自律システムの運用を実践する環境 “AS DOJO” の設計

Transcript

1. ͔͠Θ͖͟ͻΖ͖ ࣗ཯γεςϜͷӡ༻Λ
   ࣮ફ͢Δ؀ڥ
   l"4
   %0+0z
   ͷઃܭ AS-DOJO: Design and implementation of a

   practical and virtual EGP testbed

2. ຊ೔ͷ͜Μͩͯ Table of contents ⿣ ίϯϐϡʔλ͓ͨ͘ͷՌ͠ͳ͖ྲྀΕͷՌͯʹ
   ⿣ ͦ͜Ͱ%JTUDMPVEͰ͢
   ·ͨ܅͔ʙ ɻ
   

   ⿣ զʑ͸Ͳ͜΁ߦ͘ͷ͔ɻ
   ⿣ ·ͱΊͱࠓޙͷల๬

3. ͸͡Ίʹਆ
   +PIO
   1PTUFM ͸*1ΞυϨεͱܦ࿏੍ޚද ͱΛ૑଄͞Εͨɻ
   ܦ࿏੍ޚද͸ܗͳ͘ɺΉͳ͘͠ɺ΍Έ͕෵ͷ͓΋ͯʹ ͋Γɺਆͷྶ͕ਫͷ͓΋ͯΛ͓͓͍ͬͯͨɻ
   ਆ
   +
   )BXLJOTPO
   5
   #BUFT
   ͸ʮ"4͋Εʯͱݴ͍Θ

   Εͨ
   3'$
   ɻ͢Δͱ"4͕͋ͬͨ
   
   ɻ
   ਆ͸ͦͷ"4Λݟͯɺྑ͠ͱ͞Εͨɻਆ͸ͦͷ"4ͱҋ ͱΛ෼͚ΒΕͨɻ ϙεςϧ ૑ੈه
   תישארב

4. ۙـେֶ͸ύϒϦοΫͳ AS൪߸Λ͍࣋ͬͯΔͷʹ Ͳ͏ͯ͠ӡ༻ͯ͠ ͍ͳ͍ΜͰ͔͢ ͭͿΒͳಏͰਘͶΒΕͨ ֶੜ ͤ΍ͳʜɻ

5. https://www.nic.ad.jp/timeline/20th/chapter5.html #(1ͷ஀ੜ

6. https://www.nic.ad.jp/timeline/20th/chapter5.html

7. https://www.homenoc.ad.jp/

8. None
9. None

10. アマチュアAS運用を議論するBoF 2024年07月05日(木) JANOG54 一般社団法人 Home NOC Operators Group https://speakerdeck.com/as59105/amatiyuaasyun-yong-woyi-lun-surubof-janog54

11. https://www.enternet.jp/

12. యܕతφʔυͷਐԽܗଶ The evolutionary form of a typical computer nerd Πϯλʔωοτ
    

    ͱͷॳ઀৮͔Β
    *1ΞυϨεΛ஌Γ
    ΠΩΓࢄΒ͔͢ ༮೥ظ δϡϒφΠϧ ੨೥ظ ऴ຤ظ ݻఆ*1ΞυϨε
    ΁ͷڧ͍ಌጦ
    *1W΁ͷ໨֮Ί ࣗ୐αʔόͷ࣮ݱ
    ҳൠͷޡՈఉͷ
    ωοτϫʔΫ΁ ݸਓ"4
    ӡ༻ ௒͑ΒΕͳ͍น

13. ݸਓ"4ͷนͱ͸
     ⿣ ϐΞϦϯά૬खΛͲ͏ݟ͚ͭΔ͔
    ಉ޷ͷ͕࢜ू͏ʹͯ͠΋ɺͲ͔͜άϩʔόϧ"4ͱ઀ଓ͢ Δحಛͳ"4͕ͳ͚Ε͹
    *OUFSOFU
    SFBDIBCMF
    ʹͳΒͳ͍ 1SJWBUF
    "4 1SJWBUF
    "4 1SJWBUF
    "4 (MPCBM
    "4

