Paisal KIATTANANAN <firstname.lastname@example.org>
Thaweesak KOANANTAKOOL <email@example.com>
Taweesak CHAIRATANAYUT <firstname.lastname@example.org>
Pattara KIATISEVI <email@example.com>
Robert BECK <firstname.lastname@example.org>
National Electronic and Computer Technology Center
Starting in February 1998, schools all over Thailand were given free access to a specially designed Internet protocol (IP) network through the SchoolNet Thailand project. With cooperation from local telephone companies and a government policy to boost the nation's educational infrastructure, this large network was set up in 1997 to cover the country, which is the size of Texas. The work was an initiative of Thailand's Princess Maha Chakri Sirindhorn.
This paper describes our unique solution for the design and construction of a network that delivers Internet access to students everywhere in the country with a local telephone call. Under several constraints -- a severely limited budget and limited network resources and manpower -- we derived a solution that delivers reliable network access, which can be used with a high utilization factor despite the "synchronous" nature of classroom activities during class hours.
Our concepts of account categories and time-staggered account access control are explained. The automated user-management tools that we developed to increase the system's capacity to handle a large number of Internet beginners are described. Lessons learned from the SchoolNet Thailand project can easily be applied to other developing countries that are planning or are in the process of setting up an educational network during the current economic crisis in Asia.
A brief history of SchoolNet is presented. The SchoolNet Thailand project started as a small network in 1995. It served only schools in the capital city of Bangkok. In 1996, another nationwide network called the Golden Jubilee Network was established which gave everyone access to a large, IP-based bulletin board system (BBS). The BBS consisted of an electronic library containing information related to His Majesty the King of Thailand. In 1998, the SchoolNet Thailand project was granted a free 512 kbps international Internet link as well as permission to use the interprovincial leased circuits of the Golden Jubilee Network. The SchoolNet and Golden Jubilee Networks were merged in February 1998 in order to create a large-scale nationwide IP network for schools. This was the first nationwide, free-access network for education in the Association of Southeast Asian Nations region. The project was called SchoolNet@1509 to signify the special telephone number -- 1509 -- which could be used anywhere in Thailand to access the network.
Our design and implementation of this network and core management system are described. We discuss how 21 points of presence can support all the selected schools scattered in 76 provinces nationwide; as well as how we can manage the user sessions during class time. Our solution lies in the classification of school activities as either Web browsing or Web development. In order to serve as many schools as possible, each individual account is further assigned one of three interleaved timetables to maximize overall usage. To implement this dynamic access control, a set of applications written in PERL (practical extraction and report language) were developed to work with the RADIUS server and the database engine.
The advent of the Internet has had a significant impact on every aspect of our lives including the education of our young. Thailand, though regarded as a developing country, was among the first in Southeast Asia to venture into cyberspace. Early efforts were focused on an academic TCP/IP (transmission control protocol/Internet protocol)-based network called the Thai Social/Scientific, Academic and Research Network (ThaiSarn ). ThaiSarn has had continuous growth, both in number of nodes and bandwidth, since 1992. The success of ThaiSarn and the growing importance of the Internet have prompted the demand for Internet access in Thai schools.
The SchoolNet Thailand  project was launched in 1995. We (the National Electronics and Computer Technology Center [NECTEC ]) ran it as a pilot project. The early network was based solely in Bangkok; schools outside the capital city had to shoulder the high cost of long-distance telephone calls or leased circuits to get connected. As a result, only a few schools outside Bangkok participated in the early SchoolNet Thailand project. Even at the peak of Thailand's economic growth, government funding to support SchoolNet was unavailable.
We felt that technology could not produce sufficient growth of the network. So we started another project to promote Thai content on the Internet which we hoped would be accepted and would consequently lead to network expansion.
In 1996, the year of celebration of the 50th anniversary of His Majesty the King's ascension to the throne, there was a great opportunity to use information technology to join the celebration. During the 50 years, there had been many successful projects of His Majesty with information available in print but hardly any with information available on the Internet. It was a good time to start making such information available there. As an initiative of Princess Maha Chakri Sirindhorn , who is an advocate of education development in Thailand, the Golden Jubilee Network  project was implemented as a program to create Thai content on the Internet for mass education in Thailand.
