LHCONE AUP

Preamble

The LHCONE is a dedicated network architecture inter-connecting participating HEP Sites and allowing those sites to pool their computing resources for a more efficient distribution, storage, processing and analysis of HEP data.


Definitions


  • HEP Site: a high energy physics laboratory or university participating in and formally tied to one or more of the participating Collaborations listed in the next section;
  • HEP Service: a computing resource primarily used to distribute, store, process and analyse the data generated by HEP Sites;
  • LHCONE Site: a HEP Site connected to the LHCONE L3VPN service;
  • LHCONE Prefix: an IP subnet announced by a LHCONE Site to the LHCONE L3VPN;
  • LHCONE Node: a device using an IP address from a LHCONE Prefix to source or receive data;
  • LHCONE Traffic: IP data traffic carried by the LHCONE L3VPN network, i.e. data traffic generated by a LHCONE Node and sent to another LHCONE Node;
  • LHCONE Provider: National or International Network Service Provider (NSP) which provides network resources for the LHCONE L3VPN service;
  • LHCONE Management Board: the Management Board of one of the Collaborations listed in the next section. Each LHCONE Management Board has ultimate jurisdiction on its affiliated HEP/LHCONE sites.


Participating Collaborations and related information

The following Collaborations are currently participating in using the LHCONE:

  • WLCG
  • Belle II
  • U.S. ATLAS
  • U.S. CMS
  • Pierre Auger Observatory
  • NOvA
  • XENON

Process to include additional collaborations to LHCONE

Any scientific collaboration wishing to use the LHCONE services can ask to participate. The admission process is the following:

  1. The collaboration presents itself, its computing model and network requirements to the community during a LHCONE meeting
  2. The collaboration produces this information
    1. link to collaboration's description and documentation
    2. link to management board
    3. list of participating sites
    4. documentation of security policies
    5. email address(es) of contact people
  3. The LHCONE community accepts or rejects the request based on its impact on the LHCONE. Criteria used in the evaluation include:
    1. the collaboration must be related to Particle Physics
    2. a major fraction of the sites and collaboration’s resources (CPUs and storage) must be already connected to LHCONE
    3. commitment to meet the technical and security requirements listed at the next point
    4. the bandwidth demand shouldn’t have a significant impact on existing LHCONE data transfers
    5. commitment to participating and contributing to LHCONE meetings
  4. Requirements to fulfil:
    1. comply with the WLCG security policies
    2. comply with the technical specifications of the LHCONE AUP concerning Announcement of IP Prefixes (LHCONE Prefixes) and Authorized source and destinations nodes (LHCONE Nodes)
    3. acknowledge the LHCONE AUP
  5. The LHCONE community chairman informs the WLCG Management Board and WLCG Overview Board of the request and the decision

Scope

This AUP is a pragmatic guideline that shall apply to all LHCONE Sites. Its purpose is to define:

  • which IP Prefixes must be announced for LHCONE Traffic;
  • which nodes can be LHCONE Nodes;
  • which HEP sites can be LHCONE Sites;
  • consequences for non-compliance with this AUP.


LHCONE L3VPN Acceptable Use Policy (AUP)


Announcement of IP Prefixes for LHCONE Traffic (LHCONE Prefix)

A LHCONE Site announces to the LHCONE Provider's router a limited number of IP prefixes (subnets) from its own public address range (instructions on how to connect to LHCONE are published separately). These prefixes are called LHCONE Prefixes.

All LHCONE Traffic is subject to the following conditions:

  • Traffic injected into the LHCONE can be originated only from addresses that belong to a LHCONE Prefix;
  • Traffic injected into the LHCONE can be sent only to addresses that belong to a LHCONE Prefix.

This is essential to ensure traffic symmetry through any stateful firewall, i.e. so that a TCP handshake completes over the same path in both directions; a flow whose source or destination lies outside the LHCONE Prefixes would have its return traffic routed over the general Internet instead. In addition, some sites may use the announced LHCONE Prefixes for traffic filtering in their stateful or stateless firewalls. Independently of this, each LHCONE Site decides for itself whether LHCONE Traffic is allowed to bypass its own perimeter firewall.
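The two conditions above can be checked mechanically against flow records exported at the LHCONE border. The following Python script is an added example, not part of the AUP or of any LHCONE tooling: it takes a constructed table of LHCONE Prefixes for two hypothetical sites (using documentation address ranges) and a handful of constructed (source, destination) flow records, and reports which flows violate condition 1 (source outside any LHCONE Prefix) or condition 2 (destination outside any LHCONE Prefix). The site names, prefixes and flows are all assumptions made for the illustration.

```python
"""Audit flow records against the two LHCONE Traffic conditions.

Added example; the prefixes, site names and flows below are constructed
for illustration and are not real LHCONE announcements.
"""
import ipaddress
from collections import namedtuple

# Constructed: LHCONE Prefixes announced by two hypothetical sites.
# Real sites announce subnets from their own public address range.
LHCONE_PREFIXES = {
    "site-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "site-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}

# Constructed flow records (source, destination), as a collector might
# export them for traffic seen on the LHCONE-facing interface.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7"),      # both ends in LHCONE Prefixes: compliant
    ("192.0.2.200", "198.51.100.7"),     # source outside site-a's /25: condition 1
    ("192.0.2.10", "203.0.113.5"),       # destination never announced: condition 2
    ("2001:db8:a::1", "2001:db8:b::1"),  # compliant IPv6 flow
    ("2001:db8:a::1", "2001:db8:c::1"),  # IPv6 destination never announced
]

Verdict = namedtuple("Verdict", "src dst src_site dst_site compliant reason")


def build_prefix_table(prefixes_by_site):
    """Flatten the per-site announcements into (network, site) pairs."""
    return [(ipaddress.ip_network(p), site)
            for site, plist in prefixes_by_site.items()
            for p in plist]


def lookup(addr, table):
    """Return the site whose LHCONE Prefix contains addr (longest match), or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, site in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def check_flow(src, dst, table):
    """Apply the AUP conditions to one flow and explain the verdict."""
    src_site = lookup(src, table)
    dst_site = lookup(dst, table)
    if src_site is None and dst_site is None:
        reason = "neither endpoint is in a LHCONE Prefix"
    elif src_site is None:
        reason = "source is not in a LHCONE Prefix (condition 1)"
    elif dst_site is None:
        reason = "destination is not in a LHCONE Prefix (condition 2)"
    else:
        reason = "ok"
    compliant = src_site is not None and dst_site is not None
    return Verdict(src, dst, src_site, dst_site, compliant, reason)


def audit(flows, prefixes_by_site=LHCONE_PREFIXES):
    """Return a Verdict for every (src, dst) pair in flows."""
    table = build_prefix_table(prefixes_by_site)
    return [check_flow(src, dst, table) for src, dst in flows]


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        flag = "OK  " if v.compliant else "DROP"
        print(f"{flag} {v.src} -> {v.dst}: {v.reason}")
```

In practice the prefix table would be populated from the routes actually received with the LHCONE BGP session rather than from a hand-written dictionary, and the same lookup can drive an ACL that drops non-compliant traffic before it reaches a stateful firewall.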


Authorized source and destinations nodes (LHCONE Nodes)

IP addresses from the LHCONE Prefixes must be assigned to LHCONE Nodes, i.e. only to

  • Nodes that are currently and primarily used to distribute, store, process and analyse the data generated by HEP Sites;
  • Routers and switches for routing such data;
  • perfSONAR probes and the corresponding management infrastructure used for LHCONE.

The following devices must not be LHCONE Nodes:

  • Generic campus devices (desktop and portable computers, wireless devices, printers, VoIP phones, etc.).

Currently the following devices are tolerated as LHCONE Nodes:

  • Computing nodes, storage elements and web servers not related to HEP computing services, as long as they are managed according to the security policies agreed by each participating Collaboration. The relevant security policy documents are listed in the Related documents section.

This exception is subject to later review.


Eligibility for Becoming a LHCONE Site


Non-compliance with the AUP

If a LHCONE Site believes that another one is not complying with this AUP, it can report the fact to its Collaboration's Management Board. The following procedure then applies:

  • Should the Management Board consider the report of non-compliance justified, it will ask the non-compliant site to take all necessary action to restore compliance;
  • If the site takes no action within the next 2 months, the Management Board will ask the non-compliant site to disconnect itself from the LHCONE L3VPN;
  • If this does not happen within a further month, the Management Board will ask the upstream LHCONE Provider to disconnect the non-compliant site;
  • A LHCONE Site may, at its own discretion, drop the prefixes announced by the non-compliant site at any time, regardless of the effects that the resulting routing asymmetry may cause. The 65010:ASN LHCONE BGP community can be used to keep the routing symmetric when doing so.


Compromised Security

Like any WAN network, the LHCONE is not intrinsically secure. If a LHCONE Site receives malicious traffic via its LHCONE connection, it can disconnect itself from the LHCONE without any notice. If the affected site knows which LHCONE Site is sending the malicious traffic, it can ask the LHCONE Provider of the compromised site to temporarily disconnect that site from the LHCONE in the interest of all connected sites.


Roles and Responsibilities

LCG and LHCONE Sites:

  • have to acknowledge this AUP;
  • are responsible for forming their own security policy with regard to traffic arriving from the LHCONE;
  • can decide independently if the LHCONE traffic can bypass their own perimeter firewall or not.

LHCONE Providers:

  • must make sure that they connect to the LHCONE L3VPN only sites that are HEP Sites and that have acknowledged this AUP;
  • must announce to the lhcone-operations@cern.ch mailing list whenever a new site gets connected to the LHCONE;
  • must acknowledge disconnection requests made by a LHCONE Management Board;
  • should disconnect a LHCONE Site from the LHCONE if told to do so by a LHCONE Management Board;
  • must implement BGP filtering based on the LHCONE BGP communities.

LHCONE Management Boards

  • Any LHCONE Management Board can ask a LHCONE Provider to disconnect a non-compliant LHCONE Site from the LHCONE.


Related documents

Submitted by Edoardo Martelli on Thu, 04/21/2016 - 12:11