<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rss PUBLIC '-//Netscape Communications//DTD RSS 0.91//EN' 'http://my.netscape.com/publish/formats/rss-0.91.dtd'>
<rss version="0.91">
  <channel>
    <title>CESNET Technical Reports</title>
    <link>http://www.cesnet.cz/doc/techzpravy/</link>
    <description>Overview of technical reports released by CESNET</description>
    <language>en</language>
<item>
  <title>High Available eduroam RADIUS server (23/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/ha-eduroam-radius-server</link>
  <description>AUTHORS: J. Tomášek. 
    This document describes the national RADIUS proxy server of the
Czech eduroam federation, implemented as a highly available
cluster consisting of two nodes housed in two geographically
separated localities. The cluster acts as a single IP address to ease
setup of the RADIUS servers at the side of the connected
organisations. Switchover between the active and passive node is done by
a Gratuitous ARP packet. Control and monitoring of the cluster
are done by the heartbeat daemon from the Linux-HA project.
  </description>
</item>
<item>
  <title>Shibboleth authentication for Adobe Connect Pro (22/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/shibb-auth-adobe-connect-pro</link>
  <description>AUTHORS: I. Novakov. 
    This technical report describes the technical process of
    implementing Shibboleth authentication for the Adobe Connect Pro
    application. It is intended for system administrators with
    practical experience with the Shibboleth Service Provider
    software.
  </description>
</item>
<item>
  <title>Transition to Inter-Cluster Scheduling Architecture in
MetaCentrum (21/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/inter-cluster-scheduling</link>
  <description>AUTHORS: M. Ruda, Š. Tóth. 
    For the last ten years, scheduling of computational jobs across
MetaCentrum (the Czech national grid) was managed by one central PBSPro
installation. The reason for this decision was the possibility to schedule
jobs between different clusters (spread across the whole Czech Republic)
with full understanding of the complete situation of all clusters, with
a shared fair-share policy for users, and with better support for large
jobs running across different clusters. Development effort was
concentrated on improving the stability of this setup (especially in case
of instability of the national network connecting different clusters)
and on support for advanced scheduling methods and virtualization. Yet,
with the growing number of clusters and processors, this setup is
becoming problematic and may become a single point of failure and
a scalability bottleneck. In this paper we study the possibility of changing
the MetaCentrum scheduling system to a system of less dependent clusters,
each maintained by a separate server and scheduler, but still fulfilling
the original requirements on central accounting of jobs, fair share of
computational resources across the complete MetaCentrum, and the possibility to
schedule large jobs or virtual clusters across such an
infrastructure. Because several of the reasons for choosing PBSPro
are also invalid in such a setup (PBSPro was chosen for its better
stability in such a large setup and a better scheduling system
supporting a large number of jobs), we are also evaluating the
possibility to switch the scheduling system from PBSPro to the open-source
Torque system. The main features of PBSPro used by MetaCentrum are
listed, together with a discussion of the state of such features in
Torque, possible replacements, and required development of missing
features.
  </description>
</item>
<item>
  <title>Security Considerations in IP Telephony Network Configuration (19/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/security-voip-network-config</link>
  <description>AUTHORS: M. Petrovič. This Technical Report deals with fundamental security
  settings in networks to provide secure VoIP services. Example
  configurations of Cisco devices are included as well.</description>
</item>
<item>
  <title>Manager-Assistant IP Phone Setup (18/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/manager-assistant-ip-phone-setup</link>
  <description>AUTHORS: M. Petrovič. This Technical Report discusses manager-assistant IP phone
  setup relying on Linksys IP phones.</description>
</item>
<item>
  <title>Universal Transcoder to Convert FLAC Streaming Audio to Other
  Formats (20/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/universal-transcoder-flac</link>
  <description>AUTHORS: M. Wimmer. It was our goal to design and implement a universal
  transcoder capable of real-time conversion of loss-less FLAC streams
  to other formats, making them available to other streaming servers
  or end-user clients.  We have succeeded in implementing a system
  with an open, modular architecture, whose components may be freely
  combined or replaced with alternatives. This is very important,
  especially in the case of output stream producers, whose choice is
  not limited to a single encoding application. Any program capable of
  processing the input stream and generating output per specifications
  may be used as a producer. The implementation of the transcoder
  relies exclusively on free technologies.</description>
</item>
<item>
  <title>Virtual Clusters as a New Service of MetaCentrum, the Czech
NGI (17/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/virtual-clusters-metacentrum</link>
  <description>AUTHORS: M. Ruda, Z. Šustr, J. Sitera, D. Antoš, L. Hejtmánek, P. Holub, M. Mulač. 