The network consisted of two parts: the content and the access network. Content-creation tasks were assigned to 11 organizations which had served the country through many successful projects initiated by His Majesty's. Our task was to make available electronically existing knowledge and useful information for access by Thai people. We also managed the design and implementation of the access network. The design specifications were to give free, local, PPP (point-to-point protocol) access to everyone who wanted to read the contents.
Our solution was a special bulletin board system using TCP/IP and Web technologies. The network allowed access to a website  containing biographies, royal speeches, information on development projects under royal initiatives and royal activities, and other information related to His Majesty. The website of the Golden Jubilee Network was accessible by the Internet as well as by dial-in PPP telephone lines. The telephone number 1509 was used for these lines; it was billed as a local call in Thailand. Twenty-one points of presence (POPs) were established throughout Thailand for access from all 76 provinces. Each POP had six modems and was connected by a 64 kbps leased circuit to a main hub in Bangkok. Due to the noncommercial nature of the service, the network did not allow any users to use e-mail or transit to the global Internet.
Figure 1. Twenty-one telephone area codes in Thailand
So, at the end of the celebration year 1997, we had successfully completed three crucial components for Thailand's mass-education program on the Internet: school awareness, Thai language content, and a nationwide access network. The three components were then integrated in 1998 to form the national SchoolNet network.
In February 1998, the Golden Jubilee Network became the nationwide access network for schools in Thailand. An international gateway was also set up for SchoolNet so that every school could have full Internet access. This combination became the most comprehensive Internet infrastructure in Thailand for schools.
With additional support from the National Information Technology Committee  and the Ministry of Transport and Communications , the network capacity was expanded greatly, and the cost of the leased circuits linking all the POPs together was waived. This became the first large-scale nationwide IP network for schools in the Association of Southeast Asian Nations (ASEAN) region. This newly merged network was named SchoolNet@1509 to signify the special telephone number -- 1509 -- which could be dialed anywhere in Thailand to access SchoolNet.
The operational targets of SchoolNet@1509 were to serve 1,500 schools by June 1998, 2,500 schools by June 1999, and 5,000 schools by June 2000. These numbers were chosen because they were the forecasted numbers of schools in Thailand which would be ready with terminal equipment (such as personal computers [PCs], modems, knowledgeable teachers, and, in some cases, local area networks [LANs]) in each year. Our biggest problem was how to manage the network and the users so that we could meet the targets with minimum resources and maximum quality of service.
As a developing nation, Thailand cannot just develop SchoolNet without also considering other factors in addition to the networking infrastructure. Human resources and related school activities are necessary for students to be able to interact positively with the Internet. There is also a need to support and implement other parallel programs such as teacher training, school library and Internet integration, and student activities promoting the Internet at schools.
The design of the Golden Jubilee Network was based on the fact that Thailand has 21 telephone area codes nationwide (see figure 1). Access to the network was made through a POP in one of the area codes (1 POP in Bangkok and 20 POPs in the provinces as shown in figure 2). All 20 provincial POPs were located in the telephone exchange offices of the Telephone Organization of Thailand (TOT). Each provincial POP was connected to the Network Operation Center (NOC) at NECTEC in Bangkok by a 64 kbps leased circuit. The Bangkok POP was located at the NOC. Each provincial POP had six telephone lines, and the Bangkok POP had 20 lines, all of which supported true PPP 33.6 kbps dial-up access. A single four-digit telephone number, 1509, could be used by anybody anywhere in the country; the number would actually be routed to the nearest POP. The Golden Jubilee Network provided access only to domestic Internet sites, and had no international gateway of its own. A star topology was used to minimize the network maintenance complexity for the carrier (TOT).
Thailand has a flat-rate 3-baht-per-call fee for all telephone calls that originate and terminate within the same province. So, calls that originated in one of the 21 provinces where the POPs were located would be charged only 3 baht (US$0.08) per call. However, calls that originated in the other 55 provinces (Thailand has 76 provinces) would normally be charged on a time-metered basis (ranging from 3 to 9 baht per minute) even though these provinces share the same telephone area codes as the POPs.
This differential charging for different provinces was equalized by a special provision of TOT whereby all calls to 1509 would be charged at a flat rate of 3 baht per call regardless of where the calls originated. We therefore achieved our goal of providing equal access to every citizen in the country to this Golden Jubilee Network for the cost of just a local telephone call. There were no other charges for using this network.
