Helmholtz Backbone Network
The networks of the individual Helmholtz centres are being interconnected on the basis of a high-bandwidth network with mutual trust and increased overall security.
The backbone is an overlay of the DFN X-WiN, using the existing connections Helmholtz centres have via DFN. It is a virtual local area network, or VLAN, that is orchestrated by DFN in its so-called “Helmholtz VRF”, specific to HIFIS, with no link to the internet.
The following map shows the DFN optical fibre network and the centres currently connected to the Helmholtz Backbone.
Background map of Helmholtz centres taken from helmholtz.de. Version as of June 2022.
Why do we need the backbone?
- Protection of existing resources, for example shielding a sensitive resource in a Helmholtz centre from public HTTP requests.
- Simplified access, for example bypassing firewalls for connections between Helmholtz centres.
- Availability of resources: potentially reduced latency between centres.
What are the use cases?
Two use cases are being developed in the frame of the Helmholtz Backbone:
- Use case 1: Direct connection between private IP addresses of two different Helmholtz centres.
  This is typically the case when a scientist is working in a satellite station of their institution at another centre and wants to access their home institution’s servers. This use case is currently being implemented to connect HZDR equipment at XFEL (via DESY) to the HZDR networks, which are not normally accessible outside of HZDR’s local network.
- Use case 2: Data transfers using WebFTS over the backbone.
  This use case is currently being investigated for sharing data between centres when the data itself should not be transferred through the internet. This way, the transfers are conducted over a route that provides additional security on top of the standard HTTPS connection. For more details on the transfer service provided by HIFIS, please visit this page.
Technical preparations
Centres with pre-existing BGP peering with DFN
Each centre has to configure its routing to the Backbone and may decide whether or not to use dedicated hardware. In particular, if a trust relationship between the HIFIS partners can be established, the firewall/IPS system between the LAN and the router on the path via the “DFN Helmholtz VRF” could be omitted to allow faster data transfers, because the traffic would not have to be deeply inspected. This is illustrated in the picture below for Helmholtz centre A.
Centres without existing BGP peering with DFN
Some centres do not have an existing BGP peering with DFN. In this case, it is also possible to set up a generic routing encapsulation (GRE) tunnel from the Helmholtz institute to (e.g.) DESY and to configure a BGP peering within this GRE tunnel. This is, for example, the case for UFZ, which is currently connected to the Backbone via DESY.
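Use case 1 routes private addresses between centres over these BGP peerings, which only works if the announced prefixes do not collide. The following is an added example, not part of the original page or of any HIFIS/DFN tooling; the centre names and address plans are constructed. It audits planned announcements for overlaps between centres and for a default route, which would pull non-backbone traffic into a VRF that has no link to the internet.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: prefixes each centre plans to announce into the
# backbone. Centre names and address plans are hypothetical.
ANNOUNCEMENTS = {
    "centre-a": ["10.10.0.0/16", "172.16.4.0/22"],
    "centre-b": ["10.20.0.0/16", "172.16.6.0/24"],  # lies inside centre-a's /22
    "centre-c": ["192.168.50.0/24", "0.0.0.0/0"],   # default route
}


def audit_announcements(announcements):
    """Return sorted findings as (kind, centre, prefix, detail) tuples."""
    findings = []
    parsed = []
    for centre, prefixes in announcements.items():
        for text in prefixes:
            # strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/16)
            net = ipaddress.ip_network(text, strict=True)
            if net.prefixlen == 0:
                findings.append(("default-route", centre, text, ""))
                continue  # would trivially overlap with everything else
            parsed.append((centre, net))

    # Two centres announcing overlapping ranges make routing ambiguous:
    # the more specific prefix silently wins for part of the other's range.
    for (c1, n1), (c2, n2) in combinations(parsed, 2):
        if c1 != c2 and n1.version == n2.version and n1.overlaps(n2):
            findings.append(("overlap", c1, str(n1), f"{c2} {n2}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, centre, prefix, detail in audit_announcements(ANNOUNCEMENTS):
        print(f"{kind:14} {centre:10} {prefix:18} {detail}")
```
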
Drafts of policies (restricted to HIFIS)
Monitoring
Info
Upcoming: Proof of concept and testing for possible hardware and software issues.