Date

Attendees

Goals

  • Status Updates of work items (FOD/RepShield), especially:
        • FoD v1.5 transition to production
        • FoD v1.6 pilot
            • Enhancement of FoD rule API
            • Extended FoD rule concept
            • Firewall-Rule-Updater script
            • DDoS-Testing
  • Status of DDoS Detection/Mitigation WG:
        • GARR PoCs
  • Review Open Action Points from last VC(s)
  • Code on GitHub Issue solved (Tomas/Vaclav)
  • GDPR compliance
  • AOB
      • PSNC FoD Installation Issue
      • ACONET FoD edugain issue

Discussion items

Time | Item | Who | Notes

Firewall On Demand (FoD)
  • (info page for FoD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • FoD v1.5 = FoD with new functionalities: rule range specification, current rule behaviour statistic graphs, multi-tenant rule control REST-API
  • FoD v1.6 = FoD with automated rule proposal from RepShield
  • FoD v1.5 transition to production
      • David still needs to review Evangelos' changes in the Service Template
  • FoD v1.6 development
      • mail notifications on rule creates/edits will now inform any affected peer in FoD, not only the first one associated with the editing user
      • Tomáš is in the process of extending the extended rule format; he is now integrating it with the current v1.6 changes from David and starting to test NETCONF updates on the FoD test lab server
      • FoD demo at 14th STF meeting:
          • FoD in general (productive v1.1); v1.5 including REST API examples; v1.6 including FRU prototype proposing rules out of NShaRP DDoS events (via Warden)
          • questions/comments:
              • possibility to provide Software packages, at least support documentation, support mailing list -> add/update in Service Template
              • help PSNC solve pending issues in the FoD upgrade with the beanstalk access configuration in celeryd
              • FoD in partner portal?
              • better filtering/searching to provide better overview and handling of many rules
              • consider conflicting rules: e.g. overlapping peers, but also rules where source prefix overlaps with some peer
              • interconnection of different FoD instances (GEANT<->NREN<->institution)
          • => Ivana is in the process of creating a support mailing list
          • => JRA2-T6 will work on software installation/support documentation, and see what can be done regarding packaging before the end of the project

DDoS Detection/Mitigation (D/M) WG

GARR DDoS D/M PoCs/Testing Framework

      • The ARBOR and Radware PoCs have been completed
      • Ivana, Nino, David will define the index for a white paper reporting the findings, to share knowledge with the community
      • Nino agreed with his superiors in GARR that the results and experience should be presented at some appropriate upcoming meeting(s)

Holiday

Next VC

In 2 weeks: 25.07.2018, 14:15-15:15 CE(S)T

Action items

  • Tomáš: continue to work on FoD v1.6 improved rule structure
  • David: continue FirewallRuleUpdater development/testing
  • David: test the DDoS testing tool provided by Tomáš
  • David: review Evangelos' additions to the FoD service template (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) to get acquainted with it
  • Silvia, Ivana, Nino, David: agree on the index for the white paper about GARR DDoS Testing results/experience
  • all: next regular T6 VC: 25.07.2018, 14:15-15:15 CE(S)T