Figure 2. Golden Jubilee Network before combining with SchoolNet
The original SchoolNet had only one POP in Bangkok with 39 telephone lines for dial-up access. It used ThaiSarn for its international gateway. The network could serve only Bangkok schools cheaply while schools in other provinces had to pay for long-distance telephone charges, which were considerable. The Golden Jubilee Network could provide cheap local access to rural areas because no charges were made for use of the long-distance leased circuits. Utilizing the existing network infrastructure and resources of the Golden Jubilee Network seemed like the simplest and quickest solution to providing low-cost Internet access for schools nationwide. The idea was proposed to the government, and after being formally approved by Princess Maha Chakri Sirindhorn, the original SchoolNet was combined with the Golden Jubilee Network in February 1998 giving birth to a new network called SchoolNet@1509.
Strictly speaking, SchoolNet@1509 is not just a combination of the previous two projects because many additional upgrades and improvements were also made. With full cooperation from TOT, the number of telephone lines in each provincial POP was increased from 6 to 15 and all the 64 kbps leased circuits from the provincial POPs to the NOC in Bangkok were upgraded to 128 kbps. The number of telephone lines in Bangkok was increased to 120 and the speed of the dial-up access was increased to 56 kbps (see figure 3). The international Internet gateway for SchoolNet@1509 was sponsored by the Communication Authority of Thailand. Although the initial bandwidth was only 512 kbps, this marked the first time that the SchoolNet Thailand project had an international gateway of its own.
Figure 3. SchoolNet after merging with the Golden Jubilee Network
Due to the limited network resources that we have in SchoolNet@1509, it is important to maintain reliable network access with an acceptable quality of service to all schools in the project. We consider that a school's Internet activities will generally fall into two categories: Web browsing and Web development. Each category has different characteristics and requirements. We therefore provide for each category Internet accounts that have different privileges and quotas.
A Web browsing account simply provides access to true PPP services. It does not provide e-mail or disk space on SchoolNet servers. (Of course, users can still get e-mail accounts from providers like Hotmail and Yahoo.) This type of account will be used mainly in the library or in a classroom so students can explore the Web and participate in group activities under a teacher's guidance. Most schools find that this is the best way to use their first computer to perform some Internet activities.
A Web development account comes with e-mail (POP3 and IMAP4 access) and 3 MB of disk space for hosting a school's home page. These accounts are for school users who are responsible for a school's home page development as well as for instruction and learning in an HTML (hypertext markup language) class.
Initially, each school in the project will receive one Web browsing account and a maximum of two Web development accounts. SchoolNet's appropriate-use policy permits Web browsing accounts to be shared by several students but they must all be supervised by one teacher who is designated as the account owner.
There are some schools in Thailand that are connected to the Internet as independent nodes serving hundreds of computers in the school. These schools are beyond the scope of SchoolNet@1509's services. However, they can join the SchoolNet program by participating in activities with other SchoolNet schools and by linking their websites with the main SchoolNet Thailand website.
Because SchoolNet@1509 has only 420 dial-in telephone lines (120 lines in Bangkok and 300 lines in the provinces) to serve 1,500 schools (with 3 accounts each), without any access control it is very likely that all the lines would be busy during peak hours. To avoid the problem of frequent busy signals, we devised an interleaved access timetable scheme: Web browsing and Web development accounts are further divided into one of the three classes shown in figure 4. Web browsing accounts are divided into classes A1, A2, and A3, and Web development accounts are divided into classes B1, B2, and B3. For example, A1 is associated with a unique timetable which specifies the days of the week and times each day that an account is allowed to access the network. The timetables are designed in such a way that they nicely interleave and complement each other so as to maximize the overall usage of the network. For example, a school that receives an A1 account will be able to use the network between 6 a.m. and 2 p.m. on Mondays, 10 a.m. and 6 p.m. on Wednesdays, and so on.
There is an important difference between the timetables for Web browsing and Web development accounts. Since Web browsing activities will normally be carried out during class hours in the library or classroom, their associated timetables reflect this by restricting network access after class hours (from 6 p.m. to 6 a.m.). On the other hand, Web development activities are expected to take place mainly outside class hours; in fact, home page development can occur off-line (anytime) and it is not even necessary that the online update be done during class hours. Therefore, Web development accounts are accessible mainly outside class hours -- from 6 p.m. to 6 a.m. on weekdays, all day Sundays, and for a few time slots during class hours.
