National Laboratory in Tennessee became the first DOE lab with a 100 gigabit-per-second production  link to ESnet’s 100G backbone. Since the high-speed backbone went into production in late 2012, each of the labs served by ESnet has been developing plans to upgrade their connections to 100G. Within the next 6 months, DOE’s National Energy Research Scientific Computing Center (NERSC), Fermilab, and Lawrence Berkeley, Lawrence Livermore, Argonne, Brookhaven  national labs are expected to put 100G links into production as well.

Since the faster connections replaces the old links when they go live, it’s important to thoroughly test the new links. We do this by building the new link so we can test it in parallel with the existing one and troubleshoot as needed. When everything appears to be ready, we conduct a 24-hour link acceptance test, sending network traffic nonstop for 24 hours. It’s basically a bit-blast followed by a thorough check for problems, then a handover to the end site.

Once the test is completed, we schedule a maintenance activity to move traffic to the new link.  When that comes, we time get everyone who is involved in the switchover on the phone, each one does their part, and the changeover is completed.

ESnet’s Patrick Dorn did a great job heading up the project, and Vangelis Chaniotakis and Chris Tracy helped to architect the ORNL hub to make this possible.

Read about how we tested the 100G backbone before switching into production mode at: http://esnetupdates.wordpress.com/2012/10/31/esnet5-is-well-on-its-way-to-entering-production/

ESnet’s Eli Dart to Present Case Study at GlobusWorld Conference

The 11th annual GlobusWORLD conference, to be held April 16-18, 2013, will feature a presentation by ESnet’s Eli Dart on how the Science DMZ infrastructure combined with Globus Online is helping a scientist at Berkeley Lab’s Advanced Light Source keep up with a 50-fold increase in data generation.

Globus Online has become a primary on-ramp for researchers to access high performance networks like ESnet for rapidly sharing data or to use remote computing facilities like NERSC. This year’s conference at Argonne National Laboratory focuses on “moving, syncing and sharing” research data at scale.

Dart, an ESnet network engineer, will discuss “Optimizing Data Management at the Advanced Light Source with a Science DMZ.” ESnet is working with scientists at the Advanced Light Source at Berkeley Lab who are seeing massive increases in the data output of their experiments and who now require HPC and network resources to support their research. Dart’s talk details ESnet’s work with an ALS scientist who needed new resources to handle a 50-fold increase in data generation.

 ESnet staff worked with the beamline scientist to deploy new infrastructure based on the ‘Science DMZ’ architecture where data-intensive science applications are run on dedicated infrastructure specifically configured for high performance.

Leveraging Globus Online as the data primary data transfer tool on the Science DMZ, the beamline scientist now seamlessly transmits data to DOE’s National Energy Research Scientific Computing Center (NERSC) in Oakland, where the data is stored, managed and shared with other researchers.

Last November, ESnet and Globus Online announced a collaboration to help scientists better manage the growing amounts of data they need to move, share, and analyze worldwide. Read the announcement.

ESnet5 is well on its way to entering production

In mid-July we began activating the 100 gigabit-per-second optical waves needed to deploy the new nationwide ESnet5 backbone into production by the end of November.  We are thrilled to announce that all of the waves have been brought up successfully as of October 23.  In parallel with this work, ESnet engineers have successfully tested the new network using a clever “snake test” wherein a path is provisioned through the entire network and traffic is generated and received by test equipment, looking for errors and packet loss. The details of this test will be described in a separate blog, so stay tuned.

Our engineers’ attention has turned to provisioning the routing infrastructure in preparation for moving traffic from the old ESnet4 network to the new 100G-enabled network.  With the new infrastructure tested and ready to go, we are beginning the final phase of the transition which will continue through the third week in November.  During that time, our engineers are changing routing metrics to prefer the new network in a phased manner, taking care to make sure no loops or bottlenecks are created.  Greg Bell, ESnet’s Director, has likened the transition to changing engines between cars while they’re speeding down the highway.  Of course we aim to do so without interruption while continuing to provide excellent service. Once that phase has been completed and traffic is running on the new 100G production core network, our focus will change to the remaining work, which is to remove the ESnet4 links and decommission it – ending an era that served science well and beginning the era of the network as a scientific instrument.

- Mike Bennett, ESnet Network Engineering Services Group Lead

ESnet’s Greg Bell to give Invited Keynote at NORDUnet Conference

Greg Bell, head of ESnet and director of Berkeley Lab’s Scientific Networking Division, will give the closing keynote address on Thursday, Sept. 20, at the 2012 NORDUnet conference in Oslo, Norway. NORDUnet is a joint collaboration by the five Nordic national research and education networks in Denmark, Finland, Iceland, Norway and Sweden. ESnet has collaborated with NORDUnet on common methodologies for reserving end-to-end bandwidth to accelerate large data transfers, and on standards development for the emerging Network Service Interface protocol.  

