I’m listening to Terry Gray give his annual State of the Network talk at the UW Computing Support meeting.
A couple of choice quotes from Terry’s opening remarks:
“sometime in the last ten years the Internet has gone from being designed to being perpetrated.”
“Is there such a thing as intellectual post-traumatic stress syndrome?”
There are lots of transient problems that people encounter every day. The benefit of our dependence on the internet is enormous, but the mean-time-between-glitch may be getting worse. Terry tends to be on the side that things are getting worse.
The open internet died in 2003 at the hands of Slammer and Blaster, and now we have pervasive TDAs – Traffic Disruption Appliances like firewalls. It’s moving to a two-port Internet – port 80 and 443. Threats are moving to the inside – like phishing. Because of firewalls you can’t ascertain the health of the end points. If policy enforcement points are imposed in the middle of the network then the user thinks the network is broken and calls the NOC.
There are also industry failures – like having router vendors tell you more about packets they throw away.
Some of the original design goals of the internet were overtaken by events – like having the complexity at the end points of the network and keeping the core simple, or the idea of pervasive symmetric connectivity everywhere – it came as a shock to find that not everybody wanted that. Another one is the core characteristic of the Internet as being packet switched – we’re now seeing high end users with less faith that a shared infrastructure can give enough predictability and diagnosability to perform – so that’s behind the move toward personal lambdas for research.
The window for super-good deals on dark fiber is shrinking as a result of mergers and acquisitions. The commodity networks are in worse shape – there is saturation of some of the commodity links, especially across the Atlantic to Europe.
On the Network Security front, there’s now an Intrusion Protection System at the UW, a commercial option from TippingPoint. It’s gotten us out of the battles of which ports to block at the border. We also have some Intrusion Detection System capabilities out of the netflow information from the routers – it detects Slammer, Nachi, etc. and takes some automatic action, like shutting off ethernet ports. We can’t do it everywhere because of old switches – we’d like to eventually move to a more sophisticated quarantine strategy.
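To make the netflow-based detection concrete, here is an added toy example (my own, not UW C&C’s code) that scores flow records by per-source fan-out, the pattern a Slammer UDP/1434 scan or a Nachi ICMP sweep leaves in router flow exports; the flow records and the thresholds are constructed assumptions.

```python
"""Toy NetFlow-style worm detector with a port-shutoff decision.

Added example, not UW C&C's tooling. Flow records are constructed and the
fan-out thresholds are assumptions tuned to this sample data.
"""
from collections import defaultdict

# Constructed flow records: (src, dst, proto, dst_port, packets_in_flow)
FLOWS = [
    ("10.1.1.5", f"10.2.{i}.{i + 1}", "udp", 1434, 1) for i in range(1, 41)
] + [
    ("10.1.1.9", f"10.3.{i}.7", "icmp", 0, 1) for i in range(1, 41)
] + [
    ("10.1.1.20", "10.5.5.5", "tcp", 80, 120),   # ordinary web session
    ("10.1.1.20", "10.5.5.6", "udp", 53, 2),     # ordinary DNS lookup
]

# Assumed thresholds: distinct destinations per source in one export window.
SLAMMER_FANOUT = 30   # many single-packet UDP/1434 probes (MS-SQL Slammer)
NACHI_FANOUT = 30     # ICMP echo sweep that precedes Nachi's exploitation


def classify(flows):
    """Return {src: reason} for sources whose flow pattern matches a worm signature."""
    udp1434 = defaultdict(set)
    icmp = defaultdict(set)
    for src, dst, proto, dport, pkts in flows:
        # Slammer is a single UDP datagram, so only tiny flows count.
        if proto == "udp" and dport == 1434 and pkts <= 2:
            udp1434[src].add(dst)
        elif proto == "icmp":
            icmp[src].add(dst)
    verdicts = {}
    for src, dsts in udp1434.items():
        if len(dsts) >= SLAMMER_FANOUT:
            verdicts[src] = "slammer-like UDP/1434 fan-out"
    for src, dsts in icmp.items():
        if len(dsts) >= NACHI_FANOUT and src not in verdicts:
            verdicts[src] = "nachi-like ICMP sweep"
    return verdicts


def quarantine_actions(verdicts):
    """Turn verdicts into the automatic action the talk describes: an edge-port shutoff."""
    return [f"shutoff-port {src}  # {why}" for src, why in sorted(verdicts.items())]


if __name__ == "__main__":
    for action in quarantine_actions(classify(FLOWS)):
        print(action)
```

The normal web and DNS client is not flagged because its flows never reach the fan-out thresholds, which is the property that lets an automatic port shutoff be used without constantly cutting off legitimate hosts.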
We have private addressing in the P172 project, now with NAT. We’re doing vulnerability scanning – 80% of hosts appear to be behind some sort of firewall and not available to the scan.
There will be more work on the security tools portal that allows people to do self-scans.
As far as campus network status goes, we still have buildings with Cat 3 wiring, which limits our performance. There are nearly 100k hosts on the network these days. There are roughly 1000 subnets – many in the data center. We have access to multiple 10 Gbps research nets via the PNWGP.
C&C manages approx 5,000 network devices (routers and switches).
We’re replacing Foundry routers with Cisco 7600.
Our next generation network architecture work is going on – allowing partitioning for new features for minimum risk. Phase 2 will move to a 10GigE backbone. The Med Centers are now more isolated and there’s lots of upgrade work going on in both UWMC and Harborview.
We now have more than twice as many network devices as phones, and the growth is now slowing. For outbound traffic we’re getting perilously close to peaking at 1.5 Gbps. Inbound traffic is about 0.5 Gbps – so we’re a 2-to-1 producer of bandwidth.
For the SC05 show this fall at the Convention Center we supported some novel research network applications, including world-wide multicast videoconferencing at 1.5 Gbps. We also did a lot of work to support the event itself – provisioning 50 10Gbps optical fibers into the convention center – half a terabit per second of bandwidth!
The UW gets both its commodity and research connectivity through the Pacific Northwest GigaPop.
Future issues – What’s the future of perimeter defense when all traffic is encrypted and tunneled over ports 80 and 443?
What’s the future of VoIP or even desk phones, when everybody has cell phones? What does it mean if the cell phones come with pretty good data service? Would we still need WiFi?
Do we need Network Admission Control, where you have to authenticate to get on the network? Why do we want this? For traceability and increased scanning access. In some contexts people do asset management – there are a bunch of tradeoffs.
Network convergence – could mean using the same network over a wide geographic area, or different classes of service for different uses. For instance, only a certain kind of traffic without authenticating. The motivation is to save money by avoiding building up separate networks, but is it worth it? For instance, should we use the same network for monitoring patient care traffic as we do for student labs?
Is it going to be important to offer organizational subnets?
Should we keep over-provisioning network capacity, or do we need separate classes of service?
CALEA (the Communications Assistance for Law Enforcement Act) – last fall the FCC decided to update the CALEA rule to account for Internet technology. There are lots of scary possibilities here – the answer to all questions is “we don’t know yet.” There are lawsuits and discussions galore.