Figure 4. Interleaved access timetable scheme
A main target of SchoolNet@1509 is to serve 2,500 schools by June 1999, but our resources limit us to only 420 telephone lines nationwide. By simple calculation, this ratio of schools to telephone lines is approximately six to one (2,500/420). If we regard the 12-hour period between 6 a.m. and 6 p.m. as regular school hours, each school will get an average access time of 2 hours (12/6) per day for their Web browsing accounts. This translates into approximately 40 hours per month (assuming 20 school days per month). We therefore give 40 hours of access time to all accounts in SchoolNet@1509. We think this restriction is necessary because without any limitations schools may tend to dial in to the network and stay connected for a long time, preventing other schools from dialing in.
We also believe that 40 hours of access time is quite reasonable considering that so far no commercial Internet service provider in Thailand has ever offered unlimited access service to consumers and an average service offering is US$20 for 20 hours per month of Internet access time.
In addition to this monthly access-time limitation, SchoolNet@1509 also imposes a time limit per day as well as per online session. This is intended to avoid account overuse during a short time. All SchoolNet accounts have a 4-hour limit per day and a 3-hour limit per online session.
In order to implement the aforementioned policies (i.e., the interleaved access timetable scheme and usage time limits), it was necessary to have a dynamic authentication and accounting system. The system needed up-to-date information to decide whether to allow a user to access the network and how many minutes to grant the user for that particular session. That meant that we needed a system that could manage user accounts and accesses. The system also required a minimum amount of human intervention because of the limited resources and manpower in this project. The challenge then was how to automate this whole process.
When we first tackled this problem, we studied various implementations of RADIUS servers and found that none of them completely fit our requirements. The choice was either to modify the RADIUS server software itself or to develop add-on programs to achieve our objectives. In the end we decided to write additional programs in PERL (practical extraction and report language) to work with the unmodified RADIUS server software because modifying the RADIUS server software would require a significant amount of resources, take too long, and cause a dependency on that particular implementation of the RADIUS server.
Figure 5. Interaction of different modules for dynamic authentication
Our unique implementation lies in generating the user file for the RADIUS server every five minutes. We developed two programs in PERL to do this, namely the Log Manager and the Database Manager. As shown in figure 5, the Log Manager first takes raw data from the RADIUS server's access log file (1) and processes it into individual user-access records; it then puts these access records into the Access Log Database (2). The Access Log Database will contain information such as:
Session start: 12:08:50 on 1 Aug 1998
Session stop: 12:59:30 on 1 Aug 1998
Session time: 3040 sec
Records in the User Database indicate account type and usage restriction as shown below:
Account type: A1
Monthly limit: 40 hours
Daily limit: 4 hours
Session limit: 3 hours
The Database Manager subtracts the session time in the Access Log Database (3) from the monthly and daily limits in the User Database (4). It then compares these values with the session limit and updates the session limit in the Online Database (5) with the lowest of the values. The record in the Online Database may look like:
Total number of sessions used: 1
Time used: 3040 sec
Monthly time remaining: 140960 sec (40 hours - 3040 seconds)
Daily time remaining: 11360 sec (4 hours - 3040 seconds)
Session time limit: 10800 sec
Finally, the Database Manager checks whether a user is eligible to access the network at that particular point in time (according to the access timetable). We represent the access timetables by a series of six-digit hexadecimal numbers separated by colons as follows:
Timetable A1 is associated with
where each 6-digit hexadecimal number represents one day of the week starting on Monday. To decode the usage restrictions of timetable A1 on Mondays, examine the first number: 03fc00. This hexadecimal number is equivalent to the 24-digit binary number
03fc00 -- 0000 0011 1111 1100 0000 0000
Each binary digit represents one hour of the day starting at 0:00 a.m. The binary digit 1 means that access is allowed during that hour; 0 means that access is not allowed. The first six 0s in this example mean that access is not allowed between 0:00 a.m. and 6:00 a.m.; the next eight 1s mean that access is allowed between 6:00 a.m. and 2:00 p.m.; and so on.
The Database Manager then uses the access timetable, together with the current time, to determine access eligibility. If the user is eligible, an entry will be put in the RADIUS server's user's file with a session timeout equal to the session limit in the Online Database (6). If the user is not eligible, then no entry for the user will be put in the RADIUS server's user's file.
The Log Manager and the Database Manager repeat themselves every five minutes.
