
(forw) Re: Network.



for your information regarding networking
--- Begin Message ---
On Tue, 21 Jun 2005, Jesus Climent wrote:

On Tue, Jun 21, 2005 at 08:48:55AM +0300, Veijo Kylaverkko wrote:

On Mon, 20 Jun 2005, Jesus Climent wrote:

So, basically, we need info about the network link we are getting in Smokki,
and the link between the buildings (Computer Sciences department, Smokki and
Otaz) since the servers will be located in the basement of the Otaz building.

The HUT computing centre network administrator did not know about these
servers and we need to talk with him about this. His email is
kimmo.laaksonen@hut.fi.

I mentioned to the head of the HUT network services that we were in need of
setting up some servers, and that we would set them either in Smokki, the
Computer Sciences department or in one of the Otaz buildings. We have decided
on the last one due to logistic reasons: Smokki is too busy with 200+ people
wandering around, CSD is going to be our conference centre (so no 24 access).

Hello,

Greetings from me, too. I'm sorry you've been left out of the circulation.
We had a meeting with Heikki Arppe from the CS dept & our chief of
IT security at the Computing Centre (that's right, it's still Computing,
not Computer, or IT services :-). Based mainly on restrictions
to outsiders' access to network we came to a conclusion that
we set up a separate subnet from HUT's B-class network (130.233/16)
for you. (As to the size we haven't yet decided about that. What's
your estimate? 1 (256 addrs) or 2 (512 addrs) C-classes? 2 consecutive
can be allocated easily. Anything larger, like 4 C-classes, is harder
to find.)

This subnet we will distribute as a Layer 2 network to the CS dept
building, where they can further distribute it to the required RJ45
connectors. BTW, are the participants bringing RJ45 patch cords with them?
We, meaning mainly CS dept, can perhaps loan them, but I guess
they'd get only some of them back. Not to say you people are
dishonest. Patch cords are just like ballpoint pens, you simply
forget to return them :-) On the other hand, in some places you'll
probably need longer patch cords which people don't usually carry
with them. That's all about the network in the CS dept building. I'll return to the restrictions (ACL's) later.

We discussed about the possibility of distributing the same subnet as
a Layer 2 network to Smokki. It would certainly make it easier to move
between CS dept building and Smokki, as the same network
configuration would be valid in both places. Our IT security required
that we build "a private link" between the CC and Smokki.
Transporting anything through TKY networks, even in 802.1q Layer 2
trunks, is out of the question. Fortunately there is a lot of dark
fiber between CC and TKY. I've discussed about this with Tommi
Saranpaa from TKY, and it seems we can set up this link, too. OK?

The basement of the Otaz building has a very accessible switch, which we will
have access to (only selected infrastructure people) and rooms with
ventilation.

I just discussed with Tommi, and he suggested that they (TKY) distribute
(with "private links", ie. separate fiber) the same subnet to Otaz
dormitory building. That seems ideal to me. No hassles with changing
network configuration when moving with a laptop between Otaz, Smokki,
& CS dept building. OK?  (I guess the question about 1 or 2 C-classes
is irrelevant now. You'll probably need at least 512 addresses.)

Your servers can be in the TKY network. HUT network ACLs have to be so that
you can access your servers from the HUT network.

That would be needed. Would it be possible to set them so that we can access
specific IP addresses, on specific ports?

Also, we would like to know the speed of the network links between the
buildings, to plan the video streaming: If it can be done (for speed limits,
for topology limitations,...)

Layer 3, eg. routing for the subnet, will be from our central routers
at the main building. The link to the CS dept building is a 1 G
trunk with CS nets. I'm not sure if we have a 1 G port free for
the "private link" (eg. access) to TKY for distribution to Otaz &
Smokki. I think Smokki probably has to do with 100 M. Tommi can
clarify (something to do with the fibers terminating to a part
leased to outsiders, with just Cat5 copper available to your
part). So it seems at worst you'll have 100 M links in Smokki
and Otaz, 1 G shared in the CS dept building. All switches
are non-blocking, best effort, so packet loss is possible
during intense bursts.

Also, for smokki, which we will be using as a code-lab, we need to know how
many ethernet plugs we will be getting there, to plan the network topology,
and if the network there (which we will be getting fixed ip addresses, if i
remember right) is connected to the dorm (Otaz) or is in an independent
network.

There are around 4 plugs altogether. So you will need a switch or wavelan
access point.

An Intel representative is coming by the end of next week (29 or 30) to start
planning the network in Smokki. He is bringing some 10/20 APs and some
switches to prepare a complete network.

That's great. We (CC) promised to loan a HP4000M (max. 80 10/100 RJ45 ports)
for Smokki, but you won't probably need that. As to the APs: forget about
them. It's strictly forbidden to connect a WLAN Access Point directly to a
"wired" HUT network! There are no exceptions to this rule. I warn you now that should it come to our (CC's) knowledge that you (organizers) or participants have acted against this rule, your network will be disconnected! Please, wired access only!

From Smokki to the Otaz buildings, is it the same unrestricted network or are
there some firewalls in between? What network link do we have between those two
buildings?

If we proceed as defined above, there will be no restrictions within the
whole subnet (full Layer 2 access!). Internally you can run whatever
services (whatever protocols, even non-IP!) between the clients (laptops)
and the servers.

Also, we need to know the exact firewall access we will be getting since some
services will be provided to the users in debconf/debcamp: ldap accounts in
our servers, mail routing (unless TKY/TKK forces us to use their mail
gateways), sfs (secure fs) for remote audio/video recording,...

Do you mean the access between HUT network and TKY network? Or do you mean
ACLs to internet?

The servers will be located in the basement in Otaz, so we need to access
those servers providing ldap/ssh from TKK's Comp. Sc. Dept. building. Is that
possible?

Re previous chapter, no problem with that.

Now the hard part: the firewall, or rather Cisco ACLs for your subnet.
It'll be based on general network access policies, with some added
restrictions, because you are outsiders.

First of all: there can be no access from outside (Internet or even
HUT) to the servers within. So they are for internal use only (with
no restrictions inside your subnet). The ACL towards your subnet
will pass through TCP sessions initiated from within (subject to
further restrictions at our Internet interfaces; I'll explain later).
Some "technical" protocols are let through: DNS queries, NTP, active
FTP data connection, "traditional" UDP traceroute, basic ICMP (eg.
ping). Anything else is denied. This is quite a standard setup for
workstations within HUT.

Second: we will apply the same ACL to traffic from your subnet as to
traffic coming in from the outside world (you are outsiders :-).
That means that only servers/services within HUT that are open
to the outside are accessible. The only difference will be that
any traffic NOT addressed to HUT networks will be let through
to the third level: the ACL towards Internet. You sent in May a
list of protocols/ports you would like to get through. I'll
comment on that:
- ssh (TCP 22), OK (allowed from any HUT addresses already)
- http (TCP 80) OK ( -"-); ports TCP 8000, 8001, 8080, too
- https (TCP 443) OK ( -"- )
- ftp TCP 21 only (for connecting to an outside ftp server;
  in active mode the server will connect back from port TCP 20
  to an upper port, see above)
- irc (TCP 6667) OK (I guess irc should work with TCP only;
  UDP would make things very complicated)
- imap(s) (TCP 143/993) OK
- pop3(s) (TCP 110/995) OK
- jabber (TCP only 5222) OK
- rsync (TCP only 873) OK
- nntp(s) (TCP 119/563) OK
As you'll notice I've left out smtp. Smtp is blocked at the
border, except from eg. our smtp farm. This is to prevent
viruses spreading via smtp direct from workstations (viruses don't
know how to use a smarthost). I suggest you route all
smtp through smtp.hut.fi, too.

Does this satisfy your needs? Some adjustments are possible,
but for example the rule that you can't set up any servers
directly accessible from the Internet is non-negotiable. So
you'll have to use some kind of "push" techniques (with
the ports open at the third level) to publish anything
developed during the conference. Sorry.

Some technical details: we'll register all IP addresses
within your subnet into HUT DNS's with a "generic" name
like aXXX-XXX-XXX-XXX.debconf.hut.fi. These can be updated
(at least for servers) later. Just mail to hostmaster@hut.fi.
I'll let you know the IP's ASAP. I'll include the addresses
reserved for routers. They'll have our "standard" names in DNS
without debconf. The routers (with Cisco HSRP enabled) usually
take 3 addresses; probably we'll allocate the first 3 in
the subnet.

HUT DNS servers are at IP's 130.233.224.1 & 130.233.224.13.
HUT NTP service is at IP 130.233.224.2.

You'll have to set up a DHCP server. We strongly suggest that
you set it up so that the participants get a fixed IP bound
to their Ethernet MAC address, say at the registration.
No dynamic pool, please. Some of the premises are open to
general public, and you wouldn't want to watch out for
non-participants. (IP bound to MAC is a very weak security
measure, but the lack of dynamic pool makes it at least
harder to get instant access.)

Now I'll be leaving for the midsummer holiday. I'll be back
on Monday the 27th. If you have any more questions, requests
&c, please email us. tietoliikenne@tkk.fi is a list address
to reach datacomm persons at the CC. For TKY related matters
(Smokki, Otaz) verkko@tky.hut.fi reaches their datacomm persons.
As to matters concerning CS dept building, I don't know anything
better than Heikki.Arppe@tkk.fi directly.

Best regards and welcome to Otaniemi,

Kimmo Laaksonen
Data communications
Computing Centre
TKK, Helsinki University of Technology


We need to know all these issues as soon as possible, since we are starting to
get people to Helsinki to get everything ready as soon as next week.

Send reply also to Kimmo Laaksonen so that he knows what is going on.

Thank you very much for the help provided, and for your prompt answer.

PS: If you think a face to face meeting would solve the issues at hand in a
faster way, please, call for a meeting on one of your free slots, and we can
talk about the matters.

Thanks!

--
Jesus Climent                                      info:www.pumuki.org
Unix SysAdm|Linux User #66350|Debian Developer|2.6.10|Helsinki Finland
GPG: 1024D/86946D69 BB64 2339 1CAA 7064 E429  7E18 66FC 1D7F 8694 6D69

Thank you for pressing the self destruct button.
		--[Computer] (Spaceballs)



--- End Message ---
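The three-level ACL policy Kimmo describes above, written out as Cisco IOS extended access lists. This is an added illustration, not HUT's actual router configuration: the subnet wildcard 130.233.X.0 0.0.1.255 (two consecutive C-classes) and SMTP_HUT_FI_ADDR are placeholders, since the real addresses were never posted in the thread.

```cisco
! Placeholders, NOT real assignments: 130.233.X.0 0.0.1.255 stands for the two
! consecutive C-classes of the DebConf subnet; SMTP_HUT_FI_ADDR for smtp.hut.fi.
! IOS ACLs are stateless: "established" only matches TCP segments with ACK/RST set.
!
! Level 1: applied on the router interface facing the subnet (towards the laptops
! and servers). No new connection from outside ever reaches a server inside.
ip access-list extended DEBCONF-TOWARDS-SUBNET
 remark return traffic of TCP sessions initiated from within
 permit tcp any 130.233.X.0 0.0.1.255 established
 remark DNS replies and NTP
 permit udp any eq domain 130.233.X.0 0.0.1.255 gt 1023
 permit udp any eq ntp 130.233.X.0 0.0.1.255 eq ntp
 remark active-mode FTP: the outside server connects back from TCP 20
 permit tcp any eq ftp-data 130.233.X.0 0.0.1.255 gt 1023
 remark what ping and a traditional UDP traceroute need to see
 permit icmp any 130.233.X.0 0.0.1.255 echo
 permit icmp any 130.233.X.0 0.0.1.255 echo-reply
 permit icmp any 130.233.X.0 0.0.1.255 time-exceeded
 permit icmp any 130.233.X.0 0.0.1.255 port-unreachable
 remark anything else is denied, logged so the CC can see attempts
 deny   ip any any log
!
! Level 3: applied to traffic from the subnet at the Internet border. Level 2
! (the subnet treated like the outside world towards HUT servers) is HUT's
! existing border ACL and is not reproduced here.
ip access-list extended DEBCONF-TO-INTERNET
 remark SMTP only via the campus smarthost; direct SMTP from laptops is blocked
 permit tcp 130.233.X.0 0.0.1.255 host SMTP_HUT_FI_ADDR eq smtp
 deny   tcp 130.233.X.0 0.0.1.255 any eq smtp log
 remark the services from the May list
 permit tcp 130.233.X.0 0.0.1.255 any eq 22
 permit tcp 130.233.X.0 0.0.1.255 any eq 80
 permit tcp 130.233.X.0 0.0.1.255 any eq 8000
 permit tcp 130.233.X.0 0.0.1.255 any eq 8001
 permit tcp 130.233.X.0 0.0.1.255 any eq 8080
 permit tcp 130.233.X.0 0.0.1.255 any eq 443
 permit tcp 130.233.X.0 0.0.1.255 any eq 21
 permit tcp 130.233.X.0 0.0.1.255 any eq 6667
 permit tcp 130.233.X.0 0.0.1.255 any eq 143
 permit tcp 130.233.X.0 0.0.1.255 any eq 993
 permit tcp 130.233.X.0 0.0.1.255 any eq 110
 permit tcp 130.233.X.0 0.0.1.255 any eq 995
 permit tcp 130.233.X.0 0.0.1.255 any eq 5222
 permit tcp 130.233.X.0 0.0.1.255 any eq 873
 permit tcp 130.233.X.0 0.0.1.255 any eq 119
 permit tcp 130.233.X.0 0.0.1.255 any eq 563
 remark outbound ping; everything else is dropped
 permit icmp 130.233.X.0 0.0.1.255 any echo
 deny   ip any any log
```

Because the first list only admits TCP segments that already carry ACK/RST, a server inside the subnet can never receive a SYN from outside, which is exactly the "internal use only" rule in the message.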