In his talk, “Network as Instrument: the View from Berkeley,” Bell will argue that “it’s time to start thinking about research networks as instruments for discovery, not as infrastructures for service-delivery.”  He will explain what’s at stake in this distinction, and “how ESnet’s strategy is influenced by its unusual institutional context: embedded in a US national laboratory, classified as a user facility, and located uphill from a famously audacious university.”

Webinar: Using Globus Online for ESnet Users

Staff from ESnet, DOE’s high-speed science network, and Globus Online, a fast, reliable file transfer service, will offer a free webinar on how ESnet users can more easily transfer data. The free webinar will be held from 11 a.m. to 12:30 p.m. Wednesday, Sept. 12 (Pacific time). To register, go to https://www.globusonline.org/esnet-webinar/

ESnet is working with the various experimental and computing facilities, science communities and collaborations it connects to help optimize their science data transfers and resolve data mobility issues. One of its most successful strategies is the “Science DMZ” model, a network design which helps ESnet-connected sites optimize local network resources to offer the highest levels of performance for science data transfers.

One of the key Science DMZ components includes a Data Transfer Node (DTN) running software that is designed for efficient, reliable data transfers. Globus Online is a robust, high-performance data transfer tool that is ideal for deployment on a DTN in a Science DMZ, and is currently ESnet’s top recommended tool for wide-area network file transfers. This webinar will provide an overview of a Science DMZ, and a demonstration of the most frequently used Globus Online features, tips & tricks, and Q&A for integrating these tools into the scientific workflow.

The presenters will be  Brian Tierney, leader of ESnet’s Advanced Network Technologies Group, and Steve Tuecke, Globus Online Project Lead  and Deputy Director of the Computation Institute at the University of Chicago and Argonne National Laboratory.

The Risks of Not Deploying IPv6 in the R&E Community

Observations from ESnet’s resident IPv6 Expert Michael Sinatra

When having discussions with CIOs of various colleges, universities, and national laboratories, I often hear about such issues as “risk,” “return on investment,” “up-front-costs,” “CAPEX/OPEX,” and the like. When the topic turns to IPv6, costs are cited as well as potential risks involved with adopting IPv6. However, any good risk assessment should include risks and costs of not doing something as well as doing it. Until recently, much of the risk of not deploying IPv6 was centered around running out of IPv4 addresses and not much more. Organizations that had a lot of IPv4 addresses (or thought they did) presumably didn’t have to consider such risks. In the discussion below, I note several more risks of not deploying IPv6, advantages of IPv6, and reasons to move forward. This discussion can be combined with more traditional risks and costs associated with deploying IPv6, to provide the seeds of a more complete risk assessment.

Adoption, not migration

It’s important to understand that adoption, not migration is of principal concern. It is widely understood that IPv4 will remain active for some time and that a dual-stack environment–where networks, computers, and other devices all run both IPv4 and IPv6 simultaneously–is still the “best” way to achieve an IPv6 transition. My concern is principally about the adoption portion, where we add IPv6 functionality to networks and hosts, in order to achieve a dual-stack environment. Indeed, this assumes a reasonable abundance of IPv4 addresses within an organization.

Risk 1: Security

Conventional wisdom has it that adopting IPv6 brings with it a range of security issues, namely owing to the traditionally poor support for IPv6 in security appliances. Although open-source firewalls have long had near-parity between IPv4 and IPv6, many proprietary firewall and IDS devices have lacked sufficient IPv6 features. While it is true that security equipment has in the past turned a blind eye to IPv6, this is changing rapidly as vendors move to support IPv6.

Nevertheless, there are risks to ignoring IPv6 on the campus or the lab site. Because of the widespread and largely “default-on” support of IPv6 tunneling technologies, such as 6to4 and Teredo, IPv6 tunnels can and do easily exist on IPv4-only networks. Security devices which don’t understand IPv6 are unlikely to understand these tunneling technologies, and they will be unable to peel open the tunnel layers to see what’s really going on inside the tunnels.

