Elements of the PRP
Philip Papadopoulos
PRP Knits together DMZs
[Diagram: four site DMZs (DMZ1, DMZ2, DMZ3, DMZ4) knitted together by the Pacific Research Platform; traffic flows freely within the PRP, traffic can be impeded in/out of the PRP]
• Basic Tenets
• Within PRP, traffic flows freely
• In/out of PRP, traffic CAN be impeded
• Everybody has a different DMZ implementation.
• Solutions need to work for everybody.
• Need to pay attention as to how much people time a “solution” requires.
Collaborating Research Groups - CRGs
[Diagram: the Pacific Research Platform joining DMZ1–DMZ4, with three collaborating research groups (CRG1, CRG2, CRG3) spanning the sites]
• PRP constructed with specific science drivers
• Some of these groups need to “protect” their traffic
• Likely sharing modes that we need to support:
  • Share only within the group
  • Share with anyone in PRP
  • Share with anyone on Internet2
  • Share to the world
Peering VLANs – Not Scalable
[Diagram: DMZ-to-DMZ implemented with VLANs. DMZ1–DMZ4 are fully meshed by pairwise VLANs (vlan1-2, vlan1-3, vlan1-4, vlan2-3, vlan2-4, vlan4-3); each site border router (R) knows all other VLANs; traffic can be impeded in/out of the PRP (Pacific Research Platform)]
• We can build it this way, but take Frank W.’s comment that PRP is only 3 FTEs to heart.
• We will need to develop mechanics to enable each site to easily determine:
  • Is the source/destination on the PRP?
  • Is the source/destination a “partner” destination?
What are the mechanisms for managing PRP access? (and Monitoring Performance)
• Route advertisements? BGP has many control features (I’m not an expert in this area)
• My external view is that much of the “routing” security required can be accomplished with BGP, but it is very, very time intensive.
• A system similar to SciPass?
  • Identify “good” traffic and reroute around firewalls
• Is there anything inherent/clever that we could do with IPv6 addresses to identify something as “part of the PRP”?
• Can SDN (e.g. OpenFlow-enabled) hardware be of utility?
PRPv2 will be IPv6
[Diagram: DMZ-to-DMZ implemented as v6-to-v6 routing. DMZ1–DMZ4, each behind its site border router (R), reach one another over IPv6 routing across the Pacific Research Platform; traffic can be impeded in/out of each DMZ]
• ARIN ran out of v4 address blocks last month: https://www.arin.net/resources/request/ipv4_countdown.html
• This is going to be a hard transition for many software components.
• We (as a community) have to move to v6.
• Proposal is for PRPv2 to be IPv6 only.
One idea: for OpenFlow-based firewall
[Diagram: Per-site template for PRPv2 with a flow-based firewall implemented with OpenFlow. All DMZ-bound v6 traffic enters through the border router (Rtr) into an OpenFlow switch placed in front of the firewall (FW) and the DMZ subnets and hosts; a flow controller holds an allowed list, with allowed subnets updated from the PRP registry]
• PRP-allowed resources place an OpenFlow switch between their local DMZ and border router.
• A central (PRP-wide) registry identifies ALL PRP subnets.
• Each site can upload a (cryptographically secure) list of their local PRP-enabled resources.
• Local flow controller can use a combination of central registry and local policy to decide on pass/fail of a particular flow.
  • Decision can be made on a per-flow basis, not a per-packet basis.
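As an added example (not code from the slides or the PRP project), a minimal per-flow pass/fail decision for the OpenFlow-firewall idea above: the central registry of PRP IPv6 subnets is combined with a local policy that carries the four CRG sharing modes from the earlier slide, and the result is cached per flow rather than evaluated per packet. All subnets, resource addresses and CRG memberships are constructed placeholders.

```python
import ipaddress
from functools import lru_cache

# Central (PRP-wide) registry: which site owns which IPv6 subnet. Constructed values.
PRP_REGISTRY = {
    ipaddress.ip_network("2001:db8:1::/48"): "site1",
    ipaddress.ip_network("2001:db8:2::/48"): "site2",
    ipaddress.ip_network("2001:db8:3::/48"): "site3",
}

# Internet2-connected but non-PRP address space (constructed placeholder).
INTERNET2_SUBNETS = [ipaddress.ip_network("2001:db8:ffff::/48")]

# Local policy at this site: each local PRP-enabled resource carries one of the
# four sharing modes (group / prp / internet2 / world) and, for group mode, its CRG.
LOCAL_RESOURCES = {
    ipaddress.ip_address("2001:db8:1::10"): ("group", "crg1"),
    ipaddress.ip_address("2001:db8:1::20"): ("prp", None),
    ipaddress.ip_address("2001:db8:1::30"): ("internet2", None),
    ipaddress.ip_address("2001:db8:1::40"): ("world", None),
}

# CRG membership expressed as remote subnets, also site-local policy (constructed).
CRG_MEMBERS = {"crg1": [ipaddress.ip_network("2001:db8:2::/48")]}

def prp_site(addr):
    """Return the owning PRP site from the central registry, or None if not on the PRP."""
    addr = ipaddress.ip_address(addr)
    for net, site in PRP_REGISTRY.items():
        if addr in net:
            return site
    return None

@lru_cache(maxsize=4096)   # one decision per flow 5-tuple, not per packet
def allow_flow(src, dst, proto, sport, dport):
    """Pass/fail for an inbound flow toward a local DMZ resource."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mode, crg = LOCAL_RESOURCES.get(dst_ip, (None, None))
    if mode is None:               # destination is not a registered local PRP resource
        return False
    if mode == "world":
        return True
    if mode == "internet2":        # PRP sites are on Internet2 too, so both qualify
        return prp_site(src_ip) is not None or any(src_ip in n for n in INTERNET2_SUBNETS)
    if mode == "prp":
        return prp_site(src_ip) is not None
    return any(src_ip in n for n in CRG_MEMBERS.get(crg, []))   # "group" mode
```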