14. ݸਓ"4ͷนͱ͸ ⿣ Α͠Μ͹ݟ͚ͭͨͱͯ͠ɺͲ͜ͰͲ͏઀ଓ͢Δ͔
    ͦͷ"4ͷڥքϧʔλ·ͰͲ͏઀ଓ͢Δ͔ɻಉ͡%$ͷۙ͘ ͷϥοΫΛआΓͨΓ͢Δͷ͔ɻ ˞
    ͜Εʹ͍ͭͯ͸*53$
    NFFUͰ &OUFSOFUͷখ໺ଜ͞Μ͔ΒʮϑϨοπ ͷ/(/Ͱτϯωϧ۷ͬͯQPJOU
    UP
    QPJOUͰ઀ଓ΋Մʯͱ͍͏
    ඇެࣜͳ

    खଓ͖΋͋Δ͜ͱΛڭ͑ͯ΋Βͬͨ

15. ݸਓ"4ͷนͱ͸ ⿣ άϩʔόϧ"4ͷऔಘྉۚ
    *1ΞυϨε؅ཧࢦఆࣄۀऀͷܖ໿ྉͱΞυϨε*1ҡ࣋ྉ https://www.nic.ad.jp/ja/ip/member/fee.html

16. None

17. https://www.sinet.ad.jp/connect_service/service/bgp

18. https://www.sinet.ad.jp/connect_service/service/bgp

19. ,ZVTIV
    4BOHZP 6OJW ,ZVTIV
    4BOHZP 6OJW ,ZVTIV
    *OTUJUVUF
    PG 5FDIOPMPHZ ,ZVTIV
    *OTUJUVUF
    PG 5FDIOPMPHZ ,ZVTIV 6OJW

    ,ZVTIV 6OJW 3ZVLZV 6OJW 3ZVLZV 6OJW ,65 ,PDIJ
    6OJWFSTJUZ PG
    UFDIOPMPHZ ,65 ,PDIJ
    6OJWFSTJUZ PG
    UFDIOPMPHZ /** /BUJPOBM
    *OTUJUVUF PG
    *OGPSNBUJDT /** /BUJPOBM
    *OTUJUVUF PG
    *OGPSNBUJDT NEY NEY /"*45 /BSB
    JOTUJUVUF
    PG TDJFODF
    BOE
    UFDIOPMPHZ /"*45 /BSB
    JOTUJUVUF
    PG TDJFODF
    BOE
    UFDIOPMPHZ +"*45 +BQBO
    "EWBODFE
    *OTUJUVUF PG
    TDJFODF
    BOE
    5FDIOPMPHZ +"*45 +BQBO
    "EWBODFE
    *OTUJUVUF PG
    TDJFODF
    BOE
    5FDIOPMPHZ )JSPTIJNB 6OJW )JSPTIJNB 6OJW ,BOB[BXB 6OJW ,BOB[BXB 6OJW ,ZPUP 6OJW ,ZPUP 6OJW 0TBLB 6OJW 0TBLB 6OJW 5PIPLV 6OJW 5PIPLV 6OJW 5*5&$) 5PLZP
    *OTUJUVUF PG
    UFDIOPMPHZ 5*5&$) 5PLZP
    *OTUJUVUF PG
    UFDIOPMPHZ )PLLBJEP 6OJW )PLLBJEP 6OJW 4*/&5 4BQQPSP
    %$ 4*/&5 4BQQPSP
    %$ (VONB
    6OJW (VONB
    6OJW ,JOEBJ ,JOEBJ 4*/&5 'VLVPLB
    %$ 4*/&5 'VLVPLB
    %$ ,*5 ,JUBNJ
    *OTUJUVUF PG
    UFDIOPMPHZ ,*5 ,JUBNJ
    *OTUJUVUF PG
    UFDIOPMPHZ 6$4% 6OJWFSTJUZ
    PG
    $BMJGPSOJB 4BO
    %JFHP 6$4% 6OJWFSTJUZ
    PG
    $BMJGPSOJB 4BO
    %JFHP ޿Ҭ෼ࢄϓϥοτϑΥʔϜ
    %JTUDMPVE
    4JODF
    

20. https://www.sinet.ad.jp/connect_service/service/l2vpn

21. 71-4
    3'$

22. $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI 3ZVLZV $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI

    $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI ,46 )BOEBJ 3*&$ 71-4

23. $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI 3ZVLZV $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI

    $PNQVUJOH
    OPEF &EHF
    TXJUDI $BNQVT
    TXJUDI ,46 )BOEBJ 3*&$    CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *% CS
    7-"/
    *%

24. VLAN A153 VLAN B153 VPLS site A site B VLAN

    A153.AB QinQ VLAN B153.AB QinQ VLAN A156d
    MPDBM VLAN B156d
    MPDBM Distcloud ver.3

25. https://www.sinet.ad.jp/connect_service/service/l2vpn

26. https://www.sinet.ad.jp/connect_service/service/l2vpn

27. https://www.sinet.ad.jp/connect_service/service/l2vpn

28. https://www.sinet.ad.jp/connect_service/service/l2vpn

29. https://www.sinet.ad.jp/connect_service/service/l2vpn

30. 1IZTJDBM
    .BDIJOFT %JTUDMPVEDPSF 7JSUVBM
    3PVUFS -71/71-4 2JO2 *&&&R "4 "4 "4 "4

    "4 "4 1SJWBUF
    "4 (MPCBM
    "4 4*/&5 1BSUJDJQBUJOH 0SHBOJ[BUJPO 1IZTJDBM 3PVUFS "4 "4 "4 "4 "4 "4 "4 ෼ࢄඇதԝूݖࢦ޲"4ӡ༻ςετϕου
    "4%0+0
    "VUPOPNPVT
    4ZTUFN
    %JTUSJCVUFE
    %FDFOUSBMJ[FE
    0SJFOUFE
    +PJOU
    0QFSBUJPO 

31. VLAN A153 VLAN B153 VPLS site A site B VLAN

    A153.AB QinQ VLAN B153.AB QinQ VLAN A156d
    MPDBM VLAN B156d
    MPDBM Using 31-Bit Prefixes on IPv4 Point-to-Point Links RFC3021 IEEE802.1q QinQ

32. ෼ࢄඇதԝूݖࢦ޲"4ӡ༻ςετϕου
    "4%0+0
    "VUPOPNPVT
    4ZTUFN
    %JTUSJCVUFE
    %FDFOUSBMJ[FE
    0SJFOUFE
    +PJOU
    0QFSBUJPO  େࡕڭҭେ ௗऔେֶ ޿ౡେֶ ܈അେֶ

    0TBLB
    ,ZPJLV
    6OJWFSTJUZ 5PUUPSJ
    6OJWFSTJUZ )JSPTIJNB
    6OJWFSTJUZ (VONB
    6OJWFSTJUZ ,JOEBJ
    6OJWFSTJUZ େࡕେֶ 6OJWFSTJUZ
    PG
    0TBLB ౦ژՊֶେֶ 4DJFODF
    5PLZP ژ౎େֶ גࣜձࣾ -PDBM ,ZPUP
    6OJWFSTJUZ -PDBM
    *OD ,ZPUP
    8PNFO` T
    6OJWFSTJUZ ژ౎ঁࢠେֶ ,ZPUP
    4OBHZP
    6OJWFSTJUZ ژ౎࢈ۀେֶ ෱Ԭঁࢠେֶ 'VLVPLB
    8PNFO` T
    6OJWFSTJUZ ۝भ࢈ۀେֶ ,ZVTIV
    4BOHZP
    6OJWFSTJUZ ௕࡚ݝཱେֶ 6OJWFSTJUZ
    PG
    /BHBTBLJ ۙـେֶ

33. ւ֎Ͱͷಈ޲ ⿣ l1&&3*/(z
    "$.
    $P`/&95
    
    Ծ૝Խ#(1࣮ݧج൫ʮ1&&3*/(ʯɻ୯Ұͷ#(1Τοδ ϧʔλΛෳ਺ͷ࣮ݧʹ҆શʹڞ༗͢Δ࢓૊ΈʮW#(1ʯɻ
    ෺ཧ"4ͱಉ౳ͷ੍ޚݖݶΛఏڙ͢Δɻطʹڌ఺ʹల։ ͞ΕɺҎ্ͷωοτϫʔΫͱ઀ଓ͓ͯ͠ΓɺҎ্ ͷֶज़࿦จͰͷݚڀͷج൫ͱͯ͠ར༻͞Ε͍ͯΔɻ