Many black-hats and grey-hats understand this and will attempt to use IPv6 to transport illegal peer-to-peer content and malware. If the bad guys are adopting IPv6, the good guys need to adopt it as well so they can see the bad stuff and clean it up. Some IDSes and firewalls do understand IPv6 and they even understand the tunneling protocols. While it’s possible to block wholesale some of the tunneling protocols, it isn’t easy to block them all–especially if there are legitimate users of tunnels on your network. Moreover, blocking protocols at the border or at a router doesn’t block it within your enterprise or within individual LANs.

If you haven’t been including IPv6 support (and, ideally, feature-parity between IPv4 and IPv6) in your purchasing decisions and RFPs for security equipment, you are exposing yourself to this risk. Ignoring IPv6 simply won’t keep it off your network. However, adopting IPv6 as a natively-routed protocol will bring most of the tunneled traffic out in the open as native IPv6 traffic, where it will be easier to detect anomalies. That, combined with making IPv6 a key consideration in purchasing decisions will help mitigate the security risk.

Of course, purchasing life-cycles often span three- or five-year periods. That’s why it’s crucial to start thinking about IPv6 now, so that you can get IPv6 requirements embedded into purchasing processes before you really need IPv6. This is true for both network (routers, switches) and security equipment. Realizing you need IPv6 after a purchasing cycle has completed is not a good position to be in.

Risk 2: Your eyeballs

Of course, I am speaking here of “eyeball networks”–networks with client computers that access content and data. For colleges and universities, these include your wireless nets, your residence hall networks, and lab and research networks that consume and process data. That last category is also prevalent at national lab sites. Many of these organizations feel that they have enough IPv4 address to satisfy network growth for several years. However, that does not mitigate the risks that these organizations face: That eyeball networks–even those with abundant IPv4 address space–will still need access to IPv6 content and data, and that “several years’” worth of IPv4 address space still may not be enough.

As is the case with security, ignoring the need for IPv6 on those eyeball networks also poses risks. While users may be perfectly happy consuming content and data over IPv4, there is no guarantee that that content and data will always be available over IPv4. Indeed, with the recent run-out of IANA’s IPv4 free-pool, and of the Asia-Pacific region’s IPv4 address space, IPv4 address space is becoming scarce in the larger Internet. Secondary markets are beginning to open in IPv4 address space, and the prices this far have been around $10 per IP address–far more expensive than most R&E organizations are used to spending (or for that matter, can afford). Government and foundation grants are unlikely to support shopping for IPv4 addresses on the secondary market, and they will tend to view IPv6 as a more viable (and cheaper) alternative.

New colleges and universities will not have access to an abundance of IPv4 addresses. Moreover, as new scientific sites and special instruments come on-line around the world, it is increasingly likely that those (especially in Europe and Asia) will have access to fewer and fewer IPv4 addresses. These research centers will have two options: Entirely forego IPv4 addresses or get a very small number of IPv4 addresses and run some sort of NAT and/or protocol translation to support IPv4. In this latter scenario, IPv6 can be supported end-to-end, due to address abundance, while the limited IPv4 space requires middleboxes.

ESnet’s work with the Science DMZ concept has revealed that middleboxes have a detrimental effect on network performance for data-intensive science applications. The lack of a clean end-to-end path for IPv4 will mean that IPv4 can only be supported as a legacy “slow-path” protocol. For real performance, IPv6 will be necessary. Even legacy support for IPv4 may not be available in certain regions for much longer.

A reasonable scenario that may be encountered within the IT departments of research institutions–universities and national labs–is as follows: Faculty members and research staff will need access to data from a particular instrument or reactor. They will either be unable to get the data they need over IPv4 or they will have to go through a middlebox or bastion to get to the data, and that will have serious performance implications for the researchers. They will approach the IT department and request IPv6. Knowing that lead times for such requests do not often extend past the order of hours or days begs the question, will you be ready when a researcher comes to you and asks for IPv6 connectivity in her lab “by the end of the week”?

Risk 3: Your Content

As the developing world mobilizes economically, corporations, foundations, entrepreneurs, benefactors, and prospective students will increasingly hail from countries such as China, India, Brazil, and other parts of Asia and Latin America. These prospective donors, collaborators, and scholars will need access to information resources at your university or lab. And increasingly, these people will have better access to IPv6 than to IPv4. The next-generation research network in China, CERNET2, is IPv6-only, for example.

Moreover, this is not solely true in the developing world. As ISPs in the US and Europe become further strapped for IPv4 resources, they will turn to large-scale NAT (LSN, aka “carrier-grade NAT”). LSN promises to reduce performance and increase troubleshooting headaches. Avoiding these pitfalls requires IPv6 support, which is why large ISPs like Comcast are proceeding aggressively with IPv6 adoption. As the effects of IPv4 run-out become more pronounced, more people will be trying to access your information resources via IPv6. Will they be able to reach you easily?