To simplify the routine tasks of adding, deleting, and modifying user accounts, we developed a Web-based tool that facilitates these administrative functions and eliminates the need for any technical background to perform the tasks. All the data are entered in a Web-based form, and the changes are made to the central database by a script program. This tool also provides decision-support information for an administrator when he or she is about to add a new account.
According to the interleaved access timetable scheme, it is important that the different access timetables (as determined by the class: A1, A2, or A3 or B1, B2, or B3) for each type of user (Web browsing and Web development) be distributed equally among the users of each type in each POP or else the scheme will fail to achieve the maximum overall usage. So, before adding a new account in a province, the administrator will obtain information about the distribution of the accounts in each class (A1, A2, and A3 or B1, B2, and B3) in the POP that the province belongs to. The administrator then assigns the account class such that the balance among them is maintained.
With the same tool, other information about user accounts can be queried online from the database through a standard Web browser. (Access to private information is protected by password over an SSL [secure sockets layer] connection.) This makes it easy to check how many accounts a particular school has and to which categories and classes the accounts have been assigned. Information about every user's sessions is kept for 12 months. Information about a user's current and previous sessions for the past month are available to both administrators and the users themselves (http://www.school.net.th/status). Users can also check how much time they have left in a particular month. They can also change their passwords through a standard Web browser.
To handle users' telephone calls for assistance and support it was necessary to set up a help desk for SchoolNet. At present, three tools support this operation. First, when responding to inquiries concerning unsuccessful log-ons, the help-desk staff can verify a user's password through a standard Web browser interface. Second, in addition to the e-mail alert that the system sends to the team in case a network link is unreachable, the help desk staff also have, at their disposal, a link status Web page that indicates whether a particular link is up or down and additional data about packet loss and round-trip time. Third, information is available for the staff to check how many accounts a school has, what the login names are, and to which categories and classes the accounts have been assigned.
In order to help users better manage their accounts, we developed a tool that automatically sends alert messages by e-mail to any SchoolNet user when:
To conserve SchoolNet's 512 kbps international bandwidth and filter out inappropriate sites for students, use of TCP port 80, which is used for Web traffic, is blocked. All users must access the Web via SchoolNet's central cache server called cache.school.net.th. The SchoolNet cache server is operated by our NOC team in Bangkok. It forms part of the Global Caching Hierarchy at the National Laboratory for Applied Network Research. The implementation of this cache in SchoolNet has proved successful. Our data show that it saves about 500 MB of traffic per day with an average hit rate of 30 percent.
This paper has so far described only the dial-in access part of SchoolNet. Although constituting a smaller part, some relatively advanced and financially well-to-do schools are connected to the SchoolNet backbone in Bangkok by permanent leased circuits (represented by "school nodes" in figure 3). These schools number around 14. They all have their own campus LAN and a dedicated teacher-student team to operate routers as well as Internet servers.
However, as previously mentioned, most schools outside Bangkok cannot afford to pay for such leased circuits. To solve this problem, we plan to allow provincial schools to connect to our nearest POPs via a leased circuit. Due to limited resources, currently each POP can accommodate only one leased-circuit connection. We are in the process of drafting a policy for selecting which schools can connect in this way. The criteria will likely be based on the technical potential of the school to operate an Internet node and the level of school activities on the Net.
We also plan to expand the dial-in access part of SchoolNet so more schools can be brought online and more users can be handled. The target is to have 5,000 schools connecting to SchoolNet by the year 2001 and each school eligible for five Internet accounts instead of three. Moreover, the online time will be increased from 40 hours per month to 80 hours per month so students will have more time to explore the Web. The number of modem lines in each provincial POP will be increased from 15 to 60 and in Bangkok from 120 to 450 to accommodate more SchoolNet users.
The initial success of SchoolNet@1509 has shown that a good project with a huge impact on society need not be expensive. Technical foresight, careful planning, and sheer hard work can almost always accomplish the job.
Needless to say, NECTEC should be viewed as just an incubator of the early effort to introduce the Internet in Thai schools. The project's eventual success will depend on many more factors including the creation of content, training, better network infrastructure, and a sincere effort on the part of the government to improve the overall education of its citizens.
It is clear that no single organization in the country can accomplish this task alone. Thailand urgently needs a joint effort by different government ministries if it really wants to see that every student has a chance to get online.