Friday, May 30, 2008

Have your say about the IIIT Network!

After getting into the finer points of administration in IIIT, the faculty, Kulbir Saini and I have come up with a list of things we would try and do by the end of the year. Here are a few things. If you have any suggestions please leave them as comments.

1. Wired LAN to replace Wireless LAN as primary LAN. The new LAN will be Gbps!
2. New LDAP server to replace SAS that runs on 200. Each student will have a single IIIT Id.
3. Stop forwarding of e-mail for current students. We will give you 5gb space instead to store e-mail.
4. Un-block all internet resources in IIIT. Webcams, VoIP, torrents, rapidshare, etc.
5. Each student will have to enter his IIIT Id in the proxy for authentication.
6. Each student will have a 3 Gb limit of internet usage per month! Do whatever you want with it! (This is where I expect a lot of comments)
7. Each batch will have a 100 GB multimedia download account per month.
8. We will buy a blade server. This will run mirage, teaching lab servers, ldap, etc.
9. Set up a VPN system in IIIT. This would be a secure and efficient way to access IIIT from outside.
10. Restart the sysAdmin blog and be transparent about all configurations we make (available on the intranet only).

Plz don't comment like anony-mouse cowards. Leave your name, link/e-mail ID! All constructive suggestions/queries are welcome!

I would be especially happy if IIIT alumni would share their experiences from working in the industry and from what they see there.

18 comments:

Anonymous said...

3. Stop forwarding of e-mail for current students. We will give you 5gb space instead to store e-mail.

Outgoing bandwidth almost goes unutilized. Forwarding hardly affects the bandwidth. 5gb of storage does not make any sense. If our friends start sending 20 MB of attachments, as they do on gmail, more bandwidth will go waste. There are other advantages on gmail (assume everyone forwards their mails to gmail not to yahoo :P) which IIIT mailing server can't provide like privacy (wrt sysadmins :P and key loggies), backups (don't tell me it's very robust. 5GB of backup for 1200 students in IIIT after every 12 hours), searching (wtf would I do with 5GB of emails if I can't search them), spam protection (gmail has the best), future usage (I want all my mails after I go out of this place. I love my college) etc.

4. Un-block all internet resources in IIIT. Webcams, VoIP, torrents rapidshare etc..

Apart from rapidshare everything else will bring the internet down. But I won't say anything against it. More the better :D.

5. Each student will have to enter his IIIT Id in the proxy for authentication.

Bah..we live in IIIT not VIT. There was no problem ever due to open access in the history of IIIT. Anyways all the wireless ips are registered.

6. Each student will have a 3 Gb limit of internet usage per month! Do whatever you want with it! (This is where I expect a lot of comments)

3Gb!! what ?? seriously, WHAT THE FUCK ?? Again we live in IIIT not VIT.

9. Set up a VPN system in IIIT. This would be a secure and efficient way to access IIIT from outside.

wastage of bandwidth except in summers when bandwidth is not utilized properly. BTW apart from emails what do we access from IIIT when we are outside.

Come with something new so that it changes the way we use internet in a positive way.

Anonymous said...

Could you please separate what administration in IIIT suggested, faculty and you suggested. We would like to know how "Good and Sincere" our new sysadmins are.

Satya Krishna said...

seriously, what's the problem with forwarding? with all the spam we get, it's better off to use gmail ..

unblocking everything is awesome but setting a 3 GB limit isn't! :P any chance of that being increased? :)

Anonymous said...

Do you really think all this is possible with the current bandwidth we have? OR are we going to add a '0' to it? :D
80 will be really nice.. :P

And yeah, no offence meant, but ppl shud know what u guys are logging when they are asked to fill in their "credentials" in the proxy. It shud be foretold.

Regarding the mail thing, I don't think forwarding creates any bandwidth crisis. As a matter of fact, if not for attachment, our day count for mails is still in KBs. The suggested 5 GB plan won't be that much convenient.

As far as 3 GB limit is concerned, though it seems really enough, it will still help if you can give stats on what's the current usage per person right now. And yeah, we wud have some sort of meter na, to see how much is left ? :P

Best of luck with the plans. :)

Anonymous said...

4. Un-block all internet resources in IIIT. Webcams, VoIP, torrents rapidshare etc..
7. Each batch will have a 100 GB multimedia download account per month.

Faculty agreed for these things?? :O
Well frankly speaking.. I think unblocking all these things will slow down the net considerably which is not in a good shape now.. We can have restricted access for these things.. Sumthin like few ppl per batch..

BullzY said...

3) We have been through this before, in the meeting between "Student Lab Committee" and Mr. Rawat's team. His team simply stated that .forward is a waste. When we put down most of the points mentioned by Anonymous#1, they had absolutely NO answer. Agreed that forwarding to more than one account is too much. SO, it would be better to restrict to just one email account.

once again, removing .forward is NOT an option!

very well put by Anonymous#1

5) Compromising on the privacy of students for the sake of monitoring internet activity? That is outrageous!

6) In the aforementioned meeting, a proposal was made to set up a proxy server to cache frequently accessed stuff like videos, site like cricinfo during matches, etc.

If there is no point#5, there is no point#6.

Anonymous said...

Inline

1. Wired LAN to replace Wireless LAN as primary LAN. The new LAN will be Gbps!
Amen. High time. Leave wireless there as well :)

2. New LDAP server to replace SAS that runs on 200. Each student will have a single IIIT Id.
The first three lines of the wiki article on LDAP reveal it to be something like Active Directory. [MSPublicity] Use Active Directory [/MSPublicity] :)

3. Stop forwarding of e-mail for current students. We will give you 5gb space instead to store e-mail.
This is just dumb. Someone else pointed out - what is outgoing bandwidth being used for anyway? I'd say limit space on 200 so that you can have a smaller, faster and cheaper server and spend the money on more bandwidth

4. Un-block all internet resources in IIIT. Webcams, VoIP, torrents rapidshare etc..
There are arguments for and against this. I'd suggest this unblocking should happen sometime during the night (3AM-6AM). Then those frustoo enough to play / download etc can do so then knowing degraded quality. I understand that you're trying to couple this with 5 so that with auth and limits you can control total bandwidth but someone will break it

5. Each student will have to enter his IIIT Id in the proxy for authentication.
NO. We are not a police state. This was suggested when I was labcom in first year and the then SysAdmins had shot this down before it even took off. Anyway, there is no shortage of smart people in IIIT and someone will find a way to break this

6. Each student will have a 3 Gb limit of internet usage per month! Do whatever you want with it! (This is where I expect a lot of comments)
Again - refer above - 3GB - bah

7. Each batch will have a 100 GB multimedia download account per month.
This is actually sensible - however if you don't do 5 and 6 it's immaterial. I actually prefer a couple of people in each batch having access to unblocked internet. They could be elected or be the labcoms or whatever. However, the challenge as always is getting a Transparent system

8. We will buy a blade server. This will run mirage, teaching lab servers , ldap etc..
I thought there was already a server for the teaching labs and all. [MSPublicity]Switch to Microsoft[/MSPublicity] :)

9. Set up a VPN system in IIIT. This would be a secure and efficient way to access IIIT from outside.
[MSPublicity]Windows Server 2008 with Terminal Services Gateway[/MSPublicity] :)

10. Restart the sysAdmin blog and be transparent about all configurations we make (available on the intranet only).
Sensible

Now, the more important question is how much the faculty is ready to listen to you. Everyone has ideas, but before you implement them there are some big fat blockers in your way ...

Also, I feel that you might be jumping the gun with the limits that you are enforcing. I'm hoping you've had a look at how bandwidth is being used currently (especially how much bandwidth is used for forwarding). Perhaps you can do a trial run with all ports open for a couple of weeks to see what happens to the internet - all I'm saying is make a systematic approach to any numbers that you put in ... there should be a justification

Also, please keep everyone informed - lack of information is what causes most of the damn problems anyway ...

PS: I'm just kidding about the use MS stuff :)

Vishnu said...

1. Does this mean that there will be wired lan in hostels or a useless wireless one and the labs would become the main internet centres of IIIT ?

3. Refer to comment 1 by anonymous.

5. I feel there is no need to do this in IIIT. We are sensible people (though life may suggest otherwise :P). As already said we have wireless ip's registered.

6. A strict no no !! Not many people download from the net and others that do may have to download entire video series. Some of these file sizes are around 1 GB. If this is implemented we may have to go from friend to friend asking if he has some bandwidth left. It would be simply ridiculous.

7. Again not all batches download significantly e.g. UG1. If you want to set a limit, set it for the whole college. It would be more appropriate.

Also +1 to the extras suggested by obelix.

ShArK said...

This will help explain how we arrived at those changes. Before that let me tell you that the faculty has already agreed to all the points I had written. They have committed to buying resources as well.

1. Wired LAN: After a lot of blah-blahing we have convinced the faculty to put wired LAN. There will also be some other changes like purchase of LCD monitors only. We showed that an LCD uses less power and so we can break even after 2 years of usage. Stuff like that.

2. E-mail Forwarding:

We have 8mbps of bandwidth, soon to become 10. This means (traffic up+traffic down) = 8mbps and not 8mbps down and a separate 8mbps up. At the beginning of this month I spent 6 days in the server room analysing traffic. The current upload limit is set to 2 mbps which is reached around 80% of the time. Of this more than half comes from 200 that is pushing out mails. Again consider the down bandwidth used when these mails have to be downloaded from g-mail to be read. All in all I estimate that we use at least 1.5 mbps of our 8mbps to deal with e-mail. That is bandwidth worth 5 lakhs! and these stats are for summer! And understand this. The spam you get on 200 is also forwarded to g-mail. It's just that g-mail will reject it or put it into the spam folder. But the mail is forwarded and the bandwidth is used. I tried tracing the spam. 80% of it is generated from inside IIIT. People please clean your systems or switch to linux :D
I had suggested that we migrate to google apps since everybody loves g-mail so much. This was shot down by the faculty coz then we would have no control or privacy over our e-mail. Another problem expressed by many was that there was no storage on 200. Well we can arrange that. It is still cheaper to buy every student 5 gb of storage than 2mbps of internet. That's bandwidth for you in India! Forwarding will still be allowed for alumni.

3. Proxy authorization: First for all the paranoid people out there: we will not log any information about what you visit and all. We will just count your traffic. That's it. This measure is purely for bandwidth control. Right now we have absolutely no mechanism to account for bandwidth usage. Places like msit and gurukul etc also use bandwidth from us without any control. People are now downloading all sorts of crap and there is no way to stop that. Time and again people have been told to use mechanisms like download forums but nobody gives a rats ass. We pay almost 30 lakhs per annum for bandwidth and there is no accountability at all. This is *NOT* acceptable. The limits of 3 GB coupled with no restrictions is aimed at making your internet experience better. 3Gb is a lot for browsing but not enough for downloading. We want individuals to stop downloading. We will give special downloading accounts to labcoms of every batch mainly ug3/ug4 so that they can download stuff. This authentication business is not something I'm pleased to suggest but the total lack of co-operation from people leaves us with no other choice. If you do have something unusually big to download, come and tell us, and we will be happy to help you if it is genuine. We will setup things like repositories, a better digilib etc so you don't waste your bandwidth downloading genuine stuff.

4. At the first anonymous guy: Dude do you even know what a VPN is? How is it a waste of bandwidth? It's just a secure way of accessing the LAN from outside. The same traffic would have been there even in the absence of a VPN. The present "state of the art" is using stuff like turbo's lan browser or elinks from 200. All this is mighty insecure as exposing 200 directly to the world puts the IIIT network at grave risk. We can become a hop for somebody who is trying to break in somewhere else. There will be legal implications if something like this were to happen.

5. We are keen to share all configuration information with students. This will ensure that people also learn how to use the network better and that somebody can easily continue after us. Also with configs open to scrutiny mistakes and improvements will be pointed out. We are after all a few people in the server room and there is always the chance that we may miss or overlook something.

We will be putting all this up over the course of the next semester. The server room is also in for a major over-haul. It will get bigger and neater.

@bullzy: We tried caching orkut/you-tube etc...It's dynamic content and is very hard to cache. I have tried a lot but I can currently cache only about 30% videos and zero orkut :(. And stop being so paranoid about your privacy :P

and @obelix.....Sure we will use M$ products...if M$ gives us the product and support free of cost :P
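
The byte counting described in point 3 of the comment above (count traffic per authenticated ID, keep nothing about what was visited), together with the usage meter asked for earlier in the thread, as an added example that is not from the post or the IIIT admins. It assumes a Squid-style proxy writing the native access.log layout (the thread does not name the proxy software); the usernames, hosts and log lines are constructed.

```python
from collections import defaultdict

QUOTA_BYTES = 3 * 1024**3      # the 3 GB monthly limit proposed in the post
UNAUTH = "(unauthenticated)"   # bucket for requests carrying no proxy login

# Constructed sample lines, assuming Squid's native access.log field order:
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1212130001.101 912 10.1.4.20 TCP_MISS/200 2147483648 GET http://mirror.example/a.iso student01 DIRECT/192.0.2.10 application/octet-stream
1212130055.340 48 10.1.4.21 TCP_HIT/200 5000 GET http://news.example/ student02 NONE/- text/html
1212130090.002 731 10.1.4.20 TCP_MISS/200 1200000000 GET http://mirror.example/b.iso student01 DIRECT/192.0.2.10 application/octet-stream
1212130120.500 15 10.1.9.9 TCP_DENIED/407 700 GET http://news.example/ - NONE/- text/html
1212130150.775 60 10.1.4.21 TCP_MISS/200 1048576 GET http://papers.example/p.pdf student02 DIRECT/192.0.2.11 application/pdf
this line is truncated garbage
"""


def account(lines):
    """Return ({user: total_bytes}, skipped_line_count).

    Only the byte count and the authenticated user name are read from each
    line; the URL and the client address are never stored, so the result
    says how much each ID used but not what was visited.
    """
    usage = defaultdict(int)
    skipped = 0
    for line in lines:
        fields = line.split()
        if not fields:
            continue                      # blank line
        if len(fields) < 10 or not fields[4].isdigit():
            skipped += 1                  # malformed or truncated entry
            continue
        user = fields[7] if fields[7] != "-" else UNAUTH
        usage[user] += int(fields[4])
    return dict(usage), skipped


def over_quota(usage, quota=QUOTA_BYTES):
    """Sorted list of authenticated IDs whose total exceeds the quota."""
    return sorted(u for u, b in usage.items() if u != UNAUTH and b > quota)


def remaining(usage, user, quota=QUOTA_BYTES):
    """Bytes left for one ID this month (the 'meter'); never negative."""
    return max(0, quota - usage.get(user, 0))


if __name__ == "__main__":
    totals, bad = account(SAMPLE_LOG.splitlines())
    for name in sorted(totals):
        print(f"{name:20s} {totals[name]:>12d} bytes, "
              f"{remaining(totals, name):>12d} left")
    print("over quota:", over_quota(totals), "| skipped lines:", bad)
```

Traffic that arrives without a login lands in its own bucket rather than being dropped, so unaccounted usage stays visible in the totals.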

Anonymous said...

@Shark.
comments in response to your comment at #9 (BTW I'm anony-mouse coward number 1 and 2 :D)

1. Laudable effort.

2. We can forward our mails anyways as long as sendmail is running either you allow .forward or not. Leave it anyways. BTW I'm wondering if you can take backups after every 12 hours (5x1200 GB = 6TB of data). Look at the amount of electricity that will be wasted and resources that will be required. It is near impossible to load 2 GB of ~/mbox into RAM to read the mails by pine. We can do one thing, we can stop forwarding junkmails. This will save huge amount of bandwidth. If 80% of spam is generated inside IIIT then we must block those ips who are generating it. Stopping .forward because of these ass-holes is not a solution. Migrating on google apps is again a dumb idea(wrt current students). We can do it for alumni though.

3. IPs don't change regularly, profiling based on ips are enough. More the freedom better it is. MSITs and Gurukul have separate labs and hence separate ips. Institute should pay extra for their internet usage. They pay fees (or govt on behalf of them) and the fees must be utilized. If institute is not utilizing their money then it is corruption on their part. I still don't think that 3GB is lot for browsing. People read research papers. They download data sets which run into GBs. They download videos (educational one) from youtube and googlevideos which are very useful. It would be very stupid to ask someone if he has some bandwidth remaining (as pointed out by someone). I don't see any logic here.

4. Dood I know what VPN is. BTW do you know what VPN is. I got a VPN account in the company where I interned last year. Apart from browsing intranet you can download stuff directly from institute's LAN to your comp (say at home). People will do that and it will consume all the bandwidth. Additional security features would consume double the bandwidth (hopefully you have used scp and ftp and know the speed difference). We can provide it only during summers when people are outside the campus. You can provide this service but keep it on a low priority. Making turbo's implementation more secure is just okay and enough.

5. Good effort.

Listen, more the freedom better things are.

Also,
1. Make sure that people use google reader. It saves a lot of bandwidth and tremendous amount of time.

2. From next academic year and onwards give login names like rmshark08, sangal08 etc. so that we don't run out of the meaningful login names and the alumni (which we'll be soon) can retain their logins for years after leaving the institute. Alumni accounts might be deleted in future if name clashes become a serious problem.

3. Just want to know how much bandwidth that orkut, gmail, googlenews, rediff, cricinfo, yahoo, chats etc. consume.

4. Move all alumni accounts to gmail. Let google collect their junk mails. Move only the mailing account (I can tell you how to do it in the control panel). public_html thing can remain on 200.

Anonymous said...

Want to point out a little thing here..

@Shark.. u mentioned that about more than half of upload traffic comes from e-mail.. are u sure of that... or is it that more than half of upload traffic is from students....

U see the difference - email v/s students... ??

ShArK said...

@ anony-mouse no.1/2 :)

As I said migrating to g-apps is not going to be allowed by the faculty :(

As goes alumni we will be giving them a new mail domain. Their user names will also be changed to fname.lname@alumni.iiit.ac.in

As for blocking forwarding we will run a script that periodically checks for .forward and removes it. We will also cut off traffic to 200 from outside IIIT once the vpn is put up.

People can still download files from outside using turbo's lan browser. I once downloaded a full episode of one tree hill from my office using turbos lan browser!! VPN will put a ssl wrapper over your traffic, that's it. Not much of a speed/bandwidth loss. I'm not going to write more details here as this is a public space. Drop me a mail and i'll be happy to share details :)

As far msit and gurukul are concerned using ip's to restrict traffic is not any sort of a solution. There are plenty of workarounds to this:) Apart from these people even some corporate offices use our bandwidth. As far as research goes each research center will have a separate quota so don't worry about your large data sets. This forum is not the correct one to release all details. Drop me a mail and i'll give you precise info :P

For info related to traffic i don't have the current info but I do have some info collected by Jimmy Narang back in august 2007 as part of his BTP. gmail/orkut/yahoo/cricinfo/gtalk/yahoomsngr is the order of popularity. Put together this accounts for around 50% of our bandwidth. Again mail me for the report :P The rest of the bandwidths goes mainly to downloads.

as far as mail bkp is concerned this would be done using raid 1 or 5. (yes you can configure raid to store old data!) You can't directly bkp data of that magnitude to external machines. Again not the place for exact details mail me :P

@ wizardfingers
The data was measured on the sendmail/imap ports. simple and effective :). you can have google pickup your mail as well without a .forward entry. hence measuring imap as well.

Rohan Monga said...

This is interesting.
i just have one question. does this apply to even lab machines ?
cause
1. if the ports are open and limits are there then it makes no sense. lab machines are for "research"
2. if the ports are not open and there are no limits. why would people goto labs ?
3. if the ports are open and there are no limits. hey, people run proxies on lab machines and be happy

ShArK said...

@rohan

each research center will get a quota as well. That quota will have to be justified. For example CDE would definitely need more quota than say VLSI because of the downloads of data sets and all. And there aren't any more labs like there were for our batches. All the present batches have laptops and the college really doesn't give machines to ug students anymore. pg can use the quota of their research center for their "research"

and as far as downloads are considered here is the deal. Faculty has finally moved past the BS of legality. Downloads will happen one way or another. The aim is to bring some discipline to it.

Btw I stay 8 buildings away from you right now....kabhi time ho to darshan do :P

Rohan Monga said...

The legal stuff isn't BS. ask the sysadmins what happened when someone got phished and a bank site was hosted on IIIT servers.

where are you these days ?
i would be glad to meet you

ShArK said...

@rohan

Well I was referring to the downloading only. Other legal stuff like compliance and security is to be taken very very seriously :)

I'm in Bangalore right now. Intern@ RSA labs. I came to ur place some time back. You had gone home that time. I stay just a few buildings before ur place :)

lsdkf said...

Well, I don't want to comment on any of your decisions as such, but some of them looked very good to me ( VPN, blade server, un-block all internet resources, ldap server, wired lan ).
I'll be happy to help regarding any of them after August ( though I have very little networks knowledge ), please let me know if you guys have something which I can do.

Another thing, a script which periodically checks for .forward and removes it may not be a good solution,

consider a script which periodically checks for .forward and puts it back :).

And there are several of those workarounds.