As campus development and public-affairs offices continue to push the outreach envelope, using social media and a variety of Internet-based technologies, they will want to ensure that they are reaching the maximum range of benefactors and prospective students. How will you answer the vice president of development when he asks you if your institution is doing all it can to make information resources available to the maximum range of prospective donors?  How will you respond when a researcher at your lab site asks about how to improve real-time collaboration experiences with partners in India?  How will you ensure the director of admissions that prospective students in China, India, and Brazil will have easy access to admissions materials and information about programs of study?  IPv6 plays an important role in answering these questions. How well you answer them depends on how well positioned you are for IPv6 adoption.

Risk 4: Even if you have a lot of IPv4 addresses, you don’t have enough

There are a lot of applications for which NAT, or the use of private IPv4 addresses without NAT, is “good enough.” Home networks frequently use NAT. Large high-performance compute clusters (HPCCs) frequently use private IPv4 space to number internal nodes. Small labs may use a consumer-grade NAT device at your campus or site. In many cases, these devices work fine. But often, the network could work much better if each device could be individually addressed.

In the case of HPCCs, I frequently encounter cases where two clusters at disparate sites use the same private IPv4 range (usually the lower end of 10.0.0.0/8). When the cluster owners decide to connect the HPCCs together via a private layer-2 or layer-1 (wave) link, they suddenly have address collisions. I have seen several cases where rounds of iterative negotiation are needed to properly renumber hosts into non-colliding ranges. Surprisingly, this is not infrequent in HPCCs, and it certainly has the potential to occur in many other applications. IPv6 solves this problem in two ways: First, because of its massive address space, a chunk of globally-routable address space can be used to number hosts with little impact. In the HPCC example, a single /64 can number all of the internal nodes in both clusters!  Even if a similar “private” address space is desired, IPv6 provides a mechanism called Unique Local Addressing, which allows different sites to “create” their own private address space. The algorithm specified by RFC 4193 allows for a high likelihood of uniqueness, so that if and when clusters are eventually merged, address collisions won’t occur. ULAs aren’t an exact replacement for IPv4 private addresses, but they are useful in certain circumstances, such as this HPCC example.

In this case, the use of IPv6 lowers the risk of escalating OPEX costs in maintaining a private address space. Moreover, the internal nodes could be numbered using EUI-64 based stateless autoconfiguration (SLAAC), further lowering costs. Because of the closed nature of the network, SLAAC may be a good candidate for an easy and maintainable configuration. Using EUI-64, which is based on the hardware addresses of the physical interfaces, makes documentation easy (hardware addresses are often easily known in these clusters, so hosts files and internal DNS can easily be generated from the known MAC addresses) and greatly reduces the likelihood of number collisions.

While large-scale HPCCs can benefit from IPv6, it can also help with small-scale NAT installations. Even in my own home network, I find IPv6 to be valuable over the existing IPv4 NAT system. I often need to manage individual hosts and sometimes, I need end-to-end transparency for such things as video and voice conferencing. Using IPv6 is much easier and more efficient than trying to poke holes or configure special redirects in my NAT box. I can access individual hosts at home directly over IPv6 without having to go through a NAT box. Now, some people may view this as a security risk–to them having my hosts “exposed” on the Internet is a big risk that NAT otherwise “solves.”

I view this security issue not as a risk but as a benefit. Instead of my security policy being dictated by the technology, I am able to develop my own security policy for my home network and use stateful firewalls to enforce that policy technically. Moreover, this produces a much cleaner security policy than having to place redirects and other kludges in my NAT configuration to support video conferencing and other needs.

IT readiness: The overarching risk

How many large-scale IT projects in your organization finish on-schedule, let alone can be completed on short notice? When that PR person or researcher comes to you and needs IPv6 “real soon now,” do you really want to be in the position of having never enabled IPv6 on any of your networks, or–worse yet–having no plan for IPv6 adoption?  You certainly don’t want to wait until a prominent member of your scientific staff or faculty is demanding IPv6 on her network before you even start thinking about IPv6, do you?

IT projects are hard. They have a lot of dependencies. They have a lot of unforeseen obstacles. And, of course, there are risks that arise from deploying IPv6, as there are with any large IT project. The big problem for IT managers will occur when the risks of not deploying IPv6 begin to outweigh the risks of deploying IPv6, and there’s suddenly a lot of pressure to move forward quickly. How do you ensure that things aren’t moving too quickly?  How do you mitigate all of the risks, or at least the majority?

