wiki:PoliciesCompliance

Site Navigation

  1. COSMOS Testbed Overview
    1. Concepts
    1. Testbed Workflow
    1. Availability and Resource Status
    1. Events and Conferences
  6. Getting Started
    1. Make an Account
    2. Create and Configure SSH Keys
    3. Make a Reservation
    4. Log in to your Reservation
    5. Control Resources with OMF
    6. Run a Hello World Experiment
    7. Get Help and Support
  7. COSMOS/ORBIT User Guide
    1. The COSMOS Portal
    2. Connecting to the Testbed
    3. Running Experiments
    4. Policies and Support
    5. Quick Links
    1. Policies
    1. Account Creation
    1. Camera Streaming
    1. Scheduling and Reservations
    1. Disk Images
    1. Frequently Asked Questions
    1. Resource Control with OMF
  15. COSMOS Portal
    1. Your First Visit
    2. Setting Up Your Account
    3. Reserving Testbed Time
    4. Monitoring Your Experiment
    5. Connecting via SSH
    6. Managing Disk Images
    7. Joining the Community
    8. Browsing Users and Groups
    9. Tips
  16. Account Management
    1. Edit Profile
    2. Change Password
    3. SSH Keys
  17. Portal Dashboard
    1. Profile Card
    2. Usage Statistics
    3. Community Forum
  18. Directory
    1. Users
    2. Groups
    3. Privacy Note
  19. Disk Images
    1. Browsing Images
    2. Image Details
    3. Searching and Sorting
    4. Managing Your Images
    5. Baseline Images
    6. Saving Custom Images
    7. Storage and Retention
  20. Community Forum
    1. Accessing the Forum
    2. Forum Categories
    3. How to Use the Forum
    4. Forum Etiquette
    5. Privacy and Access
  21. Getting Started with the COSMOS Portal
    1. Creating an Account
    2. Logging In
    3. What to Do After Logging In
  22. SSH Access to Testbed Nodes
    1. Access Model
    2. Console Servers
    3. Basic Connection
    4. SSH Config File
    5. SSH Tunneling
    6. File Transfer
    7. Troubleshooting
  23. Scheduler
    1. Calendar View
    2. Reservation Colors
    3. Creating a Reservation
    4. Competing for a Slot
    5. Modifying or Canceling Reservations
    6. My Reservations
    7. Resource Information
  24. Testbed Status
    1. Node Status Grid
    2. RF Matrix Control (SB4)
    3. Understanding Node States During Experiments
    1. Remote Access
    1. Chrome Remote Desktop Setup Page
  27. Installing Chrome Remote Desktop (CRD) on a Custom Image
    1. Measurement & Result Collection
    1. Storage
    1. Support
    1. Contributing to the Wiki
  32. Tutorials
    1. SDR and Wireless
    2. Wireless Digital Twins
    3. Optical Networking
    4. Wired Networking
    5. Edge Computing
    6. 4G/5G Systems
    7. Orchestration Platforms
  33. Architecture
    1. Data Flow
    1. Deployment Map
    1. Domains
    1. Naming Convention
    1. Networks
    1. Optical
  40. Resources, Services and APIs
    1. RF Control
    2. SDR Control
    3. Compute Control
    4. Network Control
    5. Optical Control
  41. Datasets
  42. Hardware Info
    1. Cameras
    1. Compute
    1. FR3 SDRs
    1. Network
    1. Nodes
    1. Optical
    1. RF Subsystems
    1. Antennas
    1. Full-Duplex Radio
    1. RF Front End
    1. Software Defined Radios (SDR)
  54. RF Policies & Compliance
    1. Outdoor Radio Frequency Allocation
    2. Program Experiment License
    3. Spectrum Monitoring
    4. Emergency Stop Procedures
    5. Network and Platform Security

RF Policies & Compliance

Since the testbed can radiate in a wide range of RF frequencies, and uses a considerable amount of power and other resources, we require that it be used for legitimate research purposes.

Efforts have been made to prevent accidental misuse or interference with other users or the public, however deliberate abusive or malicious actions will result in a ban from access.

Accidents, mistakes, misconfigurations and the like happen. Some actions, such as transmitting on a forbidden frequency, or accidental network denial of service, will result in a warning to you, and your group administrator.

