The pilot of FoD v1.5 was initially described in deliverable GN4-2 D8.2
"Firewall-on-Demand-Progress-Report", available at
https://www.geant.org/Projects/GEANT_Project_GN4/deliverables/D8.2_Firewall-on-Demand-Progress-Report.pdf .
Here, instead, all details of the planning and conduct of this pilot are covered, along with all related documents, e.g. KPIs, survey (results).


FoD v1.5 finally comprises 3 new user functionalities:

  • explicit support for TCP/UDP port ranges in rule specifications, making it much easier for users to deploy complex rules,
  • a rule mitigation statistics graph to give users feedback on the mitigation per rule,
  • as well as a multi-tenant REST API as an alternative to the existing WebUI, which will allow users to automate DDoS mitigation.

After developing and testing these new functionalities and evaluating their potential usefulness for users, T6 decided that a proper pilot with actual users and operators should be conducted for this new version of FoD.

Pilot Users

The pilot for FoD v1.5 has 3 designated pilot users, namely RedIRIS, LITnet and EEnet, which will extensively test these new user functionalities and their usefulness for their operational work.

Pilot Goals

In addition to testing the new user functionalities, the pilot includes, as preparation, testing of the installation, also by GEANT operators, who make sure that the installation works with the Puppet configuration management in place,
as well as post-installation testing of proper operation by GEANT operators.

Pilot Preparations

Preparation of the pilot, i.e. packaging and test installation by T6 developers, started at the beginning of 2017/07; since the start of 2017/08, a UAT test installation by GEANT operations has been in progress.
During this, installation and application dependency issues were found, identified and solved together with the T6 developers.

Pilot Environment

Basically, the FoD v1.5 pilot uses similar resources to the existing FoD v1.1 production service,
i.e. a VM for FoD installed along with all its Python dependencies, a MySQL DB, and further requirements on the host, i.e. beanstalkd and Apache with Shibboleth support (for eduGAIN support).
Also, same as for FoD v1.1, the FoD v1.5 VM needs access to one GEANT core router via NETCONF to synchronize the DDoS mitigation rules via BGP FlowSpec.
In addition, FoD v1.5 needs SNMP access to particular MIB variables on all GEANT core routers to fetch individual statistics of the mitigation performed on each router per published BGP FlowSpec rule,
which is the only operational requirement beyond the requirements for v1.1.

Means of verification

Also, an Excel document (KPIs_2017_09.xlsx) of appropriate pilot criteria/KPIs has been prepared (an update of the corresponding pilot criteria document for v1.1).
It contains criteria to be tested by users as well as criteria to be tested by the operator (GEANT) of the service.

TO BE COMPLETED:

Also, appropriate updated user documentation (presentation document) has been prepared.
Finally, a pilot result survey to be filled in at the end of the pilot has been prepared, too (an update of the pilot result survey of v1.1).


The proper start of the pilot (opened for users) is expected soon, and the pilot should last 2 months.

Summary of Scheduling

Official Start Date (including installation (also by operators) which also had to be tested): start of 2017/07

Proper Start Date (open for pilot users): expected start of 2017/10

End Date: 2017/11
