This page contains service description outlining how and where service should be used, targeted users, service delivery model and service elements and topology. RESPONSIBLE: Information provided in this page is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager, with exception of CBA which remains the responsibility of business development team. |
Service description
FoD is a BGP-FlowSpec-based [RFC5575] [RFC7674], multi-tenant DDoS mitigation solution allowing users (connected NRENs or recursively connected institutions with own AS, especially the NOC admins of these organizations) to control DDoS mitigations for filtering normally routed IP traffic destined for their networks by using a web UI (manual) or a REST API (automated).
FoD is currently provided as a production service in the GÉANT core network using FoD software based on flowspy v1.8.
FoD v1.5 is in pilot phase. It adds support for explicit port ranges in rule specifications allowing more convenient mitigation with less rules, provides a multi-tenant REST-API allowing for automated user mitigation instead of manual one with WebUI, and provides rule mitigation statistics for user feedback.
FoD v1.6 is in design/development phase. It will provide automated rule proposals created out of DDoS events and information, in case of GÉANT particularly out of NSHaRP (Network Security Handling and Response Process) DDoS events.
FoD v1.8 upgrades the underlying software framework the platform is build upon to the most recent version. It also added IPv6 support for injecting routes into the GÉANT core network, fixed bugs and added a few enhancement to the user interface.
Users
FoD users are connected NRENs or recursively connected institutions with their own AS; especially the NoC admins of these organizations
#users >= #(of connected NRENs)
The direct benefit for the users is that they can themselves start/monitor/stop DDoS mitigation actions regarding their IP traffic without contacting GÉANT NOC in an manual (WebUI) or automated (REST API) fashion, i.e. a flexible, independent, fast DDoS mitigation.
Contacts
All operations, business development and stakeholders contacts
Service Manager | Deputy Service Manager | L1 support | L2 support | L3 support |
---|---|---|---|---|
Evangelos Spatharas | security@geant.org |
Service delivery model
Add explanation about organisation of service delivery
In GÉANT, FoD, currently running v1.8, for GÉANT core network, is operated by GÉANT NOC. FoD users are all NREN NOCs as well as any recursively connected institutions having their own AS. Any potential user can subscribe to FoD service and afterwards use the service, that can be accessed it via the web portal address. Authentication of users is based on eduGAIN.
Service Elements
Service Elements, with brief description and links to products, resource instances and software stack of the service, indicating the software components types - if they are internally (in-house) developed, OSS or commercial off-the-shelf software. Service elements can be grouped in two following categories:
Technology infrastructure
Add list and description of products and resources used to deliver main functionalities of the service. Add service technical architecture - i.e. its good to have a conceptual architectural diagram and topology diagram.
FoD Software is OSS, internal name of the software is flowspy. It was initially developped by GRNET NOC for GÉANT in earlier phases of the project. While GRNET is still continuing the development of FoD on its own regarding GRNET special needs, in GN4-SGA2 FoD was further developed by JRA2-T6 regarding GÉANT needs (as well as potential future generic NREN needs for running FoD on their own in their core network). The software has been further developed in GN4-3 to update the code to Python3 and the latest Django framework. The code continues to be developed in the GN5-1 project. All code is published at GitHub and available freely through https://github.com/GEANT/FOD.
FoD is written in python, mainly based on django. It is run in production mode behind an apache web server.
FoD support eduGAIN logins for its users, based on apache edugain support.
FoD (along with apache with edugain support, a mysql database and a supporting software (redis, celeryd) is run on a single VM with possibility to connect a particular core router via NETCONF for pushing its BGP FlowSpec rules. Feature releases will support injecting BPG-flowspec rules directly.
FoD uses SNMP to gather basic statistics on packets dropped for all active rules.
Supporting infrastructure
Add list and descriptions of products and resources used to deliver supporting services such as specialized monitoring and measuring systems, configuration management system, issue/ticket reporting system, etc.)
Cost Benefit Analysis
CBA draft documents can be found as attachment in FoD CBAs (restricted access)