Network Layout at CN Sites
==========================

Describes the network layout for the Coordinating Node hosting locations at ORC,
UCSB, and UNM.


ORC
---

DataONE services are operated from a single location at ORC.

.. TODO:: Firewall and packet inspection at ORC

The ORC network that the VMs operate on is:


UCSB
----

There are two locations where DataONE servers operate from: NCEAS and Campus.
DataONE nodes (test and production) operate on the Campus. Some other services
such as Subversion and the Plone site operate at NCEAS.

.. TODO:: Firewall and packet inspection at UCSB and NCEAS


The UCSB network that the VMs operate on is:

:Subnet: 128.111.54.64/26
:Broadcast: 128.111.54.127
:Netmask: 255.255.255.192


The NCEAS network where DataONE services operate is:

:Subnet: 128.111.84.0/25
:Broadcast: 128.111.84.127
:Netmask: 255.255.255.128


UNM
---

DataONE servers operate from two locations: the UNM Research Library (RL) and
the DataONE offices in the building on Basehart (Basehart). All production CNs
and MNs, and most of the test CNs and MNs, operate out of the RL.

The UNM internet connection has in place an intrusion detection system that
performs packet inspection. All traffic entering and leaving the campus passes
through this system. The network at Basehart on which DataONE machines are
running has no additional firewall or traffic inspection. The network at the RL
is additionally protected by an institutional firewall that blocks all incoming
traffic by default. Outgoing traffic is not affected.

The RL network that DataONE VMs operate on is:

:Subnet: 64.106.40.0/26
:Broadcast: 64.106.40.63
:Netmask: 255.255.255.192

There is an institutional firewall between the RL subnet used by DataONE and the
internet. The firewall rules are currently (2012-07-30) configured as:

The address group DataONE-subnets_ingress referenced by the rules contains:

==================  =======================================
Address             Host / Alias
==================  =======================================
128.111.36.0/24     University of California, Santa Barbara
129.24.0.0/16       UNM Networks partial
129.237.201.155/32  University of Kansas
160.36.13.0/24      University of Tennessee
==================  =======================================

The ingress rules, evaluated in order:

=====  ============================  ============  =================  =======================================
Rule   Source subnet                 Destination   Service / Ports    Description
=====  ============================  ============  =================  =======================================
1      JuniperVPN, 129.24.220.64/28  Any           [ip]               Juniper SSL VPN access
2      UNMVPN, 129.24.228.80/28      Any           icmp               DataONE ICMP VPN access
3      UNMVPN, 129.24.228.80/28      Any           ip                 DataONE VPN access
4      Any                           Any           DataONE Services   Allow SSH and HTTP/HTTPS from anywhere
5      DataONE-subnets_ingress       Any           [tcp] 5701-5705    Allow access to Hazelcast ports
6      DataONE-subnets_ingress       Any           [tcp] 389, 636     Allow LDAP and LDAPS access
7      LibraryVPN, 129.24.220.64/28  64.106.40.4   ip                 Library VPN to firewall context
8      DataONE-subnets_ingress       Any           [tcp] 6556         Monitoring system ingress
9      DataONE-subnets_ingress       Any           [tcp] 5432         PostgreSQL communications
10     DataONE-subnets_ingress       Any           [tcp] 7612, 7632   Peering VPN
=====  ============================  ============  =================  =======================================
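As an added worked example (not DataONE's own tooling), the following script encodes the rule table and the DataONE-subnets_ingress group above and reports which rule, if any, admits a given inbound packet, so a change to the group or the VM subnets can be checked against the policy before it is deployed. The port set behind the "DataONE Services" object (tcp 22, 80, 443) is an assumption taken from the description of rule 4.

```python
"""Evaluate an inbound packet against the RL ingress rule table above.

Added example, not DataONE's own tooling. Rules and the ingress group are
transcribed from this page; the "DataONE Services" ports (tcp 22, 80, 443)
are an assumption. Ingress is default-deny, so no match means blocked.
"""
import ipaddress

# Address groups: the page's ingress group plus the VPN ranges from the table.
GROUPS = {
    "DataONE-subnets_ingress": ["128.111.36.0/24", "129.24.0.0/16",
                                "129.237.201.155/32", "160.36.13.0/24"],
    "JuniperVPN": ["129.24.220.64/28"],
    "UNMVPN": ["129.24.228.80/28"],
    "LibraryVPN": ["129.24.220.64/28"],
    "Any": ["0.0.0.0/0"],
}
DATAONE_SERVICES = {22, 80, 443}  # assumed: SSH, HTTP, HTTPS

# (rule, source group, destination, protocol, allowed ports or None for all)
RULES = [
    (1, "JuniperVPN", "Any", "ip", None),
    (2, "UNMVPN", "Any", "icmp", None),
    (3, "UNMVPN", "Any", "ip", None),
    (4, "Any", "Any", "tcp", DATAONE_SERVICES),
    (5, "DataONE-subnets_ingress", "Any", "tcp", set(range(5701, 5706))),
    (6, "DataONE-subnets_ingress", "Any", "tcp", {389, 636}),
    (7, "LibraryVPN", "64.106.40.4", "ip", None),
    (8, "DataONE-subnets_ingress", "Any", "tcp", {6556}),
    (9, "DataONE-subnets_ingress", "Any", "tcp", {5432}),
    (10, "DataONE-subnets_ingress", "Any", "tcp", {7612, 7632}),
]

def in_group(addr, group):
    """True if addr falls in any CIDR of the named address group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in GROUPS[group])

def matching_rule(src, dst, proto, port=None):
    """First rule number that admits the packet, or None if it is blocked."""
    for num, sgroup, rdst, rproto, rports in RULES:
        if not in_group(src, sgroup):
            continue
        if rdst != "Any" and ipaddress.ip_address(dst) != ipaddress.ip_address(rdst):
            continue
        if rproto != "ip" and rproto != proto:  # "ip" matches any protocol
            continue
        if rports is not None and port not in rports:
            continue
        return num
    return None
```

Running it against the UCSB VM subnet listed above (128.111.54.64/26) returns None for the LDAP ports, because that range is not in the ingress group; that is the kind of gap this check is meant to surface before a host is moved.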


The Basehart network that DataONE services operate on is:

:Subnet: 129.24.0.0/24
:Broadcast: 129.24.0.255
:Netmask: 255.255.255.0

There is no institutional firewall between these machines and the internet, so
they rely on the iptables configuration on each host to block access as
appropriate.