    MetaCentrum, the Czech NGI, started to virtualize the
infrastructure several years ago. The virtual nature of the resources,
being integrated with the resource management system, is mostly hidden
from end users. We are introducing a new public service - virtual
cluster - which turns the virtualized infrastructure into an end-user
service. The virtual cluster service provides an illusion of totally
dedicated clusters running on a shared infrastructure under complete
user control, including administrator access and user specified
application environment. Virtual machines and clusters are handled in
a way similar to ordinary computation jobs, planned for batch or
interactive processing. We developed an extension to job scheduler
PBSPro and new management tools to smoothly integrate virtual cluster
service into production environment. Networking is a vital part of the
service, where Czech NREN CESNET2 technology allows managing virtual
cluster network without perceivable overhead. Virtual network is seen
as a new resource.
    This report is an extended version of the paper called "Virtual
Clusters as a New Service of MetaCentrum, the Czech NGI", which was
presented at CGW 2009.
  </description>
</item>
<item>
  <title>Shibboleth IdP cluster using Terracotta (16/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/shibboleth-terracota</link>
  <description>AUTHORS: I. Novakov. 
    The article describes how to deploy Shibboleth IdP in a cluster
environment using Terracotta for session replication. The text is
suitable for skilled Shibboleth IdP administrators with general
knowledge of Apache web server, Tomcat servlet container and networks
in general.
  </description>
</item>
<item>
  <title>Precise Timestamp Generation Module and its Applications in Flow Monitoring (13/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/timestamp-module-flowmon</link>
  <description>AUTHORS: Tomáš Martínek, Martin Žádník.
    Precise timestamps assigned to individual packets play an important
role for network traffic analysis and measurement of network
infrastructure. Moreover, combining precise timestamps with flow-based
analysis allows us to measure the quality of end-to-end and other
QoS-oriented applications. This technical report describes a hardware
module for precise timestamp generation dedicated to the netflow
monitoring probe FlowMon. It shows the module hardware architecture,
measurement of timestamp accuracy, and a discussion of possible use
cases in flow-based applications.
  </description>
</item>
<item>
  <title>iHDTV Protocol Implementation for UltraGrid (12/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/ihdtv-implementation-ultragrid</link>
  <description>AUTHORS: Miloš Liška, Martin Beneš, Petr Holub.
    This report describes the implementation of the iHDTV video conferencing
protocol for UltraGrid. In addition to compatibility with the
original iHDTV tool, the implementation of this protocol allows for
splitting of the video stream and sending it through two different
network interfaces. This makes it possible to send a stream of uncompressed HDTV
video, which requires 1.2 Gbps or 1.5 Gbps of available bandwidth,
over a GE network infrastructure.
  </description>
</item>
<item>
  <title>Security Risks in IP Telephony (8/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/security-risks-ip-telephony</link>
  <description>AUTHORS: Miroslav Vozňák, Filip Řezáč.
  This technical report deals with VoIP communication
  security and various techniques of VoIP attacks. We divided these
  threats into several categories according to their specific behaviour
  and their impact on the affected system. We also tried to find
  effective methods to prevent or mitigate these attacks. We focused
  our work on Spam over Internet Telephony (SPIT) as a real threat for
  the future. We have developed both a tool generating SPIT attacks
  and an AntiSPIT tool defending communication systems against SPIT
  attacks. AntiSPIT represents an effective protection based on
  a statistical blacklist and works without participation of the called
  party, which is a significant advantage.</description>
</item>
<item>
  <title>Robust Audio Tool (RAT) Supporting Separate Recording and Playback Audio Devices Selection (10/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/rat-separate-record-playback</link>
  <description>AUTHORS: Tomáš Rebok, Martin Beneš, Milan Kabát.
