OPS Forum 25.06.2010 OPS/EOP Collaboration for EO Connectivity


The presentation provides a high-level overview of the evolution roadmap concerning the Earth Observation Connectivity Services. In particular, it focuses on a description of the Earth Observation Wide Area Network upgrade.

Published in: Technology, Business

  1. EOP/OPS Collaboration on EO Connectivity Services
     OPS-E Forum – 25 June 2010
     C. Silvagni & A. Rodríguez (OPS-ERO)
  2. Agenda
     - Background/Context (AR)
       - OPS-ERO role
       - OPS/EOP collaboration
     - WAN Connectivity Activity (CS)
       - Evolution Activity History
       - Overview of Current EO WAN Network & New EO WAN Services
       - Service Level Agreements & Key Performance Indicators
       - Network Migration Approach & Schedule
       - Evolution Activity Management & Challenges
       - EOP IP-VPN Evolution
     - Q&A (AR-CS)
  3. Background / Context (1)
     - OPS-ERO’s multiple roles at ESRIN:
       - Provision of corporate ICT services to ESRIN users
       - Provision of technical services
       - Management of evolution activities for local ESRIN customers
     - EOP-G is the main OPS customer at ESRIN for Technical Information Systems, mainly for connectivity-related services and activities
     - OPS/EOP relationship
       - OPS-ERO provides support to EOP on:
         - Operational service management (ODAD-NS, through OSP)
         - Definition (SoW), negotiation and phase-in of the new Operations & Maintenance contract for the NET work package
       - OPS-ERO leads the EO network transformation
       - The relationship is regulated through:
         - SLA for corporate and technical services
         - Two-year work plan for evolution activities
         - Agreed EAD and EAP for each activity
  4. Background / Context (2) – EO Connectivity Roadmap
     - Guidelines
       - Prepare for an end-to-end LAN managed service
       - Consolidate WAN connectivity with a single commercial provider. The current service is based on several academic providers (NRENs) and one commercial service (Comnet, by OBS)
       - Develop the technical capability to satisfy new-mission requirements (high capacity, SLAs, near-real time)
     - Transformation Plan
       - EO PDGS network upgrade at ESRIN: B11 re-cabling and LAN infrastructure upgrade (completed)
       - EO WAN service set-up (Interoute), migration (replacement of NRENs and Comnet) and integration in the O&M framework contract (on-going)
       - Consolidation of EO firewalls and rationalisation of legacy infrastructure
       - EO LAN harmonisation in remote sites
       - Tender for a LAN managed service integrated in the O&M contract (through the “best practices” mechanism)
       - EO WAN connectivity upgrade to support new-generation mission (GSC/Sentinel) data circulation and dissemination
  5. EO WAN Upgrade Drivers & Objectives
     - Drivers
       - High availability
       - Single Service Level Agreement
       - Increased performance & reliability
       - Stringent time-response requirements
       - Network simplification (design and operations; M&C, reporting)
     - Objectives
       - Consolidation of ODAD & COMNET
       - Deployment of a centralised Internet service
       - Modular design
       - Removal of obsolete elements
       - Increased scalability factor
       - Migration of the existing public IP address space into ESA addresses
  6. EO WAN Upgrade Scope
     - EO Facilities: the WAN infrastructure at the following thirteen EO facilities will be migrated to the new WAN provider:
  7. Evolution Activity History 1/2
     - May–June 2009: RFI – market analysis
     - September 2009: RFI results – EOP management decision
     - November 2009: WAN restricted tender issued
     - December 2009 – March 2010: formalised OPS-ERO/EOP-GS activity – Evolution Activity Plan
     - January–March 2010: ESA–Interoute negotiation
     - 24 March 2010: ESA–Interoute contract signed
     - 14 April 2010: Evolution Activity kick-off meeting
  8. Evolution Activity History 2/2 – Market Analysis
     - The goal of the request for information was to obtain a description of the network infrastructure, operating model, SLA and ROM costs for the installation and operation of a single WAN infrastructure based on the following:
       - IP-VPN and Internet connectivity services for the EOP facilities, with access lines supporting 10 Mbps, 34 Mbps, 100/155 Mbps, 1 Gbps, 2 Gbps and >2 Gbps bandwidths
     - The RFI was issued to the following twelve network providers: Telefonica, British Telecom, T-Systems, Level 3 Communications, AT&T, Deutsche Telecom, Telecom Italia, Orange Business Services, Global Crossing, Colt, Verizon Business and Interoute
  9. Interoute: The New EO WAN Provider 1/2
     - Interoute:
       - Is one of the pan-European network carriers considered by Gartner
       - Is fully owned by the Sandoz Family Foundation (Swiss)
       - Is competitively positioned against the carriers able to deliver the services being sought (e.g. Global Crossing, Colt)
  10. Interoute: The New EO WAN Provider 2/2
     - Interoute's strengths
       - Interoute has an extensive fibre network (intercity and metropolitan) in Western and Eastern Europe. The backbone has been upgraded to multiple 10G Ethernet.
       - It has strengthened its service portfolio and delivery, including WAN optimisation solutions and further enhancements to self-service automation in areas such as delivery and configuration.
       - Interoute offers strong processes for developing service components, and an extensive component library that enables a wide range of custom-made network-centric solutions, including vertical industry solutions for sectors such as media and publishing.
       - It has a strong portfolio of network-based communication applications, including site-to-site and public IP voice.
     - Cautions
       - In some smaller European markets, deep in-country coverage is still missing, affecting pricing and service levels for enterprises with requirements in these markets.
       - Interoute is focused on network-based solutions and has limited capability in the area of customer-premises-based services, such as managed LAN or IP PBX.
     - (Source: Gartner, December 2008)
  11. Overview of Current EO WAN Network 1/5
     (Diagram: private VPNs over NRENs (ODAD) and ComNet)
  12. Overview of Current EO WAN Network 2/5
     The ODAD & COMNET networks are deployed at the following EO facilities:
  13. Overview of Current EO WAN Network 3/5 – COMNET Main Characteristics
     - ESACOM is the ESA-wide IP-VPN, based on MPLS and delivered as an end-to-end managed service
     - The EO COMNET is a subset of the ESACOM IP-VPN and consists of two IP-VPN communities:
       - Fully meshed ENVISAT IP-VPN community interconnecting the ENVISAT networks among EO centres
       - Fully meshed ERS-TPM IP-VPN community interconnecting the ERS networks among EO centres
     - 5 Classes of Service (CoS) for congestion control and traffic prioritisation. Two classes are configured (D1 and D2; D3, RTvo and RTvi are not configured)
     - SubVPN set up on the CE routers where multiple IP-VPN communities are configured within the same site
     - Guaranteed connectivity with commercial SLAs (service availability / MTTR, maximum round-trip delay, packet loss, etc.)
     - Low bandwidth transfer rates, i.e. 32 Kbps – 512 Kbps
  14. Overview of Current EO WAN Network 4/5 – Research Internet Access Service Main Characteristics
     - High-speed IP-VPN over the Internet among EO facilities
     - Access to EO servers within the EO DMZs
     - IP addresses used within the EO DMZs are owned by the ISP
     - No SLA
     - Eight individual contracts, each with its own terms and conditions, to manage
     (Diagram: typical EO firewall infrastructure)
  15. Overview of Current EO WAN Network 5/5 – Network Remote Access Services (RAS) Characteristics
     - Secure IP network access from remote locations to the Payload Data Ground Segment (PDGS) systems connected within the EO networks
     - RAS service provided to the EO industrial community in support of the execution of their contractual tasks from their own companies’ premises
     - Two types of secure network access to the EO PDGS systems are provided to EOP contractors:
       - LAN to LAN: contractors use systems connected to a trusted remote LAN
       - PC to LAN: contractors use PCs connected to the Internet, according to the specific security policy (e.g. protocols, etc.)
     - IPSec tunnels over the Internet: no guaranteed bandwidth / performance
     - LAN-to-LAN tunnel authentication based on the RAS service provider’s PKI infrastructure
     - PC-to-LAN authentication based on strong (two-factor) authentication via RSA tokens
  16. New EO WAN Service 1/8 – EO WAN Services
     - IP-VPN
       - Single access & dual-homed access
       - Multi-service
       - QoS
     - Internet Central
       - Redundant central firewall
     - Remote Access
       - LAN-to-LAN
       - Token based
     - Distributed Denial of Service Protection
       - DDoS attack detection & mitigation
  17. New EO WAN Service 2/8 – Single & Dual-Homed IP-VPN
     - Offers single or dual connectivity to the Interoute MPLS backbone at high or low access speeds, allowing the interconnection of multiple IP-VPN communities, which will have the capability to run a range of features such as Quality of Service (QoS), Multi-VPN and IP SLA for performance tracking.
  18. New EO WAN Service 3/8 – Multi-Service CPE
     This functionality is available at each site, and a site can be part of as many of the Multi-VPN instances as required. No connectivity is permitted between VRF instances: each instance is a completely isolated IP-VPN.
     (Diagram: ESACOM MPLS/VPN network carrying the ENVISAT IP-VPN, ERS-TPM, EOP Internal LAN and Local Internet Breakout instances, with the Internet)
  19. New EO WAN Service 4/8 – QoS
     - Interoute offers 4 levels of QoS. The RP+M queue is reserved by Interoute for management traffic
     - Priority queue: a low-latency queue best suited to jitter-sensitive applications such as VoIP
     - The Interoute QoS implementation has the following features:
       - Reserves bandwidth for each queue to pre-agreed levels
       - Allows all queues (except the priority queue) to burst up to full line rate when the line is not congested
       - WRED to avoid congestion in TCP flows
       - SLA-related information shown in the Interoute Hub on a per-queue basis:
         - Jitter
         - RTT
         - Packet loss
  20. New EO WAN Service 5/8 – Internet Central
     - Offers controlled and mediated public Internet access through a central interconnect between the VPN and the public Internet. Internet Central is delivered as a central connection provided in two of Interoute's carrier-neutral co-location facilities, one in Paris and the other in Frankfurt. The firewall will act as the demarcation point between the public Internet and the private VPN network, providing up to 1.2 Gbps of redundant Internet access.
     (Diagrams: current Internet set-up; Interoute Internet Central set-up)
  21. New EO WAN Service 6/8 – Internet Central Firewall
     - Sites gain Internet access according to the ESA security policies through a centralised Internet Central firewall (Cisco ASA)
     - All traffic to the Internet from the internal networks can be NAT’ed by the firewall; DMZ traffic will not be NAT’ed
     - All inbound traffic towards each facility is filtered by the Internet Central firewall according to the security policy
     (Diagram: Sites I–III connected through the Interoute MPLS cloud to the Internet Central firewall, with trusted interface, untrusted interface and optional DMZ facing the Internet)
  22. New EO WAN Service 7/8 – Remote Access Service
     - LAN-to-LAN Remote Access: delivers site-based IPSec with multi-service functionality at all sites. This will be provided using VRF-lite on each CPE, with a separate physical LAN interface for each VRF. Each CPE will come with the capacity to deliver two distinct VPNs at each site.
     - Token Authentication Remote Access: the managed token authentication service allows remote users to access local resources via a two-factor authentication process. Token authentication is delivered via the Internet Central firewall, upon which the IPSec tunnels terminate and which acts as the gateway between the public Internet and the EO IP-VPN MPLS.
  23. New EO WAN Service 8/8 – Distributed Denial of Service Protection
     - The detection process works by analysing NetFlow information on the Interoute PE routers. This information is fed to Arbor NetFlow collectors, which retain and analyse the NetFlow statistics; this part of the process also flags anomalous or suspicious traffic flows to the Interoute NOC.
     - Once a flow has been detected and confirmed as malicious, it is manually forwarded to the Interoute traffic scrubbers, which are Cisco Guard devices capable of ‘cleaning’ traffic. This means that attack traffic can be dropped while genuine traffic is forwarded back to its original destination.
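The detection stage of slide 23, as an added example that is not part of the presentation or of Interoute's tooling: per-destination NetFlow statistics for a constructed quiet minute and a constructed flood minute are compared, and a destination whose packet rate jumps far above its baseline, from many sources and with small packets, is flagged for NOC review, with diversion to the scrubbers left as the manual step the slide describes. The record layout, the RFC 5737 addresses and the thresholds are assumptions.

```python
"""Flow-based DDoS detection modelled on the deck's description: NetFlow
records from the PE routers are aggregated per destination, compared with
a baseline window, and anomalies are flagged for the NOC (diversion to
the scrubbers stays a manual step). All data and thresholds are constructed."""
from collections import defaultdict, namedtuple

# One exported flow record (fields are a constructed subset of NetFlow v5).
Flow = namedtuple("Flow", "ts src dst proto dport packets octets")

def parse_flows(text):
    """Parse constructed 'ts,src,dst,proto,dport,packets,octets' lines."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, pkts, octs = line.split(",")
        flows.append(Flow(int(ts), src, dst, proto, int(dport), int(pkts), int(octs)))
    return flows

def in_window(flows, start, length):
    """Flows exported in [start, start + length) seconds."""
    return [f for f in flows if start <= f.ts < start + length]

def per_destination(flows, window):
    """Packets/s, mean packet size and distinct source count per destination."""
    acc = defaultdict(lambda: {"packets": 0, "octets": 0, "sources": set()})
    for f in flows:
        acc[f.dst]["packets"] += f.packets
        acc[f.dst]["octets"] += f.octets
        acc[f.dst]["sources"].add(f.src)
    return {dst: {"pps": a["packets"] / window,
                  "avg_size": a["octets"] / a["packets"],
                  "sources": len(a["sources"])} for dst, a in acc.items()}

def detect(baseline, current, pps_factor=10.0, min_sources=20, max_avg_size=100):
    """Flag destinations whose packet rate jumped far above baseline, from many
    sources, with small packets (the shape of a volumetric flood). Returns
    (dst, reason) pairs for NOC review; nothing is diverted automatically."""
    alerts = []
    for dst, cur in current.items():
        base_pps = baseline.get(dst, {}).get("pps", 1.0)  # unseen dst: assume ~idle
        if (cur["pps"] >= pps_factor * base_pps and cur["sources"] >= min_sources
                and cur["avg_size"] <= max_avg_size):
            alerts.append((dst, f"{cur['pps']:.0f} pps vs baseline {base_pps:.0f}, "
                                f"{cur['sources']} sources, avg {cur['avg_size']:.0f} B"))
    return alerts

def constructed_flows():
    """Constructed sample: a quiet minute, then a minute with a UDP flood."""
    lines = ["# ts,src,dst,proto,dport,packets,octets"]
    for minute in (0, 60):      # legitimate traffic present in both minutes
        for i in range(3):      # three HTTPS clients of a DMZ server
            lines.append(f"{minute},203.0.113.{i + 1},192.0.2.10,tcp,443,600,480000")
        lines.append(f"{minute},203.0.113.9,192.0.2.20,tcp,22,300,120000")
    for i in range(25):         # second minute: 25 sources sending 40-byte UDP
        lines.append(f"60,198.51.100.{i + 1},192.0.2.10,udp,53,1200,48000")
    return parse_flows("\n".join(lines))

def run_example():
    flows = constructed_flows()
    baseline = per_destination(in_window(flows, 0, 60), 60)
    current = per_destination(in_window(flows, 60, 60), 60)
    return detect(baseline, current)

if __name__ == "__main__":
    for dst, reason in run_example():
        print(f"ALERT {dst}: {reason}")
```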
  24. New WAN Reference Architecture 1/2 – New WAN High-Level Design
     The Interoute CPE deployed at each EO facility will provide access to the EO IP-VPN network and to the Internet via the Internet Central infrastructure. The Intranet interfaces of the CPE devices will be interconnected to the internal LAN, and therefore sit behind the ODAD firewalls, while the Internet interfaces will be directly connected to the firewall system. DMZ-to-DMZ and Internal-to-Internal traffic will no longer be routed over the public Internet; the Interoute backbone shall carry this traffic directly.
  25. New WAN Reference Architecture 2/2 – IP Bandwidth Capabilities
     The IP bandwidth that will be delivered at each facility is in all cases equal to or greater than what is in place today. It is important to note that high-speed connectivity is available at all locations; however, delivering high bandwidth in most cases requires an upgrade of the Interoute infrastructure.
  26. Service Level Agreements & Key Performance Indicators – Contractual SLAs & KPIs
     - The services provided by Interoute are regulated by fourteen SLAs and measured by ten KPIs
     - KPIs are measured on a monthly basis, and when a KPI is breached a service credit is applied
     - Service credits can reach up to 100% of the total monthly charge for the affected site or service in the applicable monthly review period
  27. Evolution Activity Management 1/2 – Evolution Activity Interface Structure
     - EOP-GS customer representative
     - Five EOP-G Technical Officers
     - Thirteen EOP-G domains/sub-domains
     - Thirteen facilities
     - Two ODAD engineers
     - Two OPS-ERO engineers
     - Interoute PM/CSM
     - Interoute engineering
  28. Evolution Activity Management 2/2 – Evolution Activity Work Breakdown Structure
     There are six major work packages defined in the Evolution Activity Plan WBS. The EAP describes all the WPs in detail, defining owner, resources, schedule, inputs, outputs and deliverables, which are 42 in total. WP400 defines the interaction with the Interoute PMP and is subdivided into twenty sub-work-packages.
  29. WAN Migration Approach
     - The deployment of the Interoute services at the EO facilities will be carried out in a phased approach. The migration steps will differ slightly between facilities, but they will be sequential, one facility at a time. Internet Central will be the first service to go live and will be gradually used by the facilities that have been migrated.
     - Pre-Migration Activities
       - Deployment of IP overlay network
       - DMZ server IP address migration – over 400 IP addresses to be changed
       - Site survey
       - Network-to-network interface between OBS and Interoute
       - ODAD upgrade & reconfiguration
     - Migration Activities
       - Interoute IP-VPN deployment
       - Interoute RAS deployment
       - ODAD reconfiguration
       - ODAD VPN service migration
       - ESA facility/service acceptance – validation
       - Transfer into operations / SRR per facility/service
       - Final SRR & contract transfer to O&M (Serco)
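A pre-migration check for the DMZ address change listed above (over 400 ISP-owned addresses moving into ESA space), written here as an added example rather than a tool from the activity: it validates a constructed plan file against constructed ISP and ESA address blocks (RFC 5737 ranges), catching duplicate assignments and hosts that would remain on an ISP address, and groups the changes per facility to match the one-site-at-a-time migration. The file layout, the site names other than ESRIN and the blocks are assumptions.

```python
"""Sanity checks for a DMZ address migration plan: every host that today
uses an ISP-owned public address must move to an address in the ESA block,
with no address handed out twice and no host left in an ISP range.
Blocks, sites and the CSV layout are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed: blocks owned by the current research-Internet ISPs (to be
# vacated) and the ESA block the DMZ hosts migrate into.
OLD_ISP_BLOCKS = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("203.0.113.0/24")]
ESA_BLOCK = ipaddress.ip_network("192.0.2.0/24")

def parse_plan(text):
    """Parse constructed 'site,hostname,old_ip,new_ip' lines."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        site, host, old, new = (c.strip() for c in line.split(","))
        rows.append((site, host, ipaddress.ip_address(old), ipaddress.ip_address(new)))
    return rows

def validate_plan(rows, esa_block=ESA_BLOCK, old_blocks=OLD_ISP_BLOCKS):
    """Return (hostname, problem) pairs; an empty list means the plan is clean."""
    problems = []
    hosts_by_new = defaultdict(list)
    for _site, host, old, new in rows:
        if not any(old in b for b in old_blocks):
            problems.append((host, f"old address {old} is not in a known ISP block"))
        if new not in esa_block:
            problems.append((host, f"new address {new} is outside ESA block {esa_block}"))
        if any(new in b for b in old_blocks):
            problems.append((host, f"new address {new} still lies in an ISP block"))
        hosts_by_new[new].append(host)
    for addr, hosts in hosts_by_new.items():
        if len(hosts) > 1:   # the same ESA address handed to more than one host
            problems.append((hosts[-1], f"{addr} assigned to {', '.join(hosts)}"))
    return problems

def changes_by_site(rows):
    """Group old->new pairs per facility, matching the one-site-at-a-time migration."""
    per_site = defaultdict(list)
    for site, host, old, new in rows:
        per_site[site].append((host, str(old), str(new)))
    return dict(per_site)

# Constructed plan with two deliberate errors: a duplicate ESA address and a
# host whose "new" address is still in an ISP block (SITE-B is a placeholder).
CONSTRUCTED_PLAN = """\
# site,hostname,old_ip,new_ip
ESRIN,ftp-dmz-01,198.51.100.10,192.0.2.10
ESRIN,www-dmz-01,198.51.100.11,192.0.2.11
SITE-B,ftp-dmz-02,203.0.113.5,192.0.2.10
SITE-B,mon-dmz-02,203.0.113.6,203.0.113.66
"""

def run_example():
    rows = parse_plan(CONSTRUCTED_PLAN)
    return validate_plan(rows), changes_by_site(rows)

if __name__ == "__main__":
    problems, plan = run_example()
    for site, changes in plan.items():
        print(site, changes)
    for host, problem in problems:
        print(f"PROBLEM {host}: {problem}")
```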
  30. Schedule – Evolution Activity Schedule
     A key element of the schedule is the lead time to deploy the access lines in each facility; it may vary between nine and twenty-five weeks. The lead time depends on the country where the EO facility is located and on the bandwidth requested; in some cases civil works will have to be carried out. The final SRR will be held in December 2010.
  31. Evolution Activity Challenges – Main Challenges
     - Complex network infrastructure
     - Server IP address migration
     - Schedule – multiple implementation dependencies
     - Migration synchronisation between the current WAN providers (nine) and ODAD/Interoute/O&M (Serco)
     - Interaction with EOP domains and services
     - Interaction with local facilities
     - Termination of the current COMNET and NREN contracts
     - Network downtimes for migration activities
  32. EOP WAN Service Evolution
     The WAN service described in this presentation is the first step of the EO transformation roadmap. New missions such as the Sentinels will produce terabytes of data on a daily basis and require near-real-time dissemination and high-availability services. For these reasons the EO WAN will have to be able to evolve in order to accommodate these needs.
     - Next Steps
       - Improve security: only two Internet access gateways
       - Reduce the number of firewalls: two per central location
       - Reduce operational complexity
       - Implement a disaster-recovery network architecture
       - Simplify the network architecture – remove legacy devices
         - OTC & MRC savings for new services, e.g. Enhanced Online Archiving: service provided by two servers instead of eighteen, one server at each location that hosts the Internet access and DMZs
  33. Thank You – Questions
     - Jose Antonio Rodriguez Vazquez
     - Cristiano Silvagni
  34. Backup Slides Start
  35. Overview of Current EO WAN Network – COMNET Characteristics
     Red CE routers = multiple IP-VPN communities → multiple LAN interfaces installed on the CE, with SubVPN configured to forbid communications across the LAN interfaces. The LAN interface is used as the gateway for the local Payload Data Ground Segment (PDGS) networks to reach other PDGS networks at different EO centres.
  36. Overview of Current EO WAN Network
     - “Green Networks” at remote sites belong to the same security class as the EOP Internal LAN.
     - “Blue Networks” at remote sites belong to the same security class as the EOP DMZ LAN.
     - LAN-to-LAN connectivity among Green networks and/or Blue networks across remote sites is forbidden.
     - The use of multi-homed systems, either on the Green networks or on the Blue networks, is not allowed.
     - The RAS is a modular service, so it can be made available at any location.
     - The RAS LAN-to-LAN service is provided at the following locations:
       - ESRIN
         - Serco Frascati Office & Elsag-Datamat
         - ACS
  37. New EO WAN Service – Dual-Homed Multi-Service IP-VPN
     - Interoute can run the following on the LAN interface of the CPE:
       - OSPF
       - EIGRP
       - RIPv2
       - HSRP
     - Using this solution both circuits mirror each other and, in the event of any failure on the primary bearer, the secondary circuit takes over. This solution offers a 99.95% availability SLA.
     (Diagram: Interoute managed CPE connected via eBGP to two Interoute PE routers in the ESACOM MPLS/VPN network)
  38. Backup Slides End