Asia Pacific Regional Internet Conference on
Operational Technologies
Technical Requirements for the APRICOT Summit Network
The APRICOT Summit network has fairly straightforward infrastructure
needs. Most importantly, APRICOT runs an open and high speed network,
recognising that delegates need to carry on with their day job reliably
and without impediment while they are attending APRICOT.
Venue Requirements
The APRICOT venue is normally a large conference hotel able to
handle the space requirements of an 800 delegate event in three
parallel sessions over 4 days.
The APRICOT venue must permit APRICOT to deliver its own network
infrastructure via two separate Internet Service Providers. These
links are commonly delivered over fibre optic links to the
demarcation point in the venue. The venue must facilitate the
connection of these links and the equipment used so that APRICOT
can provision its own fixed and wireless network infrastructure
for streaming, on-line participation, and delegate Internet
access.
It is never feasible for APRICOT to use a hotel's guest
Internet access. Hotels never have sufficient wireless density in
the convention space, never have sufficient bandwidth from their
service provider, and have unnecessarily restrictive access policies
designed for room guests. APRICOT is the region's premier
Internet operations conference and all delegates have high
expectations of the quality of the Internet access provision.
Wireless Network Infrastructure
The wireless network infrastructure is provisioned, where possible, through the
entire conference venue for the duration of the workshop and conference days
of APRICOT. The wireless network equipment is provided by a sponsor or the local
organising partner. Requirements:
- Wireless access points must support 2.4GHz and 5GHz, and at least
the IEEE 802.11ac standard. Support for IEEE 802.11b must be disabled.
- Wireless access points need to be enterprise grade, capable of handling
80 or more associations per device.
- Wireless access points need to support Power over Ethernet (IEEE 802.3af
or, additionally, IEEE 802.3at)
- Wireless access points must support band steering - the ability to
steer supporting clients from 2.4GHz to 5GHz channels.
- Wireless access points need to use and be controlled by a central
controller accessible by the conference network operations staff
- Main conference wireless network uses 5GHz, with only a few access
points provisioned supporting 2.4GHz
- The conference wireless network needs to be configured with non-overlapping
channels. For 2.4GHz these are channels 1, 6, 11, and 14 only, at a channel
width of 20MHz. For 5GHz, these are the UNII-1 and UNII-3 ranges, again
with a channel width of 20MHz. UNII-2 and UNII-2 Ext can be used if
local regulations permit.
- The quantity of access points required is ascertained by site survey
according to projected room capacities prior to the procurement of
equipment. Note that the typical APRICOT delegate often has two or
three wireless capable devices.
There are two wireless networks provisioned at APRICOT:
- The standard dual stack SSID known as apricot which provides
both a global IPv4 address (by DHCP) and global IPv6 address (by SLAAC)
to the connecting clients. Authentication is by WPA2-PSK.
- An IPv6-only SSID known as apricot-v6 which provides IPv6-only
connectivity for connecting clients (no IPv4 at all). Authentication
is by WPA2-PSK.
Physical Wired Network Infrastructure - Workshop Week
During the workshop week, each workshop room requires an ethernet
drop. The ethernet drop in each workshop room is provisioned like this:
- Physically provisioned as 1Gbps ethernet (Cat5e or Cat6 termination)
- A single fixed IPv4 and IPv6 address assigned to each workshop (the workshop
routers are provided by the workshop instructors)
- Each workshop receives its own address allocation, providing a /27 IPv4 subnet
and a /48 IPv6 subnet.
The workshop rooms themselves do not require any conference provisioned WiFi
as the workshop instructors provide this via their own equipment. However it
is necessary to provision an access point or two in the general areas outside
the workshop rooms to ensure that delegates have wireless Internet access
available when the workshops are not running.
Physical Wired Network Infrastructure - Conference Week
During conference week, each of the three conference halls requires an ethernet
drop for the conference webcast. This ethernet drop is provisioned like this:
- Physically provisioned as 1Gbps ethernet (Cat5e or Cat6 termination)
- Each room is on its own physical subnet
- Each room receives its own address allocation, providing a /27 IPv4 subnet
and a /64 IPv6 subnet.
- Each room receives its own routed address allocation, providing a routed
IPv6 /48 subnet (should any presenter require this)
The conference wireless network needs to be deployed the day after the workshops
conclude, to provide coverage for side meetings that take place prior to the
conference week commencing, and to assist the Secretariat in setting
up the registration counter and the infrastructure teams in setting up the
venue rooms.
The conference Registration Counter requires a fixed wired ethernet
drop on its own subnet and at minimum an 8-port ethernet switch
so that staff computers and registration printers have fixed
network access independent of the conference wireless.
The conference Secretariat requires a fixed wired ethernet
drop on its own subnet and at minimum a 16-port ethernet switch
so that staff computers and Secretariat printers have fixed
network access independent of the conference wireless.
Network Core
The network core needs to be fully redundant, with the
provisioning of dual Layer-3 switches. These Layer-3 switches can be provided
by a sponsor or by the local host. The Layer-3 switches
need to support:
- 1Gbps Ethernet copper (and fibre if required)
- PoE (IEEE 802.3af or, additionally, IEEE 802.3at) support
for the wireless access points.
- Multiple VLANs, inter-VLAN routing, VLAN trunks, RSTP
- Inter switch link by 10Gbps (DAC or fibre)
- IPv4 and IPv6 static routing and the IS-IS dynamic routing protocol
- DHCP snooping, RA Guard, Dynamic ARP inspection, IGMP snooping
- DHCP-relay/helper
- uRPF for IPv4 and IPv6 on all VLANs
- Management via SSH and SNMPv2
- Full configuration via command line interface.
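The uRPF requirement above is the one that stops a delegate VLAN from sourcing spoofed packets. The following is an added example, not part of this document and not the configuration of any particular switch vendor: a small Python model of the strict and loose uRPF checks, run over a constructed routing table that uses the prefixes from the conference address plan and over a few constructed sample packets. The interface names, the routing table and the packets are assumptions made for the example.

```python
"""Added example (not part of the APRICOT document): a model of the unicast
Reverse Path Forwarding (uRPF) check the core Layer-3 switches apply on every
VLAN, for IPv4 and IPv6 alike.

Strict mode accepts a packet only if the longest-prefix-match route for its
source address points back out of the interface it arrived on; loose mode
only requires that some non-default route covers the source.  The routing
table, interface names and sample packets are constructed for this example."""
import ipaddress

# Constructed routing table: (prefix, egress interface).  The default routes
# point at the border routers, everything else at a conference VLAN.
ROUTES = [
    ("0.0.0.0/0", "border-uplink"),
    ("::/0", "border-uplink"),
    ("220.247.144.0/21", "vlan-wireless"),
    ("220.247.152.0/27", "vlan-webcast-hall1"),
    ("2001:df9:0:1::/64", "vlan-wireless"),
    ("2001:df9:0:0::/64", "vlan-wireless-v6only"),
]


def parse_routes(routes):
    return [(ipaddress.ip_network(p), iface) for p, iface in routes]


def lookup(table, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface in table:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def urpf_allows(table, src, ingress, mode="strict"):
    """True if a packet with source `src` arriving on `ingress` passes uRPF."""
    match = lookup(table, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0:
        # A default route must not satisfy uRPF: it would make every spoofed
        # source look reachable and defeat the check entirely.
        return False
    if mode == "loose":
        return True
    return iface == ingress


def check_packets(routes, packets, mode="strict"):
    """Evaluate (source, ingress interface) pairs; returns a list of booleans."""
    table = parse_routes(routes)
    return [urpf_allows(table, src, ingress, mode) for src, ingress in packets]


# Constructed sample traffic seen by the switch.
SAMPLE_PACKETS = [
    ("220.247.145.10", "vlan-wireless"),     # genuine wireless client
    ("198.51.100.7", "vlan-wireless"),       # spoofed source on the delegate VLAN
    ("220.247.152.5", "vlan-wireless"),      # webcast address used on the wrong VLAN
    ("2001:df9:0:1::1a", "vlan-wireless"),   # genuine IPv6 client
    ("2001:db8::1", "vlan-wireless"),        # spoofed IPv6 source
    ("198.51.100.7", "border-uplink"),       # Internet traffic; only the default matches
]

if __name__ == "__main__":
    for (src, ingress), ok in zip(SAMPLE_PACKETS, check_packets(ROUTES, SAMPLE_PACKETS)):
        print(f"{src:>18} via {ingress:<22} {'pass' if ok else 'DROP'}")
```

The last sample packet shows why the default route is deliberately excluded: on the uplink every source matches the default, so uRPF there says nothing useful, which is why the document asks for uRPF on the VLANs, where the switch knows exactly which prefixes belong.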
It is expected that the switches will operate as two independent cores
with half the connections on one switch, and half on the other. In the
unlikely event of a switch failure, the physical connectivity for devices
connected to the failed switch would be moved over to the other
operational switch. There isn't any requirement for redundant connectivity
out to the edge.
Network Operations
A network operations LAN needs to be provisioned to host any NMS and other
network operations systems deemed necessary for the conference network. This
might include, at a minimum:
- LibreNMS - to monitor the devices across the conference network
- NfSen or ElastiFlow - to monitor traffic flow across the
conference border network
- Smokeping - to monitor network performance
- WiFi Controller - to manage the wireless access points
- Routinator - to provide RPKI validator cache for the border routers
- DHCP server - DHCP server for conference network
- DNS resolver - DNS resolvers for conference network
These devices are normally provisioned as separate VMs on a host appliance, for
example, an Intel NUC. It is better to have two for redundancy.
It is useful to have a large screen near the registration counter to display
current network monitoring statistics from the above network operations
infrastructure.
Conference Border Network
APRICOT connectivity uses two independent network operators, and therefore
two border routers are provisioned. The two border routers will normally be
supplied by a sponsor or by the local host. Each of these two border routers
will connect to both core ethernet switches supporting the conference
core infrastructure.
The requirements of the border routers are as follows:
- Full support of core BGP standards for IPv4 and IPv6.
- Full support of IS-IS dynamic routing protocol to talk with the core
Layer-3 switches
- Full support of Route Origin Validation, including the configurable
dropping of invalid routes.
- Full support of BGP prefix filtering
- Minimum throughput of 1Gbps
- Support for packet filtering (in hardware) to protect the conference network
from the Internet and protect the Internet from the conference network
- Fully configurable via command line interface.
- Management via SSH and SNMPv2
- Connectivity to the core Layer-3 switches by 1Gbps or higher (higher than
the Internet access bandwidth provided).
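Route Origin Validation and prefix filtering are the two requirements above that keep bad routes out of the conference network; the following added example, which is not part of this document and not any router's configuration language, shows the logic both implement. It classifies announcements as valid, invalid or not-found per RFC 6811 against a VRP set of the kind the Routinator cache on the operations LAN would serve, and applies a simple inbound filter (no default route, nothing more specific than /24 or /48, never our own address space from an upstream) before the validity decision. The APRICOT AS number and prefixes are those stated in this document; the VRP rows, the ASNs 64496 to 64498 and the 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 prefixes are constructed placeholders.

```python
"""Added example (not part of the APRICOT document): RPKI Route Origin
Validation (RFC 6811) plus the inbound prefix filter the border routers must
support.  VRP rows, the ASNs 64496-64498 and the documentation prefixes are
constructed placeholders; the APRICOT AS and blocks come from the document."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """One Validated ROA Payload as served by an RPKI cache such as Routinator."""
    prefix: Network
    max_length: int
    asn: int


APRICOT_ASN = 24555
APRICOT_PREFIXES = [ipaddress.ip_network("220.247.144.0/20"),
                    ipaddress.ip_network("2001:df9::/32")]
MAX_PREFIXLEN = {4: 24, 6: 48}   # longest prefixes accepted from the Internet

# Constructed VRP set: (prefix, max length, origin AS).
VRP_ROWS = [
    ("220.247.144.0/20", 24, APRICOT_ASN),
    ("2001:df9::/32", 48, APRICOT_ASN),
    ("203.0.113.0/24", 24, 64496),   # placeholder for another network's ROA
    ("2001:db8::/32", 48, 64496),    # placeholder for another network's ROA
]


def load_vrps(rows) -> List[VRP]:
    return [VRP(ipaddress.ip_network(p), ml, asn) for p, ml, asn in rows]


def rov_state(vrps: List[VRP], prefix: str, origin_asn: int) -> str:
    """Classify a route per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"      # no ROA covers this prefix at all
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"            # covered, but origin AS or length disagrees


def prefix_filter_reason(prefix: str) -> Optional[str]:
    """Return why an upstream announcement is rejected, or None if it passes."""
    route = ipaddress.ip_network(prefix)
    if route.prefixlen == 0:
        return "default route not accepted"
    if route.prefixlen > MAX_PREFIXLEN[route.version]:
        return f"more specific than /{MAX_PREFIXLEN[route.version]}"
    for own in APRICOT_PREFIXES:
        if own.version == route.version and route.subnet_of(own):
            return "own address space learned from upstream"
    return None


def evaluate(vrps: List[VRP], announcement: Tuple[str, int],
             drop_invalid: bool = True) -> Tuple[str, str]:
    """Prefix filter first, then ROV; returns (decision, reason)."""
    prefix, origin = announcement
    reason = prefix_filter_reason(prefix)
    if reason is not None:
        return ("reject", reason)
    state = rov_state(vrps, prefix, origin)
    if state == "invalid" and drop_invalid:
        return ("reject", "rov invalid")
    return ("accept", f"rov {state}")


# Constructed sample announcements: (prefix, origin AS).
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),          # ROA matches: valid
    ("203.0.113.0/25", 64496),          # too specific for the filter (and the ROA)
    ("2001:db8:1::/48", 64497),         # wrong origin for the covering ROA: invalid
    ("198.51.100.0/24", 64498),         # no ROA: not-found, still accepted
    ("220.247.144.0/20", APRICOT_ASN),  # our own block offered back to us
    ("0.0.0.0/0", 64496),               # a default; the document wants a full feed
]

if __name__ == "__main__":
    table = load_vrps(VRP_ROWS)
    for ann in SAMPLE_ANNOUNCEMENTS:
        decision, why = evaluate(table, ann)
        print(f"{ann[0]:>18} AS{ann[1]:<6} {decision:<7} {why}")
```

Not-found routes are accepted on purpose: most of the routing table still has no ROA, so dropping them would cut the conference off; the "configurable dropping of invalid routes" the document asks for is the `drop_invalid` switch, which should be on once the validator cache is confirmed healthy.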
Conference Upstream Connectivity
APRICOT requires redundant Internet access from two independent network
operators with independent fibre connectivity out of the venue to their
closest Point of Presence. These network operators are the connectivity
sponsors for APRICOT.
The requirements for the upstream providers are as follows:
- Minimum of 1Gbps guaranteed throughput
- Completely unfiltered connectivity: no firewalls, no proxies, no NAT,
no content "management", etc. Internet access means just that.
- Full BGP feed (IPv4 and IPv6) with no default route
- Accept the announcement of the APRICOT AS (24555) and address
space (IPv4: 220.247.144.0/20, IPv6: 2001:df9::/32) from APRICOT routers
and send to all customers, peers, and upstreams.
- Ensure that their AS-SET includes the APRICOT AS, and that all customers,
peers, and upstreams have updated their filters to permit the APRICOT
address space to be accepted.
- Ensure that the APRICOT address space is announced to any local content
cache operators (eg Facebook, Google, Akamai, Cloudflare, etc) to optimise
the content distribution towards delegate users.
If it is possible to also connect the APRICOT conference network to the
local Internet Exchange Point, that'd be a very welcome extra.
The conference network operators need to announce the APRICOT address blocks
from the APRICOT AS number several weeks in advance of the conference, and
ensure that all filters are updated, and that the reachability of the
address space is truly global. The conference network operators, along with
APRICOT, need to ensure and verify that the geolocation of the conference
address blocks actually points to the host economy.
Conference Address Plan
The standard address plan used for the APRICOT network is documented below.
- IPv4:
  - 220.247.144.0/21 for wireless users
  - 220.247.152.0/23 subnetted for wired (webcasting, secretariat and
    registration)
  - 220.247.154.0/24 subnetted for workshops
  - 220.247.155.0/24 to 220.247.157.0/24 reserved
  - 220.247.158.0/24 for p2p links (addressed as /31) and loopbacks (addressed
    as /32)
  - 220.247.159.0/24 for management LAN servers/services and AP management
    addresses
  - Default gateway is at the first unicast address of each network.
- IPv6:
  - Each segment has a /64
  - 2001:df9:0:0::/64 for IPv6-only wireless SSID
  - 2001:df9:0:1::/64 for wireless users
  - 2001:df9:0:2::/64 to 2001:df9:0:F::/64 for wired (webcasting, secretariat,
    registration)
  - 2001:df9:1:0::/64 for management LAN servers
  - 2001:df9:10::/48 for p2p links (/64 reserved, addressed as /127) and
    with 2001:df9:10:0::/64 for loopbacks (addressed as /128)
  - 2001:df9:11::/48 to 2001:df9:15::/48 for workshops
  - Default gateway is at the first unicast address of each network and
    fe80::1/64 if possible.
Specific addressing details:
- DNS resolvers usually sit on 220.247.159.2/2001:df9:1::2 and
220.247.159.3/2001:df9:1::3.
- DHCP servers usually sit on the same addresses as the DNS resolvers.
- Every other device is findable via the DNS. Sensible address planning is
recommended and is left to the conference network operator to devise.
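An address plan is easy to get subtly wrong when it is typed up by hand, so here is an added example, not part of this document, that checks the plan above with Python's ipaddress module: every block must sit inside the APRICOT allocations, no two blocks may overlap, the wired /23 is carved into the /27 per-room subnets the wired-drop sections call for, the default gateway is derived as the first unicast address of a segment, and the resolver addresses are confirmed to land on the management LAN. The plan data is transcribed from this page; the function names are the example's own. The sub-allocation of loopbacks inside the p2p /48 is not listed separately because it is deliberately nested.

```python
"""Added example (not part of the APRICOT document): consistency checks for
the conference address plan, using the prefixes stated in the document."""
import ipaddress

APRICOT_V4 = ipaddress.ip_network("220.247.144.0/20")
APRICOT_V6 = ipaddress.ip_network("2001:df9::/32")

# The IPv4 plan as written in the document: (purpose, prefix).
IPV4_PLAN = [
    ("wireless users", "220.247.144.0/21"),
    ("wired (webcast, secretariat, registration)", "220.247.152.0/23"),
    ("workshops", "220.247.154.0/24"),
    ("reserve", "220.247.155.0/24"),
    ("reserve", "220.247.156.0/24"),
    ("reserve", "220.247.157.0/24"),
    ("p2p links and loopbacks", "220.247.158.0/24"),
    ("management LAN and AP management", "220.247.159.0/24"),
]

# The IPv6 plan; the loopback /64 lives inside the p2p /48 and is not repeated.
IPV6_PLAN = (
    [("IPv6-only wireless SSID", "2001:df9:0:0::/64"),
     ("wireless users", "2001:df9:0:1::/64")]
    + [("wired", f"2001:df9:0:{i:x}::/64") for i in range(2, 16)]
    + [("management LAN servers", "2001:df9:1:0::/64"),
       ("p2p links and loopbacks", "2001:df9:10::/48")]
    + [("workshops", f"2001:df9:{i:x}::/48") for i in range(0x11, 0x16)]
)


def plan_problems(plan, parent):
    """List blocks outside `parent` and pairs of blocks that overlap."""
    nets = [(purpose, ipaddress.ip_network(p)) for purpose, p in plan]
    problems = []
    for purpose, net in nets:
        if net.version != parent.version or not net.subnet_of(parent):
            problems.append(f"{net} ({purpose}) is outside {parent}")
    for i, (p1, n1) in enumerate(nets):
        for p2, n2 in nets[i + 1:]:
            if n1.version == n2.version and n1.overlaps(n2):
                problems.append(f"{n1} ({p1}) overlaps {n2} ({p2})")
    return problems


def carve(prefix, new_prefixlen):
    """Split a block into equal subnets, e.g. the wired /23 into room /27s."""
    return [str(s) for s in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefixlen)]


def default_gateway(prefix):
    """First unicast address of the segment, as the plan specifies."""
    net = ipaddress.ip_network(prefix)
    return str(net.network_address + 1)


def segment_for(address, plan):
    """Which plan entry an address falls in, or None if unplanned."""
    addr = ipaddress.ip_address(address)
    for purpose, p in plan:
        net = ipaddress.ip_network(p)
        if addr.version == net.version and addr in net:
            return purpose
    return None


if __name__ == "__main__":
    for label, plan, parent in (("IPv4", IPV4_PLAN, APRICOT_V4), ("IPv6", IPV6_PLAN, APRICOT_V6)):
        problems = plan_problems(plan, parent)
        print(f"{label} plan: {'ok' if not problems else problems}")
    rooms = carve("220.247.152.0/23", 27)
    print(f"wired /23 yields {len(rooms)} room subnets, first {rooms[0]} gw {default_gateway(rooms[0])}")
    for resolver in ("220.247.159.2", "2001:df9:1::2"):
        print(f"{resolver} sits on: {segment_for(resolver, IPV4_PLAN) or segment_for(resolver, IPV6_PLAN)}")
```

The plan check is worth re-running whenever a block is moved between purposes; an accidental overlap between, say, the workshop /24 and a wired room subnet would surface as two VLANs fighting over the same gateway address, which is hard to diagnose on the day.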
Page last updated on Friday, 30-Jun-2023 14:41:58 AEST.