    This technical report describes the modifications of the Robust
Audio Tool (RAT) application that allow its users to select separate
recording and playback audio devices. These modifications have been
driven especially by the requirement to support professional sound
cards providing separate half-duplex recording and playback audio
devices only, which the original RAT is not able to make use of.
  </description>
</item>
<item>
  <title>Impact of IPsec on Speech Quality (7/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/impact-ipsec-speech-quality</link>
  <description>AUTHORS: M. Vozňák, F. Řezáč. This technical report deals with an analysis of voice over
  secure communication links based on IPsec. Security increases
  overhead and hence requires a change in bandwidth allocation. We deal
  with issues such as its calculation and the impact of packet loss
  and delay on speech quality. Such basic information describing the
  transmission path is important for estimating the overall
  speech quality. The achieved results should help in network design
  and optimizations, as network operators need to maintain certain
  levels of service quality.</description>
</item>
<item>
  <title>All-optical Wavelength Converter (6/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/all-optical-wavelength-converter</link>
  <description>AUTHORS: P. Škoda, J. Vojtěch, M. Karásek, T. Uhlář, M. Hůla, S. Šíma, J. Radil. 
    We present a working sample of a wavelength converter with a
photonic multicast option. The key prototype component is the
commercial module from CIP Technologies. The device utilizes
wavelength conversion in the interferometric scheme through cross
phase modulation in a semiconductor optical amplifier. We tested
conversion efficiency at 10 Gbps speeds; 40 Gbps tests will
continue. Basic setup, alignment and performance measurements are
also described.
  </description>
</item>
<item>
  <title>Deployment of CL VMUX devices in CESNET Experimental Facility (5/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/cl-vmux-deployment</link>
  <description>AUTHORS: M. Hůla, J. Vojtěch, J. Radil. In this article we summarize properties of various
  technologies for VMUXes. We then describe our practical experience
  with the CL VMUX, which is based on the PLC technology. We also
  investigate the behavior of the CL VMUX device after power loss.</description>
</item>
<item>
  <title>Fault-tolerant Access Control in Distributed
  Environment - the MetaCentrum Authorization Infrastructure (4/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/access-control-distributed</link>
  <description>AUTHORS: D. Kouřil, M. Procházka. 
    Although a lot of authorization frameworks have emerged recently, they all tend to be all-or-nothing solutions and thus are hard to integrate with an existing infrastructure. The frameworks also often introduce new critical components, which are too complex and not robust enough, making deployment and operation difficult. In this report we present an authorization infrastructure which is simple and robust enough to be used in a large distributed environment, yet able to express and handle a reasonable range of access control policies.
  </description>
</item>
<item>
  <title>G3 System - extensions in 2009 (15/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/g3-extensions</link>
  <description>AUTHORS: T. Košňar. 
    The G3 system aims to be a set of complex tools designed for
  large-scale and continuous network infrastructure measurement
  visualization and reporting. We focused on two areas of
  system development in 2009 - measurement capabilities of the G3
  system, especially in the area of virtual infrastructure monitoring,
  and processing efficiency of the G3 stand-alone automated
  visualization tool - the G3 system reporter.
  </description>
</item>
<item>
  <title>40 Gbps communication channels test over the CESNET2 DWDM
  optical transmission network (3/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/40g-channels-over-dwdm</link>
  <description>AUTHORS: V. Novák, K. Slavíček. 
    This paper describes 40 Gbps communication channels tests over
    the current CESNET2 10 Gbps DWDM optical transport system between
    the main CESNET2 PoPs in Praha and Brno. These tests were
    performed with both ODB (1OC768-ITU/C, also known as Godzilla) and
    DPSK+ (1OC768-DPSK/C, also known as Godzilla+) modulations. There
    were several reasons for this experiment:
    
    - Verify the solution for possible deployment of 40 Gbps
      over the existing DWDM system.
