Monday
-
Abstract:
Join members of the program committee and Internet2 staff at this lunchtime gathering to bring together a cross-audience and kick-start your experience. Subject-matter experts in each track will give a short overview of what to expect in their track this year.
Please contact meetingregistration@internet2.edu if you are interested in attending!
-
Speaker:
- Jennifer Kim, Internet2
Slides:
Abstract:
MS-CC participants will begin their week in the Science DMZ and Networking for All workshop hosted by MS-CC in collaboration with the Cyberinfrastructure Lab of the University of South Carolina. The workshop will introduce participants to networking terminology, open-source tools, and hands-on learning in preparation for the 2023 Internet2 Technology Exchange. Registration is limited and will be selected by the MS-CC.
-
Abstract:
A mini, pre-conference ACAMP for CSP participants and alumni.
-
Learn about deploying IPv6, RPKI and DNSSEC, keeping your ARIN data accurate, and navigating the IPv4 Transfer Market.
Tuesday
-
Abstract:
Join members of the program committee and Internet2 staff at this open-format breakfast gathering in the main dining hall. Follow the signs at the front of Minneapolis Ballroom Salon D to where tables are designated with one of the event tracks. We hope to see you there!
-
Abstract:
The InCommon Certificate Service, powered by Sectigo, helps our community to manage the various challenges that come with managing large numbers of certificates. Join us for discussion of various strategies for managing SSL certificates at scale using the features of the InCommon Certificate Service and get your questions answered about how you can implement certificate renewal automation at your organization.
-
Abstract:
Are you interested in the latest tech stories dominating news headlines, such as the potential TikTok ban, platform censorship, and backdoor encryption? Do you have strong opinions on these topics but lack the policy experience to make your voice heard? If so, join us for a continuation of the popular 2022 TechEx session.
We will explore ways that individuals and organizations in the research and education (R&E) space can make a difference in shaping tech policy. We will discuss strategies for engaging with policymakers, building coalitions, and advocating for change. No prior policy experience is necessary, as we will provide resources and support to help participants navigate the policy landscape.
Join us for a lively discussion and learn how you can make your voice heard on the issues that matter most to you in the tech industry. Let’s work together to make a difference!
-
Abstract:
Organizations participating in the Future Wireless Working Group (FWWG) are exploring the use of Private 4G/5G Wireless Networks employing Citizen’s Broadband Radio Service (CBRS) shared spectrum and Educational Broadband Service (EBS) licensed spectrum. There are a variety of use cases, ranging from supporting campus services and devices, small-cell based distributed antenna system (DAS) and Neutral Host Networking (NHN) deployments to improve cellular coverage, and research platforms, to Fixed Wireless Access (FWA) to extend coverage. This BoF is an opportunity for organizations to share their use cases, experiences, and opportunities in collaboration with the FWWG.
-
Speakers:
- Marc Wallman, North Dakota State University
- Kevin Morooney, Internet2
Slides:
Abstract:
During this session, we review the process, implementation timeline, and current state for the InCommon visioning process for Identity tools and services used by our community.
-
Speaker(s):
- James Deaton, Internet2
Abstract:
Please join James Deaton as he kicks off the 2023 Technology Exchange Advanced Networking track. James will provide an overview of what is happening in Internet2’s Network Services division and a preview of the Network Services sessions at TechEx.
-
Speakers:
- Johnny Lasker, Internet2
- Jonathan Gabel, Alfa Jango
- Mark Donnelly, Painless Security
Slides:
Abstract:
The InCommon Federation Manager allows users to manage critical infrastructure including the US research and education metadata registry and national eduroam configurations. Like our global partners, this application is the singular instance for the country. With such a broad scope of responsibilities, how do we maintain, support, and evolve our application to best serve our users and services?
With a focus on our core competencies and collaboration with trusted agency partners for what falls out of that range, we’ve struck a balance for progress and innovation. We’ll explore our approaches to expansion of services, prioritizing operational responsibilities, and keeping an open path to the future. Join us as we discuss working daily with teammates that may have a different org chart, but share a common goal – get stuff done.
-
Speakers:
- Mike Simpson, Indiana University
- Shannon Byrnes, Internet2
- Scott Taylor, Internet2
Slides:
Abstract:
Talk 1: Internet2’s new Insight Console makes extensive use of the Internet2 Identity Services platform, which in turn is based on software applications delivered as part of the InCommon Trusted Access Platform. This presentation will get as far into the technical weeds as possible in thirty minutes, and describe how authentication, attribution, and authorization are handled in the Insight Console and the supporting NS API.
Talk 2: Often, the biggest surprise changes to project time effort estimates reveal themselves after you are already knee-deep. They come in the form of small “gotchas”, forgotten snowflake configurations, weird race conditions, and other miscellaneous, easy-to-forget considerations. This lightning talk will cover some obscure (and memorable) surprises that the presenter encountered working on network automation projects and initiatives.
Talk 3: Scott will talk about one failure mode to avoid when building connectivity to the cloud service providers.
-
Speakers:
- Kelly Rivera, University of Wisconsin Madison
- Hallah Hussein, University of Wisconsin Madison
Slides:
Abstract:
The adoption of public cloud platforms, such as Amazon Web Services (AWS) and Microsoft Azure, has increased significantly over the years. However, managing cloud resources in large-scale organizations can be a challenging task, particularly when it comes to maintaining consistency across different cloud providers and organizations, ensuring compliance with security policies. We will explore how Terraform, an open-source infrastructure as code tool, can be used to automate AWS and Azure organization management. We will discuss the benefits of using Terraform for infrastructure as code (IaC) and how it can be used to create, modify, and delete resources across multiple accounts and regions. We will also dive into the specifics of how Terraform can be used to automate the creation and management of AWS and Azure organizations, including configuring policies, enabling services, and setting up member accounts.
We will highlight the advantages of using Terraform for organization management, such as reducing manual errors, improving compliance, and enabling faster iteration. Finally, we will provide practical examples and demonstrations of how Terraform can be used to automate AWS and Azure organization management. By the end of this presentation, attendees will have a deeper understanding of how Terraform can be used to automate organization management on AWS and Azure, and be equipped with practical tips for implementing Terraform effectively in their own organizations.
-
Speakers:
- Marina Krenz, Indiana University
- Susan Coleman Snyder, REN-ISAC
Abstract:
This session will go over the current Higher Education security landscape and will discuss several options to evaluate and improve HE security posture. It will also cover several security measures that could benefit institutions of different sizes.
-
Speaker:
- Ken Miller, ESnet
Slides:
Abstract:
Over 10 years ago, ESnet and our collaborators around the world introduced the concept of the Science DMZ and Data Transfer Nodes: a strategy to develop data architectures to support scientific use of networks that reduced the barrier to data mobility. To date, 100s of universities, laboratories, and facilities have adopted this approach and have successfully implemented efficient data movement; yet many sites still struggle to reach even a 10% efficiency in sending data which results in loss of productivity and wasted financial infrastructure investment.
ESnet is revisiting these complications community wide in the form of the “Fasterdata DTN Framework”, a revitalized effort to help define a set of Best Common Practices for installing, configuring, and operating a performant data movement capability. Through testing and consultation, our goal is to have a core set of major facilities able to reach a performance level of 2PB of data transfer a day (e.g. sustained performance of 200Gb/s), as well as working with end users to reach an efficiency of 4PB of data transfer a week (e.g. sustained performance of 50Gb/s). Campuses with 10G DTNs will strive to reach 0.5 PB per week or 6.67 Gb/s. Campuses with 100G DTNs will strive to reach 2PB per week or 26.68 Gb/s. This multi-year effort will seek volunteers from the user community to participate and increase the R&E community’s ability to be productive with data mobility.
-
Speaker:
- Chris Hyzer, University of Pennsylvania
Abstract:
Grouper ABAC and data fields in v5 will help improve these areas in Grouper: the ability to delegate loader query management, reducing the number of basis groups and allowing cross products, reducing the number of intermediate groups, and improving the subject source. We will present the current state and roadmap for these features in Grouper. A demo will be performed of data fields and ABAC. Existing use cases that can benefit from ABAC will be discussed. This might seem heavy, but we will be driving 88 mph in no time!
-
Learn about deploying IPv6, RPKI and DNSSEC, keeping your ARIN data accurate, and navigating the IPv4 Transfer Market.
-
Speaker(s):
- AJ Ragusa, GlobalNOC
- Amy Liebowitz, University of Michigan
- Frank Seesink, University of North Carolina – Chapel Hill
- Maria Isabel Gandia, CSUC/RedIRIS (GÉANT project)
- Shannon Byrnes, Internet2
Slides:
- Network Automation Tapas
- Data Formats: Reading and writing JSON – XML – YAML
Abstract:
“Bite-sized talks to give the audience a little something to chew on”
“Network automation” is a broad-stroke term covering a wide range, from simple single-file shell scripts interacting with a single device up to fully automated and orchestrated networks. This series of lightning talks will provide introductions/overviews of various topics impacting those involved in, or looking to become involved in, network automation. The talks are intended to meet you where you are today and then “level you up”.
Each talk will cover one topic. This could be installing a Python interpreter on your computer, writing your first Python script, discussing Source of Truth (SoT), comparing Netbox vs. Nautobot, using Netmiko, using Nornir, understanding version control, using git, using GitHub/GitLab, explaining CI/CD, etc.
The intended audience is anyone already involved with or simply curious about network automation. Audience members are encouraged to bring their laptops and participate.
-
Speaker(s):
- Jared Johnson, Children’s Mercy Research Institute
- Harpreet Singh Gill, Children’s Mercy Research Institute
Slides:
Abstract:
As more institutions move from on-premises to hybrid-cloud and cloud dedicated platforms for identity management, we introduce new challenges in reconciling existing infrastructure with new solutions for building and maintaining identity federation capabilities. With Office365 adoption across the globe, Azure AD has become a default choice for identity and access management (IAM) at many institutions.
Because Azure AD’s native SAML support is insufficient for compliance with the InCommon Federation, an additional party must be provisioned to serve SAML 2.0 identity flows. By customizing and deploying the TIER Shib-IdP docker image into a cloud-native environment to serve as a proxy to Azure AD, we can fully support the requirements posed by InCommon and join Azure AD to the multi-federated environment. We will demonstrate the steps needed to securely proxy Azure AD with Shibboleth to support SAML 2.0 and join the InCommon federation.
-
Speaker:
- Rafael De Tommaso do Valle, Rede Nacional de Ensino e Pesquisa (RNP)
Slides:
Abstract:
RNP, the Brazilian NREN, has a 20-year-old RDI program called Working Groups (WGs), whose main goal is to develop technological solutions in collaboration with the Brazilian research community. To quickly deliver value to RNP customers, the program was, in 2019, renamed Advanced Services RDI and reformulated to include business development aspects.
One of the developed solutions from this new phase is DeVIaS, an automated SecDevOps environment that receives code submissions and repositories and creates a Secure Software Development LifeCycle (S-SDLC) automated pipeline based on several open-source, state-of-the-art security tools for coding, delivering high quality reports, and auditable timestamps so that developers can learn and correct vulnerability bugs on the software layer. DeVIaS is a collaborative effort among RNP, ITA, IFTO, the Brazilian Army, and the Netconn Group.
-
Speakers:
- Summer Scanlan, University of California, Berkeley
- Jesse Taylor, University of Nevada, Las Vegas
Slides:
Abstract:
How do you implement large-scale change successfully? Background: The University of California, Berkeley rolled out mandatory MFA to all employees and students in 2018. The University of Nevada, Las Vegas did the same for most applications used by faculty, staff, and students in late 2022.
This session will review our implementation strategy, the impact of the change, and our efforts to monitor and refine our processes over time. We will cover: the technology we used, including how to use your authentication engine or Grouper to enforce change; the planning and buy-in from leadership and the campus; and what you can expect once you flip the switch. We will also offer lessons learned with a Q&A session at the end.
50-minute presentation including Q&A (25 presentation, 15 demo, 10 for Q&A)
-
Speakers:
- Charise Arrowood, Unicon
- Ethan Kromhout, University of North Carolina, Chapel Hill
- Celeste Copeland, University of North Carolina, Chapel Hill
Slides:
Abstract:
Relax and Listen to Your Peers Talk About the VALUE of Support! This session is about hearing from several institutions as they share their experiences and the overall ‘relief’ of having an open-source support option available when things get tough or they just need a second set of eyes.
The attendees will hear about the rare occurrences when help is needed during off hours and what happens, along with several business use cases that arise from time to time, such as a new member joining your team who needs help with configuration changes, or an update to one of the applications that did not go as planned. Actual ITAP users will share the value and comfort that having support for ITAP provides. Join us for some positive feedback!
-
Speaker(s):
- Jim Wilgenbusch, University of Minnesota
- Daniel Stocker, University of Minnesota
- Colby Reese, University of Minnesota
- Cody Hanson, University of Minnesota
- Charles Nguyen, University of Minnesota
- Dan McDonald, University of Minnesota
Slides:
Abstract:
It Takes a Village: Coordination of Research Computing and Data Stakeholders is Essential to the Success of University-based Research
Computational and data-related resources undergird all areas of modern research at US-based universities. These resources run the gamut, from advanced networks and data storage devices to specialized software and a highly skilled workforce. While the enterprise of managing these resources has been helped by a certain degree of centralization, the management of research computing and data resources is and will likely be for the foreseeable future a distributed function, operated by on- and off-campus entities, and governed under different reporting structures.
This talk describes why an explicit approach to coordinate the growing landscape of Research Computing and Data stakeholders is essential to the success of university-based research. Embracing the reality that computing, data, and stakeholders will always be distributed lowers barriers to collaboration, opens opportunities to leverage and sustain the existing workforce, and makes it easier to assemble multidisciplinary teams suited to find creative and acceptable solutions to persistent challenges.
The case described in this talk is based largely on practices and experiences from the University of Minnesota, a large R1 institution with five system campuses. That said, we expect that these experiences are more generally relevant and the approaches described are more broadly applicable to other institutions engaged in the support of leading edge research.
-
Speaker:
- Scott Cantor, The Ohio State University
Slides:
Abstract:
The Shibboleth Project team will present a review of 2022-2023 project outcomes and the updated roadmap for 2024, along with an update on the Consortium for members in attendance. Discussion of project priorities will be solicited and there will be time for Q/A with any team members in attendance.
-
Speaker(s):
- Jason Hardy, University of Texas at Arlington
- Frank Seesink, University of North Carolina – Chapel Hill
- Luke Fowler, Indiana University
Slides:
- When You Are Ready to GO Beyond PYTHON
- Building an Automation Culture
Abstract:
Talk 1:
Network automation has become a key enabler for organizations seeking to streamline network operations, increase efficiency, and improve overall network performance. In this session, we will explore how The University of Texas at Arlington utilized network automation to streamline a hardware refresh while simultaneously deploying an efficient and scalable network based on EVPN and VXLAN technologies. We will share our experiences and insights on how to leverage automation to empower network operations.
We will discuss the benefits and challenges of network automation, exploring its potential for reducing manual effort and improving network reliability. We will also address key considerations for implementing network automation, such as selecting the right tools and ensuring security and compliance.
We’ll explore practical examples of network automation, including network provisioning, configuration management, and monitoring. We will showcase UTA’s platform for network automation, Mist, and discuss its strengths and limitations.
We will close with a look at the future of network automation, discussing emerging trends such as AI and machine learning, and their potential for revolutionizing network management. We will also explore the role of network engineers in the era of automation, highlighting the importance of developing new skills and mindsets to adapt to the changing landscape of network operations.
Talk 2:
In fields such as networking and data science, the Python programming language dominates, and for good reasons. As a “batteries included”, high-level, dynamic scripting language which enforces specific indentation/formatting with an easy-to-grasp syntax that has an ecosystem of modules users can leverage to do network automation, data analytics, and visualization, it is easy to understand why Python has been one of the top 3 languages in use for several years according to various rankings.
There comes a time, however, when Python may not be the “right tool for the job”. It could be Python’s performance limits. It could be the various dependency challenges, both in distributing and maintaining all the “LEGO pieces” together, from the version of Python interpreter to the versions of every module required. So what is a Python developer to do?
This presentation, told as a story from my own experiences, intends to demonstrate specifically how the language Go (often written Golang) might offer an alternative, comparing and contrasting the two languages side-by-side, and providing some context.
Created at Google in the mid-2000s by many of the same folks behind the C programming language, Go benefits from more than 30 years of observations into what makes an effective language. In short, Go is as if C and Python had a baby, with that baby having the benefits of each language.
Go offers a very “Pythonic” programming experience, allowing Python developers to bring their programming “muscle memory” with them. Coupled with several benefits including (but definitely not limited to) static typing, concurrency, and fast, cross-compiled executables with no external dependencies, it is not surprising why projects such as Kubernetes, Etcd, Docker, Grafana, InfluxDB, Prometheus, Hugo, Terraform, and more are all written in Go. Nor is it surprising why “the cloud” and companies such as Google, Cloudflare, Dropbox, SoundCloud, and others all leverage the language.
To be clear, this is NOT a session advocating one language is better than another. It is simply to provide insight into when and why Go might be an option to consider vs. Python.
Talk 3:
GlobalNOC has a long history of automation in our network operations center. Recently, with the groundswell of network configuration automation activity across the R&E community, we have tried to capture this excitement to build a richer culture of automation across our organization — at every level across all of our teams. By involving all GlobalNOC staff in the idea generation and implementation of new automation efforts, we hope to create an “automation snowball” at GlobalNOC, enabling an “automation-first” strategy as we enhance our tools and processes as part of our continuous improvement efforts.
In this talk, we will discuss our recent automation work and how we encouraged broad involvement across our organization in these projects — including work in the config automation space as well as operations automation via projects such as:
- Automated alert handling at our Service Desk
- Automated event handling and communication when outages are detected
- Our “network troubleshooter” tool that assists our network engineers and service desk technicians diagnose outage incidents
- Automated systems to facilitate fine grained control of event notifications from our NOC to our users.
- Automated software testing and deployment for our network management systems
- And more…
-
Speaker(s):
- Khalid Ahmadzai, University of California, Office of the President (UCOP)
Slides:
Abstract:
As technologies continue to modernize and move towards a cloud-native architecture, what to do if you have an application already running in virtual machines that requires an upgrade, migration, and modernization?
How do you create an infrastructure that is scalable, supportable, and secure, and that helps developers move at a much faster pace? The University of California Office of the President was presented with the challenge of developing an infrastructure to support the migration and modernization of applications from VMs to cloud-native containers, and will share the tools and automation used to carry out these migrations and modernizations.
-
Speaker:
- Fatema Bannat Wala, ESnet
Slides:
Abstract:
With the advent of the new Zero Trust mandate, one of its aspects is to monitor the outbound traffic and services used by an enterprise. By default, Zeek ships with detection of known services internal to a network, which works well for fine-tuning inbound network traffic based on the services allowed on the network. This presentation describes a zkg package that we wrote to detect known services on the internet that our network connects to, so that we can do egress traffic filtering and fine-tune the allowed outbound connections from our network.
-
Speakers:
- Dana Brunson, Internet2
- Timothy Middelkoop, Internet2
- John Hicks, Internet2
Slides:
Abstract:
Internet2 is committed to supporting the research computing and data (RCD) community through a range of services and programs. This session will focus on Internet2’s work in research engagement and facilitation, including efforts to support the RCD community in leveraging Internet2’s offerings effectively.
The session will cover Internet2’s work in collaboration and community engagement with RCD professionals and researchers, including initiatives such as the Internet2-led NSF Cyberinfrastructure Center of Excellence pilot RCD Nexus that supports the Campus Research Computing Consortium (CaRCC); the Minority-Serving Cyberinfrastructure Consortium (MS-CC), the National Research Platform (NRP), and the Ecosystem for Research Networking (ERN). The presentation will discuss best practices in RCD workforce development and institutional capabilities assessment, as well as strategies for measuring impact and communicating strategic priorities to stakeholders.
Participants will have the opportunity to learn about Internet2’s latest initiatives in RCD engagement, exchange ideas and experiences with other professionals, and explore ways to leverage Internet2’s resources to advance research and innovation in their own institutions and organizations.
-
Speakers:
- Scotty Strachan, Nevada System of Higher Education
- Forough Ghahramani, NJEdge
- Timothy Middelkoop, Internet2
- Dana Brunson, Internet2
Abstract:
Regional and national research and education networks (RENs) have enabled research and research education (education that is associated with research) since the dawn of digital connectivity. Evolution of research/education has accelerated along with technology complexity in computing automation, IoT, instrumentation, security and IAM, cloud, and big data.
Research and education have “gone global” with team science, virtual laboratories, and remote work disrupting decades of traditional campus IT workflows. RENs are in a unique place to engage, explore, and facilitate this research/education transformation. But how? This BOF will bring together REN representatives and campus stakeholders to discuss strategies for communication, partnerships, and support for research/education technology needs at local-to-regional levels.
Topics of discussion may include campus outreach and engagement, the role of RENs in supporting research computing and data, and best practices for fostering collaboration between regional stakeholders. Participants will have the opportunity to share their experiences, exchange ideas, and build connections with others in the field.
-
Abstract:
Grouper is an open-source toolkit that enables project managers, departments, institutions and end users to create and manage institutional and personal groups, roles, and permissions. You are invited to this Grouper working group session whether you are a Grouper developer, adopter, potential adopter, or just curious to learn more.
We will talk about the latest developments in the Grouper project, what is planned for the next release, and your “wish list” of potential new features. In addition, there will be time for community members to share their group and access management use cases and Grouper usage stories.
-
Speaker:
- Steve Dyck, Principal Consulting Engineer, Nokia
Slides:
Abstract:
Segment routing is a powerful and proven technology for deploying scalable and programmable IP services that meet deterministic service level objectives for cost, performance and reliability. It addresses the operational scalability issues of legacy traffic engineering and protection approaches and enables a wide range of new applications. The simplification, efficiency and scalability benefits of segment routing are three of the key elements that make it so desirable. Segment routing works by prepending a set of route instructions to a packet, allowing it to smoothly traverse directly to a specific destination, which increases network efficiency. It simplifies the network by reducing resource utilization and the number of nodes that need to be touched for path provisioning, leading the way for rapid scalability. In this open discussion, Steve Dyck, Nokia Sr. IP Consulting Engineer, will briefly discuss segment routing technology, how it is evolving in the standards, and together with the NREN community lead an interactive exchange, sharing use cases and the benefits seen in its deployment.
-
Abstract:
Following on the success of the last Tales from the Trenches (TechEx 22), join us again for more harrowing adventures and wild success stories of our everyday struggles and triumphs to operate all manner of IT infrastructure.
Tales from the Trenches is an informal gathering of geeks where folks will share their horror stories of the time they took down production. We’ll laugh, we’ll cry, and we’ll learn everyone makes mistakes and lives to tell the tale. Audience participation is encouraged but not required.
-
Speakers:
- Brenna Meade, Indiana University
- Jason Zurawski, ESnet
Abstract:
“Bridging the Diversity Gap in Networking and High Performance Computing” aims to foster an open discussion led by the leaders and participants of the WINS (Women in Networking at Super Computing) program. Women in Networking at Supercomputing (WINS) was a program established to promote gender diversity and inclusion within the high-performance computing (HPC) community. It is specifically focused on addressing the underrepresentation of women in networking and related fields, such as supercomputing and high-performance data communication. This collaborative gathering of the community will explore successful initiatives, valuable lessons learned, current gaps, and potential opportunities for enhancing diversity and inclusivity within the networking and high-performance computing (HPC) fields.
-
Speakers:
- Benn Oshrin, Spherical Cow Group
- Laura Paglione, Spherical Cow Group
Abstract:
Each month, the COmanage project hosts Open Office Hours. This is a loosely-structured, open forum for questions, discussion, and peer sharing among those using or interested in COmanage Registry and/or Match. A short conversation starter (Topic Aperitif) kicks off each session to help get the discussion started.
September’s Topic Aperitif: Re-thinking Enrollment Flows
COmanage Registry is undergoing a significant update with version 5.0.0. With a substantial upgrade to the underlying development framework, CakePHP, we are taking the opportunity to review current Registry uses and adjust the code and features to better align with how the system is being used today. For this month’s “topic aperitif,” we will explore how we are rethinking enrollment flows and seek your input and use cases as we start to implement this updated core feature. This session will replace the September virtual event, so it also will be offered to online participants.
-
Abstract:
The Community Trust and Assurance Board (CTAB) represents the InCommon community in InCommon Federation’s trust and assurance related programs and initiatives. CTAB is InCommon’s steward for the Baseline Expectations for Trust in Federation policy. In this open working meeting, CTAB will review its work so far for 2023 and begin brainstorming its work plan for 2024. Everyone is welcome to join us to learn more about CTAB and to provide input to help guide our efforts.
-
Abstract:
The NET+ team is preparing to do a service evaluation for a cloud vendor risk management service that campuses can use for third party risk management, vendor management, service inventory, and many other uses! More details on this can be found in this blog:
This working meeting is to get together to explore what campuses are already using, GRC functionality, campus requirements, and potential service providers.
-
Speaker:
- The perfSONAR Development Team
Abstract:
Members of the perfSONAR development team will be demonstrating prototypes of new data visualization software to replace MaDDash and some experimental dashboards for a future version of the perfSONAR toolkit’s web interface. As always, we can answer your questions on other perfSONAR topics, too.
-
Speaker(s):
- Peter Balčirák, CESnet
Slides:
Abstract:
User authentication can be done via different authentication methods. The most common one is based on something users know, like a password or a PIN. While the server-side implementation of the approach can be done quite securely, the users are the weaker part of the flow. They often use weak or recycled passwords that potential attackers easily break.
To overcome the issue, multi-factor authentication (MFA) steps forward. It usually combines two approaches, something users know, i.e., a password, and something users have, i.e., a hardware token. MFA brings improved security, but the extra step provides discomfort for users. Even if they want to authenticate to services securely, they want to do it as simply as possible, ideally in one step.
The concept of passwordless authentication aims to provide easy and secure authentication. Instead of using potentially weak passwords or annoying MFA, passwordless authentication relies on something users have, for example, a hardware token or their device. The concept provides a trade-off between security and user experience. It can be easier to use for end users and eliminates the most common vectors of attacks typically used against passwords, i.e., phishing and other remote attacks done over the network.
Some vendors have developed proprietary solutions for passwordless authentication using specific hardware tokens or smartphone apps. There is also an open standard for authentication with something users have, called Web Authentication API (WebAuthn), created by W3C and FIDO alliance. The standard covers second-factor authentication as well as passwordless authentication, called discoverable credentials or passkeys. This type of authentication is supported by many commercial services, and most client operating systems can be used as a passkey without the need for separate hardware or an app. Some password managers are also working on passkey support for signing into services.
However, most open-source systems for identity providers do not fully support passwordless authentication and user-friendly token management or provide the functionality we need to migrate from passwords to passkeys.
At Masaryk University, in cooperation with CESNET, we are working on a solution to use the passwordless approach in our authentication gateway. We are integrating it into our environment, which already supports MFA, so users can manage and use their security keys for passwordless authentication the same way they handle them for the MFA. We use privacyIDEA for token management of WebAuthn credentials, including passkeys and TOTP tokens.
This talk will introduce passwordless authentication in more detail, present the challenges behind integrating the concept into the existing MFA environment, and showcase our current results.
-
Speaker(s):
- Davide Vaghetti, Consortium GARR;
- Maarten Kremers, SURF
Slides:
Abstract:
Currently, eduGAIN comprises 78 participant federations and connects more than eight thousand Identity and Service Providers.
Born in 2011, eduGAIN has not fundamentally changed in the last 11 years. The service was designed to be a trusted metadata exchange point with light technical, policy and operational requirements. Metadata transports all the information needed to access services and authenticate users in a trusted way, and federations participating in eduGAIN are welcome to share metadata on a need-to-use basis. eduGAIN also supports advanced use cases, covered by specifications and trust frameworks developed by standardisation bodies such as REFEDS, but adoption is mostly optional. The governance model is based on the eduGAIN Steering Group, which is composed of representatives from each member federation.
This lightweight approach proved to be very successful and let eduGAIN grow steadily and reach today’s remarkable numbers, but there are also some drawbacks. The main challenges and issues come from the wide range of possible setups for federations, Identity Providers and Service Providers, which has led to a complex environment where it is not always possible to meet services’ expectations. Moreover, the current governance model makes it hard to define and implement changes in a reasonable time frame.
In order to address these challenges, an eduGAIN Futures Working Group was established to define recommendations to improve the future service delivery of eduGAIN. The group, composed of operators of the participating federations, eduGAIN service staff members and recognised stakeholders, started its work by reviewing the REFEDS Baseline Expectations document, a set of base policy and operational expectations for entities, federations and interfederation services developed by REFEDS on the basis of best current practices in the federation environment.
The group defined three distinct sets of recommendations: baseline expectations implementation, service model and governance. If implemented, these recommendations will change some of the fundamental premises of eduGAIN. First of all, eduGAIN will be able to operate at a lower level, with the added capability to define requirements for single entities (based on the REFEDS Baseline Expectations) and suspend them in case of non-compliance. Further recommendations are meant to make the exchange of information between Identity and Service Providers more predictable and error-proof. At the governance level, the main recommendation aims to define a new, more agile governing body composed of elected members and the service owner: a real steering committee that will play a crucial role in implementing the changes envisioned by the working group.
Despite the enthusiastic growth rate, a failure to address the issues in the current service delivery and governance models could represent a real threat to eduGAIN’s future and its capability to offer and maintain a suitable environment for services dedicated to researchers and students worldwide. The eduGAIN Futures Working Group defined a solid ground of recommendations for eduGAIN’s future; now it’s time to start building it.
In this talk we will address how eduGAIN is going to change technically and politically in order to continue to deliver an essential service to research and educational users worldwide.
-
Speakers:
- Marc Koerner, Esnet
- Karl Newell, Internet2
- Amy Liebowitz, University of Michigan
Slides:
- ESnet’s Orchestration Perspectives (opens in a new window)
- Automating a Campus with Cisco NSO (opens in a new window)
Abstract:
Talk 1: ESnet and Internet2 are using the Cisco Network Service Orchestrator (NSO) to automate and orchestrate network configuration by leveraging principles of intent-based networking and vendor-agnostic service abstraction. This talk will give a brief overview of ESnet’s and Internet2’s NSO service architecture, the lessons learned, and the impacts on the overall software development process. ESnet will present a more granular umbrella service redesign, as well as the resulting strategy for the NSO service refactoring within ESnet’s network orchestration stack. Internet2 will present its current architecture and how we’re leveraging NSO to support the upcoming Insight Console Virtual Networks.
Talk 2: Over the last several years, the University of Michigan designed and implemented a new campus core that leverages data center networking platforms and protocols. Campus buildings are currently being migrated to this new core as part of a multi-year distribution router replacement project.
With the goal of having a fully automated network, the University of Michigan purchased Cisco’s Network Services Orchestrator (NSO) as part of the core network refresh project. NSO currently manages the configuration of the new campus core and all buildings connected to it, and NSO is integral to the process of migrating a building from U of M’s legacy network to the new campus core.
This session will provide a brief overview of Cisco NSO, describe U of M’s NSO service design and how it was developed, detail how NSO is leveraged as part of the building migration process, and enumerate lessons learned along the way.
-
Speaker:
- Jason Rappaport, Princeton
Slides:
Abstract:
In this presentation, I will share my experience at Princeton University in deploying Shibboleth IdP using DevOps methodologies that enabled us to streamline the deployment process, reduce costs, and improve scalability. Specifically, I will cover the following topics:
• Overview of the DevOps methodology
• Strategies for automating the deployment process for the IaC, container registry, and service provider configuration
• Our process for automating reloading the reloadable services
• How we overcame challenges in the deployment process and the lessons we learned
Attendees will learn about Azure DevOps, Azure resources, deploying resources into Azure, container files, and a bit of Shibboleth IdP.
-
Speaker(s):
- Kyle Lewis, RCDT
Slides:
Abstract:
Risk in Complex R&E Environments – Tailored Cybersecurity Management Framework
The NIAID Clinical Informatics Branch (CIB) supports the International Centers for Excellence in Research (ICERs) in Africa, India, and Cambodia. These collaborative research centers play host to basic and translational research funded by the US, their own governments, other governments, as well as scientific organizations such as the Gates Foundation and the Wellcome Trust. The multi-organizational model leads to complex IT governance landscapes, with integrated and parallel networks of varying degrees of interconnection.
Traditional risk-management frameworks, which assume a single CIO has governance authority over the entire security boundary, tend to be difficult to apply or enforce for a cyber-terrain involving multi-lateral support, architecture, unequal funding, and governance. The NIAID CIB international team has developed a tailored set of security controls sourced from internationally accepted frameworks from information security and scoped specifically to cybersecurity. This presentation will discuss the framework and how it was applied to assist leadership in prioritizing risk remediation efforts.
-
Learn about deploying IPv6, RPKI and DNSSEC, keeping your ARIN data accurate, and navigating the IPv4 Transfer Market.
-
Speakers:
- Keith Wessel, University of Illinois Urbana-Champaign
- Keith Hays, University of Illinois Urbana-Champaign
Slides:
- Two Factors, No Eyes, Again (PDF) (opens in a new window)
- Two Factors, No Eyes, Again (PPT) (opens in a new window)
Abstract:
Multi-factor authentication (MFA) is everywhere these days, and for good reasons. With the range and sensitivity of things on-line these days, passwords alone are definitely not enough to keep what’s yours yours. As good as MFA is from a security perspective, it can present considerable challenges to users with disabilities.
In 2015, Keith Hays and Keith Wessel from the University of Illinois Urbana-Champaign presented on this topic at Internet2 Technology Exchange. Both MFA and the assistive technology that users with disabilities use to interact with it have obviously changed a lot since then. In this session, Keith and Keith will provide an updated perspective of MFA for users with disabilities.
Come to learn about the challenges that MFA can present to this population and see demos of how these individuals interact with authentication technologies. You’ll walk away with a new perspective on MFA and how to make it better for everyone.
-
Speaker(s):
- Kellen Murphy, University of Virginia
- Chris Bongaarts, University of Minnesota
Slides:
Abstract:
Discover valuable insights on retiring legacy systems as we discuss the experiences of the University of Minnesota and the University of Virginia. Learn from UMN’s latest attempt to retire a 31-year-old identity system, as well as UVA’s journey of replacing their home-built group management solution with Grouper. We’ll offer practical knowledge on retiring old systems and facilitating future retirements from both organizational and technical perspectives.
-
Speakers:
- Yatish Kumar, ESnet
- Christopher Cummings, ESnet
Slides:
Abstract:
Talk 1: ESnet operates one of the largest science data networks in the US, connecting all DOE sites and research facilities. For a network of this scale, we took on the audacious goal of measuring every packet that enters and leaves ESnet, at full line rate, with nanosecond-precise timestamps. This is equivalent to a stop-motion video of our entire network, as we watch packets enter our edge at 300 million frames per second. In this presentation we will describe how we make such measurements, how we reduce such a large torrent of data, and some of the interesting insights we are able to derive from such measurements: discovering Martians, Elephants, Cheetahs, Honey Badgers, Bed Bugs and the odd Protocol Robot.
Talk 2: Network orchestration is a defining factor in next-generation networks, enabling operators to deliver more consistent and reliable services. Using the collaboratively developed Workflow Orchestrator and other commercial and open source tools, ESnet has been able to successfully orchestrate and automate network configuration deployment for large swaths of the ESnet6 network. This approach has enabled rapid deployment of new network services, as well as ensuring that configuration standards are well enforced when deploying network services.
During this talk, we will provide a brief history of automation at ESnet, Introduce The Workflow Orchestrator, dive into what our goals were for orchestration and automation in the ESnet6 project, describe the technology and process that we used to meet those goals, and then provide a live demonstration of ESnet’s orchestration tooling in action. Finally, we will discuss the lessons we learned along the way while developing this tooling, providing time for Q&A.
-
Speaker:
- Frank Seesink, University of North Carolina – Chapel Hill
Slides:
Abstract:
VMs (Virtual Machines). Containers. Docker. Orchestration. Kubernetes. Cloud native. The world is awash with terms around “the cloud,” and it can sometimes all seem a bit overwhelming. But you do not need to be an Einstein to understand. In fact, Einstein famously said “If you can’t explain it simply, you don’t understand it well enough.” Taken from the perspective of a network engineer involved in automation work who had to sift through all this the hard way, this presentation attempts to do just that.
Take a journey as we navigate this world, starting with the basics and building up an understanding, one layer at a time, to hopefully short-circuit your learning process. By the end, the audience should have enough understanding to continue further with a better sense of direction.
-
Speaker:
- Jesse Erdmann, University of Minnesota
Slides:
Abstract:
IT professionals and data scientists working in the Agri-Food science domain face a mix of challenges commonly experienced in other domains and unique to this discipline. The familiar challenge we face is a field that is rapidly getting access to increasing volumes of data, where established domain experts often do not have experience with the requisite tools to work with that deluge of data. How do we effectively partner with domain scientists to bridge the gap in current skills and help the next generation of researchers gain confidence with more technologically complex workflows?
Concurrently, one of the more unique challenges in the Agri-Food science domain is the preponderance of privately funded research and associated proprietary concerns surrounding that data. Additionally much of the data can include personally identifiable information of individual farmers. These circumstances result in an environment where the primary data cannot be made public. Researchers commonly work with private enterprise and need trusted and secure access to privately collected data. The resulting analyses need to be shared back to data providers in a similar fashion. Where open access is not possible, how do we interact with a broader scientific community focused on open access data while also promoting public-private partnerships in data-driven R&D?
In this talk we will cover how the GEMS Informatics Initiative, a partnership between Research Computing and the College of Food, Agriculture and Natural Resource Sciences, both at the University of Minnesota, are addressing these issues.
-
Speaker(s):
- Matt Growden, Provision IAM
Slides:
Abstract:
This would be a joint session where each of the Catalysts will share a bit about who they are and the value they provide to Higher Education and the open source community. There will be presentations covering a variety of topics, from consulting services to building connectors, managed solutions, and new UI applications. You’ll hear about ITAP services and support, including Federation, hosting, and more.
Come hear what we have to offer. We’ll collaborate and work together to help meet your needs: The InCommon Catalysts and the Community come together!
-
Speakers:
- James Harr, Internet2
- Josh VanDeraa, NetworktoCode
- Karl Newell, Internet2
Slides:
- Let’s GIT Started (opens in a new window)
- Data-Informed Network Automation with Na (opens in a new window)
Abstract:
Talk 1: Join us for a talk exploring Git, the most popular version control system. Review fundamental concepts in Git including commits, branches, merging, and synchronizing. Learn effective workflow patterns on platforms like GitLab, GitHub, or Gitea. Gain insights into how team workflows mature. Finally, we’ll explore tips and techniques for becoming a more effective Git power-user. Whether you’re a novice, seasoned developer, individual contributor, or team lead, there’s something new to learn about revision tracking with Git.
Talk 2: Network automation continues to grow at companies regardless of size or vertical. In this session, you will learn why an authoritative Network Source of Truth is necessary for a network automation framework. We’ll cover how Nautobot, an open-source Network Source of Truth and Network Automation Platform, helps organizations regain control of their network with a data-driven approach to network automation.
This session will help you understand the capabilities of Nautobot and dive deep into a few key applications that can help you with your daily tasks, such as the Golden Configuration app to aid in configuration compliance and integrity, the Circuit Maintenance app to help you take control of your WAN maintenance events, and the Device Lifecycle Management app to understand upcoming hardware and software events.
-
Speakers:
- Judith Bush, OCLC
- Scott Cantor, The Ohio State University
- Gary Windham, Cirrus Identity
Slides:
Abstract:
Join us as we discuss the privacy-enhancing changes in progress in browsers: the outcome is far from certain. REFEDS’ Browser Changes working group has been working with the W3C Federated Identity Community Group in hopes that R&E federated authentication use cases continue to be supported as browsers fight tracking. Come learn what to ask your vendors and service providers.
-
Speaker(s):
- Ivan Palikuca, Loyola Marymount University
Slides:
Abstract:
At LMU, we are building modern web services to replace some legacy custom applications and, at the same time, protect legacy applications that are not able to utilize the latest technology. In the current state, we are not agile, nor can we deliver timely updates to our existing applications. With AWS, we are using the following technologies:
– Move toward a microservices architecture
– Utilize API Gateway
– AWS Elasti-cache (redis cluster)
– Custom authorizer for API Gateway that still uses LMU IdP for authentication
– Lambda functions for API Endpoints, and Lambda authorizer
– AWS Secrets manager
– Using proxy requests to legacy services that support basic auth without exposing the service to the internet
We are moving towards this model to improve security and to be able to provide features to end-users faster. We have 20+ applications that we are moving towards this model and breaking those apps into different pieces. When you look into large applications, it is hard to think about how to break them down into smaller pieces, where to start, what technology to use, and how to implement all of this. The intended audience for this topic would be software developers, architects, and security analysts.
-
Speakers:
- Benjamin Lynch, University of Minnesota
- Jim Wilgenbusch, University of Minnesota
- Graham Allan, University of Minnesota
Slides:
Abstract:
The increasing prominence of digital resources and services in facilitating research across diverse fields calls for a deeper understanding of their implementation and the challenges they present. Our presentation examines the deployment of an OpenStack cluster by the Minnesota Supercomputing Institute (MSI), highlighting the capabilities of Infrastructure as a Service (IaaS) in meeting data compliance requirements and providing flexibility in research areas like agricultural informatics, neuroscience, and genomics.
Despite these successes, we acknowledge the preferences of many researchers for alternatives to IaaS and explore the reasons behind this trend. We present a comprehensive analysis of what worked well, what fell short, and how our next OpenStack cluster aims to address emerging challenges. Furthermore, we emphasize the importance of effective collaborations, training, and professional development to maximize the potential of digital resources in the research landscape.
Our findings offer valuable insights to research computing service providers as they adapt their infrastructures to cater to the evolving needs of their user-base. By sharing our experiences at MSI, we aim to foster discussions on enhancing research computing ecosystems and better supporting researchers in this era of data-driven research.
Wednesday
-
Slides:
Abstract:
We’ll host a community discussion focused on a report-out from the CACTI Next-Generation Credentials Working Group.
-
Speaker:
- Nick Lewis, Internet2
Abstract:
This session is for collaboration with campuses on the NET+ Duo Service Advisory Board to engage with Duo to provide feedback and direction for the program.
-
Abstract:
The NTAC Network Automation SIG seeks to connect members of the research and education community for discussions and collaboration around network automation. In addition to SIG members, this meetup is available to all who are interested in implementing automation within their institution and want a launching point for interacting with peers facing the same challenges.
-
Abstract:
Come join us for an in person IAM-HER meeting, all are welcome! IAM-HER is a community of women and their allies who work in Identity and Access Management in Higher Education and Research.
-
Speakers:
- Barr von Oehsen, Pittsburgh Supercomputer Center
- Forough Ghahramini, EDGE
- Maureen Dougherty, Ecosystem for Research Networking
Abstract:
Join the Ecosystem for Research Networking (ERN) BOF to explore the benefits and challenges of democratizing access to scientific research instruments; networking research computing resources including quantum computing; and enabling connected data and metadata management and storage for the research community.
Multi-institutional collaborations are on the rise and are creating new pressures to support shared access to institutional resources. Access to special purpose instruments such as quantum computers, handling massive data sets produced by research instruments such as cryogenic electron microscopes (cryo-EM), supporting computational and storage infrastructure, and building the expertise to support compute intensive research – along with the associated financial impacts – represent significant obstacles for these collaborations, particularly for under-served and non-R1 institutions.
ERN is developing an open source edge computing platform to address some of these challenges and opportunities. The goal of this BOF is to host a community discussion about what impacts such a compute model could have on collaborations, approaches for achieving adoption by resource owners/national centers, attracting community support, and stimulating scientific discovery.”
-
Speakers:
- Paul Caskey, Internet2
- Keith Hazelton, Internet2
Abstract:
It’s said that a conundrum is “a confusing and difficult problem or question.” Are you in an identity management conundrum? Come to this session to learn how you can leverage the InCommon Trusted Access Platform (TAP) to escape from that conundrum! We’ll briefly cover the components that make up the TAP – Shibboleth, Grouper, COmanage, and midPoint. Then, we’ll discuss a couple of common integration patterns of those components, including Internet2’s own implementation of the TAP components. We’ll also show how a number of your peer institutions have leveraged the InCommon Collaboration Success Program (CSP) and the CSP Workbench to explore the TAP components and how they can all be harnessed to meet most any need in campus identity management.
-
Speakers:
- Andrew Morgan, Oregon State University
- Jason Peak, Oregon State University
Slides:
Abstract:
Come join Oregon State University’s Identity and Access Management team, part of the Office of Information Security, to learn how we are implementing Zero Trust through our “Smart Access” program. The Smart Access program enables a foundational capability to provide and secure appropriate access to data and systems.
As part of our Smart Access program, Oregon State University completed an RFP, purchased a commercial IGA (Identity Governance and Access) system, and hired an implementation partner. We are early in our Zero Trust journey and will approach the next phase of this project during the time of this conference.
Attendees will come away with an understanding of Zero Trust goals for a large R1 university and our approach to implementing Zero Trust principles.
-
Christopher will provide a demo of the Insight Console, focusing on the Virtual Networks feature. On October 28-29, Internet2 will migrate users from OESS to Virtual Networks.
-
Speaker:
- Bram Peeters, GEANT
Slides:
Abstract:
In recent years GÉANT has made considerable investments in the network, to match European investments in research infrastructure. With more than 20,000 km of fibre or spectrum connecting 32 European NRENs, the basic challenge of network capacity is addressed.
We are now moving to the next stage, where we will invest in the routed layer and services, in automation and tooling, and in global connectivity. In this talk we will cover some of the drivers and challenges, and explain our choices and approach that allow us to support research and education, independent of location, and deal with Moore’s law for the next decade.
-
Speakers:
- Pål Axelsson, Sunet / Swedish Research Council
- Joanne Boomer, University of Missouri
- Judith Bush, OCLC
- Scott Cantor, The University of Ohio
- Steven Premeau, University of Maine
- Albert Wu, Internet2
Slides:
Abstract:
Earlier this year, REFEDS (Research and Education Federations) published a set of three new attribute bundle entity categories (Anonymous Access, Pseudonymous Access and Personalized Access). These new attribute release categories offer a simple and shared vocabulary for services to articulate their user data needs in a privacy-preserving manner. They allow home organizations to evaluate services’ data needs in an organized manner and therefore scale (automated) user information release.
The InCommon Technical Advisory Committee has been leading the effort to promote the adoption of several interoperability and scalable data release standards across the InCommon Federation. Along with the Kantara SAML V2.0 Deployment Profile for Federation Interoperability (SAML2Int), which clarifies how to configure your SAML implementation to maximize federation interoperability, these three new REFEDS attribute release bundles are major components of TAC’s effort to further clarify what it means to be “Federation Ready”.
This session will introduce these new attribute release bundles. We will also discuss how InCommon is building on these attribute bundles and SAML2Int to further improve interoperability across the Federation. Find out what the rollout roadmap looks like and what you can do to participate.
-
Speaker(s):
- Matt Growden, Provision IAM
- Stephen Fox, Provision IAM
- Slavek Licehammer, Evolveum
- Johnny Lasker, Internet2
- Paul Caskey, Internet2
Slides:
Abstract:
Catalyst partners Evolveum and Provision IAM, in collaboration with Internet2, deliver a live demonstration of using midPoint to manage authorized access to eduroam logs via Grafana/Loki. Administrators of eduroam who log into the Federation Manager are able to click over to a Grafana/Loki instance that lets them see their organization(s)’ logs based on what has been logged in the national infrastructure.
We introduce the Grafana/Loki connector built on top of the “Base Connector Framework”, used as the foundation for this demo’s midPoint connection to Grafana/Loki, offering centralized, policy-compliant provisioning of this log access. Both the connector and the framework are available to the community as open source. We also show midPoint’s new resource configuration wizard, demonstrating comfortable step-by-step connector configuration for this use case.
Everything together is compiled in a comprehensive demonstration of integrating a new service with midPoint, illustrated on the eduroam log service. An analogous approach can be used for other integrations.
-
Speaker(s):
- Andy Lake, ESnet
- Sarah Larsen, ESnet
- Mark Feit, Internet2
- Lætitia A Delvaux, Poznan Supercomputing and Networking Center
Slides:
Abstract:
This session will be 50 minutes of talks from members of the development team about the newest and upcoming developments in perfSONAR. Covered topics will include this year’s release of 5.0, new tools for visualization and on-demand testing, a new high-performance version of iperf3 and a look at how perfSONAR is deployed on Internet2’s backbone.
-
Speaker(s):
- Keith Wessel, University of Illinois Urbana-Champaign
- Rob Carter, Duke University
- Netta Caligari, West Arete
- Scott Woods, West Arete
Slides:
Abstract:
Many of our universities already have climate commitments, centers for sustainability, and large infrastructure projects that include plans to reduce the university’s carbon footprint. It’s easy to feel like our individual role is too small to make a difference.
However, as stewards of cloud and on-premises infrastructures, your everyday choices have a direct impact on environmental sustainability. During this talk, we’ll provide some key principles to guide your decision-making process, guided by real-world examples that serve as inspiration for how you can make a difference.
Join us to learn about the small changes you can make that can have big positive environmental changes. Not only can they be good for the environment, they can be really good for your career, too. Despite the somewhat limited information on how academic institutions are grappling with these challenges, we hope that you can take some of the lessons from this talk, apply them to your day-to-day decisions, and make choices that are simultaneously good for your institution and the environment.
-
Speaker(s):
- Lucas Bondan, Rede Nacional de Ensino e Pesquisa (RNP)
Slides:
Abstract:
The OpenRAN@Brasil Program is Brazil’s most extensive research, development, and innovation program in open and disaggregated radio access networks. In this paper, we describe how open RAN is boosting research, development and innovation in telecommunications and how it impacts this landscape by democratizing parts of large telecommunications infrastructures through open APIs, reducing equipment costs, and thus not depending on large equipment manufacturers. Specifically, we will present the main benefits and challenges of creating an open RAN testbed in the country.
-
Speakers:
- Marina Krenz, Indiana University
- Paul Howell, Internet2
- Nick Lewis, Internet2
Slides:
Abstract:
This panel will share how Internet2, REN-ISAC, and EDUCAUSE work collaboratively and independently to provide support for cybersecurity professionals to solve challenges as a community. The presenters will provide an update and showcase initiatives, projects, and resources each organization provides to the community and how they all collaborate.
-
Learn about deploying IPv6, RPKI and DNSSEC, keeping your ARIN data accurate, and navigating the IPv4 Transfer Market.
-
Speaker:
- Kyle Lewis, RCDT
Slides:
Abstract:
Know Thy Users – REFEDS Assurance Framework 2.0 Release Update
The REFEDS Assurance Framework (RAF) Working Group (WG) is culminating a two-year effort to update the RAF standard from version 1.0 to 2.0, to improve comprehension and ease implementation. The new version should be released for public consultation prior to the 2023 TechEx. The RAF WG Chair will present on the current status of the framework and highlight the new criteria. Presentation length should be approximately 20-30 minutes.
-
Speaker:
- Slavek Licehammer, Evolveum
Abstract:
IGA systems are the heart of organizational infrastructure, enabling secured and automated processes. Even though IGA brings enormous added value, it is also a crucial system whose malfunction can cripple the whole organization. For this reason, every significant configuration change in the IGA system is a highly critical operation that needs close supervision.
Evolveum aims to address this pain point and provide tools and processes that lift some of the pressure by delivering a peek into the future using comprehensive simulations of the desired state. That enables both technical personnel and decision makers to use automated reporting and other tools to verify the impact of a change before the launch day.
This presentation describes the challenges of IGA operations, focusing on major areas like organizational transformation, significant infrastructure changes, and new processes. It also explains how open source IGA platform midPoint can address those challenges on both technical and management levels.
-
Speaker:
- John Sweeting, ARIN
- Steve Wallace, Internet2
Slides:
Abstract:
Resource Public Key Infrastructure (RPKI) products are opt-in services that can help mitigate the impact of unintentional misconfigurations or malicious attempts to hijack IP address resources. If your resources are already under a Registration Services Agreement (RSA), we’ll help you start using RPKI immediately. If you hold legacy resources not under agreement, we’ll help you learn how to sign a Legacy RSA and lock in lower annual fees prior to a fee change that’s coming at the end of 2023. Find out all the information required for you to participate in ARIN’s RPKI service to strengthen your routing security and establish an agreement with ARIN before the legacy rates expire.
-
Speakers:
- Heather Mitchell, Vanderbilt University
Slides:
Abstract:
Like many of our peers, Vanderbilt University is deploying AWS Control Tower now that it is sufficiently mature. However, our environment is not a green field; we have 120+ accounts, and we have been deploying Config, GuardDuty, SSO, and centralized logging via CloudFormation stack sets throughout our Organization for years.
How do we stand up Control Tower and migrate our existing accounts into it without disrupting anything that’s currently in place? Especially, how do we do that for our secure environments, where there is more complexity and more risk? And to make things more interesting, can we also switch from CloudFormation as our Infrastructure-as-Code tool to Terraform? And introduce Account Factory and a CI/CD pipeline? We’ll discuss what worked and what’s better now, as well as gotchas, lessons learned, and potential “resume-generating events.”
-
Speakers:
- Jim Wilgenbusch, University of Minnesota
- Joshua Baller, University of Minnesota
- Benjamin Lynch, University of Minnesota
- Christy Henzler, University of Minnesota
Slides:
Abstract:
Research computing and data (RCD) resources are increasingly important components of university-based sponsored research. The RCD resources required to achieve successful research outcomes may include some or the full spectrum of RCD assets from advanced networks and data storage systems to custom software and domain specific informatics experts.
Furthermore, it’s not uncommon for some sponsored research projects to require a substantial portion of these resources, which may exceed what is typically provided to a single project and if granted would stress an organization’s ability to provide RCD services to other members of the university-based research community.
Models to address these types of demands are fairly common when it comes to hardware (e.g., condo computing or dedicated storage), but approaches or frameworks that can be applied to sustainably address dedicated staffing requirements are still rare. The challenge universities typically face when it comes to people is how to balance basic support for the broad spectrum of research activities that rely on RCD resources, while also providing for the dedicated and highly specific needs of particular research projects.
In this presentation, we describe the specific components of the partnership framework that has enabled Research Computing at the University of Minnesota to scale up staffing in response to the dedicated research requirements of a wide variety of research domains including medicine, agriculture, and neuroimaging. While this framework was designed to address specific challenges at the University of Minnesota, this approach could be generalized to apply to other academic institutions. To that end, this presentation describes some of the core conditions at the U of M that were required to make this approach a success.
-
Speaker:
- Warrick Mitchell, AARnet
Slides:
Abstract:
Attracting and retaining talent with cyber expertise is cited as a recurring pain point globally, with recent data stating Australia will be short 30,000 cyber roles in four years’ time. This is compounded by the HE&R sector and NRENs competing with both government and larger organisations that often have greater budgets and higher brand awareness targeting the same talent pools.
Within the purpose-built and sector-focused AARNet Security Operations Centre (SOC), we’ve had the experience of building and retaining a people capability from the ground up without being well known for security services in the local market, during the COVID-19 pandemic and as the labour market more broadly became increasingly tight, with Australian unemployment hitting record lows of 3.5% in 2022.
We’ve adopted several strategies and programs targeted at building and retaining the next generation of professionals, based on a differentiating and unique people value proposition within AARNet. Some examples include:
- Internship and undergraduate programs aimed at partnering with select universities to provide a pipeline into cyber security based on relevant study, hands-on experience, and fully paid rotations across two streams within AARNet – this has led to two high-performing interns being employed in an ongoing capacity within the SOC.
- Secondment opportunities within AARNet for interested team members from other parts of the organisation wanting experience in cyber security, who already have existing context and knowledge of AARNet, the sector and its customers.
- Development frameworks to demonstrate individual career progression opportunities through transparent Key Performance Indicators (KPIs) aligned with periodic performance review cycles.
- Investment in formal training support and certifications provided through globally recognised providers such as SANS and key vendor partners, with study agreements in place to minimise staff churn.
- Ongoing reward and recognition initiatives to acknowledge team members that go above and beyond.
- Team building activities through brown bags, lunch and learns, team offsites and social events to help foster a positive team culture centred on AARNet’s values of ‘one team’, ‘creativity’ and ‘trust’.
- Diverse exposure to a number of varied customer environments and technologies, empowering team members to lead the engagement of customer stakeholders through operations and governance cadences.
- Working directly with like-minded organisations and partners to help share who AARNet is and what the opportunities working at AARNet may look like. This includes AWSN (Australian Women in Security Network), AHECS (Australasian Higher Education Cybersecurity Service), the NREN community and government.
We continue to grow and are always looking for further areas to collaborate and provide opportunities for development within the team locally, internationally, internally and externally – having started with two people in late 2019 to well over 20 people within the SOC in 2023.
-
Speakers:
- David St. Pierre Bantz, University of Alaska
- Keith Wessel, University of Illinois, Urbana-Champaign
- Steve Premeau, University of Maine
- Jon Miner, University of Wisconsin-Madison
- Albert Wu, Internet2
Slides:
Abstract:
The InCommon Technical Advisory Committee (TAC) has been working on several important initiatives to increase trusted interoperability among InCommon participants.
The first part of this session will describe the progress in these areas to date and how they will benefit scalable federation, including:
– better user identifiers,
– new entity categories,
– completion of Baseline Expectations v2, and
– operationalizing Baseline Expectations.
The second portion of this session will invite broad input on potential next directions to
– increase levels of assurance,
– facilitate interoperability and security,
– streamline integration of relying parties, and
– better support protocol alternatives to SAML, e.g., OIDC.
-
Speakers:
- Hannah Sebuliba, NIAID International Program
- Matthew Economou, NIAID International Program
Slides:
Abstract:
Single Sign-On (SSO)/federated login is a popular authentication method that allows users to access multiple applications using the same set of credentials. SATOSA is an open-source proxy designed to enable communication between Identity Providers (IdPs) and Service Providers (SPs) even when they use different authentication protocols or authorization mechanisms. Without proper security measures in place, using a single set of credentials could lead to security weaknesses such as lingering sessions and session hijacking that might compromise the effectiveness of the whole authentication system.
One of the security measures that can be implemented is Single Logout (SLO), which allows users to terminate their sessions across the applications they have accessed through SSO. Currently, SATOSA does not support SLO for any protocol, so the NIAID International Program set out to introduce SLO on SATOSA’s SAML 2.0 SP and IdP, which required several changes to the architecture of SATOSA.
-
Speakers:
- Ryan Harden, Internet2
- Steve Wallace, Internet2
- Heather Starks, GlobalNOC
- Jason Zurawski, ESnet
Slides:
- Building the Internet2 Route Reports (opens in a new window)
- GlobalNOC Light (opens in a new window)
Abstract:
Talk 1: The Internet2 Route Reports gather, parse, and utilize data from a multitude of sources. In this short talk, we’ll go over how we’ve automated the process of distilling gigabytes of data down to a consumable report for our Connectors and BGP Participants. Topics include GitLab CI, Python pickle, radix trees, and more!
Talk 2: The presentation will highlight new tools and resources that assist network operators with understanding the alignment between their intended route policy and real-world implementations. These new tools gather pre-policy routing announcements (i.e., routes that exist before the best or allowed path is selected), routing data from other sources such as RIPEstat, and published policy in IRRs, and attempt to make this information actionable.
Talk 3: GlobalNOC has a long history of automation in our network operations center. Recently, with the groundswell of network configuration automation activity across the R&E community, we have tried to capture this excitement to build a richer culture of automation across our organization — at every level across all of our teams. By involving all GlobalNOC staff in the idea generation and implementation of new automation efforts, we hope to create an “automation snowball” at GlobalNOC, enabling an “automation-first” strategy as we enhance our tools and processes as part of our continuous improvement efforts.
In this talk, we will discuss our recent automation work and how we encouraged broad involvement across our organization in these projects — including work in the config automation space as well as operations automation via projects such as:
- Automated alert handling at our Service Desk
- Automated event handling and communication when outages are detected
- Our “network troubleshooter” tool that assists our network engineers and service desk technicians in diagnosing outage incidents
- Automated systems to facilitate fine grained control of event notifications from our NOC to our users.
- Automated software testing and deployment for our network management systems
- And more…
Talk 4: Coming soon…
-
Speakers:
- Heather Mitchell, Vanderbilt University
Slides:
Abstract:
How can you leverage the cloud to provide researchers with secure computing environments that are consistent, compliant, and manageable at scale? Come learn about Vanderbilt University’s approach to building and deploying secure environments based on Center for Internet Security levels and NIST 800-171, including process and governance aspects in addition to the technical nitty-gritty.
We’ll discuss our intake process, how we decide what level of compliance applies, and the tools we use to build and enforce our compliance maps in both Windows and Linux. We’ll also explore the crucial partnerships and support from Vanderbilt’s IT Risk & Compliance team and grants administration teams.
-
Speaker:
- Jason Rappaport, Princeton
Slides:
Abstract:
In today’s rapidly evolving cloud environment, ensuring security compliance is paramount. Like many organizations, we embraced CIS Benchmarks to uphold best practices and security standards across Azure and other clouds. However, sometimes exemptions to these policies are required for a cloud service to function. Join us for a discussion and demo on how our cloud enablement team tackled the challenge of streamlining Azure Policy exemptions through an Azure Function.
-
Abstract:
“The Americas Grid Policy Management Authority (TAGPMA) is one of three regional policy management authorities (PMAs) in the Interoperable Global Trust Federation (IGTF, https://www.igtf.net). TAGPMA represents Authentication Providers (APs) and Relying Parties (RPs) for countries in North, Central, and South America and the Caribbean.
IGTF develops, maintains and enforces policies, profiles, and standards for authentication and authorization infrastructure (AAI) worldwide, primarily in support of the high performance computing and computational science communities. IGTF PMAs accredit authentication providers (APs) on behalf of relying parties (RPs) and the broader research community. IGTF maintains a distribution of trust anchors for accredited authentication providers.
This working meeting is for TAGPMA member representatives and invited guests. Discussions will focus on authentication provider accreditation and status updates, relying party requirements, IGTF profile and policy development, and evaluation of attribute authority operations.”
-
Abstract:
“The Global Network Advancement Group (GNA-G) gathers worldwide network professionals from the Research & Education (R&E) Networking organisations to support and enhance continent-to-continent interconnectivity and global science collaboration.
GNA-G organises its work in working groups around topics of multi-national and multi-domain interest and importance. Some of the working groups include, but are not limited to Data Intensive Science, Routing, AutoGOLE/SENSE, GREN map and Network Automation. Network engineers from operational teams and research groups from several continents are contributing in these groups, with the call always open for others to join.
The working meeting – open for all – aims at gathering community representatives interested to hear more about GNA-G and its working groups, learn which of them might be of their interest, and how to join and contribute.”
-
Abstract:
Join us for updates from Radware on their DDoS mitigation platform. This special interest group is open to all!
-
Abstract:
The InCommon Technical Advisory Committee guides InCommon leadership on emerging technical trends and challenges that impact R&E federations and InCommon members. In this open working meeting, the TAC will review its work so far for 2023 and begin brainstorming its work plan for 2024. Everyone is welcome to join us to learn more about the TAC and to provide input to help guide our efforts.
-
Abstract:
Hear from the service team and your eduroam Advisory Committee about the latest updates to the service. Ask questions of your fellow eduroam admins and discuss the further expansion of eduroam hotspots toward coverage on every bus and at every state park throughout the country.
-
Abstract:
This session is for collaboration with campuses on the NET+ Splunk Service Advisory Board to engage with Splunk to provide feedback and direction for the program.
-
Speaker:
- The perfSONAR Development Team
Abstract:
Members of the perfSONAR development team will be demonstrating prototypes of new data visualization software to replace MaDDash and some experimental dashboards for a future version of the perfSONAR toolkit’s web interface. As always, we can answer your questions on other perfSONAR topics, too.
-
Speakers:
- Nick Lewis, Internet2
Slides:
Abstract:
MFA on campus has changed dramatically over the last couple years as campuses responded to the pandemic, MFA phishing attacks, and the changing environment. The NET+ Duo program sponsored a 2023 MFA Community survey and continues to engage the community as campus environments evolve. This presentation will discuss the results from the 2023 MFA Community survey, how campuses are using MFA, and future directions on how they are planning to protect their campuses.
-
Speakers:
- Mariam Kiran, Scott Campbell, & Nick Buraglio, Lawrence Berkeley National Lab
- Dale Carder, ESnet
Slides:
- HECATE Update (opens in a new window)
- Using NetSage to Support ACCESS (opens in a new window)
- R&E Upgrades for HL-LHC (opens in a new window)
Abstract:
Talk 1: Designing optimum network topologies, where traffic flow is always efficient with minimal congestion points, is imperative to guarantee successful science experimentation. In ESnet, we see a large percentage of long-running flows, mixed in with deadline-driven flows and remote analysis, which makes traffic engineering (TE) particularly challenging. In this talk, we depart from traditional TE approaches and use AI to improve real-time traffic path control so as to improve flow quality and network performance, proposing a deployable solution, Hecate. Hecate performs a two-stage optimization process: first, learning traffic profiles and network health data to predict future statistics, and second, leveraging deep reinforcement learning to optimize path routing over many optimization objectives. Hecate is designed to optimize network utilization and performance to reduce network hotspots over an operational network.
Talk 2: Coming soon….
Talk 3: The High Luminosity upgrade of the Large Hadron Collider (HL-LHC) at CERN in 2029 requires campus networks, regionals, and international networks such as ESnet to cooperate in deploying the substantial infrastructure improvements needed to handle an increase of up to 10x today’s traffic. One of the upcoming milestones, occurring early next year, is Data Challenge ’24, a benchmarking test to see if existing systems can run workloads at 25% of the target capabilities. In this presentation, we’ll give an overview of the challenges faced and the coordinated efforts involved in preparing for HL-LHC in the R&E networking community.
-
Speakers:
- Chris Horen, University of Colorado – Boulder
- Dan Landerman, Northwestern University
- Ananya Ravipait, Internet2
- Scott Taylor, Internet2
Slides:
Abstract:
The Technology Exchange is, at its core, a crossroad of disciplines, many of which intersect, impact, and rely on each other. This session embraces these relationships by convening in a storm of lightning talks, each showcasing important issues impacting cloud technology and adoption for research and education: Networking and Cloud; Security and Cloud; Identity and Cloud; Research and Cloud. Each speaker will present important crossover points, lessons learned and best practices so that cloud technologists can leverage and utilize these expert tips on their own campuses.
-
Speakers:
- Al Anderson, Director of IT, Salish Kootenai College
- Tim Warren, CIO, Tennessee State University
- Febbie Dickerson, Vice President for Academic Affairs, American Baptist College
- Dr. Lei Qian, Associate Professor and Coordinator of Computer Science, Fisk University
- Lauren Michael, MS-CC
Slides:
Abstract:
Over the last year, the Minority Serving – Cyberinfrastructure Consortium (MS-CC) has piloted a new grant program to drive sustainable cyberinfrastructure (CI) advancement at historically Black colleges and universities (HBCUs) and tribal colleges and universities (TCUs). With funding from the NSF’s Office of Advanced Cyberinfrastructure (#2234326), MS-CC developed the Proof-of-Concept Grant (PoCG) program as a combination of both funding and dedicated advisory support from the MS-CC’s “Tiger Teams” of professionals experienced in campus CI development and stakeholder alignment. In this panel, representatives from campus recipients of PoCG pilot grants will share their experiences, thus far, and will discuss how the program is ‘proving’ multiple concepts for CI strategic advancement designed by and for their institutions.
-
Speaker:
- Kyle Lewis, RCDT
Slides:
Abstract:
Developing InCommon’s Community Cybersecurity Cooperation Year Two: It’s Not Just a Check Box
In 2023, InCommon’s Community Trust and Advisory Board (CTAB) continued the Sirtfi Exercise Planning Working Group (SEPWG). In this session, the SEPWG Chair will present on the Sirtfi framework and provide key tips on implementing Sirtfi in your organization beyond just signaling compliance through the metadata. We will also highlight what the SEPWG has accomplished thus far through community engagement feedback and preview the Sirtfi distributed tabletop exercise planned for the Fall 2023 season.
-
Speakers:
- Keith Wessel, University of Illinois Urbana-Champaign
- Erik Coleman, University of Illinois Urbana-Champaign
Slides:
Abstract:
Many organizations are hosting services in the cloud these days. With all the work to build continuous integration workflows and deploy infrastructure with code, it’s easy to overlook something as basic as authentication.
In 2018, the University of Illinois released its AWS CLI SAML plugin, which enables browserless command-line authentication to AWS using a SAML identity provider. Since then, other cloud providers have gained momentum, and other SAML- and OIDC-based mechanisms have come along to leverage external SSO for authenticating to cloud hosting providers. Come to this session to learn about some of the options that are available, how they work, and their pros and cons.
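The core of a browserless SAML-to-AWS flow is: obtain a signed assertion from the IdP, read the `https://aws.amazon.com/SAML/Attributes/Role` attribute to find which role/provider pairs the IdP granted, then call STS `AssumeRoleWithSAML` with the base64-encoded assertion. The following is an added example written for this page, not the University of Illinois plugin’s code. The assertion is a constructed, unsigned fragment (a real one is signed by the IdP and STS verifies that signature against the registered SAML provider), and `FakeSts` is a hypothetical offline stand-in for a boto3 STS client that exposes the same `assume_role_with_saml` method.

```python
"""Parse AWS role attributes from a SAML assertion and exchange the assertion
for temporary credentials via STS AssumeRoleWithSAML (offline demonstration)."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample assertion for illustration only; it carries no signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/CampusIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CampusIdP,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_roles(assertion_xml: str) -> List[Tuple[str, str]]:
    """Return (role_arn, principal_arn) pairs from the Role attribute.
    AWS accepts the two ARNs in either order, so classify by ARN type."""
    root = ET.fromstring(assertion_xml)
    pairs: List[Tuple[str, str]] = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            principal = next((p for p in parts if ":saml-provider/" in p), None)
            if len(parts) != 2 or role is None or principal is None:
                raise ValueError(f"malformed Role value: {value.text!r}")
            pairs.append((role, principal))
    return pairs


def parse_duration(assertion_xml: str, default: int = 3600) -> int:
    """SessionDuration is optional; fall back to the STS default of one hour."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == DURATION_ATTR:
            v = attr.find("saml:AttributeValue", NS)
            if v is not None and v.text:
                return int(v.text)
    return default


def assume_role(sts_client, assertion_xml: str, role_arn: str) -> Dict[str, str]:
    """Exchange the assertion for credentials for role_arn.
    The assertion is sent base64-encoded exactly as the IdP issued it; any
    local edit would break the IdP signature and STS would reject it."""
    granted = dict(parse_roles(assertion_xml))  # role_arn -> principal_arn
    if role_arn not in granted:
        raise PermissionError(f"assertion does not grant {role_arn}")
    resp = sts_client.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=granted[role_arn],
        SAMLAssertion=base64.b64encode(assertion_xml.encode()).decode(),
        DurationSeconds=parse_duration(assertion_xml),
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


class FakeSts:
    """Hypothetical offline stand-in for boto3's STS client: records the call
    and returns dummy credentials so the flow can be exercised without AWS."""

    def __init__(self) -> None:
        self.calls: List[Dict] = []

    def assume_role_with_saml(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret",
                                "SessionToken": "token"}}


if __name__ == "__main__":
    sts = FakeSts()
    print(parse_roles(SAMPLE_ASSERTION))
    print(assume_role(sts, SAMPLE_ASSERTION, "arn:aws:iam::123456789012:role/ReadOnly"))
```

With a real client, replace `FakeSts()` with `boto3.client("sts")`; the call needs no AWS credentials of its own, because the assertion is the credential. Two caveats a practitioner should keep in mind: the client never validates the assertion signature (STS does, against the provider named by `PrincipalArn`), and `xml.etree` should be swapped for `defusedxml` when parsing responses from an IdP you do not operate.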
-
Speakers:
- Vojdan Kjorveziroski, Cyril and Methodius University
- Łukasz Łopatowski, Poznan Supercomputing and Networking Center
- Andrew Ragusa, GlobalNOC
Slides:
Abstract:
Talk 1: NMaaS (Network Management as a Service) is a multi-tenant platform for effortless, on-demand deployment of software tools and applications. Developed as part of the GÉANT project, it is available in two flavors:
– A hosted service maintained on a dedicated infrastructure provided by the project (running for over 4 years),
– An open-source software package which can be deployed in a self-hosted model, by anyone, anywhere, in their own environment.
Initially aimed at supporting National Research and Education Networks (NRENs) and their end-institutions in monitoring their infrastructures, it offers an extensible catalog of network management applications which can be deployed with just a few clicks either on the managed production instance operated by the GÉANT project (https://nmaas.eu), or on a self-hosted one deployed on the NREN’s premises.
NMaaS, at its core, leverages a catalog of containerized applications which can be deployed in an existing Kubernetes cluster. It allows each application instance to be tailored to the user’s needs through a configuration process either at deployment time or at any point afterwards, while the application is running.
Recognizing the versatility of this approach, NMaaS is well suited to serve additional use-cases as well. One of these use-cases, explored in the latest phase of the project, is the option to use NMaaS in virtual laboratory scenarios in the context of both formal education and life-long learning. By extending the existing catalog of applications with additional entries developed both within the GÉANT project and by the wider open-source community, NMaaS can be used for organizing hands-on exercises in a wide range of scenarios, from university courses to online learning platforms offering unsupervised learning. The multi-tenant environment allows each participant to have their own workspace, with a personalized catalog of applications, as configured by the administrator of the platform. This approach makes it possible to use one NMaaS instance in multiple scenarios, across a number of courses.
The first set of applications developed for the new virtual lab use-case and added to the NMaaS catalog are focused on remote development environments and cybersecurity training exercises. Remote development environments can help students easily set up the required software tools needed for a given course, avoiding complex installation procedures, and allowing them to run resource-intensive applications which might not have been originally compatible with their own personal computers. Examples include deployment of database management systems (DBMS), message queues, integrated development environments (IDEs), specialized software, and Jupyter servers. On the other hand, NMaaS also provides an isolated and secure environment where purposely vulnerable software can be run. Such vulnerable application instances can be personalized at deployment time, introducing additional entropy by varying the configuration of the vulnerable software across deployments, thus posing a unique challenge to each participant and making solution-sharing harder.
One of NMaaS’s core objectives is to foster collaboration between various communities, allowing them to easily exchange their tools and applications. The existing set of supporting applications developed for the virtual lab use-case as part of the GÉANT project is published as open source and can be reused by anyone on their self-hosted NMaaS instance. The goal of the presentation is to describe NMaaS in more detail, discussing its overall concept, along with the brand new use-case which has been recently introduced and already piloted at a participating university for organizing hands-on exercises in the field of cybersecurity.
Talk 2: The GlobalNOC has been working on several different aspects of routing security for a long time, starting with the ANI (Automatic Network Injector), a blackholing service offered to IU since 2010. Recently we have added several new tools to our routing security offering: assisting with updating prefixes in IRRs and RIRs, providing RPKI services, validating advertised routes, and using automation to automatically blackhole DDoS attacks. The developers and users of these tools will talk about how they are used and where the future of these tools is going.
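The route validation that both the ARIN RPKI session and this talk refer to is Route Origin Validation (RFC 6811): a BGP announcement is checked against every ROA whose prefix covers it, and is valid only if some covering ROA names the announcing origin AS and allows the announced prefix length. The following is an added example written for this page, not code from ARIN, GlobalNOC or the Internet2 Route Reports. It stores ROAs in a binary radix trie (the data structure the Route Reports talk mentions) so that a single walk collects all covering ROAs; the ROA table and announcements are constructed, using documentation prefixes and private ASNs.

```python
"""Route Origin Validation (RFC 6811) over a prefix radix trie.

Constructed ROAs and announcements; not a validated-cache feed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterator, List


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int  # AS 0 means "nobody may originate this prefix"


@dataclass
class _Node:
    children: Dict[int, "_Node"] = field(default_factory=dict)
    roas: List[Roa] = field(default_factory=list)


class RoaTrie:
    """Binary trie keyed on the network bits of each ROA prefix. A lookup for an
    announced prefix visits every node on its path, i.e. every less-specific or
    equal prefix, which is exactly the set of ROAs that cover the route."""

    def __init__(self) -> None:
        self.root = _Node()

    @staticmethod
    def _bits(net: ipaddress.IPv4Network) -> Iterator[int]:
        addr = int(net.network_address)
        for i in range(net.prefixlen):
            yield (addr >> (31 - i)) & 1

    def add(self, roa: Roa) -> None:
        node = self.root
        for b in self._bits(roa.prefix):
            node = node.children.setdefault(b, _Node())
        node.roas.append(roa)

    def covering(self, net: ipaddress.IPv4Network) -> List[Roa]:
        found = list(self.root.roas)  # a 0.0.0.0/0 ROA would live here
        node = self.root
        for b in self._bits(net):
            node = node.children.get(b)
            if node is None:
                break  # no more-specific ROAs exist along this path
            found.extend(node.roas)
        return found


def validate(trie: RoaTrie, prefix: str, origin_asn: int) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = trie.covering(net)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but no ROA matches origin and length


def build_sample_trie() -> RoaTrie:
    """Constructed ROA set (RFC 5737 prefixes, RFC 6996 private ASNs)."""
    trie = RoaTrie()
    trie.add(Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496))
    trie.add(Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 64497))
    trie.add(Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 0))  # AS0: never originate
    return trie


def validate_table(trie: RoaTrie, announcements: List[tuple]) -> Dict[tuple, str]:
    """Validate a list of (prefix, origin_asn) announcements in one pass."""
    return {a: validate(trie, a[0], a[1]) for a in announcements}


if __name__ == "__main__":
    t = build_sample_trie()
    for ann, result in validate_table(t, [
        ("192.0.2.0/24", 64496),     # legitimate origin
        ("192.0.2.0/25", 64496),     # too specific: exceeds maxLength
        ("192.0.2.0/24", 64500),     # origin hijack
        ("198.51.100.0/24", 64497),  # more-specific allowed by maxLength 24
        ("203.0.113.0/24", 64496),   # AS0 ROA: any origin is invalid
        ("10.0.0.0/8", 64496),       # no ROA at all
    ]).items():
        print(ann, result)
```

The maxLength check is what catches the classic more-specific hijack: a ROA for 192.0.2.0/24 with maxLength 24 does not authorize the same AS to announce 192.0.2.0/25, and leaking such a route would be marked invalid. A validator that only looked up the longest-matching ROA would miss cases where a shorter covering ROA authorizes the route, which is why the trie walk collects every covering entry.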
-
Speakers:
- Josh Drake, OMNI-SOC/Indiana University
Abstract:
Research cyberinfrastructure faces a unique cybersecurity threat landscape. Researchers and scientific operations are far more likely than similarly sized commercial institutions to be targeted in a cybersecurity incident, while facing the same opportunistic threat landscape as their SMB counterparts, and often with fewer resources available to implement adequate controls and governance.
This talk draws on data from the 2021 Data Breach Investigation Report from Verizon and Trusted CI’s Open Science Cyber Risk Profile to build a mental model for understanding the threat vertical for scientists and research cyberinfrastructure operators that they can use to apply their cybersecurity resources in the most impactful areas of their organization. This talk is aimed at research cyberinfrastructure operators, but would be of value to anyone involved in cybersecurity governance and planning in higher ed or research.
-
Speakers:
- Grady Bailey, University of Texas – Austin
- Peter Balčirák, CESNET
- Summer Scanlan, University of California, Berkeley
Slides:
- Bringing Commercial Products into Open-Source World (opens in a new window)
- Lived Name Considerations (opens in a new window)
Abstracts:
- This talk will describe the design, implementation, and rollout of Federated Identity at NERSC, the primary scientific computing facility for the Office of Science in the U.S. Department of Energy. We’ll demonstrate how FedID enables and streamlines the sort of team-based collaborative science campaigns NERSC enables for scientists worldwide. (LT2)
- Integrating existing systems is essential to the open-source community. It helps to build complex solutions in a sustainable way that can be beneficial to our world. However, integrating separate open-source components is not enough to meet users’ requirements. Often, bringing together solutions from the open-source and commercial worlds is necessary. The effort is practical but more challenging than it may look. While the open-source community is about flexibility and cooperation, the commercial industry is often about money, meaning that it is hard to convince companies to change product behavior unless we pay them enough. Recently at Masaryk University, we had a similar experience when integrating Atlassian products into our Identity and Access Management (IAM) system. One of the obstacles is that users can have only one email inside the Atlassian ecosystem, which is also used as the primary identifier. Not only could it cause problems when a user’s email changes, but it also makes it almost impossible to use multiple email addresses to communicate with the system, i.e., to send requests directly from their email clients. This talk presents the challenges we have encountered during the integration of Atlassian products with the Perun IAM system. It also demonstrates possible techniques we would like to implement to overcome the shortcomings of the current solution. (LT3)
- Many universities are implementing Lived Name policies, and IAM teams are tasked with changing data intake and assertions to meet new requirements. (LT4)
-
Speakers:
- Frederic Loui, RENATER/GEANT
- Sonja Filiposka, GEANT
- Karl Newell, Internet2
Slides:
Abstracts:
Talk 1: RARE/freeRtr is a project that started in 2019. Its objective is to implement an Open Source Routing platform versatile enough to run in various situations. It aims to support Research and Education (R&E) specific use cases. While RARE uses freeRtr as the control plane, the platform has the particularity to run on top of different data plane implementations. This allows a high degree of deployment and flexibility. Most features are developed with P4 for the software target BMv2, and where possible also for the Intel Tofino hardware target. Additionally, a DPDK-based data plane called P4DPDK for x86 platforms is also available that addresses use cases requiring lower bandwidth.
NMaaS is another GÉANT project, initiated in 2015. It aims to provide a comprehensive catalog of network management applications. Relying on Kubernetes technology, it has never been easier to deploy applications such as Prometheus, InfluxDB or Grafana.
It has become natural for NMaaS to become RARE/freeRtr’s inherent network management solution. The combination of these two platforms constitutes a turnkey solution for network operators.
All of these features are tested in the Global P4 Lab (GP4L), a representative lab environment that started with 4 nodes in Europe only. It received a warm welcome from R&E organisations, has become a world-wide community effort and now comprises 30 nodes all around the world. Various demonstrations were presented during SC22 using GP4L.
RARE/freeRtr, GP4L & NMaaS are initiatives pursued within the GÉANT-5 project which started January 2023 under the umbrella of Horizon Europe.
Talk 2: What was old is new again. Many of us are familiar with the Science DMZ and one of its main goals: to ensure optimal data transfer across the wide area network (WAN). The TCP performance pain points that led to the development of the Science DMZ are once again being revisited with the advent of the cloud and dedicated virtual circuits towards cloud providers. We are once again witnessing perceived network performance issues related to large TCP transfers across the WAN. These issues are typically related to TCP tuning on the endpoints and to the protocols and applications used for the transfer. Additionally, due to the nature of the data and its location within the campus, there are one or more firewalls in the network path. Internet2 is developing training and documentation to assist members with understanding and troubleshooting large data transfers across the WAN. This talk will highlight those efforts and engage with the audience to determine how we can help each other.
-
Speakers:
- Jay Hulslander, Cornell University
Slides:
Abstract:
Cornell University runs a customized version of the Kuali Financial System in our AWS account. This presentation will go over the process we use to update our customization with vendor releases, bug fixes and general Cornell enhancements and integrations. The presentation will also cover which Amazon technologies we use to host our Kuali suite of applications, along with some general DevOps tools we use to build and maintain our infrastructure.
Some of the technologies covered will be Java, Ruby, Jenkins, Puppet, and Docker. A number of Amazon services are used to host our application; we will cover EC2, Route 53, RDS, Secrets Manager, S3 and DynamoDB. The majority of the coverage will be on the EC2 configuration and how we build and manage our instances.
-
Speakers:
- Mike Simpson, Indiana University
- Ryan Kiser, OmniSOC/ResearchSOC
- Hugh Thomas, Forewarned Inc.
Slides:
Abstract:
OmniSOC and Forewarned present our experiences in the planning and implementation phases of the STINGAR / Forewarned shared threat intelligence platform to deploy and monitor network honeypot sensors on oceanographic research vessels in the US Academic Research Fleet. We’ll discuss 1) the challenges of sensor usage and deployment to monitor threat activity in research infrastructure, 2) operating in remote, bandwidth-constrained locations with limited local infrastructure, and 3) our solution of using commercially available, low-cost Raspberry Pi single-board computers as configurable network sensors.
Participants will explore our system up close as well as see the “world view.” This ranges from the system architecture to the real-world environment of deployed sensors, with images of actual research vessels and the hardware components deployed on board. We will also provide details of software operations, with cyber attack analysis and overall sensor network health. Participants will take away:
> An understanding of how intrusion detection and response systems are deployed in unusual environments.
> Knowledge of the latest honeypot technology and its impact in protecting Higher Ed and Research networks.
> Insight into some of the real-world challenges of protecting truly remote networks with limited connectivity.
-
Speaker:
- Linda Roos, Internet2
Abstract:
The Connector/Network Member BoF brings together regional network representatives to discuss topics of interest such as network automation, networking for cloud, networking infrastructure and other topics of interest. Anyone associated with a regional network is invited to attend.
-
Game Night (Open for All)
Abstract:
Join us for a chance to unwind and get to know your colleagues over a card game or board game. We’ll have some games there, but bring your own favorite if you’d like.
Thursday
-
Abstract:
Advance CAMP (ACAMP) attendees again gather to set the morning’s unconference agenda, with 40 break-out slots up for grabs. Any attendee is welcome to propose a topic. Bring your ideas and your proposals! For more information and the attendee-designed agenda, see ACAMP Unconference 2023.
-
Christopher will provide a demo of the Insight Console, focusing on the Virtual Networks feature. On October 28-29, Internet2 will migrate users from OESS to Virtual Networks.
-
Speakers:
- Chris Wilkinson, Internet2
Abstract:
Chris will talk about the emerging developments on the Internet2 backbone including Cisco and Ciena software upgrades, AOC replacement, resiliency work and ROADMs and the next step beyond transponders.
He will also talk about 400G global connectivity and the collaborations that will enable it, including the expansion of the Atlantic Pacific Research and Education Exchange (AP-REX) to include new consortium members, and the scope of those activities.
We will discuss these initiatives, long-term goals, and how community input and requirements will likely impact the development of the Internet2 core. Finally, he will give you a preview of the upcoming talks by the Internet2 Network Architecture and Planning staff.
-
Speaker:
- James Bennett, Indiana University
Slides:
Abstract:
It is common to need to balance workloads which run across multiple clouds and manage the need to access on-premise resources as well. During this session we’ll discuss a few approaches that Indiana University uses to manage working in a hybrid cloud model. We’ll also discuss how we are leveraging Kubernetes to help take a cloud-agnostic approach to managing our assets so we are ready to deploy in any cloud our workloads require.
-
Speakers:
- Damian Doyle, University of Maryland – Baltimore County
- Tim Champ, University of Maryland – Baltimore County
- Kevin Murakoshi, AWS
Slides:
Abstract:
Getting staff excited about training is often harder than you would think. The same can be true of team and community-building activities. To try and find different solutions to these challenges, UMBC is hosting an AWS GameDay. GameDay is a team-based immersive competitive challenge working with different components of the cloud. It is not only great training, but it’s also a lot of fun. The hope for UMBC is to bring together diverse groups within the Division of IT, and within the IT organizations of neighboring universities, to expand our cloud knowledge and provide a fun and engaging introduction to the cloud for many. In this talk we will go through our approach, how it went, what we took away from it, and our thoughts on using this type of activity to increase the cloud IQ of your teams.
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speaker(s):
- Chad Sorrell
- Jeff Bartig, Internet2
- Chris Tracy, Esnet
Abstract:
Talk 1: In this session, Internet2 will talk about updates on the latest IOS-XR upgrades on the core network. We will also go over design and architectural changes being discussed on the core network and the International Exchange Points.
Talk 2: TBD
Talk 3: This talk will discuss a successful demonstration of transporting 400GE client signals over a distance of approximately 4,600 km using two 200G wavelengths on production infrastructure, without the need for regeneration. The public demonstration, which took place at OFCnet in March 2023, was a collaboration between commercial vendors and NRENs to support high-performance network applications from academia. The demonstration showcased the capabilities of Data Transfer Nodes (DTNs) in effectively using 400G services for data transfer between the OFC show floor and the Starlight data center in Chicago.
Please see the OFCnet architecture diagram for reference, which is posted publicly at ofconference.org
-
Speaker(s):
- Emilio Tissato Nakamura, Rede Nacional de Ensino e Pesquisa (RNP)
Abstract:
Establishing a Security Operation Center (SOC) to improve the security level of research, education and innovation institutions involves a set of capabilities and a holistic approach that integrates different cybersecurity technologies, teams, and processes. The challenges include a distributed environment and multiple layers to monitor, from backbone to services, including cloud and endpoints.
RNP is the Brazilian NREN, and the SOC-RNP improves the overall network security level by maximizing security visibility, providing advanced detection and response, improving security operations, and strengthening the institutions’ security culture through security intelligence. The SOC-RNP is holistic by nature, including basic cybersecurity functions and a set of integrated security technologies that help institutions to understand and organize their cyber risks, prioritizing actions related to threats, vulnerabilities, security incidents, governance, and compliance.
-
Speaker(s):
- Yatish Kumar, Esnet
Abstract:
ESnet has released its FPGA technology for P4 applications research on GitHub for use by the R&E community. In this talk, we will describe the FPGA technology, as well as the containerized gRPC based control plane that can be used to build and attach SDN controllers to the P4 data plane.
Despite the demise of the Tofino chipset, high-level P4 programming is still available to the research community via this platform. We will describe how it can be used on the FABRIC testbed, and discuss some of ESnet’s research use cases built on this platform.
-
Learn about deploying IPv6, RPKI and DNSSEC, keeping your ARIN data accurate, and navigating the IPv4 Transfer Market.
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speakers:
- William Brockelsby & Charles Kneifel, Duke University
- Eyle Brinkhuis, SURF
Slides:
Abstract:
Talk 1: Hybrid SDN Campus Architectures for Agility and Enhanced Cybersecurity:
With the explosion of network-connected devices and heightened awareness of the need for enhanced cybersecurity, many organizations are looking for solutions that provide multitenancy and microsegmentation amid continuously rising network loads. Moreover, in the research and education space, these needs are augmented by the requirement for friction-free connectivity in support of the transfer of research data sets. During this session we describe NSF-funded research conducted at Duke University to augment traditional campus networks with strategically placed Software Defined Networking (SDN) nodes, forming a hybrid network architecture in support of these goals. We then present selected real-world deployment scenarios at Duke University and beyond.
Talk 2: SURF has spent a considerable amount of time developing and implementing an open-source-based NFV infrastructure using Ansible, FD.io VPP and KVM/qemu that ties closely into the SURF network. With our NFV infrastructure, SURF is able to provide additional services for its constituents in a scalable, on-demand, pay-as-you-grow manner, which is ideal for growing services, the rise of cloud services and streaming media.
At TNC ’22 we talked about our NFV-infrastructure and showed the deployment of a virtual firewall from zero to hero. In this talk, we will elaborate on the architecture of our infrastructure and software components, and explain:
– why we decided to develop our own;
– how it all works together;
– what our use cases are;
– our plans for open-sourcing;
– future work like smart NICs.
-
Speakers:
- Matthew Stout, University of California, Office of the President (UCOP)
- George Holbert, University of California, Office of the President (UCOP)
Slides:
Abstract:
The Rewards of Standards and Infrastructure as Code. Join us to hear how the University of California Office of the President leverages Infrastructure as Code (IaC) to make it as easy as possible to deploy in the cloud with security by default.
When an organization starts looking at a major shift to the cloud, many steps are small: pilot a single application, allow teams to learn and discover. However, the more effort you also invest in standards and IaC, the higher the rewards in the long term. Teams can deploy faster and focus more on the services they are delivering without compromising on security.
-
Speaker(s):
- Prasad Calyam, University of Missouri-Columbia
Abstract:
Cloud-hosted services are being increasingly used in hosting business and scientific applications due to cost-effectiveness, scalability, and ease of deployment. To facilitate rapid development, change and release process of cloud-hosted applications, the area of Development and Operations (DevOps) is fast evolving.
It is necessary to train the future generation of application development professionals so that they are knowledgeable in DevOps-enabled continuous integration/delivery automation. In this talk, we present the design and development of our “Mizzou Cloud DevOps platform,” an online self-service platform for learning cutting-edge Cloud DevOps tools and technologies using open/public cloud infrastructures, intended for wide adoption amongst instructors and students.
Our learning platform features scalability, flexibility, and extendability in providing Cloud DevOps concept knowledge and hands-on skills. We detail our “application-inspired learning” methodology, which is based on integrating real-world application use cases into eight learning modules that include laboratory exercises and self-study activities. The learning modules allow students to gain skills in using the latest technologies (e.g., containerization, cluster and edge computing, data pipeline automation) to implement relevant security, monitoring, and adaptation mechanisms.
-
Speaker:
- David Sinn, University of Washington
Slides:
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speaker(s):
- Dennis Cagampan, CENIC
- Joe Metzger, Esnet
Slides:
Abstract:
Talk 1: CENIC provides connectivity to 20 million users across California, including the vast majority of K-20 students, educators, researchers, and individuals at other vital public-serving institutions. Challenges may arise in optimizing the different workloads of a diverse member community in a single network infrastructure environment. In this session, we’ll explore how Segment Routing (SR) Flexible Algorithm can enhance routing decisions on our SR-enabled backbone, resulting in lower latency and optimized traffic distribution. We’ll also discuss the use cases, benefits, and challenges the CENIC team experienced while modeling the solution.
Talk 2: The ESnet Site Resilience Program (SRP) was started in 2022 to improve the way ESnet and our user community think about, quantify, communicate, and manage network resilience. The heart and soul of SRP is joint risk analysis between ESnet and our customers, which feeds appropriate investments to ensure DOE’s mission.
-
Speaker:
- James Bennett, Indiana University
Slides:
Abstract:
During this talk we will discuss how you can put platform engineering concepts to work to help teams scale up the work they do. This involves taking ideas from early development on their machines to running in varied environments as rapidly as possible to help meet business needs.
-
Speakers:
- Garhan Attebury, University of Nebraska – Holland Computing Center
- Greg Gray, University of Nebraska
- Neil Brown, University of Nebraska
- Matthew Long, University of Nebraska
Abstract:
A collaborative group from Research, Networking, and Security will discuss current and emerging needs/trends in the research computing space while considering how to balance enhanced needs for greater information security and compliance. We will discuss the current state of our research computing environment, what the emerging trends/needs are, what the desired end state is, and how we plan to get there.
-
Abstract:
Join us to discuss common topics of interest in network security! This special interest group is open to all.
-
Abstract:
The Internet2-facilitated Higher Ed Azure Advisory Group will host an in-person meeting to get community input on issues important to their successful use of the Azure cloud environment. Bring your challenges, ideas, questions, and feedback for the advisory group and for Microsoft.
-
Abstract:
“The joint APAN/GNA-G Routing Working Group was formed to address global routing issues impacting the performance of international data flows. Since its creation in June 2021, the group has addressed many different routing issues relevant to the R&E networking community: asymmetrical routing, inefficient global routing (e.g. flows crossing the same ocean twice), R&E flows using commodity routes when an R&E path is available, and changes to links impacting how traffic is routed throughout the world. The Routing Working Group is bringing together members of the global REN community (nearly 150 members from over 80 organizations to date) and developing strategies to begin addressing these issues in a more coordinated way. During this meeting we will discuss the current open cases being addressed by the working group, strategies to address future routing anomalies more proactively, and the creation of best practices for public use.”
-
Speaker:
- The perfSONAR Development Team
Abstract:
Members of the perfSONAR development team will be demonstrating prototypes of new data visualization software to replace MaDDash and some experimental dashboards for a future version of the perfSONAR toolkit’s web interface. As always, we can answer your questions on other perfSONAR topics, too.
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speaker(s):
- Ryan Harden, Internet2
- David Wheeler, NCSA
- David Ripley, GlobalNOC
- Patrick Storm, ESnet
Talk 1:
MFA isn’t just for servers and web applications. This panel will discuss how MFA has been successfully implemented on network devices across multiple networks and platforms, some of the common gotchas and hoops, and how you too can make managing your network more secure.
Moderator: Ryan Harden (Internet2)
Panelists: David Wheeler (NCSA), David Ripley (GlobalNOC), Patrick Storm (ESnet)
-
Speaker:
- Joshua Whitlock, University of California, Office of the President (UCOP)
Slides:
Abstract:
Reimplementing an enterprise application with no documentation and an ever-evolving list of requirements leads to inconsistencies and quality issues that will undermine stakeholder confidence. How can you deploy and deliver a consistent, high-quality application no matter how often the requirements change or issues are resolved?
Learn how the University of California Office of the President took control and brought order to the chaotic migration of their vendor-hosted enterprise pension administration application into their self-managed cloud. Learn how a component-based methodology built on principles of IaC and automation allowed for faster, more consistent deployments that could be reused across any number of environments and build combinations.
-
Speakers:
- Tangui Coulouarn, NORDUnet
- Rogier Spoor, SURF
Slides:
Abstract:
Inspired by eduroam, a new VPN service has emerged in Europe. It started in the Dutch NREN, SURF, and soon became a service replacing commercial solutions for many universities. 130+ universities have now replaced their commercial solutions, while 18 NRENs are offering national gateways. How do we do this? How can we learn from and leverage other successes in the community, such as eduroam or eduGAIN?
We believe eduVPN has been successful because of the ease of use – our apps – and because of the trust we built in our NRENs.
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speakers:
- Jeronimo Bezerra, Florida International University
- Renata Frez, Florida International University
- Italo Valcy, Florida International University
- Tiago Monsores, RedCLARA
Slides:
- A Scalable Solution to Detect Microbursts
- Integrated Monitoring Portal for Latin American NRENs
Abstract:
Talk 1: Detecting microbursts is an ongoing challenge for any research and education network (REN) and for commercial internet service providers. Microbursts are sporadic bursts of traffic that occur on very short timescales (hundreds of milliseconds) and most of the time go undetected by conventional network monitoring tools. They impact data transfers and cause costly performance problems in long-haul and regional networks. The topic of detecting microbursts has become increasingly hot with the availability of programmable network devices based on the Intel Tofino ASIC and P4.
However, most solutions leverage the resources in programmable network devices by adding extra stages to the forwarding pipeline, which is not always possible in RENs. RENs, such as Internet2, ESnet, and AmLight, must support a variety of network protocols and functions and can’t always be customized to do microburst detection directly in the forwarding plane. For most network operators, network telemetry solutions and microburst detection are performed out-of-band, leveraging technologies such as In-band Network Telemetry (INT) and traffic mirroring. INT enables network operators to detect microbursts by measuring bandwidth utilization in sub-second intervals.
In previous Internet2 Technology Exchange conferences, AmLight’s experience with instrumenting its production long-haul research and education network with INT was described, including its open-source solution named AmLight INT Collector. During INDIS 2021, with INT enabled, AmLight demonstrated how microbursts are being monitored by measuring bandwidth utilization at intervals of 100 ms to 500 ms. However, during our operation, we learned that even a short interval, such as 100 ms, is not enough to detect some of the microbursts observed. AmLight needed a shorter bandwidth utilization interval to be able to detect double-digit-millisecond microbursts.
Lowering the bandwidth utilization measurement interval below 100 ms incurs multiple tradeoffs: (1) storing massive amounts of data for analysis, even though microbursts are sporadic events; (2) still missing even shorter-timescale microbursts, because of predefined fixed bandwidth utilization measurement intervals; (3) performance issues resulting from increased CPU, I/O and disk space usage, possibly leading to loss of accuracy; and (4) risking impacting network troubleshooting activities due to the delay caused when plotting graphs with tens of thousands of measurement points.
Based on our experience managing the tradeoff between storing granular counters and the bandwidth utilization measurement interval, we believe that an efficient solution should be capable of evaluating the need to store counters, rather than storing them and deleting them later. This is the objective of our adaptive and efficient solution: to collect and process network counters every few milliseconds, but only store them when there is a clear indication of a microburst. Counters are evaluated against a set of operator-defined metrics, for instance the minimum and maximum bandwidth utilization measurement intervals for data gathering, and thresholds to detect a microburst by measuring traffic increases since the last data gathering. Upon microburst detection, the interval between two consecutive data-gathering operations is adapted based on historical measurements. The AmLight INT Collector was enhanced to detect microbursts as small as 20 ms while preserving disk space and CPU cycles. The table below shows an example of 13 microbursts detected, some as short as 20 ms and of multiple Gbps.
Talk 2: Network visibility has always been one of the most requested network features by RedCLARA users. The idea to be aware of everything moving within and through the network should define the new normal. Network visibility makes it possible to:
• Understand where NREN’s (National Research and Education Network) data is and how it is used
• Identify where network traffic is coming from and going to
• Determine what user behavior is normal and abnormal
• Know what software is in use on the network
• Locate vulnerabilities or misconfigurations on the network
• Proactively detect network outages and performance issues
Network visibility covers a lot of ground, but its definition is actually rather simple. The term refers to being aware of everything within and moving through the network with the help of network visibility tools. In this way, network visibility tools are used to keep a close and constant eye on network traffic, monitored applications, network performance, managed network resources and big data analytics, which in turn requires effective and scalable data collection, aggregation, distribution and delivery.
Network visibility, however, is not a passive function as it allows you to exert greater control over all these aspects. The more in-depth, proactive and extensive your network visibility, the more control you have over your network data, and the better you can make decisions regarding the flow and protection of that data.
With this concept in mind, the RedCLARA Network Engineering Group (NEG) and Systems Engineering Group (SEG) have built the Integrated Monitoring Portal (IMP). Its goal is to become the best network monitoring and visualization tool for Latin American NRENs, where users can visualize and analyze network traffic on each of the configured VRFs, network latency, packet errors, packet discards, BGP state and uptime, service availability, number of accepted and denied BGP prefixes, and network alerts, among many others.
NRENs can also visualize information about network flows and therefore determine the most used IP addresses, autonomous systems (AS), services and protocols, detect network threats, and see traffic origin and destination, geolocation information and so forth.
In addition, users can visualize important information about RedCLARA’s backbone. A Network WeatherMap has been included, and each of the international backbone circuits can be monitored using IMP. This brings valuable information to network operators, who demand real-time data for troubleshooting network issues and evaluating network performance. Information about eduroam for each of RedCLARA’s associates is also integrated into IMP.
For increased visibility, an SSH tool was also added to the platform, which allows network operators to perform ping and traceroute from any router of the network, in addition to an extensive subset of show commands that allow visualizing interface status and the operation of a diverse stack of protocols such as IPv4, IPv6, ARP, BGP, IS-IS, MPLS, L2VPN, L3VPN, IGMP, PIM, MSDP, etc.
In recent years RedCLARA NEG has put immense effort into studying, evaluating and implementing the most modern network monitoring, administration and visualization tools, and the Integrated Monitoring Portal can be seen as the consolidation of all this work.
As the TechEX23 audience is comprised of Research and Education network operators, network administrators and network users, we expect this presentation will be interesting to everyone attending this conference.
-
Speaker(s):
- Eliyahu Ben-Shoshan, University of Florida
- Nicholas Cecere, University of Florida
Slides:
Abstract:
This talk will cover how University of Florida IT (UFIT) uses automation tools to deploy and manage both our public and private clouds.
The following tools will be covered:
– HashiCorp Terraform Open Source Software (OSS)
– HashiCorp Vault OSS
– GitLab Continuous Integration / Continuous Deployment (CI/CD)
Along with the following public and private clouds:
– AWS
– Azure
– VMware private
-
Speakers:
- Sven Gabriel, Nikhef/EGI
- David Crooks, STFC UKR
Slides:
Abstract:
Dozens of compute sites were targeted by an allegedly malicious payload and got drawn into an investigation of a large-scale incident. Hundreds of mails were exchanged among the sites, the coordinating EGI CSIRT and various infrastructure service providers, from which the blue team was trying to gradually build the overall picture of the incident and keep all the parties informed. In the meantime, the red team had to fix outages of the attacking infrastructure, making sure the exercise could proceed smoothly. The main purpose of the exercise was to challenge current procedures and their usability.
As an additional component, a CTF-like game was prepared for site admins experienced with security operations, guiding the attendees through an essential forensic investigation of the payload.
Here we will provide an overview of the whole activity and will summarize findings and feedback. We will discuss organizational aspects and our experience, and how we demonstrated the importance of a close and maintained collaboration between the relevant security teams to bridge European and US operational security for the WLCG and EGI.
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speakers:
- JoAnne Bender, Internet2
- Dale Carder, Esnet
- Daniel Doyle, Esnet
Slides:
- Leveraging Coherent Optics and Open Line Systems in Production Scenarios
- Empowering Measurement Users at ESnet
- Minding our MANRS
Abstract:
Talk 1:
In this session, we will be providing an overview of the coherent pluggable optics that Internet2 is focusing on deploying in our production network. Topics will include deployment strategies, challenges, practical considerations, and how these will shape how Internet2 provides connectivity inside and outside our network.
Talk 2:
The R&E networking community has increased its focus on routing integrity, and ESnet was able to join MANRS (Mutually Agreed Norms for Routing Security) as an early participant. We’ll describe how we implement BCP38, use PeeringDB, the Internet Routing Registry (IRR) system, and open source tools like bgpq4 as part of our network automation, and where we will need to pay attention next. As our RPKI deployment proceeds, there will also be an update on our trials and tribulations in dealing with ARIN as a governmental entity holding legacy address space.
Talk 3:
Come hear how ESnet has worked to put more of its portfolio of network measurement collection and analysis capabilities directly – and securely – into the hands of users. These services and APIs are built around ESnet’s Stardust measurement platform and allow users not only to view data about the network, but also to control how data is visualized and reported on. Learn about how these themes also extend into some of the open source and community efforts that ESnet is involved in, with technologies and patterns inspired by the successes in Stardust.
Being more of a philosophical approach rather than a single technology or implementation strategy, we will be touching on several topics over the course of this talk. Each topic will focus on where this need came from, our approach to delivering on the need, lessons learned along the way, and where we see it growing in the future.
– The need to collect a variety of data and metadata from different sources using different protocols, as well as the ability to react quickly to changes in user needs
– The growing need at ESnet for custom network maps targeting a range of different end users and goals, such as engineering diagrams, outreach maps, or marketing and overmap maps
– ESnet’s use of Grafana Enterprise to provide federated authentication and filtered views of network data for external users
– Community benefit in Netsage and perfSONAR from open sourced data collection pipelines and storage based on lessons learned from Stardust
Central to all of these topics is the idea of Zero Trust. As we work to make these services more multi-tenant capable and available to a broader segment of users, we must be able to consistently authenticate and authorize these users to ensure that they are only able to see and make changes to appropriate data. We will touch on some of the current and future efforts in this space as well.
By providing users with increased ability to see and manipulate information about the network, we hope to optimize many workflows by removing dependencies on developer or network engineer cycles while simultaneously freeing those resources up to work on other high impact items.
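The MANRS talk above lists BCP38 ingress filtering and RPKI as the routing-integrity controls ESnet is rolling out. The following added example (not ESnet's tooling, and not code from this page) shows the two checks a router or validator actually performs: RFC 6811 route origin validation against a set of ROAs, including the AS0 "nobody may originate this" case, and a BCP38 source-address check on a customer port. All prefixes, ASNs and ROAs are constructed from documentation ranges (RFC 5737, RFC 3849, RFC 5398); nothing is taken from a real RPKI repository.

```python
"""Route Origin Validation (RFC 6811) and a BCP38 ingress check over constructed data.

Added example; not ESnet's tooling. ROAs, prefixes and ASNs below are
constructed from documentation ranges (RFC 5737 / RFC 3849 / RFC 5398).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # ROA prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorizes
    asn: int          # authorized origin AS; 0 means "no AS may originate this"


# Constructed ROA set (hypothetical, not from any RPKI repository).
ROAS = (
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
    Roa("203.0.113.0/24", 24, 0),   # AS0 ROA: the prefix must not appear in BGP at all
)


def rov_state(announced: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement.

    RFC 6811: a ROA *covers* the route if its prefix contains the announced
    prefix; it *matches* if it covers, the announced length is <= maxLength
    and the origin AS equals the ROA's AS. Any match -> valid; covered but no
    match -> invalid; no covering ROA at all -> not-found.
    """
    net = ipaddress.ip_network(announced, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def bcp38_permits(src_ip: str, customer_prefixes) -> bool:
    """BCP38 ingress filter: accept a packet arriving on a customer port only
    if its source address lies inside a prefix assigned to that customer."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    cases = [("192.0.2.0/24", 64496),      # exact ROA match
             ("192.0.2.0/25", 64496),      # more specific than maxLength
             ("192.0.2.0/24", 64497),      # wrong origin AS
             ("198.51.100.0/24", 64496),   # no ROA covers it
             ("2001:db8:1::/48", 64496),   # IPv6, within maxLength
             ("203.0.113.0/24", 64496)]    # covered only by an AS0 ROA
    for prefix, asn in cases:
        print(f"{prefix:18} AS{asn}: {rov_state(prefix, asn)}")
    print("BCP38 permit 192.0.2.7 from 192.0.2.0/24:",
          bcp38_permits("192.0.2.7", ["192.0.2.0/24"]))
```

The "invalid" results are the ones a MANRS participant's filters should drop; "not-found" is the common state for prefixes with no ROA yet and is normally accepted, which is why publishing ROAs for legacy space matters as much as validating.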
-
Speakers:
- Renata Frez, Florida International University
- Jeronimo Bezzera, Florida International University
- Italo Valcy, Florida International University
Slides:
Abstract:
Cloudflare, show that attacks aimed at Government and Research & Education facilities have been increasing in recent years.
As an International Research and Education Network, AmLight supports different science drivers in the USA, Latin America, and Africa, providing academic and commodity connectivity. While some science drivers have a robust infrastructure with multiple 100 Gbps connections, some still have 10 Gbps or less. For some connectors, a 1 Gbps attack is enough to disrupt operations. Because of this range of connector sizes, DDoS event signatures must be tailored to each connector, and doing so must be scalable and effective. As a result, a multi-tier solution is being deployed to handle the different scenarios.
The DDoS Detection/Mitigation Model at AmLight consists of three levels: Tier 1 – mitigates large-scale attacks; Tier 2 – mitigates small-scale attacks; and Tier 3 – mitigates at-scale attacks at the source.
The Tier 1 layer is AmLight’s first defense against DDoS events. Tier 1 aims to detect and mitigate large-scale attacks by leveraging the DDoS scrubbing service provided by AmLight’s primary upstream provider. The upstream provider performs a scrubbing process. As a result, DDoS events are detected and mitigated after a few seconds. The upstream provider’s DDoS mitigation solution requires no equipment on-premises and is charged per minute of mitigation. Currently, AmLight pays for 500 minutes per month. The Tier 1 layer has some pitfalls: the solution runs only on one upstream provider; AmLight pays to mitigate small-scale attacks that could otherwise be handled internally; during smaller-scale DDoS events, the Tier 1 layer might not detect the issue, and manual mitigation is required, which leads to longer impacts to connectors.
To address the pitfalls from Tier 1, AmLight built a Tier 2 layer, a second layer of defense against DDoS events. Tier 2 leverages a cloud-based DDoS detection solution. Tier 2 detects DDoS events leveraging NetFlow samples exported by AmLight border routers. Once the Tier 2 DDoS detection solution detects an event, the solution pushes instructions to AmLight border routers to drop or rate-limit the traffic based on fully customizable signatures. The instructions are pushed using BGP FlowSpec. Tier 2 enables federation by allowing AmLight connectors to access the interface and create/manage signatures that will be applied only to their interfaces.
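The Tier 2 description above is a pipeline: sampled NetFlow from the border routers, per-connector detection, and a BGP FlowSpec rule pushed back to the routers, with each connector allowed to manage only signatures for its own interfaces. The following added example (not AmLight's deployment or code from this page) walks that pipeline over constructed flow records. The connector names, prefixes, capacities, 1:1000 sampling rate and flow records are all assumptions; the rule text follows the shape of an ExaBGP "flow" stanza and is an assumed syntax to be checked against the controller actually in use. The point it makes is the one the abstract stresses: the same 576 Mbps flood alarms at a 1 Gbps site and is noise at a 100 Gbps site.

```python
"""Tier-2-style DDoS detection over sampled flow records, emitting BGP FlowSpec rules.

Added example, not AmLight's deployment. Connectors, prefixes, capacities,
sampling rate and flow records are constructed; the rule text is an
ExaBGP-style "flow" stanza (assumed syntax).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SAMPLING_RATE = 1000   # assumed 1:1000 packet sampling on the border routers
WINDOW_SECS = 10       # detection window the records below are drawn from

# Hypothetical connectors: name -> (assigned prefix, access capacity in Gbps).
CONNECTORS = {
    "small-site": ("203.0.113.0/24", 1),
    "large-site": ("198.51.100.0/24", 100),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int   # 17 = UDP, 6 = TCP
    dport: int
    octets: int  # sampled bytes in this record


def connector_for(dst: str):
    """Map a destination address to the connector whose prefix contains it."""
    addr = ipaddress.ip_address(dst)
    for name, (prefix, _) in CONNECTORS.items():
        if addr in ipaddress.ip_network(prefix):
            return name
    return None


def threshold_bps(connector: str, fraction: float = 0.5) -> int:
    """Per-connector alarm level as a fraction of that connector's capacity,
    so a 1 Gbps site alarms long before a 100 Gbps site would."""
    _, gbps = CONNECTORS[connector]
    return int(gbps * 1e9 * fraction)


def aggregate_bps(flows):
    """Scale sampled octets back up by the sampling rate and convert to an
    estimated bit rate per (connector, destination, protocol, dest port)."""
    octets = defaultdict(int)
    for f in flows:
        conn = connector_for(f.dst)
        if conn is not None:
            octets[(conn, f.dst, f.proto, f.dport)] += f.octets
    return {k: v * SAMPLING_RATE * 8 // WINDOW_SECS for k, v in octets.items()}


def detect(flows):
    """Return [(connector, dst, proto, dport, bps)] for aggregates above threshold."""
    return [(conn, dst, proto, dport, bps)
            for (conn, dst, proto, dport), bps in aggregate_bps(flows).items()
            if bps > threshold_bps(conn)]


def tenant_may_manage(tenant: str, dst_prefix: str) -> bool:
    """Federation check: a connector may only install rules whose destination
    lies inside its own assigned prefix."""
    prefix, _ = CONNECTORS[tenant]
    return ipaddress.ip_network(dst_prefix).subnet_of(ipaddress.ip_network(prefix))


def flowspec_rule(dst: str, proto: int, dport: int, action: str) -> str:
    """Render one FlowSpec rule as ExaBGP-style text (assumed syntax);
    action is e.g. 'discard' or 'rate-limit <bytes per second>'."""
    proto_name = {6: "tcp", 17: "udp"}.get(proto, str(proto))
    return "\n".join([
        "flow {",
        f"  route mitigate-{dst.replace('.', '-')}-{dport} {{",
        "    match {",
        f"      destination {dst}/32;",
        f"      protocol {proto_name};",
        f"      destination-port ={dport};",
        "    }",
        "    then {",
        f"      {action};",
        "    }",
        "  }",
        "}",
    ])


def sample_flows():
    """Constructed records: the same UDP/53 flood at one host in each
    connector, plus ordinary HTTPS traffic at the small site."""
    flood = [Flow("192.0.2.1", "203.0.113.10", 17, 53, 1200) for _ in range(600)]
    flood += [Flow("192.0.2.1", "198.51.100.10", 17, 53, 1200) for _ in range(600)]
    web = [Flow("192.0.2.2", "203.0.113.20", 6, 443, 1200) for _ in range(50)]
    return flood + web


if __name__ == "__main__":
    for conn, dst, proto, dport, bps in detect(sample_flows()):
        print(f"{conn}: {bps / 1e6:.0f} Mbps to {dst} proto {proto} port {dport}")
        print(flowspec_rule(dst, proto, dport, "rate-limit 12500000"))  # 100 Mbps in bytes/s
```

Before pushing a rule, run it through tenant_may_manage() for the requesting connector; that single check is what keeps a federated signature interface from letting one connector rate-limit another's prefixes. Thresholds expressed as a fraction of capacity are the simplest form of the per-connector tailoring the abstract describes; a production deployment would also key on packets per second and on baselines per service.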
-
Speaker(s):
- Jay Hulslander, Cornell University
Slides:
Abstract:
This presentation will discuss how we merged an agile development team with a cloud DevOps team: some of the reasons that prompted the merge, our trials and tribulations during it, and some of the benefits we reaped from it.
-
Speaker:
- Mark Feit, Internet2
Abstract:
Software development within R&E has been a big factor in many of its most important innovations. Developers who understand networking are a rare commodity and often a product of the community. To assist in growing those developers’ technical proficiency and industry awareness, this BoF provides a casual forum for short talks on a wide variety of topics, with an emphasis on the design, evaluation and development of software solutions in network engineering or operations settings.
Friday
-
Abstract:
Advance CAMP (ACAMP) attendees again gather to set the morning’s unconference agenda, with 40 break-out slots up for grabs. Any attendee is welcome to propose a topic. Bring your ideas and your proposals! For more information and the attendee-designed agenda, see ACAMP Unconference 2023 (opens in a new window).
-
Abstract:
During these breakout sessions, groups will be meeting in:
Breakout Room #1: Marquette I
Breakout Room #2: Marquette II
Breakout Room #3: Marquette III
Breakout Room #4: Marquette IV
Breakout Room #5: Marquette V
-
Speaker(s):
Coming soon…
Abstract:
Coming soon…
-
Speaker(s):
Coming soon…
Abstract:
Coming soon…