ICC Home  /  Members  /  Meetings  /  Peer Support  /  Documentation  /  Projects

Minutes of January 14th, 2010 ITAC-NI Meeting:


back to ITAC-NI minutes index

    Link to ACTION ITEMS from meeting

    AGENDA:

    1. Approve prior minutes
    2. CNS Data Center update
    3. IPv6 update
    4. Should UF provide a centralized service for web certificates to save money and improve management?
    5. Governance update, and the role of ITAC-NI
    6. Should we track the outline of committee issues on the UF Wiki?

    CALL TO ORDER:

    This meeting was scheduled in CSE E507 at 1:30 pm on Thursday, January 14th and was made available via videoconference with live-streaming and recording for future playback. Prior announcement was not made via the Net-Managers-L list, so our broader audience might not have been aware of the meeting. The meeting was called to order by ITAC-NI chairman, Dan Miller, Network Coordinator of CNS Network Services.

    ATTENDEES: Fifteen people attended this meeting locally. There were four attendees via Polycom videoconference and no records of how many may have listened into the stream via a web browser using the web interface.

    Eleven members were present: Ron Cigna (via Polycom), Dan Cromer, Erik Deumens, Tim Fitzpatrick, Craig Gorme, Shawn Lander, Steve Lasley, Chris Leopold, Tom Livoti, Dan Miller, and Handsford (Ty) Tyler.

    Three members were absent: Charles Benjamin, Clint Collins, and Margaret Fields.

    Eight visitors participated as well: Jeff Capehart, Joe Gasper, Todd Hester, Stephen Kostewicz (via Polycom), John Madey, Marcus Morgan, Dave Pokorney (via Polycom), and Jan van der Aa (via Polycom).


    Viewing the recording

    You may view the recording via the web at http://128.227.156.84:7734. Currently, you will need to click on the "Top-level folder" link, then the "watch" link next to the "ITAC-NI Meeting_14Jan10_14.15" item. It was expected that these recording would be moved into the ITAC-NI folder shortly after each meeting, but that hasn't been the case since October of last year. Cross-platform access may not be available; on the Windows platform you will have to install the Codian codec.

    Audio archive

    An archive of audio from the meeting is available.

    1) Approve prior minutes

    No corrections or additions were offered and the minutes were consequently approved.

    2) CNS Data Center update

    2-1) Overall project status

    Tim Fitzpatrick began by providing a summary of the plans for building an additional data center off of the main campus in eastern Gainesville as discussed at our October meeting.

    2-1-1) Plans have been in progress nearly eighteen months

    Planning first began nearly eighteen months ago with the intention of providing a second site for disaster recovery, expanded facilities for High Performance Computing, and possibly liberating some on-campus space for the hosting of departmental virtual servers. Six months into planning they had considered piggy-backing this onto the East Campus office building--perhaps as a second or third floor. After an additional six months of consideration it was decided that this should be a separate but adjacent building. That closeness would permit the sharing of some facilities such as a chilled water plant, etc. These major plan changes delayed selection of an architect and engineering firm by another four months. On August 14th they had made those selections and were at the point where a go-ahead would have initiated construction.

    2-1-2) Things have stalled since mid-October

    Since that time, however, almost nothing has happened. The major cause of that delay is a dispute over the physical location of the data center within the footprint of the East Campus. Engineering felt that the proposed location would intrude on a number of their plans for that area. Discussion on that matter has been going back and forth for nearly five months now. Tim suspects this basically involves discussions among Cammy Abernathy (Dean of the College of Engineering), Joe Glover (Provost), as well as Ed Poppell (Vice President for Business Affairs) and others responsible for fiscal planning.

    2-1-3) Location decision will affect costs

    Tim said that the exact location is unlikely to affect the overall functioning of the new data center. However, the location decision will affect the ability to leverage existing utilities and may thus affect overall costs.

    2-1-4) Delays are complicating other decisions

    Behind the scenes, funding sources and loan plans are now being affected as well. Coordination of related implementation activities such as the necessary fiber-between here and there are being placed in question. There are a lot of things which Tim had believed were decided which now require reconsideration.

    2-1-5) The move-in date has slipped

    Tim wished that he had better news to relate. Originally they were hoping for a move-in date of October 2010. That date likely has now slipped at least six months.

    2-1-6) The next step

    Tim believes that as customers CNS (represented by himself) and the CIO (Chuck Frazier) should ask the project managers (Fred Rowe and Carol Walker of Facilities Planning & construction) where things stand and when things can get moving.

    2-2) Floor space allocation details

    Ty asked for details on how much floor space would be available and how space would be classified via the conventional Data Center Tier system.