This is a shared resource, please make every effort to be considerate to other users.

  1. Outdoor Radio Frequency Allocation
  2. Program Experiment License
  3. Spectrum Monitoring
  4. Emergency Stop Procedures
  5. Network and Platform Security
    1. External Network Access
    2. Internal Network Access
    3. Shared Machines
    4. Testbed Compute resources

Outdoor Radio Frequency Allocation

Reception in COSMOS is unrestricted on any frequency capable of being received by a given piece of hardware (refer to specific hardware details for capabilities).

Transmission on any frequency is allowed only with prior approval and limited to frequency bands authorized for such use by the FCC.

In addition to the unlicensed ISM bands (subject to regulation by part 15 of the FCC rules), the following bands are available for use by the outdoor COSMOS deployment as part of the New York City Innovation Zone for Program Experimental Licenses as designated by the FCC.

Frequency BandType of operationAllocationMaximum EIRP (dBm)
2500-2690 MHz Fixed Non-federal 20
3700-4200 MHz1 Mobile Non-federal 20
5850-5925 MHz Mobile Shared 20
5925-7125 MHz Fixed & Mobile Non-federal 20
27.5-28.35 GHz Fixed Non-federal 402
38.6-40.0 GHz Fixed Non-federal 402

Notes

1 Commission rules do not permit airborne use in this band. Any experimental use must

be coordinated with authorized users and registered receive-only fixed satellite earth stations

2 These power limits are an increase from the previously permitted 20 dBm limit.

Map of the FCC Innovation Zones

Program Experiment License

Spectrum Monitoring

Each Node has, at minimum, one SDR for spectrum monitoring, and one for experiment usage, although they can be configured independently.

Their external RF frontends contain filters, to restrict transmission to allowed bands. The filters are configured by a central service, disallowing experimenters from selecting unacceptable frequencies and power levels.

Emergency Stop Procedures

All transmit capable devices have either a method to either disconnect the RF front-end, cut the power entirely, or both.

In the event of an emergency, the testbed operators can hard power off any offending device.

In the event of an issue with the central co-ordination service, watchdogs on each node will, after a short timeout, automatically power off the RF components.

Network and Platform Security

External Network Access

Only authenticated users can log in to the Consoles and and other SSH jump hosts. We assume that the user connecting with a given SSH key is the same user that uploaded it to the portal.

Important The user takes all responsibility for safeguarding their local SSH keys. Best practices, such as strong passphrases should be followed.

Our SSH endpoints are configured following the Mozilla best practices guidelines.

VPN access is similarly gated on the testbed access credentials. SSH and VPN connections may only be initiated during a reservation, and are closed automatically at the end of said reservation.

All externally facing machines are behind a firewall, as well as having their own security mechanisms configured.

To access their own files, or the testbed resources, a user has to connect through one of the configure Jump Hosts. All Jump Hosts log user access to a central location.

Internal Network Access

External Access, Experiment Control, and Experiment Dataplane networks are isolated with VLANs and ACLs on the core network switches.

To connect to Domain Resources, a User must pass through the Domain's Console.

Shared Machines

User data is safeguarded by standard POSIX permissions. Safe defaults have been set, but it is the users' responsibility to avoid running untrusted code, or setting their own files to world writable.

Shared machines are treated as if public, from a security perspective. It is assumed that all connections, both from external networks, and from experiment networks, are untrusted by default.

Cron jobs or other long running commands are NOT permitted after the end of a reservation, as the management process will kill all processes spawned by said user.

Testbed Compute resources

Within a Domain, and during their Reservation, users have full rights to the Compute Resources, and have both root and serial console access.

These machines are insecure by default, except for these factors:

  • No network access from outside. A combination of a stateful firewall and NAT prevents external entities from initiating connections. This is the standard assumption for say, a properly configure Home LAN.
  • No access between experiment networks, unless configured. Users are able to manually bridge networks, during their reservation, if they have the relevant rights. Users must act according to their own security model.

When a compute resource is provisioned, the disk is overwritten. At the same time, if sensitive information is saved to disk, it is the experimenter's responsibility to erase the disk with our provided commands.

Last modified 22 months ago Last modified on Jun 24, 2024, 9:08:16 PM
Note: See TracWiki for help on using the wiki.