Tutorial 3: Security provider net
The goal of this tutorial is to experiment with authentication and SDU protection policies. The scenario to be set up is illustrated in the figure below.
Configuration files must be copied to the "etc" folder under the stack's installation path (e.g. if you installed it in /usr/local/irati, config files must be in /usr/local/irati/etc).
On the customer border router, copy the following files into <installation_path>/etc. The configuration assumes that this system will communicate via the Ethernet interface "eth1", configured with VLAN "300".
- IPCM config file
- DIF (shim) 300 template
- Default DIF template
- Access DIF template
- Multi-provider DIF template
- Application to DIF mappings
- Access DIF RSA key
- Multi-provider DIF RSA key
On the provider border router 1, copy the following files into <installation_path>/etc. The configuration assumes that this system will communicate via the Ethernet interface "eth1", configured with VLAN "300", and via the Ethernet interface "eth2", configured with VLAN "310".
- IPCM config file
- DIF (shim) 300 template
- DIF (shim) 310 template
- Default DIF template
- Access DIF template
- Regional DIF template
- Multi-provider DIF template
- Application to DIF mappings
- Access DIF RSA key
- Multi-provider DIF RSA key
On the provider border router 2, copy the following files into <installation_path>/etc. The configuration assumes that this system will communicate via the Ethernet interface "eth1", configured with VLAN "310".
- IPCM config file
- DIF (shim) 310 template
- Default DIF template
- Regional DIF template
- Multi-provider DIF template
- Application to DIF mappings
On the customer border router, configure VLAN 300 on the eth1 interface
modprobe 8021q
ip link add link eth1 name eth1.300 type vlan id 300
ip link set dev eth1 up
ip link set dev eth1.300 up
Load the RINA kernel modules
modprobe shim-eth-vlan
modprobe rina-default-plugin
modprobe normal-ipcp
Start up the IPC Manager in the background
cd <installation_path>/bin
./ipcm -c ../etc/ipcm.conf -l DEBUG &
Log into the IPCM console
telnet localhost 32766
If everything went ok, you should see the following output when typing the "list-ipcps" command
IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 300 | A.IRATI-1-- | -
2 | A.IRATI:1:: | normal-ipc | ASSIGNED TO DIF access.DIF | E.IRATI-1-- | -
3 | E.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -
On the provider border router 1, configure VLAN 300 on the eth1 interface and VLAN 310 on the eth2 interface
modprobe 8021q
ip link add link eth1 name eth1.300 type vlan id 300
ip link set dev eth1 up
ip link set dev eth1.300 up
ip link add link eth2 name eth2.310 type vlan id 310
ip link set dev eth2 up
ip link set dev eth2.310 up
Load the RINA kernel modules
modprobe shim-eth-vlan
modprobe rina-default-plugin
modprobe normal-ipcp
Start up the IPC Manager in the background
cd <installation_path>/bin
./ipcm -c ../etc/ipcm.conf -l DEBUG &
Log into the IPCM console
telnet localhost 32766
If everything went ok, you should see the following output when typing the "list-ipcps" command
IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 300 | B.IRATI-1-- | -
2 | test-eth-vlan2:1:: | shim-eth-vlan | ASSIGNED TO DIF 310 | C.IRATI-1-- | -
3 | C.IRATI:1:: | normal-ipc | ASSIGNED TO DIF regional.DIF | F.IRATI-1-- | -
4 | B.IRATI:1:: | normal-ipc | ASSIGNED TO DIF access.DIF | F.IRATI-1-- | -
5 | F.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -
On the provider border router 2, configure VLAN 310 on the eth1 interface
modprobe 8021q
ip link add link eth1 name eth1.310 type vlan id 310
ip link set dev eth1 up
ip link set dev eth1.310 up
Load the RINA kernel modules
modprobe shim-eth-vlan
modprobe rina-default-plugin
modprobe normal-ipcp
Start up the IPC Manager in the background
cd <installation_path>/bin
./ipcm -c ../etc/ipcm.conf -l DEBUG &
Log into the IPCM console
telnet localhost 32766
If everything went ok, you should see the following output when typing the "list-ipcps" command
IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 310 | D.IRATI-1-- | -
2 | D.IRATI:1:: | normal-ipc | ASSIGNED TO DIF regional.DIF | G.IRATI-1-- | -
3 | G.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -
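A check for the three "list-ipcps" outputs above, added here as an example and not part of the IRATI tooling: it reads console output pasted on stdin and confirms that each expected IPCP is in the "ASSIGNED TO DIF" state for the right DIF before enrollment starts. The function name "check_ipcps" and its NAME=DIF argument format are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not IRATI code): validate pasted "list-ipcps" output.
# check_ipcps and its NAME=DIF arguments are hypothetical names.

# Usage: check_ipcps NAME=DIF [NAME=DIF ...] < list-ipcps-output
# Prints one line per problem; returns 1 if an IPCP is missing or not
# assigned to the expected DIF, 0 otherwise.
check_ipcps() {
    awk -F'|' -v want="$*" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            n = split(want, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                expected[kv[1]] = kv[2]
            }
        }
        # Data rows have six fields and a numeric id; the header row does not.
        NF == 6 && trim($1) ~ /^[0-9]+$/ {
            name = trim($2)
            sub(/:.*/, "", name)          # "A.IRATI:1::" -> "A.IRATI"
            state[name] = trim($4)
        }
        END {
            bad = 0
            for (name in expected) {
                if (!(name in state)) {
                    print "MISSING " name; bad = 1
                } else if (state[name] != "ASSIGNED TO DIF " expected[name]) {
                    print "WRONG " name ": " state[name]; bad = 1
                }
            }
            exit bad
        }'
}

# Sample input: the customer border router output shown in the tutorial.
IPCPS_SAMPLE='IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 300 | A.IRATI-1-- | -
2 | A.IRATI:1:: | normal-ipc | ASSIGNED TO DIF access.DIF | E.IRATI-1-- | -
3 | E.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -'

printf '%s\n' "$IPCPS_SAMPLE" |
    check_ipcps test-eth-vlan=300 A.IRATI=access.DIF E.IRATI=multi-provider.DIF &&
    echo "all expected IPCPs are assigned"
```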
From the provider border router 2, open the IPCM console and type the following commands
telnet localhost 32766
IPCM >>> enroll-to-dif 2 regional.DIF 310 C.IRATI 1
DIF enrollment successfully completed in 12 ms
IPCM >>> enroll-to-dif 3 multi-provider.DIF regional.DIF F.IRATI 1
DIF enrollment successfully completed in 16 ms
If everything went ok, you should see the "DIF enrollment successfully ..." statements. Now from the provider border router 1, open the IPCM console and type the following commands
telnet localhost 32766
IPCM >>> enroll-to-dif 4 access.DIF 300 A.IRATI 1
DIF enrollment successfully completed in 117 ms
IPCM >>> enroll-to-dif 5 multi-provider.DIF access.DIF E.IRATI 1
DIF enrollment successfully completed in 124 ms
As you have seen, the enrollment takes much more time now, because both IPCPs have used the SSH2-based authentication policy and encrypt all the traffic with the SDU Protection policy that uses AES128.
Open a rina-echo-time server at the provider border router 2
cd <stack installation path>/bin
./rina-echo-time -l
18924(1445007262)#librina.logs (DBG): New log level: INFO
18924(1445007262)#librina.nl-manager (INFO): Netlink socket connected to local port 18924
If everything went ok, you should see the log statements. Now, at the customer border router, open a rina-echo-time client, which will send 10000 SDUs of 1400 bytes at maximum speed and compute some statistics from the replies.
cd <stack installation path>/bin
./rina-echo-time -w 0 -c 10000 -s 1400
4063(1445007376)#librina.logs (DBG): New log level: INFO
4063(1445007376)#librina.nl-manager (INFO): Netlink socket connected to local port 4063
Flow allocation time = 8.332 ms
SDU size = 1400, seq = 0, RTT = 1.2622 ms
SDU size = 1400, seq = 1, RTT = 2.5178 ms
SDU size = 1400, seq = 2, RTT = 2.1021 ms
SDU size = 1400, seq = 3, RTT = 1.6331 ms
SDU size = 1400, seq = 4, RTT = 1.5633 ms
SDU size = 1400, seq = 5, RTT = 3.3219 ms
...
SDU size = 1400, seq = 9996, RTT = 0.53697 ms
SDU size = 1400, seq = 9997, RTT = 0.43168 ms
SDU size = 1400, seq = 9998, RTT = 0.48405 ms
SDU size = 1400, seq = 9999, RTT = 0.52331 ms
SDUs sent: 10000; SDUs received: 10000; 0% SDU loss
Minimum RTT: 0.3724 ms; Maximum RTT: 4.3496 ms; Average RTT:0.55281 ms; Standard deviation: 0.27377 ms
Open a rina-tgen server at the customer router
cd <rina-tgen installation path>/bin
./rina-tgen -l
8839(1445007850)#librina.logs (DBG): New log level: INFO
8839(1445007850)#librina.nl-manager (INFO): Netlink socket connected to local port 8839
If everything went ok, you should see the log statements. Now, at the provider border router 2 open a rina-tgen client, which will be sending SDUs of 1400 bytes for 20 seconds at maximum speed (the speed that can be handled by the DIF).
cd <rina-tgen installation path>/bin
./rina-tgen --duration 20 -s 1400
25131(1445007877)#librina.logs (DBG): New log level: INFO
25131(1445007877)#librina.nl-manager (INFO): Netlink socket connected to local port 25131
25131(1445007877)#traffic-generator (INFO): starting test
(after 20 seconds)
25131(1445007897)#traffic-generator (INFO): sent statistics: 292605 SDUs, 409647000 bytes in 19999663 us, 163.8616 Mb/s
The server has produced the following logs
8839(1445007877)#traffic-generator (INFO): New flow allocated [port-id = 37]
8839(1445007877)#traffic-generator (INFO): Starting test from client traffic.generator.client-1 on port-id 37
8839(1445007877)#traffic-generator (INFO): Duration: 20 s, count: 0 sdus, sdu size: 1400 bytes, reporting interval: 1000 ms
8839(1445007878)#traffic-generator (INFO): Port 37: 15173 SDUs ( 21242200 bytes) in 1001515 us => 15150.0477 p/s, 169.6805 Mb/s
8839(1445007879)#traffic-generator (INFO): Port 37: 15120 SDUs ( 21168000 bytes) in 1000143 us => 15117.8381 p/s, 169.3198 Mb/s
8839(1445007880)#traffic-generator (INFO): Port 37: 15226 SDUs ( 21316400 bytes) in 1000382 us => 15220.1859 p/s, 170.4661 Mb/s
8839(1445007881)#traffic-generator (INFO): Port 37: 15186 SDUs ( 21260400 bytes) in 1000219 us => 15182.6750 p/s, 170.0460 Mb/s
8839(1445007882)#traffic-generator (INFO): Port 37: 11460 SDUs ( 16044000 bytes) in 1053536 us => 10877.6539 p/s, 121.8297 Mb/s
8839(1445007883)#traffic-generator (INFO): Port 37: 13862 SDUs ( 19406800 bytes) in 1000525 us => 13854.7263 p/s, 155.1729 Mb/s
8839(1445007884)#traffic-generator (INFO): Port 37: 15064 SDUs ( 21089600 bytes) in 1000641 us => 15054.3502 p/s, 168.6087 Mb/s
8839(1445007885)#traffic-generator (INFO): Port 37: 14890 SDUs ( 20846000 bytes) in 1000001 us => 14889.9851 p/s, 166.7678 Mb/s
8839(1445007886)#traffic-generator (INFO): Port 37: 15100 SDUs ( 21140000 bytes) in 1000307 us => 15095.3657 p/s, 169.0681 Mb/s
8839(1445007887)#traffic-generator (INFO): Port 37: 15149 SDUs ( 21208600 bytes) in 1000434 us => 15142.4282 p/s, 169.5952 Mb/s
8839(1445007888)#traffic-generator (INFO): Port 37: 15007 SDUs ( 21009800 bytes) in 1000136 us => 15004.9593 p/s, 168.0555 Mb/s
8839(1445007889)#traffic-generator (INFO): Port 37: 14923 SDUs ( 20892200 bytes) in 1000240 us => 14919.4193 p/s, 167.0975 Mb/s
8839(1445007890)#traffic-generator (INFO): Port 37: 15138 SDUs ( 21193200 bytes) in 1000020 us => 15137.6972 p/s, 169.5422 Mb/s
8839(1445007891)#traffic-generator (INFO): Port 37: 15134 SDUs ( 21187600 bytes) in 1000307 us => 15129.3553 p/s, 169.4488 Mb/s
8839(1445007892)#traffic-generator (INFO): Port 37: 15005 SDUs ( 21007000 bytes) in 1000319 us => 15000.2149 p/s, 168.0024 Mb/s
8839(1445007893)#traffic-generator (INFO): Port 37: 15168 SDUs ( 21235200 bytes) in 1000153 us => 15165.6797 p/s, 169.8556 Mb/s
8839(1445007894)#traffic-generator (INFO): Port 37: 10537 SDUs ( 14751800 bytes) in 1000029 us => 10536.6944 p/s, 118.0110 Mb/s
8839(1445007895)#traffic-generator (INFO): Port 37: 15191 SDUs ( 21267400 bytes) in 1000373 us => 15185.3359 p/s, 170.0758 Mb/s
8839(1445007896)#traffic-generator (INFO): Port 37: 15158 SDUs ( 21221200 bytes) in 1000034 us => 15157.4846 p/s, 169.7638 Mb/s
8839(1445007897)#traffic-generator (INFO): Port 37: 15114 SDUs ( 21159600 bytes) in 1000134 us => 15111.9750 p/s, 169.2541 Mb/s
8839(1445007897)#traffic-generator (INFO): Port 37: 292605 SDUs, 409647000 bytes in 20000 ms, 163.8588 Mb/s
8839(1445007897)#traffic-generator (INFO): Flow torn down remotely [port-id = 37]
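To compare runs made with different SDU protection policies, the server's per-interval report lines can be reduced to a few numbers. The script below is an added example, not part of rina-tgen: it recomputes each interval's rate from the byte and microsecond counts and lists the intervals that fall below a percentage of the best one. The function name "tgen_summary" and the 80% default are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not rina-tgen code): summarise server interval reports.
# tgen_summary and the default dip threshold are hypothetical choices.

# Usage: tgen_summary [DIP_PERCENT] < server.log
# Line 1: interval count, total SDUs, best interval rate in Mb/s.
# Then one "DIP <unix-timestamp> <Mb/s>" line per interval whose rate is
# below DIP_PERCENT (default 80) of the best interval.
tgen_summary() {
    # Keep only "Port N: X SDUs ( Y bytes) in Z us" lines; the final totals
    # line reports milliseconds and is deliberately not matched.
    sed -n -E 's/^[0-9]+\(([0-9]+)\).*Port [0-9]+: *([0-9]+) SDUs \( *([0-9]+) bytes\) in ([0-9]+) us .*/\1 \2 \3 \4/p' |
    awk -v pct="${1:-80}" '
        {
            ts[NR] = $1
            sdus += $2
            rate[NR] = $3 * 8 / $4        # bits per microsecond == Mb/s
            if (rate[NR] > max) max = rate[NR]
        }
        END {
            if (NR == 0) { print "no interval reports found"; exit 1 }
            printf "intervals=%d sdus=%d max_mbps=%.2f\n", NR, sdus, max
            for (i = 1; i <= NR; i++)
                if (rate[i] < max * pct / 100)
                    printf "DIP %s %.2f\n", ts[i], rate[i]
        }'
}

# Sample input: four consecutive report lines copied from the server log above.
TGEN_SAMPLE='8839(1445007880)#traffic-generator (INFO): Port 37: 15226 SDUs ( 21316400 bytes) in 1000382 us => 15220.1859 p/s, 170.4661 Mb/s
8839(1445007881)#traffic-generator (INFO): Port 37: 15186 SDUs ( 21260400 bytes) in 1000219 us => 15182.6750 p/s, 170.0460 Mb/s
8839(1445007882)#traffic-generator (INFO): Port 37: 11460 SDUs ( 16044000 bytes) in 1053536 us => 10877.6539 p/s, 121.8297 Mb/s
8839(1445007883)#traffic-generator (INFO): Port 37: 13862 SDUs ( 19406800 bytes) in 1000525 us => 13854.7263 p/s, 155.1729 Mb/s'

printf '%s\n' "$TGEN_SAMPLE" | tgen_summary
```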