    Tim responded that the plan is to provide 5000 sq. ft. of Tier III (rough compliance though perhaps not certifiably so) for the ERP systems and 5000 sq. ft. of Tier I (again roughly) for High Performance Computing. A fairly detailed aisle layout had already been planned based on the two areas being arranged on consecutive rectangular-shaped floors, one above the other. Now there are discussions about have the two areas side-by-side and Tim is uncertain how that will affect the existing aisle layout plans. It had been thought prior that building on two-floors might provide a path to additional space down-the-road. Now future expansion opportunities are unclear.

    2-3) Network planning for the new data center

    2-3-1) An opportunity for upgrading to new technology

    Dan Miller related that they obviously have more time for planning that was originally thought. They had begun by considering duplicating what is currently deployed in SSRB and CSE; that is, Cisco Catalyst 6509 switches with Application Control Engine (ACE) modules. After consultation with Cisco they realized that now may be the right time to consider the Nexus series of switches which represent Cisco's newer technology. Those newer switches are much higher performing in terms of frames, packets and 10 Gbps ports and offer a better price as well.

    2-3-2) Nexus capabilities will address redundancy needs

    Features do not overlap exactly between the two Cisco platforms, however, which presents some new design challenges. It also presents an opportunity as well. They had discussed many options for redundancy between the main campus and eastside campus data centers, but the current leading proposal involves two large Nexus 7000 series boxes virtually divided into two different logical routing and switching domains. This would provide redundancy for both their eastside and main campus customers.

    Dan Miller suggested that perhaps a network engineer could provide the committee a more detailed description at a later meeting.

    2-3-3) The HPC network will remain isolated

    Craig Gorme asked how the presence of the HPC facility out there might affect the network. Dan Miller responded that the HPC network will be completely isolated just as it is here currently. They do not plan to provide any redundancy for that network.

    2-3-4) FCoE not expected initially

    Ty asked if the Nexus boxes would include built-in FCoE (Fiber Channel over Ethernet). Dan Miller responded that while the Nexus series does permit many new technologies such as FCoE, it is the opinion of the planning group that FCoE is currently still too new for us to plan on migrating all the SANs to that. That might change or not prior to actual deployment; if it is not done on day one, it will remain a future option.

    2-1-6) Redundant fiber routes planned between the two campuses

    Route one

    John Madey reported that the current plan for one of the routes is to work with GRU under a contract they currently have in place with Shands and lease dark fiber. That route would involve coming out the southeast part of main campus, down 8th street over to SW Depot Avenue, around where the Alachua County Schools main office is and then up Waldo Road. This would be under a 15-year contract and would utilize 48-count fiber. They do have a one-time purchase option of some conduit that accompanies this agreement.

    Route two

    The second route will be a UF-owned route, again involving 48-count fiber. The path will extend from the HR building on University Avenue and zig-zag up on a route which is yet to be determined. The ideal path will utilize the Rails to Trails route to 23rd Avenue if that can be arranged. Otherwise they will try to go up 6th Street to 23rd.

    Two routes with various options for flexibility

    Consequently, the plan is to have both "northerly" and "southerly" connections. They are expecting roughly a twelve month lead time will be needed in order to arrange all the permits, etc. John likes having a lease/own option in order to minimize our risks down-the-road. We do already have a pretty good connection to FLR along Williston Road up to SW 23rd that has experienced no outages nor needed any repairs to-date. They are hoping to mirror that success with this.

    No time to waste

    Ty pointed out that the twelve month lead time would mean there is a need to get started nearly immediately. Tim agreed, saying that even though there is some confusion regarding location details of the data center itself he is lobbying for the funding to be committed, the vendors to be selected, and to get on with things immediately.

    3) IPv6 update

    This topic was last discussed at our November meeting.

    3-1) IPv6 working group met early last month

    Dan Miller reported that the IPv6 working group had had their first meeting on December 8th and it was relatively productive. They spent a lot of time talking about the address plan. Most people were in agreement that a general outline, in broad strokes with lots of room for growth, was a good thing. They heard some elaborate concerns from the security folks over the large amount of publicly viewable space within the address plan, however.

    3-2) The security group needs to limit and monitor publicly viewable space

    Network Services had a follow-up meeting with the security group later where network services stated that they do not expect a "land rush" to new public viewable address space within the IPv6 range. Rather they are expecting less than 100 hosts over the next five months and Dan Miller agreed to keep explicit track of all IPv6 addresses handed out as part of this pilot phase. That seemed to assuage their concerns.

