What is the Illinois Research Network?
The Illinois Research Network is a section of the campus network which is designed to provide unrestricted high-speed access to off-campus locations for specific research purposes, based on the science DMZ model.
What is CARNE?
CARNE (Campus Advanced Research Network Environment) is the campus implementation of the science DMZ principle. The guiding principle behind CARNE is that the campus research community should be able to optimize their access options according to the needs of their individual project so that they can overcome barriers of bandwidth constraint, low-latency requirements, or the restrictions of an active security perimeter and provision themselves with the most efficient network possible.
CARNE represents a cooperative effort between Technology Services and NCSA to facilitate collaboration among on-campus researchers and the campus' remote research partners.
What is a science DMZ?
A "Science DMZ" ("science demilitarized zone") is a portion of a larger network that has been configured and optimized for high-volume bulk data transfer, remote experiment control, and data visualization for high-performance science applications. A science DMZ should be scalable, incrementally deployable, and adaptable to new technologies. In order to achieve the maximum speed and throughput possible, the Illinois Research Network implementation of the science DMZ model, CARNE, doesn't pass through the regular campus exit architecture, and is neither restricted nor protected by the campus firewalls.
Frequently Asked Questions
Will I need a hardware upgrade before I can access CARNE?
The campus will leverage the existing infrastructure to provide CARNE wherever possible; however, in some cases, investing in new equipment may be necessary to meet the needs of a particular research project.
Is CARNE different from the research network?
CARNE is a vital portion of the Illinois Research Network.
Who is using CARNE?
How is CARNE secured without firewalls or other conventional security measures?
CARNE uses a network security strategy called a passive security perimeter. A passive security perimeter does not sit in the path of network traffic so it doesn't slow down or hinder traffic. Instead, the passive security perimeter receives a copy of network traffic for analysis off-line. If suspicious activity is detected, action can be taken to block compromised hosts. Technology Services Privacy and Information Security is responsible for the passive security monitoring service. A partnership between Technology Services Privacy and Information Security and system administrators ensures the security of systems on the Illinois Research Network.
Is there a limit to how long my system can be on the Illinois Research Network or CARNE?
Because of its security implications, systems should only be placed on the Illinois Research Network for the duration of the project it has been requested for, and permission is renewed annually.
For Departmental Researchers
While the University's network core is a high speed network, the processing time required by the campus firewalls and exit architecture can slow down traffic to off-campus sites — particularly when there is a large quantity of data being transferred, as is frequently the case for high end research networking.
In order to provide high-speed, high-volume network access to off-campus locations, the Illinois Research Network is positioned "outside" the campus firewalls despite the fact that the core routers handle the research network data. Data on the research network doesn't cross through the campus exit architecture on its way to other researchers at other locations.
Latency is the delay between the time that the source computer sends data and the time that the target system receives it. This can affect time-sensitive applications ranging from videoconferencing to remotely monitored surgical procedures.
Because the research network is positioned outside the campus firewalls and exit architecture, research network traffic undergoes far less processing between its source on campus and the Internet. This reduction in campus-based processing significantly reduces latency.
With the large 9000-byte packet size used as a standard on the research network, and without the restrictions of the firewalls and campus exit architecture, research network participants can transmit a much greater volume of data at higher speeds than would be possible from the standard campus network.
There is no direct cost to departments for assigning research computing systems to the Illinois Research Network. However, since the Illinois Research Network is positioned outside the campus firewalls and a security design will be needed for each project, there may be indirect costs to your department in the form of increased support time from your departmental IT professionals.
Individual responsibility for system security: Because the research network is positioned outside the campus firewalls and the associated security they provide, you and your department's team of IT pros will need to design your research systems' security carefully in order to balance speed, latency, and throughput with the importance of protecting both your data and your systems from compromise.
Network isolation: Because the research network is positioned outside the campus firewalls, machines placed in the research network will not receive "on campus" access to other University systems. Traffic from the research network to the campus network will pass through the campus firewalls and exit architecture just as though you were working at another location. You may find the campus VPN system valuable in order to access other University systems (within the campus firewalls) from your research computers. ("Outbound" access from University systems to your research computers is not restricted by the firewalls; "inbound" access from your research computers to the University systems can be.)
For Departmental IT Professionals
Limited membership and duration
Departmental systems with a demonstrated need for high-speed, high-bandwidth, low-latency access to other research sites can be placed on this network. Departmental systems with a demonstrated need to be positioned outside the campus firewalls can also be placed on this network. Researchers' desktop systems, web servers, mail servers, and other ordinary computing equipment should remain within the protection of the campus firewalls and within your department's regular IP range(s). Research systems should only remain on the Illinois Research Network for the duration of the project. When the grant ends or the project concludes, the research computing systems should be brought back within your departmental network.
Membership in the Illinois Research Network is available in any campus building with a direct, wired connection to a campus core node. You cannot place a computer on this network if the network connection you are using is to IllinoisNet Wireless or another wireless network. You must have a physical cable connection to the campus network. You also cannot host a computer off campus, connect via a third party ISP, and join the Illinois Research Network. Research network systems must be located on campus and be connected to the UIUCnet network.
Network configuration settings
Technology Services DNS management: The research network will use the Technology Services DNS servers for identity management. Use the following DNS settings on research network computers: DNS server: 22.214.171.124
IP address ranges used: The research network IP address range available to your department's hosts will be within the 126.96.36.199/21 range. In most cases, your department's section of the research network will be a /28 or /29 segment (providing space for 14 hosts or 6 hosts, respectively). If you need more than 14 hosts allocated to the research network at one time, special arrangements can be made with Technology Services Networking.
Packet Size: Systems placed on the Illinois Research Network must have their standard packet size changed to 9000 bytes in order to function properly.
Security considerations: Because the Illinois Research Network is positioned outside the campus firewall, there are several security issues to consider. Departmental IT pros will need to work with your researcher(s) to come up with a plan for securing your departmental subnet within the Illinois Research Network.
Access to resources within the campus firewall: The campus firewall offers different protection levels, from Fully Open to Fully Closed and with several options in between. Computers on the Illinois Research Network are treated as off-campus systems, which means that connections from this network to other University computers will be affected by the firewall protection levels surrounding on-campus systems. If your research systems support PPTP connections, you can connect to the campus VPN using the instructions for your operating system. You'll need to implement split tunneling so that your research data can have unrestricted high-speed access to the Internet and won't be sent through the VPN server, which will slow down the data transfer rates. The only data you should send through the VPN server is the data intended for an on-campus destination. Once you've set up a split tunneling VPN connection, your research network computers will have a secure way to access University resources protected by the campus firewall.
Access to departmental resources: If you have a firewall surrounding your departmental network, you'll also need to make arrangements for your computers on the Illinois Research Network to be able to connect to your departmental network. This may involve moving departmental servers into a different access category in your departmental firewall.
How to join the Illinois Research Network
If you've decided that your project would benefit from use of the Illinois Research Network, please send an email to firstname.lastname@example.org with the subject line containing "Illinois Research Network" or "CARNE".