You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

This page contains service description outlining how and where service should be used, targeted users, service delivery model and service elements and topology.

RESPONSIBLE: Information provided in this page is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager, with exception of CBA which remains the responsibility of business development team.

Service description

Add brief description of the service, how and where service should be used,  typical or key use cases or scenarios (for various groups/levels of end users) and other relevant overview information


FoD is a BGP-FlowSpec-based [RFC5575] [RFC7674], multi-tenant DDoS mitigation solution allowing users
(connected NRENs or recursively connected institutions with own AS; especially the NoC amins of these organizations)
to control DDoS mitigations for filtering normally routed IP traffic destined for their networks
by using a web UI (manual) or a REST API (automated).


FoD is currently provided as a productive service in the GÉANT core network
using FoD software flowspy v1.1.
v1.5 is in pilot phase. It adds support for explicit port ranges in rule specifications
allowing more convenient mitigation with less rules,
provides a multi-tenant REST-API allowing for automated user mitigation instead of manual one with WebUI,
and provides rule mitigation statistics for user feedback.
v1.6 in design/development phase. It will provide automated rule proposals created out of DDoS events and information,
in case of GÉANT particularly out of NSHaRP (Network Security Handling and Response Process) DDoS events.

Users

Add definition of who are the targeted users, estimate about possible number of users etc.


connected NRENs or recursively connected institutions with own AS; especially the NoC amins of these organizations

#users >= #(of connected NRENs)

The direct benefit for the users is that they
can themselves start/monitor/stop DDoS mitigation actions regarding their IP traffic
without contacting GÉANT NoC in an manual (WebUI) or automated (REST API) fashion,
i.e. a flexible, independent, fast DDoS mitigation.

Contacts

All operations, business development and stakeholders contacts

 

Service ManagerDeputy Service ManagerL1 supportL2 supportL3 support
 Evangelos Spatharas 

 support@oc.geant.net

 fod@lists.geant.org

 security@geant.org  gn4-2-jra2-t6@lists.geant.org

Service delivery model

Add explanation about organisation of service delivery

In GÉANT, FoD, currently running v1.1, for GÉANT core network, is operated by GÉANT NOC. Potential users are all NREN (NoCs) as well as any recursively connected institutions having own AS. Any potential users can subscribe to FoD service and afterwards use the service, that is access it via the web portal address. Authentication of users is based on eduGAIN.

Service Elements

Service Elements, with brief description and links to products, resource instances and software stack of the service, indicating the software components types - if they are internally (in-house) developed, OSS or commercial off-the-shelf softwareService elements can be grouped in two following categories:

Technology infrastructure

Add list and description of products and resources used to deliver main functionalities of the service. Add service technical architecture - i.e. its good to have a conceptual architectural diagram and topology diagram.

FoD Software is OSS, internal name of the software is flowspy. It was initially developped by GRNET NoC for GÉANT in earlier phases of the project. While GRNET is still continuing the development of FoD on its own regarding GRNET special needs, in GN4-SGA2 it is FoD further developed by JRA2-T6 regarding GÉANT needs (as well as potential future generic NREN needs for running FoD on their own in their core network). Where useful this GN development is coordinated and cooperated with the current GRNET developpers. Official github of FoD is https://github.com/grnet/flowspy (maintained by GRNET). New development by JRA2-T6 will be published in future under https://github.com/geant . Currently they are available only on a GEANT development/pilot server as well as in private github repository of JRA2-T6 members.

FoD is written in python, mainly based on django.
So it run in productive mode behind an apache web server.
FoD support eduGAIN logins for its users, based on apache edugain support.

FoD (along with apache with edugain support, a mysql database and a supporting software beanstalk) 
is run on a single VM with possibility to connect a particular core router
via NETCONF for pushing its BGP FlowSpec rules.
In addition to that the v1.5 being currently in pilot support creation
of rule drop statistics for user feedback by using SNMP to all core routers.

Supporting infrastructure

Add list and descriptions of products and resources used to deliver supporting services such as specialized monitoring and measuring systems, configuration management system, issue/ticket reporting system, etc.)

Cost Benefit Analysis

Provide URL to last valid CBA

CBA draft documents can be found as attachements in

FoD CBAs

 (restricted access)


  • No labels