    Network Services and the security group also further agreed that the policy or project to explicitly manage public IP space on campus is something that would be separate from the IPv6 project. We might be hearing something from security on that front in the future. They are interested in limiting the exposure of public web servers and other hosts--similar to what Shands and HealthNet have done.

    Marcus said that he felt this second meeting with the security group was helpful in conveying Network Service's interest for having a simple address allocation plan and that both groups agreed that security needs a way to determine what is in a particular address space. An inspection process is needed to ensure compliance.

    3-3) DNS being readied for IPv6

    Marcus Morgan reported that they are getting ready to roll out DNS for IPv6. He has prepared servers which they are testing in their lab and which will provide dual addresses for any resources that we have. The plan is to provide dual stack processing on our outward facing servers; each host would have both an IPv4 and an IPv6 address. DNS need to be capable of handling that and Marcus is confident that he can have this in production within the next two weeks.

    3-4) An experiment with DNS security is planned

    At Dan Miller's prompting, Marcus also added that this seems an opportune time to experiment with DNS security. The root segment of the EDU domain is either signed currently or will be signed very soon. Consequently, Marcus believes we will see requirements for DNS security in the not-too-distant future and this is a good time to experiment with little risk since we don't really have any IPv6 resource currently.

    3-5) Security tool development

    Dan Miller reported that the working group also had security tool development as another agenda item. Kathy Bergsma definitely wants to test security tools before students get IPv6. There was general agreement on that point. Kathy wants to test the IDS before anyone uses IPv6, but Dan Miller said that this should be relatively straight-forward since it runs on Snort and a modern build of Linux. The drivers should be there and the testing relatively straight-forward. Dan has requested of the security group that they be ready at the next meeting to provide an ETA for address deployment.

    They very briefly reviewed the start-up schedule, but were out of time by then. Dan Miller said that Tim Nance is waiting for a new firewall installation before connecting Shands to the core via IPv6; that should happen within the next six months or so.

    3-6) Next workgroup meeting being arranged

    Dan Miller said that they are trying to arrange a time all can meet next. He still needs to finalize the minutes from the first meeting and forward the address plan to the CIO with a recommendation that it be blessed.

    Dan Miller had noted that HSC had been invited to the first meeting, but no representative had attended. Ty and Tom appeared to be interested in taking steps to get the HSC involved with this workgroup.

    4) Should UF provide a centralized service for web certificates to save money and improve management?

    4-1) Overall money savings could be considerable

    Chris Leopold stated his belief that UF could save thousands of dollars overall by getting into the certificate authority business. Chris noted that he had just spent $500 on a wildcard SSL certificate for IFAS. Craig Gorme said that he had just purchased three at $500 each himself

    4-2) A number of options exist for providing a central UF service

    Chris related that Joe Gasper had just found a company that would authorize individuals here to submit free certificates for UF. Joe admitted to not knowing a great deal about the company, but it did appear that some attractive options might be available either there or elsewhere. This particular company can supply free certs but charge a minimal amount in order to ensure that applicants are authorized for their particular institution. They would allow multiple people to manage one organization.

    4-3) The need is there but past efforts never panned out

    Nobody disagreed that having UF provide certs for sub-domains would be a good idea. Marcus noted that there are several hundred subdomains at UF and of those likely a couple of hundred have wildcard certs or have the need for certs on one occasion or another. There is plenty of business here that could be made internal. Marcus said that this has been proposed several times in the past, but has never come to fruition.

    4-4) Encouraging and tracking the use of proper certificates could be another plus

    Marcus believed that providing a service would not only save money overall, but that it would encourage the use of commercial/quality certs wherever those were called for. Chris added that this would additionally provide us some idea of who is using what within our organization.

    4-5) This could be handled locally via automated processes

    When Shawn Lander asked Marcus if he was willing to take the responsibility for this, Marcus responded that he already has the task of approving all of UF's cert requests as is. Requests go to the vendor first, then the vendor takes your money and send the requests on to Marcus (as the authority for the UFL.EDU domain) for his approval. As long as Marcus can determine that the requestor is associated with the appropriate department or group, he automatically approves those. Marcus believes we could have a web site where a requestor would logon, that authentication process could determine if they had proper scope, and the certificate could be provided immediately.

    4-6) Intermediate certificates could make this easy while supporting most needs

    Shawn asked how this process could be automated. Marcus said that there are several ways certificates could be handled, but one option is to obtain an intermediate certificate and generate tickets from that on demand. That process could be automated. When Craig noted that not all devices could hold an intermediate chain, Marcus responded that there will always be special circumstances and we wouldn't be able to address all potential needs. Consequently, Marcus would not envision making the use of such a service mandatory for that reason. The majority, however, only care if a browser will recognize the certificate, that it encrypts okay, and they can follow the chain back.

