OPS Forum 25.06.2010 OPS/EOP Collaboration for EO Connectivity

EOP/OPS Collaboration on EO Connectivity Services OPS-E Forum – 25 June 2010 C. Silvagni & A. Rodríguez (OPS-ERO)

Agenda
Background/Context (AR)
OPS-ERO role
OPS/EOP collaboration
WAN Connectivity Activity (CS)
Evolution Activity History
Overview Of Current EO WAN Network & New EO WAN Services
Service Level Agreements & Key Performance Indicators
Network Migration Approach & Schedule
Evolution Activity Management & Challenges
EOP IP-VPN Evolution
Q&A (AR-CS)

Background / Context (1)
OPS-ERO’s multiple role at ESRIN:
Provision of Corporate ICT services to ESRIN users.
Provision of Technical services
Management of evolution activities for local ESRIN customers
EOP-G is the main OPS customer at ESRIN for Technical Information Systems, mainly on
connectivity-related services and activities
OPS/EOP relationship
OPS-ERO provides support to EOP on:
Operational Service Management (ODAD-NS, through OSP)
Definition (SoW), negotiation and phase-in of new Operations & Maintenance contract for the NET work package
OPS-ERO leads the EO NW transformation
Relationship is regulated through
SLA for corporate and technical services
Two-Year Work Plan for evolution activities
Agreed EAD and EAP for each activity

Background / Context (2)
Guidelines
Prepare for an end-to-end LAN managed service
Consolidate WAN connectivity in a unique commercial provider. Current service is based in several academic providers (NRNs) and a commercial service (Comnet, by OBS)
Develop technical capability to satisfy new-mission requirements (high capacity, SLAs, near-real time)
Transformation Plan
EO PDGS NW upgrade at ESRIN: B11 re-cabling and LAN infrastructure upgrade (completed)
EO WAN service Set-up (Interoute), migration (replacement of NRNs and Comnet), and integration in O&M framework contract (On-going)
Consolidation of EO FWs and rationalisation of legacy infrastructure
EO LAN harmonisation in remote sites
Tender for LAN managed service integrated in O&M contract (through “best practices” mechanism)
EO WAN connectivity upgrade to support new generation missions (GSC/Sentinel) data circulation and dissemination
EO Connectivity Roadmap

EO WAN Upgrade Drivers & Objectives
Drivers
Highly Availability
Single Service Level Agreement
Increase performance & reliability
Stringent time response requirements
Network simplification (Design and Operations; M&C, Reporting)
Objectives
Consolidation of ODAD & COMNET
Deployment of centralized Internet service
Modular design
Removal of obsolete elements
Increase scalability factor
Migration of existing Public IP Addresses space into ESA Addresses

EO WAN Upgrade Scope
EO Facilities
The WAN infrastructure at the following thirteen EO Facilities will be migrated to the new WAN provider:

Evolution Activity History 1/2
May-June 2009 RFI – Market Analysis
September 2009 RFI Results – EOP Management Decision
November 2009 WAN Restricted Tender Issued
December 2009 - March 2010 Formalized OPS-ERO EOP-GS activity -Evolution Activity Plan
January-March 2010 ESA-Interoute Negotiation
24th March 2010 Signed Contract ESA-Interoute
April 14th 2010 Evolution Activity Kick-Off Meeting

Evolution Activity History 2/2
Market Analysis
The goal of the request for information was to provide a description of the network infrastructure,
operating model, SLA and ROM costs for the installation and operations of a single WAN
infrastructure based on the following:
IP-VPN and Internet connectivity services for the EOP facilities with access lines that support 10Mbps, 34Mbps, 100/155Mbps, 1Gbps, 2Gbps, >2Gbps bandwidths
The RFI was issued to the following twelve network providers:
Telefonica British Telecom
T-Systems Level 3 Communications
AT&T Deutsche Telecom
Telecom Italia Orange Business Services
Global Crossing Colt
Verizon Business Interoute

Interoute: The New EO WAN Provider 1/2
Interoute:
Is one of the Pan-European network carriers considered by Gartner
Is fully owned by the Sandoz Family foundation (Swiss)
Is competitively positioned to carriers able to deliver the services being sought (e.g. Global Crossing, Colt)

