Difference between revisions of "Network Infrastructure and Services"

From Gobblerpedia
imported>Mutantmonkey
(Network Policies)
imported>Echarlie
(Fuck you; we turned it off)
 
(22 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Communications Network Services (CNS)''' is a division of the Office of the Vice President for Information Technology, which provides ISP services including telephone and Internet to the university. Unlike most departments, CNS operates as an auxillary service, and therefore recieves funding through cost-recovery rather than university budgets. Individual departments and students must pay a ''per-port'' charge for each IP or phone device attached to the network.
+
'''NI&S''', previously known as '''Communications Network Services''' ('''CNS'''), and briefly as '''Advanced Network Infrastructure and Services''' ('''ANIS''') is the ISP of [[Virginia Tech]], and part of the [[Division of IT]], providing services including telephone and Internet to the university. Around 2015, they went through a significant rebranding effort, because of the poor reputation earned by CNS as being "unhelpful, tyrannical network overlords", in the words of a former student. Today, they attempt to exist by their ''Brand Promise'', "Let's explore what's possible together", and ''Brand Character'', "Approachable, Plain Spoken, Collaborative", in order to prevent the need for further rebranding. Several NI&S employees have suggested a more accurate motto would read "F*ck you; we turned it off", in reference to several services essential to the jobs of departmental IT, like rdweb, the "temporary" port 22 block, the L2TP VPN, and several other useful services. Unlike most departments, CNS operates as an auxillary service, and therefore recieves funding through cost-recovery rather than university budgets. Individual departments and students must pay a ''per-port'' charge for each IP or phone device attached to the network.
  
=== Network Topology ===
+
== Network Topology ==
In Blacksburg, CNS has redundant fiber uplinks from the [[Andrews Information Systems Building]] to an upstream router in Equinix's [[Ashburn, Virginia]] datacenter. At Equinix, CNS has about 4 Gbps aggregate bandwidth for commodity Internet from Cogent, as well as, through the [[Mid Atlantic Terascale Partnership]], connections to [[Network Virginia]], [[National LambdaRail]], and [[Internet2]].
+
In Blacksburg, CNS has redundant fiber uplinks to Ashburn, Virginia, McLean, Virginia, and Atlanta, Georgia. The [[Mid-Atlantic Broadband Communities Corporation]] provides the OC-192 (10 Gigabit) connections to Ashburn and McLean from the [[Andrews Information Systems Building]], and the OC-192 (10 Gigabit) connection to Atlanta from [[Hillcrest Hall]]. In summer 2015, the OC-192 connection to Ashburn will be upgraded to OC-768 (100 Gigabit).<ref>[https://www.vtnews.vt.edu/articles/2015/04/042115-it-gigabits.html]</ref>
 +
 
 +
For cost-savings reasons, the university's connectivity is primarily provided through an aggregation network shared by several other universities in Virginia, the [[Mid-Atlantic Research and Education Exchange]] (MREX). MREX, also known as the [[Mid-Atlantic Terascale Partnership]] (MATP)<ref>[https://beta.peeringdb.com/net/4326 PeeringDB: Mid-Atlantic Terascale Partnership - MATP]</ref>, is operated by Virginia Tech and provides connectivity for the [[Mid-Atlantic Research Infrastructure Alliance]] (MARIA), an alliance of the universities that receive connectivity through MREX.<ref>[http://www.marialliance.net/about-us About Maria - Mid-Atlantic Research Infrastructure Alliance]</ref>
 +
 
 +
MREX operates two regional hubs: MREX-ATL, at Telx Atlanta, and MREX-DC, at Equinix Ashburn. At each hub, MREX operates a Cisco ASR9006 aggregation router. There is another MREX facility at Level3 McLean, connected as part of a fiber ring that also includes the [[Arlington Research Center]] and the [[Northern Virginia Center]].
 +
 
 +
At Equinix in [[Ashburn]], MREX-DC has a 100 Gigabit connection to [[Internet2]], 10 Gigabit connections to  [[ESnet]] and the Equinix Internet Exchange, and 30 Gigabits of commodity Internet connectivity through Cogent. Virginia Tech also has a 10 Gigabit connection to [[Mid-Atlantic Crossroads]] and a 1 Gigabit connection to [[NetworkVirginia]] here.
 +
 
 +
At Telx in Atlanta, MREX-ATL has 10 Gigabit connections to [[Southern Crossroads]], [[ESnet]], the Telia Internet Exchange, and 30 Gigabits of commodity Internet connectivity through Telia.<ref>[http://www.cafm.vt.edu/busprac/_docs/bpseminar_2014/2014-BusinessPracticeSeminar-Internet.pdf]</ref> MREX-ATL was opened in 2014 and is the first network facility operated by Virginia Tech located outside of Virginia.<ref>[https://www.vtnews.vt.edu/articles/2014/03/032114-it-datanetworkexchange.html]</ref>
 +
 
 +
At Level3 in McLean, MREX's McLean facility, referred to as the National Capital Region (NatCap) Aggregation Facility, has a 10 Gigabit connection to [[Mid-Atlantic Crossroads]] and a connection to [[NetworkVirginia]].<ref>[http://www.cns.vt.edu/docs/NIS_SubcommitteeMinutes07Dec2009.pdf]</ref>
  
 
From the Andrews Information Systems Building, there are redundant fiber connections to the main campus at both [[Burruss Hall]] and [[Cassell Colliseum]]. [[Owens Hall]], [[Hillcrest Hall]], and [[Shanks Hall]] have intermediate routers for some buildings. Nearly all ethernet portals on campus are capable of 100 Mbps or Gigabit speeds, due to fiber interconnects between buildings; however, intrabuilding wiring varies in age and may not support high speeds. The vast majority of campus IPv4s come from two directly-allocated blocks (128.173.0.0/16 and 198.82.0.0/16).
 
From the Andrews Information Systems Building, there are redundant fiber connections to the main campus at both [[Burruss Hall]] and [[Cassell Colliseum]]. [[Owens Hall]], [[Hillcrest Hall]], and [[Shanks Hall]] have intermediate routers for some buildings. Nearly all ethernet portals on campus are capable of 100 Mbps or Gigabit speeds, due to fiber interconnects between buildings; however, intrabuilding wiring varies in age and may not support high speeds. The vast majority of campus IPv4s come from two directly-allocated blocks (128.173.0.0/16 and 198.82.0.0/16).
  
CNS is a leader in the transition to IPv6, as their [[w:Autonomous System|ASN]] consistently ranks in the top 5 in terms of percentage of IPv6 traffic, according to [http://www.worldipv6launch.org/measurements/ World IPv6 Launch Measurements]. A dual-stack topology exists for the entirety of campus, but not all systems connected to the network are IPv6-enabled. One system that notably lacks connectivity is the main vt.edu website, which is due to a lack of support from the load balancers currently in use. For legacy reasons, Virginia Tech continues to use its /48 sub-allocation from the [[w:University of Maryland|University of Maryland]], instead of its assigned IPv6 block (2607:b400::/32). It is unknown when the new address space will begin to be used.
+
=== IPv6 ===
 +
 
 +
CNS is a leader in the transition to IPv6, as their [[w:Autonomous System|ASN]] consistently ranks in the top 5 in terms of percentage of IPv6 traffic, according to [http://www.worldipv6launch.org/measurements/ World IPv6 Launch Measurements]. A dual-stack topology exists for the entirety of campus, but not all systems connected to the network are IPv6-enabled. One system that notably lacks connectivity is the main vt.edu website, which is due to a lack of support from the load balancers currently in use. For legacy reasons, Virginia Tech continues to use its /48 sub-allocation from the [[w:University of Maryland|University of Maryland]] on many subnets, although newer equipment is being configured with the assigned IPv6 block (2607:b400::/32).
 +
 
 +
=== Unified Communications ===
  
 
In December 2011, CNS announced that a contract had been awarded to IBM and Avaya for ''Unified Communications'', a project to both replace the aging ROLM phone system with SIP phones and upgrade the network infrastructure in each building. This has also somewhat reduced monthly rates of common telephone and ethernet services for departments. While most buildings will be undergoing upgrades through 2014, it is unknown whether or not each will have full gigabit speeds at actual user ports. It is also unknown whether users will be able to use SIP softphones in conjunction with this.
 
In December 2011, CNS announced that a contract had been awarded to IBM and Avaya for ''Unified Communications'', a project to both replace the aging ROLM phone system with SIP phones and upgrade the network infrastructure in each building. This has also somewhat reduced monthly rates of common telephone and ethernet services for departments. While most buildings will be undergoing upgrades through 2014, it is unknown whether or not each will have full gigabit speeds at actual user ports. It is also unknown whether users will be able to use SIP softphones in conjunction with this.
  
=== Network Policies ===
+
== Network Policies ==
 
Contrary to popular belief, CNS does not actively monitor users for torrenting activity; however, they are obligated to forward DMCA notifications to the relevant parties. Residential users that engage in peer-to-peer filesharing are often throttled (according to policy) if their daily upload average exceeds 4.9 GB. Campus-wide intrusion detection systems are deployed through cooperation with the [[IT Security Lab]].
 
Contrary to popular belief, CNS does not actively monitor users for torrenting activity; however, they are obligated to forward DMCA notifications to the relevant parties. Residential users that engage in peer-to-peer filesharing are often throttled (according to policy) if their daily upload average exceeds 4.9 GB. Campus-wide intrusion detection systems are deployed through cooperation with the [[IT Security Lab]].
  
 
Port security is enabled on most ports, meaning that users are not permitted to attach a switch to the network and must pay for new connections for all devices. While the $20/month fee for gigabit connectivity is generally thought to be reasonable, many department networks require them to evade this restriction through the use of NAT routing, ARP proxies, and/or NDP proxies. For most public portals, MAC address registration is often required, although some department ports are known to not carry this restriction.
 
Port security is enabled on most ports, meaning that users are not permitted to attach a switch to the network and must pay for new connections for all devices. While the $20/month fee for gigabit connectivity is generally thought to be reasonable, many department networks require them to evade this restriction through the use of NAT routing, ARP proxies, and/or NDP proxies. For most public portals, MAC address registration is often required, although some department ports are known to not carry this restriction.
  
NAT routers are officially banned, largely due to dorm residents bringing their own NAT router, plugging it in backwards, and sending DHCP leases to their entire building. While the ban is generally unenforced unless a problem arises, users are encouraged to purchase additional connections through CNS instead.
+
== Controversies ==
 
 
=== Controversies ===
 
 
In addition to the network policies stated above, the following controversial activities have arisen:
 
In addition to the network policies stated above, the following controversial activities have arisen:
* CNS has begun deploying [[w:Network Address Translation | NAT]] to dorm buildings, starting with [[Ambler Johnston Hall]], as it has done in the past with wireless access points.
+
* CNS has begun deploying [[w:Network Address Translation | NAT]] to dorm buildings, starting with the [[Graduate Life Center]]<ref>[http://ipv6.cns.vt.edu/ IPv6 at Virginia Tech]</ref>, as it has done in the past with wireless access points.
 
* In January 2013, emergency maintenance was done at Virginia Tech's uplink in Ashburn, but users were not informed in advance of the potential downtime. This initially took out VT's edge IPv4 access for several hours, and later resulted in intermittent routing issues at the BGP level until the next morning.
 
* In January 2013, emergency maintenance was done at Virginia Tech's uplink in Ashburn, but users were not informed in advance of the potential downtime. This initially took out VT's edge IPv4 access for several hours, and later resulted in intermittent routing issues at the BGP level until the next morning.
 
* Like most administrative university offices, CNS is often regarded as having much bureaucracy. For example, the processes for obtaining SSL certificates or a DNS entry directly under "vt.edu" are especially tedious.
 
* Like most administrative university offices, CNS is often regarded as having much bureaucracy. For example, the processes for obtaining SSL certificates or a DNS entry directly under "vt.edu" are especially tedious.
* CNS services such as VPN and VT-Wireless (the secure wireless network) require use of MS-CHAPv2, which is proven to be very insecure.
+
* CNS services such as VT-Wireless (the secure wireless network) require use of MS-CHAPv2, which is proven to be very insecure.<ref>{{cite news
 +
| title      = Wifi Security
 +
| url        = https://www.hokieprivacy.org/wifi/
 +
| work        = Hokie Privacy
 +
| accessdate  = 7 October 2015
 +
}}</ref>
 +
 
 +
 
 +
== References ==
 +
<references/>
  
 
[[Category:Blacksburg ISPs]]
 
[[Category:Blacksburg ISPs]]
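
Review bot: the rewritten lead introduces the division as NI&S, but its last two sentences and every later section on the new side still say CNS, so a reader cannot tell whether the funding, topology and policy statements describe the current organization. Use one name after the first mention, or state once that CNS refers to the historical entity. The new lead also carries over the misspellings "auxillary" and "recieves". The old-side paragraph beginning "NAT routers are officially banned" has no counterpart on the new side, while the port-security paragraph still lists NAT routing as a way around the per-port restriction; if the ban no longer applies, say so, otherwise restore the paragraph. In the MS-CHAPv2 bullet, "VPN" is dropped from the list of affected services without explanation, and the added citation uses a multi-line cite template while the other new references are bare links.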

Latest revision as of 04:36, 6 September 2017

NI&S, previously known as Communications Network Services (CNS), and briefly as Advanced Network Infrastructure and Services (ANIS), is the ISP of Virginia Tech and part of the Division of IT, providing services including telephone and Internet to the university. Around 2015, they went through a significant rebranding effort because of the poor reputation earned by CNS as being "unhelpful, tyrannical network overlords", in the words of a former student. Today, they attempt to exist by their Brand Promise, "Let's explore what's possible together", and Brand Character, "Approachable, Plain Spoken, Collaborative", in order to prevent the need for further rebranding. Several NI&S employees have suggested a more accurate motto would read "F*ck you; we turned it off", in reference to several services essential to the jobs of departmental IT, like rdweb, the "temporary" port 22 block, the L2TP VPN, and several other useful services. Unlike most departments, CNS operates as an auxiliary service, and therefore receives funding through cost-recovery rather than university budgets. Individual departments and students must pay a per-port charge for each IP or phone device attached to the network.

Network Topology

In Blacksburg, CNS has redundant fiber uplinks to Ashburn, Virginia, McLean, Virginia, and Atlanta, Georgia. The Mid-Atlantic Broadband Communities Corporation provides the OC-192 (10 Gigabit) connections to Ashburn and McLean from the Andrews Information Systems Building, and the OC-192 (10 Gigabit) connection to Atlanta from Hillcrest Hall. In summer 2015, the OC-192 connection to Ashburn will be upgraded to OC-768 (100 Gigabit).[1]

For cost-savings reasons, the university's connectivity is primarily provided through an aggregation network shared by several other universities in Virginia, the Mid-Atlantic Research and Education Exchange (MREX). MREX, also known as the Mid-Atlantic Terascale Partnership (MATP)[2], is operated by Virginia Tech and provides connectivity for the Mid-Atlantic Research Infrastructure Alliance (MARIA), an alliance of the universities that receive connectivity through MREX.[3]

MREX operates two regional hubs: MREX-ATL, at Telx Atlanta, and MREX-DC, at Equinix Ashburn. At each hub, MREX operates a Cisco ASR9006 aggregation router. There is another MREX facility at Level3 McLean, connected as part of a fiber ring that also includes the Arlington Research Center and the Northern Virginia Center.

At Equinix in Ashburn, MREX-DC has a 100 Gigabit connection to Internet2, 10 Gigabit connections to ESnet and the Equinix Internet Exchange, and 30 Gigabits of commodity Internet connectivity through Cogent. Virginia Tech also has a 10 Gigabit connection to Mid-Atlantic Crossroads and a 1 Gigabit connection to NetworkVirginia here.

At Telx in Atlanta, MREX-ATL has 10 Gigabit connections to Southern Crossroads, ESnet, the Telia Internet Exchange, and 30 Gigabits of commodity Internet connectivity through Telia.[4] MREX-ATL was opened in 2014 and is the first network facility operated by Virginia Tech located outside of Virginia.[5]

At Level3 in McLean, MREX's McLean facility, referred to as the National Capital Region (NatCap) Aggregation Facility, has a 10 Gigabit connection to Mid-Atlantic Crossroads and a connection to NetworkVirginia.[6]

From the Andrews Information Systems Building, there are redundant fiber connections to the main campus at both Burruss Hall and Cassell Coliseum. Owens Hall, Hillcrest Hall, and Shanks Hall have intermediate routers for some buildings. Nearly all Ethernet portals on campus are capable of 100 Mbps or Gigabit speeds, due to fiber interconnects between buildings; however, intrabuilding wiring varies in age and may not support high speeds. The vast majority of campus IPv4 addresses come from two directly-allocated blocks (128.173.0.0/16 and 198.82.0.0/16).

IPv6

CNS is a leader in the transition to IPv6, as their ASN consistently ranks in the top 5 in terms of percentage of IPv6 traffic, according to World IPv6 Launch Measurements. A dual-stack topology exists for the entirety of campus, but not all systems connected to the network are IPv6-enabled. One system that notably lacks connectivity is the main vt.edu website, which is due to a lack of support from the load balancers currently in use. For legacy reasons, Virginia Tech continues to use its /48 sub-allocation from the University of Maryland on many subnets, although newer equipment is being configured with the assigned IPv6 block (2607:b400::/32).

Unified Communications

In December 2011, CNS announced that a contract had been awarded to IBM and Avaya for Unified Communications, a project to both replace the aging ROLM phone system with SIP phones and upgrade the network infrastructure in each building. This has also somewhat reduced monthly rates of common telephone and Ethernet services for departments. While most buildings will be undergoing upgrades through 2014, it is unknown whether each will have full gigabit speeds at actual user ports. It is also unknown whether users will be able to use SIP softphones in conjunction with this.

Network Policies

Contrary to popular belief, CNS does not actively monitor users for torrenting activity; however, they are obligated to forward DMCA notifications to the relevant parties. Residential users that engage in peer-to-peer filesharing are often throttled (according to policy) if their daily upload average exceeds 4.9 GB. Campus-wide intrusion detection systems are deployed through cooperation with the IT Security Lab.

Port security is enabled on most ports, meaning that users are not permitted to attach a switch to the network and must pay for new connections for all devices. While the $20/month fee for gigabit connectivity is generally thought to be reasonable, the needs of many department networks lead them to evade this restriction through the use of NAT routing, ARP proxies, and/or NDP proxies. For most public portals, MAC address registration is often required, although some department ports are known not to carry this restriction.

Controversies

In addition to the network policies stated above, the following controversial activities have arisen:

  • CNS has begun deploying NAT to dorm buildings, starting with the Graduate Life Center[7], as it has done in the past with wireless access points.
  • In January 2013, emergency maintenance was done at Virginia Tech's uplink in Ashburn, but users were not informed in advance of the potential downtime. This initially took out VT's edge IPv4 access for several hours, and later resulted in intermittent routing issues at the BGP level until the next morning.
  • Like most administrative university offices, CNS is often regarded as highly bureaucratic. For example, the processes for obtaining SSL certificates or a DNS entry directly under "vt.edu" are especially tedious.
  • CNS services such as VT-Wireless (the secure wireless network) require use of MS-CHAPv2, which has been proven to be very insecure.[8]


References