    4-7) General agreement but how to proceed?

    Chris Leopold said that it appears everyone was in agreement, but the question was how to proceed. Marcus suggested that we review the past plans as he was aware of at least twice when this had been proposed and written up prior. When Shawn asked why those attempts failed, Marcus replied that the last proposal died because the hardware proposed to house it was outlandishly expensive.

    4-8) A written proposal would be helpful

    Tim suggested that it would be helpful to have a proposal in writing that described how we do it now and how we propose to do it differently. When Marcus suggested pulling and modifying the previous proposal which was done by Steve Ulmer, Tim responded that he would prefer Craig, Chris and others who are suffering with things the way they are currently to provide a succinct proposal. Chris Leopold and Craig Gorme agreed to meet and proceed along those lines.

    4-9) Options as to who might manage this for UF

    Tim also mentioned that, while Marcus had spoken as if it was obvious that his group would provide management/oversight for such a service, he wondered if there were other groups on campus that might be an alternative for that. Marcus said that he was only describing what he does now and that doesn't mean that this has to be something he will continue in the future. Marcus offered that Web Administration comes to mind because they already know about all the domains; they basically authorize domains anyway and are concerned with the database and its accuracy. Security might be another group who could handle this task.

    4-10) Service must be responsive to be useful

    There was a concern mentioned with having Web Administration handling this. Certificates would have to be quick and easy to obtain. Some have experienced considerable difficulty in getting domains approved, for example; on some occasions the involvement of Deans has been required. Fast turnaround time on getting a certificate would be crucial to such a service being successful. Marcus envisions a service where a requester who was authoritative for a particular subdomain could get certificates basically on demand.

    4-11) Too good to be true?

    Tim additionally mentioned that the potential cost savings seemed almost too good to be true; consequently he cautioned that this be investigated thoroughly to make sure that this wasn't the case.

    4-12) Chris Leopold and Craig Gorme to develop written proposal for consideration

    Chris and Craig said that they would look at the various options available, determine which would work best for UF, and bring a proposal back to the ITAC-NI for approval before forwarding it on to the CIO.

    The proposal creation framework will involve:

    • Needs assessment and background work
      • Identify the SSL certificate costs that are associated with UF
        • Send e-mail to the CCC list asking departments to respond off-line
        • Investigate UF purchasing to tally costs for specific CA vendors
      • Poll other universities as to how PKI is implemented
        • Send email windows-hied@lists.stanford.edu
    • Review pros/cons of potential solution options

     

    5) Governance update, and the role of ITAC-NI

    5-1) IT Action Plan rearranged IT governance considerably

    This topic was last discussed at our October meeting. Tim said that restructuring IT governance was one of the IT Action Plan focus items. There were recommendations for restructuring governance at the cabinet level, at a policy council level, at what is currently the topical ITAC committee level and then at a number of distributed levels within colleges and departments. Tim feels that the next action will be to figure out how to augment or replace the current ITAC topical committees.

    5-2) New IT committee structure under consideration

    Committees were recommended for Information Security and Compliance, Infrastructure, Applications/University Systems, and Academic Technology. Tim believes that the fit of existing committees into the new structure is just now starting to be considered. Bylaws need to be considered which specify how committee members are nominated and selected, term lengths, etc. Tim feels there should be some formality about what kinds of issues these committees review and comment on and what is the path for their recommendations.

    5-3) Status of ITAC-NI still not clear

    Tim realizes this is one of the final IT Action Plan items which is still "hanging" out there and he believes it is on Chuck Frazier's list of things to pursue within the last several months in his interim position. Tim did relate that he has heard there would be an Infrastructure Committee which was not limited to just network infrastructure or computing infrastructure. If that is true, then it is possible that a committee like this would become a sub-committee to an Infrastructure Committee. Tim is certainly not leading that, rather he is deferring to Chuck for guidance as to the next step. Tim realizes that this has been in limbo for quite some time and he believes some action will be coming sooner rather than later.

    5-4) CIO search status

    Ty asked about the status of the CIO search (see "Change in the Air" within the "Open Letter to UF IT Staff" article). Tim responded that the CIO job was posted on November 1st. A headhunter for a firm called Korn/Ferry was selected just prior to that and held the first search committee meeting the last week of October. Immediately following that the job description was posted on Educause and other external boards. No further meetings have been held since then, but there will be a meeting on February 4th where the search committee will present their refined list of candidates (as opposed to the broad list of applicants) as potential targets for interviews. Tim has been told that "airport" interviews are being scheduled in Orlando for February 18th and 19th.