Interoute: The New EO WAN Provider 2/2
Interoute's Strengths
Interoute has an extensive fibre network (intercity and metropolitan), in Western and Eastern Europe. The backbone has been upgraded to multiple 10G Ethernet.
It has strengthened its service portfolio and delivery, including WAN optimization solutions and further enhancements to self-service automation in areas such as delivery and configuration.
Interoute offers strong processes for developing service components, and an extensive component library that enables a wide range of custom-made network-centric solutions, including vertical industry solutions for sectors such as media and publishing.
It has a strong portfolio of network-based communication applications, including site-to-site and public IP voice.
Cautions
In some smaller European markets, deep in-country coverage is still missing, affecting pricing and service levels for enterprises with requirements in these markets.
Interoute is focused on network-based solutions and has limited capability in the area of customer premises-based services, such as managed LAN or IP PBX.
(Source: Gartner, December 2008)

Overview Of Current EO WAN Network 1/5 Private VPNs over NRENs (ODAD) ComNet

Overview Of Current EO WAN Network 2/5 The ODAD & COMNET networks are deployed at the following EO Facilities:

Overview Of Current EO WAN Network 3/5
COMNET Main Characteristics
ESACOM is the ESA wide IP-VPN, based on MPLS and end-to-end managed service
The EO COMNET is a subset of the ESACOM IP-VPN and consists of two IP-VPN communities.
Full meshed ENVISAT IP-VPN community to interconnect ENVISAT networks among EO centres
Full meshed ERS-TPM IP-VPN community to interconnect ERS networks among EO centres
5 Classes of Service (CoS) for congestion control and traffic prioritization. Two classes are configured (D1 and D2; D3, RTvo, RTvi not configured)
SubVPN setup on CE routers in case of multiple IP-VPN communities configured within the same site
Guaranteed connectivity with commercial SLAs (Service Availability / MTTR), max Round Trip Delays, Packet Loss, etc.
Low bandwidth transfer rates i.e. 32Kbps – 512Kbps

High-speed IP-VPN over Internet among EO facilities
Access to EO servers within EO DMZs
IP addresses used within EO DMZs are owned by ISP
No SLA
Eight individual contracts and term and conditions to
manage
Typical EO firewall infrastructure Research Internet Access Service Main Characteristics

Secure IP network access from remote locations to the Payload Data Ground Segment (PDGS) systems connected within the EO networks.
RAS service provided to the EO industrial community in support of the execution of their contractual tasks from their own companies’ premises.
Two types of secure network access to the EO PDGS systems are provided to EOP contractors:
LAN to LAN: contractors use systems connected to a trusted remote LAN
PC to LAN: contractors use PCs connected to the Internet, according to the specific security
policy (e.g. protocols, etc.)
IPSec tunnels over the Internet: no guaranteed bandwidth / performance
LAN-to-LAN tunnels authentication based on RAS service provider’s PKI infrastructure
PC-to-LAN authentication based on strong authentication (double factor) via RSA tokens
Network Remote Access Services (RAS) Characteristics

New EO WAN Service 1/8
EO WAN Services
IP-VPN
Single Access & Dual Homed Access
Multi-Service
QoS
Internet Central
Redundant Central Firewall
Remote Access
LAN-to-LAN
Token Based
Distributed Denial of Service Protection
DDoS Attack Detection & Mitigation

Single & Dual Homed IP-VPN
Offers single or dual connectivity to the Interoute MPLS backbone at high or low access speeds allowing the interconnection of multiple IP-VPN communities which will have the capability to run a range of features such as Quality Of Service (QoS), Multi-VPN and IPSLA for performance tracking.