There is a simple answer: Start before you really need to. Ideally, you should have already started and you may even be enabling IPv6 on networks and services right now. But if you haven’t begun yet, now is the time to start. There are a number of things you need to do just to get going, and ESnet has put together a useful checklist to get you started. You’re going to run into problems–all will definitely not be smooth sailing. That’s why you need to start adopting IPv6 before one of the risks that I have identified comes to bear. Even if you can’t deploy IPv6 on your production network just yet, you can get a feel for how it works and what the pitfalls are by creating a special “IPv6 DMZ.”  Better yet, if you plan to build a Science DMZ, make sure that it supports both IPv4 and IPv6 from day one. That will go a long way toward ensuring that you and your colleagues and staff fully understand IPv6, and it will provide improved connectivity options for the Science DMZ itself.

By now it should be clear that none of the risks I have identified are mitigated in any way by how much IPv4 address space you have. Simply put, having lots of IPv4 address space–even your own /8–is not reason enough to delay IPv6 implementation for one second. Your IPv4 address space no longer matters in the IPv6 equation. In this increasingly interconnected world, you need to be able to reach everyone else, and they need to be able to reach you. If you delay adopting IPv6, you make it less likely that your resources will be available to all, and that poses risks to you and your institution.

OSCARS 0.6 hits the limelight

At the recent Supercomputing11 conference, the bubbly was flowing. ESnet launched its ANI 100 gigabit-per-second network, and marked a quarter century of networking for DOE science. That big news may have overshadowed another milestone—SC11 was the first time OSCARS 0.6 was publicly demonstrated in a production environment. Now we’d like to give OSCARS its due.

OSCARS, or On-Demand Secure Circuits and Advance Reservation System, allows users to set up virtual circuits on demand to reserve bandwidth, streamlining the transfer of massive data sets across multiple network domains. OSCARS originated at ESnet, but we open-sourced it to the community long ago. Last spring the more modular OSCARS version 0.6 was released for testers and early adopters.

Other famous OSCARS

The performance of OSCARS 0.6 at SC11 showed us that we met our design goal of creating a flexible and modular framework. This was reflected in the demos, which were easy for folks to customize according to their needs. In the demo, “Enabling Large Scale Science using Inter-domain Circuits over OpenFlow” Tom Lehman of ISI used OSCARS to provide the functionality to control Openflow switches. Thanks to the flexibility to customize software built into OSCARS 0.6, ESnet’s Eric Pouyol was able to produce a variation of that application, customizing OSCARS 0.6 for resource brokering. OSCARS also played a part in the successful demonstration of Internet2’s Dynamic Network System (DYNES).The goal of DYNES is to work with regional networks and campuses, using OSCARS to schedule and support scientific data flows from the LHC, and other data intensive science programs such as LIGO, Virtual Observatory, and other large-scale sky surveys.

Most of the 100 Gbps demos at SC were supported by both the ANI 100 Gbps network and the 100 Gbps SCinet showfloor network. OSCARS 0.6 was used to schedule all eight of the demos using the 100 Gbps ANI network, which included complex visualizations of climate models, the Large Hadron Collider and the VERY early history—13.5 billion years ago, or 100 billion in dog years— of the Universe. OSCARS also controlled the approximately 100 different connections at SCInet, as well as connecting to three other OSCARS instances on the show floor.

OSCAR the Grouch

We used OSCARS 0.6 to provision the network, scheduling user time-slices of the 100 gigabit-per-second ANI and SCinet network, 24 hours a day, over the period of a week so they could test the demos in advance without having to get up at 3:00 a.m. to do it.

OSCARS 0.6 ended up making certain network engineers’ lives much easier. According to my colleague Evangelos Chaniatakis a.k.a. Vangelis, who was involved in the gritty details of setting up OSCARS 0.6 at the show, his team was required to make last-minute changes to the pre-existing network framework to work with the new hardware but didn’t receive the equipment until the week before the conference. The modularity ESnet built into OSCARS 0.6 helped the team get the network working at short notice.

 Less of a Software, More of a Service

Every year the number of reservations and circuits at SC continues to grow. The SC11 network required roughly twice the number of VLANs over the previous year. While the bandwidth wasn’t much bigger, and there were approximately the same number of customers, this year’s users definitely had more requirements. “On the whole OSCARS 0.6 was really stable.” Vangelis reports. “It worked fine.”  But the lessons learned at SC11 made us rethink the OSCARS 0.6 service module and requirements. In the near future, we intend to tweak OSCARS 0.6 to provide users more flexibility, making it less of a software and more of a service.