Networks Service Improvements, Summer 2009

We are very pleased to announce a number of major service improvements from the OUCS Networks team, most of which we expect to take place during the summer vacation of 2009. These upgrades were announced to IT Officers in July, 2009.

Although these are not the only projects we are undertaking this year, they each represent not only a significant improvement to a current service, but one which was absolutely necessary at this time. In the sections below, some background is provided to each of the four projects.

1. JANET Connection Upgrade

Oxford University, like others in the UK, receives a connection to the Internet from JANET-UK, a government-funded ISP for higher and further education institutions. At the time of writing, our connection to the SuperJANET 5 service is 2GBits/s. You may recall this upgrade from 1GBit/s was installed in late summer 2007.

Since that time there has been a significant increase in network usage generally, but in particular in Internet-bound traffic. There are two primary causes. First, a significant increase in the amount of video content received via the Internet (not only the likes of YouTube and iPlayer, but also videoconferencing technology). Second, a number of departments in the University collaborating on research with sites elsewhere are using the Internet as a data transport. An example is the physicists receiving several hundred Mbits/s of data from the Large Hadron Collider at CERN.

In recent months we have peaked at over 80% utilization on this link, which is outside the comfort zone for both ourselves and JANET-UK. We had a successful dialogue with JANET-UK to arrange an upgrade to 10GBits/s, which is now tentatively scheduled for August 18th.

Our new 10GBits/s service will be delivered on two 10GBits/s Ethernet fibre links, for resilience. At each end, each link arrives at a different line card in the router. From JANET-UK's router in Oxford, the links take geographically separate paths to their Point of Presence at Reading. You may be familiar with the Thames Valley Network, which carries these services for sites such as ourselves and the Rutherford Appleton Laboratory.

As usual, the upgrade will take place in our standard at-risk time early on a Tuesday morning, and there will be an email to IT Officers with further details closer to the time.

2. VPN Service Upgrade

The OUCS VPN service allows any University member with an Internet connection outside of the University network to make use of a University IP to access services limited to such addresses, including internal websites, library facilities and OXAM. It is a popular service, peaking at over 800 concurrent users, with many thousands of registered Remote Access accounts.

Currently the service runs on a Cisco 3000 series concentrator, which has received End of Life notification from the vendor (although we have a number of years of support still available). The key issue, however, is that the IPSec-based VPN client that OUCS currently distributes will also not receive further development from Cisco, other than bug fixes. Newer operating system platforms such as Windows 7, XP/Vista 64-bit, and OS X Snow Leopard are not able to use this VPN client.

The long-term replacement for this product line is the ASA security appliance, and thanks to funding obtained from the PRAC ICT subcommittee (PICT) with the support of the Office of the Director of IT (Paul Jeffreys), we have been able to purchase new VPN concentrators. For new operating systems, they make use of a new client application called AnyConnect, although all currently working client installations will continue to operate seamlessly with the new ASA devices.

There are a number of other feature improvements with our new concentrators. A pair of the ASA devices will provide failover resilience, operating in active-active mode. The crypto throughput will also be greatly improved, from the current 100 MBits/sec to 950 MBits/sec across the failover pair. As before, we can support up to 5,000 concurrent user sessions, and these can now use either IPSec- or SSL-based technologies. We will continue to support the current VPN client (IPSec) for existing installations for the time being, and the AnyConnect client (SSL) can be deployed for new operating system platforms.

When the new concentrators go live, they will provide service from a new IP block we have set aside for VPN services. This will require any local firewall which permits connections to the OUCS VPN service to be updated. An email will be sent to IT Officers with further details, closer to the time.

3. Bandwidth Management for Location-Independent Network Services

Location Independent Network (LIN) services are provided by OUCS for use by members and their guests, to provide network access independently of physical location. Currently these services are OWL, Eduroam, VPN, and the Visitor Network service (the latter two also being able to run over OWL).

Wireless, or generally mobile network usage, will inevitably greatly increase over the coming years. The University has already acknowledged this by funding the OWL Phase 2 project. We are pleased that with the support of ODIT and PICT we were able to provide crucial enhancements to the infrastructure at OUCS that supports all the LIN services.

We appreciate that peer-to-peer (p2p) application usage is of great concern to the University and IT staff. Besides the legal issues, there are noticeable detrimental effects on network performance when these applications are serving files to others on the Internet. A bandwidth management appliance is to be installed into the LIN back-end infrastructure to better control usage of these applications.

Following an evaluation, we have selected the Allot NetEnforcer for this purpose. We intend to implement two key features. First, identifiable p2p applications will be bandwidth-restricted for both downloads and uploads. Second, a fair-use traffic shaping policy will be assigned to each user. The latter is quite important to ensure that resources such as wireless access points are not overwhelmed by any single user. There will be exemptions for most University-only connections (for example, to allow TSM backups over Eduroam to utilize the maximum available bandwidth).

There will be no inspection of web content (HTTP) or URL filtering taking place. We intend to err on the side of caution but do whatever we can to ensure fair use of the service and to uphold University statutes.

The NetEnforcer system operates as a transparent bridge so there will be no reconfiguration required on the part of the user or IT Officer. An email will be sent to IT Officers announcing the changes, closer to the time.

4. IP Address Management

In order to deal with the unusual structure of the collegiate University, the DNS and DHCP services run by OUCS are understandably rather complex in their configuration. A decade ago, when the current web-based IP Address Management (IPAM) system was written in OUCS, it was a necessary undertaking to support our devolved IT model as no suitable software existed at the time with similar features.

Over time we have augmented the web services as resources have allowed. Inevitably there is also a list of feature requests which we have been unable to fulfil. Later in 2009 the complete infrastructure providing DNS and DHCP will be due for replacement, so we started to evaluate commercial alternatives, as well as the option of funding continued development within the department.

Following this investigation we conducted an on-site evaluation of an IPAM system by BlueCat Networks. The product is a complete replacement for the current DNS and DHCP infrastructure, including web management and back-end service provision. The OUCS Networks team is satisfied that the replacement system will meet all our current service requirements and there will be a number of additional significant service improvements for IT Officers.

In particular, much more control will be devolved to the IT staff of a unit, effectively reducing the need to email Hostmaster with change requests. The better integration of DNS, IP address management, and DHCP provides a much improved user experience, and the web interface far surpasses what we would be able to develop in-house. Being able to support IPv6 was a key issue, as we are gearing up to its deployment in the University. We hope to enable a SOAP-based API to both DNS and DHCP, on request, for IT staff.

The new IPAM deployment will be a significant undertaking for the team, and so we have pencilled in two windows for changeover to the new service. If planning and integration proceed well, then we will migrate before the start of Michaelmas term 2009. Otherwise, we will wait until the middle of term.

Your users will see no change in service, but we know you will want to familiarize yourselves with the new web interface, so we will avoid the start of term for disruptive work. We also intend to collaborate with ITS3 to provide training or open workshop sessions on the new interface. We will email you as further details are settled.

Written by IT Services. Latest revision 5 August 2014