Multi-Service CPE This functionality is available at each site and sites can be part as many of the Multi-VPN instances as required. No Connectivity is permitted between VRF instances – Each instance is a completely isolated IPVPN ENVISAT IP VPN ERS-TPM EOP Internal LAN Local Internet Breakout Internet New EO WAN Service 3/8 ESACOM MPLS/VPN Network

QoS
Interoute offer 4 Levels of QoS. The RP+M queue is reserved by Interoute for Management Traffic
Priority Queue: this is a low latency queue best suited to jitter sensitive apps like VoIP.
Interoute QoS implementation has the following features:
Reserves Bandwidth for each queue to pre-agreed levels
Allows all queue (except the priority queue) to burst up to full line rate when line is not congested
WRED to avoid congestion in TCP flows
SLA related information shown in the Interoute Hub on a per queue basis
Jitter
RTT
Packet Loss

Internet Central
Offers controlled and mediated public Internet access through a central Interconnect between the VPN and the public Internet. Internet Central is delivered as a central connection provided in two of Interoute's carrier neutral co-location facilities one in Paris and the other in Frankfurt. The Firewall will act as demarcation point between the public Internet and the private VPN network providing up to 1.2Gbps redundant Internet access.
Current Internet Setup Interoute Internet Central Setup

Interoute MPLS Cloud Internet Central Firewall Internet Optional DMZ Internet Central Untrusted Interface Trusted Interface Sites gain Internet access according to the ESA security policies through a centralised Internet Central Firewall (Cisco ASA) All traffic to the Internet from the internal networks can be NAT’ed by the FW. DMZ traffic will not be NAT’ed All inbound traffic towards each facility is filtered by the Internet Central Firewall according to the security policy. New EO WAN Service 6/8 Site I Site II Site III

Remote Access Service LAN-to-LAN Remote Access Delivers Site based IPSec with multi-service functionality at all sites. This will be provided using VRF lite on each CPE with a separate physical LAN interface for each VRF. Each CPE will come with the capacity to deliver two distinct VPNs at each site. Token Authentication Remote Access The managed token authentication service allows remote users to access local resources via a two factor authentications process. Token Authentication is delivered via the Internet Central Firewall upon which IPSec tunnels terminate and that acts as the gateway between the public Internet and the EO IP-VPN MPLS. New EO WAN Service 7/8

Distributed Denial of Service Protection
The detection process works by analysing Netflow information on Interoute PE routers. This information is fed back to Arbor Netflow Collectors which are used to retain and analyse the Netflow stats, this part of the process also flags up anomalous or suspicious traffic flows to the Interoute NOC.
Once a flow has been detected and confirmed as malicious it is manually forwarded to Interoute traffic scrubbers, these are Cisco Guard devices capable of ‘cleaning’ traffic. This means that attack traffic can be dropped while genuine traffic will be forwarded back to its original destination.

New WAN Reference Architecture 1/2 New WAN High Level Design The Interoute CPE deployed at each EO facility will provide access to the EO IP-VPN network an to the Internet via the Internet Central infrastructure. The Intranet interfaces of the CPE devices will be interconnected to the internal LAN therefore behind the ODAD firewalls meanwhile the Internet interfaces will be directly connected to the firewall system. DMZ-to-DMZ and Internal-to-Internal traffic will be no longer routed over the public Internet , the Interoute backbone shall support this traffic directly.

IP Bandwidth Capabilities The IP bandwidth that will be delivered at each facility in all cases is equal or greater that what is in place today. It is important to note that high speed connectivity is available at all locations, however in order to deliver high BW requires in most cases an upgrade of the Interoute infrastructure. New WAN Reference Architecture 2/2

Service Level Agreements & Key Performance Indicators Contractual SLAs & KPIs The services provided by Interoute are regulated by fourteen SLAs and measured by ten KPIs KPIs are measured on a monthly basis and when a KPI is breached a service credit is applied Service credits can reach up to 100% of the total monthly charge for the affected site or service in the applicable monthly review period.