    Brandon Schlinker, Todd Arnold, Italo Cunha, and Ethan Katz-Bassett. 2019. PEERING: virtualizing BGP at the edge for research. In Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies (CoNEXT '19). Association for Computing Machinery, New York, NY, USA, 51–67. https://doi.org/10.1145/3359989.3365414

34. PEERING: Virtualizing BGP at the Edge for Research Brandon Schlinker†

    Todd Arnold‡ Italo Cunha𝐿‡ Ethan Katz-Bassett‡ † University of Southern California ‡ Columbia University 𝐿 Universidade Federal de Minas Gerais ABSTRACT Internet routing research has long been hindered by obstacles to executing the wide class of experiments necessary to characterize problems and opportunities, and evaluate candidate solutions. Prior works proposed a platform that would provide experiments with control of an Internet-connected AS. However, because BGP does not natively support multiplexing or the requisite security policies for building such a platform, prior works were ultimately unable to realize this vision. We present P!!"#$%, a community platform that provides multiple parallel experiments with control and visibility equivalent to directly operating a production AS. P!!"#$% is built atop vBGP, our design for virtualizing the data and control planes of a BGP edge router while simultaneously enforcing security policies to prevent experiments from disrupting the Internet and each other. With P!!"#$%, experiments operate in an environment qualitatively similar to that of a cloud provider, and can exchange routes and tra!c with hundreds of neighboring networks and the broader Internet at locations around the world. To date, P!!"#$%’s rich connectivity and "exibility have enabled it to support over 40 experiments and 15 publications in key research areas such as security, tra!c engineering, and routing policies. CCS CONCEPTS [12, 43, 44]. The growth in connectivity is seen as an opportu- nity to improve performance, but the improvements come at a cost: increased complexity of network con#guration and tra!c engineering, accompanied by increased security risks [87]. Due to the shortcomings of the Border Gateway Protocol (BGP), the protocol responsible for inter-Autonomous System (AS) communi- cation, content and cloud providers build sophisticated, customized controllers and measurement systems to handle the additional com- plexity [80, 81, 100, 104]. Researchers and network operators are well aware of BGP’s limitations and their impact on performance [44, 47, 60, 81, 101], availability [54, 66, 104], and security [69, 87], but progress to- wards overcoming these challenges is slow. A signi#cant barrier to exploring solutions is that BGP does not lend itself well to support- ing experimentation. Emulation and simulation cannot accurately model the Internet due to the lack of transparency in BGP and the proprietary nature of routing policies [28, 53, 54, 59, 86]. Existing tools that provide visibility into the current state of BGP [42, 73, 76] or perform measurements [27, 62, 67, 72] cannot interact with the routing ecosystem, so they can only provide limited insight into the current policies and connectivity of an AS [13, 49]. To gain better insight into how solutions will perform, experi- ments need to interact with and a$ect the Internet’s routing ecosys- tem. Interacting with the actual routing ecosystem would require researchers to take control of a real production AS and its resources: Brandon Schlinker, Todd Arnold, Italo Cunha, and Ethan Katz-Bassett. 2019. PEERING: virtualizing BGP at the edge for research. In Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies (CoNEXT '19). Association for Computing Machinery, New York, NY, USA, 51–67. https://doi.org/10.1145/3359989.3365414

35. ઀ଓ༧ఆػث ⿣ "MBYBMB͝ఏڙͷ ݹ͍ ػث
    ⿣ 7Z04
    ⿣ 2VBHHB
    ⿣

    '33PVUJOH
    ⿣ $JTDP
    93%
    SPVUFS
    ⿣ TEQMBOF
    XJSFUBQ
    AIOPCWA (intel N100, SFP+x2) Partaker C4 (Celeron J3160)

36. https://www.interop.jp/

37. None

38. Join us!!!

39. None

40. ·ͱΊ Conclusion ए͍΋ͷΛ৐͓͍ͤͯͯ ఐࢠ֎͢Α͏ͳਅࣅ͸͢ΜͳΑ ؊ʹ໏͡·͢ɻ ੍࡞ɾஶ࡞