The most up-to-date version can be found here: https://twiki.cern.ch/twiki/bin/view/LHCONE/LhcOneAup
The LHCONE is a dedicated network architecture interconnecting participating HEP Sites and allowing those sites to pool their computing resources for a more efficient distribution, storage, processing and analysis of HEP data.
- HEP Site: a high energy physics laboratory or university participating in, and formally tied to, one or more of the participating Collaborations listed in the next section;
- HEP Service: a computing resource primarily used to distribute, store, process and analyse the data generated by HEP Sites
- LHCONE Site: a HEP Site connected to the LHCONE L3VPN service;
- LHCONE Prefix: an IP subnet announced by a LHCONE Site to the LHCONE L3VPN;
- LHCONE Node: a device using an IP address from a LHCONE Prefix to source or receive data;
- LHCONE Traffic: IP data traffic carried by the LHCONE L3VPN network, i.e. data traffic generated by a LHCONE Node and sent to another LHCONE Node;
- LHCONE Provider: National or International Network Service Provider (NSP) which provides network resources for the LHCONE L3VPN service;
- LHCONE Management Board: the Management Board of one of the Collaborations listed in the next section. Each LHCONE Management Board has ultimate jurisdiction on its affiliated HEP/LHCONE sites.
The following Collaborations are currently using the LHCONE:
WLCG
- The WLCG collaboration is documented on the web site http://wlcg.web.cern.ch/
- The WLCG collaboration is managed by the WLCG Management Board
- WLCG sites are listed on this web page
- WLCG Security Policies: Grid Security Policies, Security Incident Response Policy, Grid Site Operations Policy
- Additional information can be requested from wlcg.office@cern.ch
Belle II
- The Belle II collaboration is documented on the web site http://belle2.kek.jp/
- The Belle II Computing Resources are managed by the Belle II Computing Steering Group (B2CSG)
- Belle II sites are listed in the Belle II MoU
- Belle II Security Policies: Belle II MoU. KEK is a member of EGI and is therefore compliant with the WLCG security policies
- Additional information can be requested from belle2-wan-networking@belle2.kek.jp
U.S. ATLAS
- The U.S. ATLAS collaboration is documented on the web site http://www.usatlas.bnl.gov/
- The U.S. ATLAS collaboration is managed by the U.S. ATLAS Operations Program Management Team
- The U.S. ATLAS sites are listed on this web page: http://www.usatlas.bnl.gov/USATLAS_TEST/institutes,%20reps,%20emails.htm
- U.S. ATLAS Security Policies: https://twiki.grid.iu.edu/bin/view/Documentation/PoliciesProcedures
- Additional information can be requested from U.S. ATLAS Computing, usatlas-grid-l@lists.bnl.gov
U.S. CMS
- The U.S. CMS collaboration is documented on the web site http://uscms.org
- The U.S. CMS collaboration is managed by the U.S. CMS Operations Program Management Team
- The U.S. CMS sites are listed on this web page: http://uscms.org/public_2/about/univs_labs.shtml
- U.S. CMS Security Policies: https://twiki.grid.iu.edu/bin/view/Documentation/PoliciesProcedures
- Additional information can be requested from the U.S. CMS Software and Computing Program Execution Team, uscms-pet@uscms.org
Pierre Auger Observatory
- The Pierre Auger Observatory collaboration is documented on the web site https://www.auger.org/
- The Pierre Auger Observatory collaboration is managed by the Spokesperson
- Pierre Auger Observatory sites are listed on this web page
- Pierre Auger Observatory Security Policies: based on the EGI AUP
- Additional information can be requested from auger-distributed-computing@auger.unam.mx and Jiri.Chudoba@cern.ch
NOvA
- The NOvA collaboration is documented on the website http://www-nova.fnal.gov/
- The NOvA collaboration is managed by the spokespeople
- The NOvA computing sites (both dedicated and opportunistic) are listed on this web page
- The NOvA collaboration security policies are based on the OSG Security Policies, including the AUP
- Contacts for the NOvA experiment are Alex Himmel <email@example.com> and Andrew Norman <firstname.lastname@example.org>
XENON
- The XENON collaboration is documented on the website http://xenon1t.org/
- The XENON collaboration is managed according to this organization chart
- The XENON computing sites are listed on this web page
- The XENON computing security policies are described in this document
- Contacts for the XENON experiment are Luca Grandi <email@example.com> and Rob Gardner <firstname.lastname@example.org>
Any scientific collaboration wishing to use the LHCONE services can ask to participate. The admission process is the following:
- The collaboration presents itself, its computing model and its network requirements to the community during a LHCONE meeting
- The collaboration provides the following information:
  - link to the collaboration's description and documentation
  - link to the management board
  - list of participating sites
  - documentation of security policies
  - email address(es) of contact people
- The LHCONE community accepts or rejects the request based on its impact on the LHCONE. Among the criteria used in the evaluation:
  - the collaboration must be related to Particle Physics
  - a major fraction of the sites and of the collaboration's resources (CPUs and storage) must already be connected to LHCONE
  - commitment to meet the technical and security requirements listed under the next point
  - the bandwidth demand should not have a significant impact on existing LHCONE data transfers
  - commitment to participating in and contributing to LHCONE meetings
- Requirements to fulfil:
  - comply with the WLCG security policies
  - comply with the technical specifications of the LHCONE AUP concerning the announcement of IP prefixes (LHCONE Prefixes) and the authorized source and destination nodes (LHCONE Nodes)
  - acknowledge the LHCONE AUP
- The LHCONE community chairman informs the WLCG Management Board and the WLCG Overview Board of the request and of the decision
This AUP is a pragmatic guideline that shall apply to all LHCONE Sites. Its purpose is to define:
- which IP Prefixes must be announced for LHCONE Traffic;
- which nodes can be LHCONE Nodes;
- which HEP sites can be LHCONE Sites;
- consequences for non-compliance with this AUP.
A LHCONE Site announces to the LHCONE Provider's router a limited number of IP prefixes (subnets) from its own public address range (see here for instructions on how to connect to LHCONE). These prefixes are called LHCONE Prefixes.
All LHCONE Traffic is subject to the following conditions:
- Traffic injected into the LHCONE can be originated only from addresses that belong to a LHCONE Prefix;
- Traffic injected into the LHCONE can be sent only to addresses that belong to a LHCONE Prefix.
This is essential to ensure traffic symmetry through any stateful firewall, i.e. enabling a proper TCP handshake. In addition, some sites might use the announced LHCONE Prefixes for traffic filtering in their stateful or stateless firewalls. Alternatively, LHCONE Sites can decide independently whether the LHCONE Traffic is allowed to bypass their own perimeter firewall or not.
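The two conditions above can be checked mechanically by a site against flow records exported from its LHCONE-facing router: any flow whose source or destination falls outside the set of announced LHCONE Prefixes is traffic that should not have entered the L3VPN and is a candidate for a firewall rule or a report to the remote site. The script below is an added example, not code from the AUP page or from any LHCONE tool; the prefixes, the flow records and the record format ("timestamp src dst proto port") are constructed sample data using documentation address ranges.

```python
"""Audit flow records against the LHCONE Prefix rule.

Added example, not part of the LHCONE AUP. All prefixes and flow lines are
constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

# Constructed sample: every prefix this site currently sees as an LHCONE
# Prefix, i.e. its own announcements plus those learned from other sites.
LHCONE_PREFIXES = [
    "192.0.2.0/24",        # this site's own IPv4 LHCONE Prefix (hypothetical)
    "2001:db8:1::/48",     # this site's own IPv6 LHCONE Prefix (hypothetical)
    "198.51.100.0/24",     # learned from another LHCONE Site (hypothetical)
    "2001:db8:2::/48",     # learned from another LHCONE Site (hypothetical)
]

# Constructed sample flow export, one record per line:
# "<timestamp> <src> <dst> <proto> <dst_port>"  (assumed format)
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z 192.0.2.10 198.51.100.20 tcp 443
2024-05-01T10:00:01Z 192.0.2.10 203.0.113.5 tcp 443
2024-05-01T10:00:02Z 10.0.0.5 198.51.100.20 tcp 2811
2024-05-01T10:00:03Z 2001:db8:1::10 2001:db8:2::20 tcp 443
2024-05-01T10:00:04Z 2001:db8:1::10 2001:db8:ffff::1 udp 53
2024-05-01T10:00:05Z not-an-ip 198.51.100.20 tcp 443
"""


def parse_prefixes(prefixes):
    """Turn prefix strings into network objects; strict=True rejects host bits."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def covered(addr, nets):
    """True if addr lies inside any announced LHCONE Prefix.

    ipaddress never matches an IPv4 address against an IPv6 network (or the
    reverse), so mixed-family prefix lists are safe here.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def classify_flow(src, dst, nets):
    """Apply the two AUP conditions to one flow.

    Returns 'ok', 'bad-source', 'bad-destination' or 'unparsable'.
    A flow is compliant only if BOTH endpoints are inside an LHCONE Prefix.
    """
    try:
        src_ok = covered(src, nets)
        dst_ok = covered(dst, nets)
    except ValueError:          # malformed address in the export
        return "unparsable"
    if not src_ok:
        return "bad-source"
    if not dst_ok:
        return "bad-destination"
    return "ok"


def audit_flows(flow_text, prefixes):
    """Classify every record; return (summary counts, list of violations).

    Violations are (timestamp, src, dst, verdict) tuples for everything that
    is not 'ok', which is what an operator would turn into a filter rule or
    a report to the remote site's contact address.
    """
    nets = parse_prefixes(prefixes)
    counts = {"ok": 0, "bad-source": 0, "bad-destination": 0, "unparsable": 0}
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) < 3:
            counts["unparsable"] += 1
            violations.append((line, None, None, "unparsable"))
            continue
        ts, src, dst = fields[:3]
        verdict = classify_flow(src, dst, nets)
        counts[verdict] += 1
        if verdict != "ok":
            violations.append((ts, src, dst, verdict))
    return counts, violations


if __name__ == "__main__":
    summary, bad = audit_flows(SAMPLE_FLOWS, LHCONE_PREFIXES)
    print(summary)
    for ts, src, dst, verdict in bad:
        print(f"{ts} {src} -> {dst}: {verdict}")
```

On the sample data the audit reports two compliant flows, one flow sourced from a non-LHCONE address, two flows sent to non-LHCONE addresses and one unparsable record. The same prefix set is what a site would load into its perimeter filter if it chooses to filter on announced LHCONE Prefixes rather than relying on traffic symmetry alone.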
IP addresses from the LHCONE Prefixes must be assigned to LHCONE Nodes, i.e. only to
- Nodes that are currently and primarily used to distribute, store, process and analyse the data generated by HEP Sites;
- Routers and switches for routing such data;
- perfSONAR probes and the corresponding management infrastructure used for LHCONE.
The following devices must not be LHCONE Nodes:
- Generic campus devices (desktop and portable computers, wireless devices, printers, VoIP phones, etc.).
Currently the following devices are tolerated as LHCONE Nodes:
- Computing nodes, storage elements and web servers not related to HEP computing services, as long as they are managed according to the security policies agreed by each participating Collaboration. The relevant security policy documents are listed in the related section.
This exception is subject to later review.
- Only HEP Sites of one of the participating Collaborations can be connected to the LHCONE. Membership of a Collaboration can be verified by asking the contact emails provided in the related section;
- In order to be allowed to connect to the LHCONE L3VPN, a candidate site has to acknowledge this AUP. To acknowledge the AUP, a site representative has to
  - join the mailing list lhcone-operations@cern.ch (https://e-groups.cern.ch/e-groups/EgroupsSubscription.do?egroupName=lhcone-operations)
  - send an email to the mailing list lhcone-operations@cern.ch stating that the site acknowledges the AUP
If a LHCONE Site believes that another one is not complying with this AUP, it can report the fact to its Collaboration's Management Board. The following procedure will then be followed:
- Should the Management Board believe a report of non-compliance to be justified, it will ask the non-compliant site to take all necessary action in order to resume compliance;
- If no action is taken by the site within the next 2 months, the Management Board will ask the non-compliant site to disconnect itself from the LHCONE L3VPN;
- If this does not happen within one further month, the Management Board will ask the upstream LHCONE Provider to disconnect the non-compliant site;
- It is at a LHCONE Site's discretion to drop the prefixes announced by the non-compliant site at any time, regardless of the effects that the resulting asymmetry may cause. The 65010:ASN LHCONE BGP community can be used to ensure symmetry.
Like any WAN network, the LHCONE is not intrinsically secure. If a LHCONE Site receives malicious traffic via its LHCONE connection, it can disconnect itself from the LHCONE without any notice. If the threatened site knows which LHCONE Site is sending the malicious traffic, it can ask the LHCONE Provider of the compromised site to temporarily disconnect it from the LHCONE in the interest of all the connected sites.
LCG and LHCONE Sites:
- have to acknowledge this AUP;
- are responsible for forming their own security policy with regard to traffic arriving from the LHCONE;
- can decide independently if the LHCONE traffic can bypass their own perimeter firewall or not.
LHCONE Providers:
- must make sure that they connect to the LHCONE L3VPN only sites that are HEP Sites and that have acknowledged this AUP;
- must announce to the lhcone-operations@cern.ch mailing list whenever a new site gets connected to the LHCONE;
- must acknowledge disconnection requests made by a LHCONE Management Board;
- should disconnect a LHCONE Site from the LHCONE if instructed to do so by a LHCONE Management Board;
- must implement BGP filtering based on LHCOPN BGP communities.
LHCONE Management Boards:
- Any LHCONE Management Board can ask a LHCONE Provider to disconnect a non-compliant LHCONE Site from the LHCONE.