    - Compare the performance of both solutions under different
      conditions.
    - Verify the 40-Gbps IPoDWDM technology.
    
    40 Gbps communication channels have been tested on two possible
    optical paths between Praha and Brno PoPs, also called South and
    North paths. The basic 2-way fiber lines parameters are:
    
    - Southern path: length=299 km, OSNR=~15 dB, residual
      CD=153/153 ps/nm, average PMD=2.13 ps/km (for both fibers), mix
      of G.655/G.652
    - Northern path: length=462 km, OSNR=~15 dB, residual
      CD=324/424 ps/nm, average PMD=2.13 ps/km (for both fibers),
      G.652 only.
    
    The PMD values were not measured for all used fibers, but all
    the values were estimated from CTP (Cisco Transport Planner)
    simulation. The Southern path was verified for 40-Gbps
    transmission by Cisco optical engineers in Monza.
  </description>
</item>
<item>
  <title>Audio Transport Implementation for UltraGrid Platform (11/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/audio-transport-ultragrid</link>
  <description>AUTHORS: M. Liška, M. Beneš, P. Holub. This document describes the implementation of real-time
  transmissions of high-quality audio for the UltraGrid platform. We
  have opted for a standards-compatible implementation of audio
  transmissions in accordance with RFC 3190. Also, our goal was to
  preserve the multi-platform character of UltraGrid and allow for
  future enhancements of the audio subsystem in UltraGrid. Therefore
  we have based the implementation on the Portaudio
  library.</description>
</item>
<item>
  <title>Flow Measurement Extension for Application Identification (14/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/flow-measurement-applications</link>
  <description>AUTHORS: M. Žádník. 
    Modern networks are expected to provide a wide range of
application-oriented services. While some applications require a
network to be loss-free and low-delay with low jitter, others are fault
tolerant and happily trade off quality for higher bandwidth. In order
to measure these requirements and subsequently provide them, network
nodes must be able to determine the application in the traffic
carried. Since flow measurement is usually utilized to gain
information about the traffic mix, we propose to extend it with an L7
decoder based on signature matching to identify the part of
applications that are not covered by other methods, such as port
lookup, fingerprinting and behavioral analysis. As an example, we
compare signature matching and port lookup on a CESNET backbone link
in order to motivate our future work on a hybrid application
identification system based on a combination of several approaches.
  </description>
</item>
<item>
  <title>Overlapping eduroam Networks Operated by Different Organizations
(2/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/eduroam-overlap/</link>
  <description>AUTHORS: J. Fürman. 
    This paper describes one of the most problematic parts of the
    eduroam network deployment in a heterogeneous
    environment and its possible solution. The problem described in
    this paper may occur whenever two or more organizations providing
    the eduroam wireless network cover the same
    physical space and their radio networks overlap. This well-known
    issue is also mentioned in the European roaming policy. The aim of
    this article is to describe the general technical solution - not
    to provide the detailed configuration procedure. This would be
    just a useless replication of manual pages.
  </description>
</item>
<item>
  <title>VirtCloud: Virtual Network for User-controlled Virtual Clusters
(1/2009)</title>
  <link>http://www.cesnet.cz/doc/techzpravy/2009/virtcloud-design/</link>
  <description>AUTHORS: D. Antoš, L. Matyska, P. Holub, J. Sitera. 
    Networking infrastructure is a vital part of virtual computer
    clusters. This report describes VirtCloud, a system for
    interconnecting virtual clusters in a state-wide network based on
    advanced features available in academic networks. The system
    supports dynamic creation of virtual clusters without the need of
    run-time administrative privileges on the backbone core network,
    encapsulation of the clusters, controlled access to external
    sources for cluster hosts, full user access to the clusters, and
    optional publishing of the clusters. The report describes
    the architecture of the system and a prototype implementation in
    MetaCenter (the Czech national Grid infrastructure) using the Czech
    national research network CESNET2. The feasibility of the concept is
    evaluated through a series of measurements demonstrating that the
    network performance of the system is satisfactory.
  </description>
</item>
  </channel>
</rss>