Evolution Activity Management 1/2
Evolution Activity Interface Structure
EOP-GS Customer representative
Five EOP-G Technical Officers
Thirteen EOP-G Domains/Sub-Domains
Thirteen Facilities
Two ODAD engineers
Two OPS-ERO engineers
Interoute PM/CSM
Interoute engineering

Evolution Activity Management 2/2
Evolution Activity Work Breakdown Structure
There are six major work packages defined in the Evolution Activity Plan WBS. The EAP describes in detail all the WPs defining owner, resources, schedule, inputs, outputs and deliverables which are in total 42. WP400 defines the interaction with the Interoute PMP and is subdivided into twenty sub work packages

WAN Migration Approach
WAN Migration Approach
The deployment of the Interoute services at the EO facilities will be carried out in a phased approach. The migration steps will slightly differ between facilities however they will be sequential, one facility at a time. The deployment of the Internet Central will be the first service to go live and will be gradually utilized by the facilities that have been migrated.
Pre-Migration Activities
Deployment of IP overlay network
DMZ server IP address migration – Over 400 IP addresses to be changed
Site Survey
Network to Network interface between OBS-Interoute
ODAD upgrade & reconfiguration
Migration Activities
Interoute IP-VPN deployment
Interoute RAS deployment
ODAD reconfiguration
ODAD VPN service migration
ESA facility/service acceptance - validation
Transfer into Operations/SRR per facility/service
Final SRR & Contract transfer to O&M (Serco)

Schedule Evolution Activity Schedule A key element concerning the schedule is given by the lead time to deploy the access lines in each facility; it may vary between nine and twenty-five weeks. The lead time depends on the country where the EO facility is located and on the bandwidth that was requested, in some cases civil works will have to be carried out. The final SRR will be held in December 2010.

Evolution Activity Challenges
Main Challenges
Complex network infrastructure
Server IP address migration
Schedule – multiple implementation dependencies
Migration synchronisation between current WAN providers (nine) &
ODAD/Interoute/O&M (Serco)
Interaction with EOP domains and services
Interaction with local facilities
Dismissal of COMNET and NREN current contracts
Network downtimes for migration activities

EOP WAN Service Evolution The WAN service described within the presentation is the first step of the EO transformation roadmap. New missions such as the Sentinels will produce terabytes of data on a daily basis and require near real time dissemination and high availability services. For these reasons the EO WAN will have to be able to evolve in order to accommodate these needs.
Next Steps
Improve security, only two Internet access gateways
Reduce number of firewalls, two per central location
Reduce operational complexity
Implement disaster recovery network architecture
Simplify network architecture – Remove legacy devices
OTC & MRC saving for new services i.e.:
Enhanced Online Archiving: Service provided by two
servers instead of eighteen, one server at each
location that hosts the Internet access and DMZs

THANK YOU
Jose Antonio Rodriguez Vazquez
Cristiano Silvagni
Questions

Backup Slides Start

Overview Of Current EO WAN Network Red CE routers = multiple IP VPN community  multiple LAN interface installed on CE and SubVPN configured to forbid communications across LAN interfaces. LAN interface used as gateway for local Payload Data Ground Segment (PDGS) networks to reach other PDGS networks at different EO centres. COMNET Characteristics

Overview Of Current EO WAN Network
“ Green Networks” at remote sites belong to the same security class of the EOP Internal LAN.
“ Blue Networks” at remote sites belong to the same security class of the EOP DMZ LAN.
LAN to LAN connectivity among Green networks and/or Blue networks across remote sites is forbidden.
The use of multi-homed systems either on the Green networks or on the Blue networks is not allowed.
The RAS is a modular service so that it can be available at any location.
ESRIN
Serco Frascati Office & Elsag-Datamat
ACS
RAS LAN-to-LAN service is provided at the following locations:

ESACOM MPLS/VPN Network eBGP eBGP
Interoute can run on the LAN interface of the CPE
OSPF
EIGRP
RIPv2
HSRP
Interoute Managed CPE Interoute PE Routers Dual Homed Multi-Service IP-VPN Using this solution both circuits mirror each other and in the event any failure on the primary bearer the secondary circuit takes over – This solution offers a 99.95% availability SLA New EO WAN Service

Backup Slides End

OPS Forum 25.06.2010 OPS/EOP Collaboration for EO Connectivity

by ESA/ESOC - Darmstadt, Germany on Jun 23, 2010

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics

OPS Forum 25.06.2010 OPS/EOP Collaboration for EO Connectivity Presentation Transcript