This meeting occurred at SLAC on 11/29/07. The attendees included: Richard Mount, Yee Ting Li, Gary Buhrmaster, Wei Yang, Les Cottrell (SLAC); Shawn McKee (U of Michigan); Dantong Yu (BNL). Bob Cowles (the SLAC Computer Security Officer - CSO) was traveling and so unable to attend. The following are rough notes taken by Les Cottrell.

Background 

The purpose of the meeting was to raise and start addressing issues concerning deploying at SLAC the Terapaths dynamic path selection using QoS techniques (henceforth referred to as QoS). SLAC has been a part of the DoE funded Terapaths research project for roughly 2.5 years. Originally SLAC's contribution was oriented towards monitoring. In addition, SLAC is now getting involved to test/evaluate the Terapaths QoS service. This is a research project to tie together other QoS services, such as ESnet's OSCARS project for the wide area, with path selection on the site. If successful this will demonstrate a potential way to provide such path selection as a production service.

The next step in the Terapaths project is to take the initial research implementation and deploy it in test mode at various sites. This will help to try it out, expose issues, provide feedback to developers, determine its suitability and stability, compare it to other possibilities, indicate for what purposes (e.g. video conferencing, data transfer, real time control) it could/should be applied, what security risks it poses, what compromises and resources will be needed, how it applies to USAtlas sites, etc. Currently it has been applied at University of Michigan and Boston University. Deploying at SLAC is the next challenge. In many ways SLAC is a new challenge: being a DoE Lab, it has new constraints compared to a university.

As part of this we have already purchased a suitable Cisco 65xx router and it was successfully installed as a test set up at SLAC for the BNL led Terapaths SuperComputing 2007 demonstration. Yee wrote a security plan for this set up, and following SC07 it was agreed to take down the setup. During the demo the SLAC equipment was on an external network.  The mechanism uses a software device driver that sends commands to a router to set ACLs to mark packets.

Issues 

Gary has concerns that the code base has been contributed to by many people, that it may not be secure, that it has not been reviewed, and that it is unclear whether there are resources at SLAC to make such a code review. Thus we need a document to understand the risks, mitigations, and costs, and to identify residual risks. The residual risks will need to be accepted by the CSA and DAA. Richard stated that SLAC as a Lab needs to be involved with research. Thus what is needed is a productive dialog between networking and security to create a document that thoughtfully addresses the issues so we can balance the risks versus costs and impedances. This in itself will be a contribution to Terapaths. It will probably evolve from a document that addresses a pure research set up / sand box (without access to the production network) to one that provides production access to the SLAC farms.

Next Steps 

The next steps are to put together a first draft of the document. The aim will initially be towards research, which will enable us to learn the costs/benefits and determine if and how to move towards production services. Yee will start from the current SC07 document and hopes to have a rough first cut by end December; this will be shared and reviewed with Gary and Terapaths to improve it and make sure it makes sense. We hope to have a working agreed upon copy available by the end of January 2008. The goal is to have a first cut at a service that interfaces with production farm nodes by the end of April 2005.

In terms of outside drivers, USATLAS has a Computer Service Challenge at the end of February, and an Intensive Data Test in May.

We also discussed other problems, such as power (this should be addressed by early next year) and the need for another router (we hope to provide this from the infrastructure).