    Tim is hoping that the interview process will be announced at the February 4th search committee meeting, detailing whether the entire committee or only a selected subset will participate. Tim presumes that those interview will take a group of perhaps ten and reduce it to something like five. No one knows how many were in the broad pool or how things were narrowed down to ten or so.

    5-5) UF Information Security Officer search status

    Ty asked if the hiring of a UF Information Security Officer would follow the selection of a CIO. Tim responded that those processes are proceeding in parallel. He has heard that it is deemed preferable that the CIO finalist be selected and confirmed prior to an offer being made to the security person. As of the first week of January, the job position for the new Director of University Systems (which is basically the Director of what is today Bridges) has been posted. That committee is now operational and will proceed in parallel as well, though it is clearly a month or two behind these other processes.

    Dan Cromer is on the Enterprise Systems Committee and he reported that their instructions were to proceed in parallel. If there was a delay in the CIO selection and obvious candidates existed for the other two positions, they would go ahead with the hires. It would be nice, however, if the CIO position was filled early enough that they could be given a choice among several top candidates for those other positions.

    5-6) Search for a CIO for the Health Science Center

    Dan Cromer asked Ty if he had any information about the search for a CIO for HSC. Ty said that a similar process had occurred and the candidates have now been narrowed down to two finalists who were here for interviews on Monday and Tuesday. The interviewers plan to prepare their summary recommendations and get those to the Senior VP. A final decision could be made over the next few days.

    There was some discussion about the fact that some very highly qualified people have applied for all these positions, though no one is privy to actual names. Dan Cromer suggested that this reflects the state of our current economy; there are many good people out there looking for new jobs.

    5-7) ITAC-NI should wait and see what happens

    Dan Miller asked if this committee should comment on its role or wait to be instructed. Dan had provided some feedback on this committee to Jan Vander Aa when he was interviewing the various ITAC committee chairs about how their committees worked. Dan Cromer responded that he felt there is already a clear understanding at the higher levels and he doesn't think comment from us would have any affect. Dan did say that he felt this committee and a couple of others are viewed very positively and he feels that it is likely to be continued in some fashion.

    6) Should we track the outline of committee issues on the UF IT Wiki?

    6-1) Tracking ITAC-NI discussion items

    Dan Miller said that he has the agendas, some hand-written notes and very detailed minutes. While he feels the minutes are wonderful and essential, it is difficult for him to condense those down into a flow of issues to make it easy to track. He is thinking of something one level deeper/more detailed than action items. Dan believes that would help define the scope of what the committee talks about by example. It would also help him as the chair and hopefully would help other committee members pick up items, readdress them and cover progress that has been made since the last time they were discussed.

    6-2) Broad access and input desirable

    Craig said that getting the topics we are discussing in front of the broader networking community would be a good thing. He noted that we cover similar topics repeatedly; perhaps we could put those recurring items on the Wiki along with our thoughts of where things are leading on those issues.

    6-3) Organization by IT topic rather than IT committee suggested

    Erik Deumens suggested considering a broader framework that encompassed all IT issues. He would prefer having things organized by issue rather than by committee because so many topics touch multiple areas.

    6-4) IT Wiki is not suited to a hierarchical organization

    Dan Cromer tried to make the point that a Wiki doesn't "organize" pages into any hierarchical structure. Rather it is more like a dictionary where each item stands alone. There can be cross-references among items, but there is no "table of contents". Topics are discovered rather by searching on them as one does with Wikipedia. The free-form nature of a Wiki means that the organizational issues which Erik mentions would not really apply.

    6-5) IT Wiki cannot be authoritative but is still a useful collaborative tool

    When Dan Miller offered to coordinate with other committee chairs and possibly the CIO to discuss how Wiki use might be coordinated across the entire committee structure, Dan Cromer pointed out that the Wiki would not and could not be an authoritative source for any information, rather it could only link out to that sort of information. Those linkages can help make the Wiki very useful, however.

    6-6) Wiki usage for real-time committee meeting updates?

    Joe Gasper suggested that committee topics could have associated Wiki entries which were actively edited during our meetings; there were no volunteers to take that on, however.

    6-7) Dan Miller to seek input of other committees on this matter

    Dan ending the topic by saying that he would approach the other chairs, see what their thoughts are, and try and come back with some results.

    Action Items

    1. Follow-up of the proposal for a UF centralized service for web certificates
    2. Arrange for Dave Pokorney to speak regarding "telepresence" (from previous meeting)

     

    Next Meeting

    February 11, 2010

last edited 20 January 2010 by Steve Lasley