Date

Attendees

Goals

  • Status Updates of work items (FoD/RepShield/CT)
    • FoD v1.5 pilot preparations
    • Deliverable FoD v1.6 (with automated rule proposal from RepShield)
    • FoD v1.6 pilot
  • Status of DDoS Detection/Mitigation WG
  • F2F-Meeting-Planning:
      • location: Prague
      • => Discussing potential date
  • GEANT Symposium, 02-05.10.2017, Budapest
  • Review Open Action Points from last VC(s)
  • AOB

Discussion items

Time | Item | Who | Notes

Firewall On Demand (FoD)
  • (info page for FoD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • FoD v1.5 = FoD with new functionalities: rule range specification, current rule behavior statistic graphs, multi-tenant rule control REST-API
  • FoD v1.6 = FoD with automated rule proposal from RepShield
  • FoD v1.5 pilot preparations by David
      • Found particular DANTE python27 RPMs (including virtualenv) which can be installed in parallel to the normal OS python (v2.6) without conflicts
      • Built an RPM with new FoD v1.5 code/config, based on the old FoD RPM file, which depends on the python27 RPMs
      • Created scripts for preparing a python27 virtualenv environment for FoD and for installing all needed python dependencies, especially gunicorn and celeryd binaries, there
      • Workarounds for issues with limited storage space on the pilot machine as well as puppet overwriting new FoD code
      • Pilot machine is installed, everything seems to work so far, but has to be tested in depth, especially with real traffic to be filtered
      • Afterwards all changes for v1.5 have to be adapted in puppet
      • Excel sheet for pilot acceptance criteria has to be reviewed and finalized
      • Then the pilot can be opened to the committed pilot users
  • Tomáš, Václav and David started to write deliverable D8.3 "DDoS Detection/Mitigation Pilot" about FoD pilot v1.6 (integration with RepShield)

  • Plan for FoD v1.6 (with RepShield) development/testing/pilot:
      • Evangelos installed a VM for Warden/RepShield in Cambridge lab next to FoD having connectivity to FlowMon as well as FoD; Václav will install Warden/RepShield there

      • Use FlowMon script for accessing NSHaRP events by this Warden/RepShield instance
      • Firewall-rule-updater component: script which uses API of RepShield to get NSHaRP events (correlated with each other and other DDoS/security events/information) as well as REST API of FoD to propose rules in inactive state, inform respective (pilot) users via mail
  • Nicole Harris added Tomáš, Evangelos, and David to GEANT github area (https://github.com/geant), where in future T6 FoD development will reside

DDoS Detection/Mitigation (D/M) WG

Plans for a combined PoC for CORSA NSE7000 box and A10 DDoS D/M solution (Evangelos)

  • Corsa included new features in NSE7000: Gigafilter, copying/redirecting (on L2) of traffic, anomaly detection
  • The former might allow for a combined D/M solution with A10 parts where the NSE7000 will pre-filter malicious traffic by the anomaly detection before A10 will detect and inform the NSE7000 about this (change the GigaFilter via REST-API)
  • PoC of this may start in September, Evangelos will keep T6 updated
  • He should not forget about integration with FoD (user control)
  • A key element of DDoS D/M solutions today is the integration of the various existing intelligence systems, e.g. the capability of detection solutions to inform (preferably via standards) mitigation solutions, or an end-to-end perspective from the end-user site via the core network to upstream providers (Nino)

GARR DDoS D/M PoCs (Silvia/Nino)


RepShield/NERD
  • NERD REST-API implementation is nearly complete
  • Václav will install Warden/RepShield on VM created by Evangelos for FoD v1.6 test/pilot (cmp. FoD section above)
  • Evangelos has already created an account for Tomáš; he will also create one for Václav

Certificate Transparency (CT)
  • As Linus and Magnus are not here today, David will contact them separately about the status

F2F Meeting Planning
  • Location: Prague is to be used (thanks to Tomáš and Václav), if no one complains
  • So everybody can check required travel time
  • David will create a Foodle poll (starting at end of August) to find a suitable, common date

GEANT Symposium, 02-05.10.2017, Budapest
  • Everybody in T6 is invited to come there
  • Exact dates still to be announced
  • There will be a "Network Monitoring and Management" session where
          • Evangelos/David will present about NSHaRP and FoD (10min)
          • David will present about other parts of T6, i.e., mainly RepShield and CT
          • Afterwards a 15-min discussion will follow

Next VC

In 2 weeks: 26.07.2017, 14:15-15:15 CE(S)T

Action items

  • Evangelos: provide account for Václav on new VM
  • Tomáš/Václav: install RepShield for FoD v1.6 pilot on VM provided by Evangelos
  • David: create Foodle for F2F meeting in Prague (beginning after end of August)
  • all: Next regular T6 VC: 26.07.2017, 14:15-15:15 CE(S)T