Tutorial 3: Security provider net

Eduard Grasa edited this page Feb 17, 2017 · 20 revisions

Introduction

The goal of this tutorial is to experiment with authentication and SDU protection policies. The scenario to be set up is illustrated in the figure below.

Tutorial 3 scenario

Configuration

Configuration files must be copied to the stack's installation path "etc" folder (e.g. if you installed it in /usr/local/irati, config files must be in /usr/local/irati/etc).

Customer border router

Copy the following files into <installation_path>/etc. The configuration assumes that this system will communicate via the Ethernet interface "eth1", configured with VLAN "300".

Provider border router 1

Copy the following files into <installation_path>/etc. The configuration assumes that this system will communicate via the Ethernet interface "eth1", configured with VLAN "300", and via the Ethernet interface "eth2", configured with VLAN "310".

Provider border router 2

Copy the following files into <installation_path>/etc. The configuration assumes that this system will communicate via the Ethernet interface "eth1", configured with VLAN "310".

System initialization

Customer border router

Configure the VLAN 300 on the eth1 interface

modprobe 8021q
ip link add link eth1 name eth1.300 type vlan id 300
ip link set dev eth1 up
ip link set dev eth1.300 up

Load the RINA kernel modules

modprobe shim-eth-vlan
modprobe rina-default-plugin
modprobe normal-ipcp

Start up the IPC Manager in the background

cd <installation_path>/bin
./ipcm -c ../etc/ipcm.conf -l DEBUG &

Log into the IPCM console

telnet localhost 32766

If everything went ok, you should see the following output when typing the "list-ipcps" command

IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
    1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 300 | A.IRATI-1-- | -
    2 | A.IRATI:1:: | normal-ipc | ASSIGNED TO DIF access.DIF | E.IRATI-1-- | -
    3 | E.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -

Provider 1 border router

Configure the VLAN 300 on the eth1 interface and VLAN 310 on the eth2 interface

modprobe 8021q
ip link add link eth1 name eth1.300 type vlan id 300
ip link set dev eth1 up
ip link set dev eth1.300 up
ip link add link eth2 name eth2.310 type vlan id 310
ip link set dev eth2 up
ip link set dev eth2.310 up

Load the RINA kernel modules

modprobe shim-eth-vlan
modprobe rina-default-plugin
modprobe normal-ipcp

Start up the IPC Manager in the background

cd <installation_path>/bin
./ipcm -c ../etc/ipcm.conf -l DEBUG &

Log into the IPCM console

telnet localhost 32766

If everything went ok, you should see the following output when typing the "list-ipcps" command

IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
    1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 300 | B.IRATI-1-- | -
    2 | test-eth-vlan2:1:: | shim-eth-vlan | ASSIGNED TO DIF 310 | C.IRATI-1-- | -
    3 | C.IRATI:1:: | normal-ipc | ASSIGNED TO DIF regional.DIF | F.IRATI-1-- | -
    4 | B.IRATI:1:: | normal-ipc | ASSIGNED TO DIF access.DIF | F.IRATI-1-- | -
    5 | F.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -

Provider 2 border router

Configure the VLAN 310 on the eth1 interface

modprobe 8021q
ip link add link eth1 name eth1.310 type vlan id 310
ip link set dev eth1 up
ip link set dev eth1.310 up

Load the RINA kernel modules

modprobe shim-eth-vlan
modprobe rina-default-plugin
modprobe normal-ipcp

Start up the IPC Manager in the background

cd <installation_path>/bin
./ipcm -c ../etc/ipcm.conf -l DEBUG &

Log into the IPCM console

telnet localhost 32766

If everything went ok, you should see the following output when typing the "list-ipcps" command

IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
    1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 310 | D.IRATI-1-- | -
    2 | D.IRATI:1:: | normal-ipc | ASSIGNED TO DIF regional.DIF | G.IRATI-1-- | -
    3 | G.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -
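
The list-ipcps check above can be scripted so that enrollment, and with it the authentication and SDU protection policies, is only attempted once every IPCP is assigned to its intended DIF. This is an added example, not part of the original tutorial or the IRATI code: the helper name check_ipcps and its NAME=DIF argument syntax are assumptions, and the sample input is the customer border router output from this page.

```shell
#!/bin/sh
# Added example: verify list-ipcps output against an expected IPCP -> DIF map.
# Usage: check_ipcps NAME=DIF ...   (saved list-ipcps output is read on stdin)
# check_ipcps and the NAME=DIF syntax are hypothetical, not IRATI tooling.
check_ipcps() {
    awk -F'[|]' -v want="$*" '
    BEGIN {
        n = split(want, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); expect[kv[1]] = kv[2] }
    }
    # Data rows start with a numeric id; the prompt and header lines do not.
    NF >= 6 && $1 ~ /^ *[0-9]+ *$/ {
        name = $2; state = $4
        gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", state)
        sub(/:.*/, "", name)            # "A.IRATI:1::" -> "A.IRATI"
        seen[name] = state
    }
    END {
        bad = 0
        for (name in expect) {
            wanted = "ASSIGNED TO DIF " expect[name]
            if (!(name in seen)) { print "MISSING  " name; bad++ }
            else if (seen[name] != wanted) { print "MISMATCH " name ": " seen[name]; bad++ }
        }
        exit (bad > 0)                  # non-zero status if any IPCP is not ready
    }'
}

# Sample input: the customer border router output shown on this page.
sample_customer_output() {
    cat <<'EOF'
IPCM >>> list-ipcps
Current IPC processes (id | name | type | state | Registered applications | Port-ids of flows provided)
    1 | test-eth-vlan:1:: | shim-eth-vlan | ASSIGNED TO DIF 300 | A.IRATI-1-- | -
    2 | A.IRATI:1:: | normal-ipc | ASSIGNED TO DIF access.DIF | E.IRATI-1-- | -
    3 | E.IRATI:1:: | normal-ipc | ASSIGNED TO DIF multi-provider.DIF | - | -
EOF
}

# Customer border router: all three IPCPs must be assigned before enrolling.
sample_customer_output |
    check_ipcps test-eth-vlan=300 A.IRATI=access.DIF E.IRATI=multi-provider.DIF &&
    echo "customer border router: IPCPs ready"
```

For the provider routers, pass the names and DIFs from their own list-ipcps output, for example C.IRATI=regional.DIF and B.IRATI=access.DIF on provider border router 1.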

Enrollment

From the provider border router 2, open the IPCM console and type the following commands

telnet localhost 32766
IPCM >>> enroll-to-dif 2 regional.DIF 310 C.IRATI 1
DIF enrollment successfully completed in 12 ms

IPCM >>> enroll-to-dif 3 multi-provider.DIF regional.DIF F.IRATI 1
DIF enrollment successfully completed in 16 ms

If everything went ok, you should see the "DIF enrollment successfully ..." statements. Now from the provider border router 1, open the IPCM console and type the following commands

telnet localhost 32766
IPCM >>> enroll-to-dif 4 access.DIF 300 A.IRATI 1
DIF enrollment successfully completed in 117 ms

IPCM >>> enroll-to-dif 5 multi-provider.DIF access.DIF E.IRATI 1
DIF enrollment successfully completed in 124 ms

As you have seen, the enrollment takes much longer now, because both IPCPs have used the SSH2-based authentication policy and encrypt all the traffic with the SDU Protection policy that uses AES128.

Trying some applications

rina-echo-time

Open a rina-echo-time server at the provider border router 2

cd <stack installation path>/bin
./rina-echo-time -l
18924(1445007262)#librina.logs (DBG): New log level: INFO
18924(1445007262)#librina.nl-manager (INFO): Netlink socket connected to local port 18924 

If everything went ok, you should see the log statements. Now, at the customer border router, open a rina-echo-time client, which will send 10,000 SDUs of 1400 bytes at maximum speed and compute some statistics from the replies.

cd <stack installation path>/bin
./rina-echo-time -w 0 -c 10000 -s 1400
4063(1445007376)#librina.logs (DBG): New log level: INFO
4063(1445007376)#librina.nl-manager (INFO): Netlink socket connected to local port 4063 
Flow allocation time = 8.332 ms
SDU size = 1400, seq = 0, RTT = 1.2622 ms
SDU size = 1400, seq = 1, RTT = 2.5178 ms
SDU size = 1400, seq = 2, RTT = 2.1021 ms
SDU size = 1400, seq = 3, RTT = 1.6331 ms
SDU size = 1400, seq = 4, RTT = 1.5633 ms
SDU size = 1400, seq = 5, RTT = 3.3219 ms
                   ...
SDU size = 1400, seq = 9996, RTT = 0.53697 ms
SDU size = 1400, seq = 9997, RTT = 0.43168 ms 
SDU size = 1400, seq = 9998, RTT = 0.48405 ms
SDU size = 1400, seq = 9999, RTT = 0.52331 ms
SDUs sent: 10000; SDUs received: 10000; 0% SDU loss
Minimum RTT: 0.3724 ms; Maximum RTT: 4.3496 ms; Average RTT:0.55281 ms; Standard deviation: 0.27377 ms

rina-tgen

Open a rina-tgen server at the customer router

cd <rina-tgen installation path>/bin
./rina-tgen -l
8839(1445007850)#librina.logs (DBG): New log level: INFO
8839(1445007850)#librina.nl-manager (INFO): Netlink socket connected to local port 8839 

If everything went ok, you should see the log statements. Now, at the provider border router 2 open a rina-tgen client, which will be sending SDUs of 1400 bytes for 20 seconds at maximum speed (the speed that can be handled by the DIF).

cd <rina-tgen installation path>/bin
./rina-tgen --duration 20 -s 1400
25131(1445007877)#librina.logs (DBG): New log level: INFO
25131(1445007877)#librina.nl-manager (INFO): Netlink socket connected to local port 25131 
25131(1445007877)#traffic-generator (INFO): starting test
      (after 20 seconds)
25131(1445007897)#traffic-generator (INFO): sent statistics:    292605 SDUs,    409647000 bytes in  19999663 us, 163.8616 Mb/s

The server has produced the following logs

8839(1445007877)#traffic-generator (INFO): New flow allocated [port-id = 37]
8839(1445007877)#traffic-generator (INFO): Starting test from client traffic.generator.client-1 on port-id 37
8839(1445007877)#traffic-generator (INFO): Duration: 20 s, count: 0 sdus, sdu size: 1400 bytes, reporting interval: 1000 ms
8839(1445007878)#traffic-generator (INFO): Port   37:     15173 SDUs (    21242200 bytes) in      1001515 us => 15150.0477 p/s,  169.6805 Mb/s
8839(1445007879)#traffic-generator (INFO): Port   37:     15120 SDUs (    21168000 bytes) in      1000143 us => 15117.8381 p/s,  169.3198 Mb/s
8839(1445007880)#traffic-generator (INFO): Port   37:     15226 SDUs (    21316400 bytes) in      1000382 us => 15220.1859 p/s,  170.4661 Mb/s
8839(1445007881)#traffic-generator (INFO): Port   37:     15186 SDUs (    21260400 bytes) in      1000219 us => 15182.6750 p/s,  170.0460 Mb/s
8839(1445007882)#traffic-generator (INFO): Port   37:     11460 SDUs (    16044000 bytes) in      1053536 us => 10877.6539 p/s,  121.8297 Mb/s
8839(1445007883)#traffic-generator (INFO): Port   37:     13862 SDUs (    19406800 bytes) in      1000525 us => 13854.7263 p/s,  155.1729 Mb/s
8839(1445007884)#traffic-generator (INFO): Port   37:     15064 SDUs (    21089600 bytes) in      1000641 us => 15054.3502 p/s,  168.6087 Mb/s
8839(1445007885)#traffic-generator (INFO): Port   37:     14890 SDUs (    20846000 bytes) in      1000001 us => 14889.9851 p/s,  166.7678 Mb/s
8839(1445007886)#traffic-generator (INFO): Port   37:     15100 SDUs (    21140000 bytes) in      1000307 us => 15095.3657 p/s,  169.0681 Mb/s
8839(1445007887)#traffic-generator (INFO): Port   37:     15149 SDUs (    21208600 bytes) in      1000434 us => 15142.4282 p/s,  169.5952 Mb/s
8839(1445007888)#traffic-generator (INFO): Port   37:     15007 SDUs (    21009800 bytes) in      1000136 us => 15004.9593 p/s,  168.0555 Mb/s
8839(1445007889)#traffic-generator (INFO): Port   37:     14923 SDUs (    20892200 bytes) in      1000240 us => 14919.4193 p/s,  167.0975 Mb/s
8839(1445007890)#traffic-generator (INFO): Port   37:     15138 SDUs (    21193200 bytes) in      1000020 us => 15137.6972 p/s,  169.5422 Mb/s
8839(1445007891)#traffic-generator (INFO): Port   37:     15134 SDUs (    21187600 bytes) in      1000307 us => 15129.3553 p/s,  169.4488 Mb/s
8839(1445007892)#traffic-generator (INFO): Port   37:     15005 SDUs (    21007000 bytes) in      1000319 us => 15000.2149 p/s,  168.0024 Mb/s
8839(1445007893)#traffic-generator (INFO): Port   37:     15168 SDUs (    21235200 bytes) in      1000153 us => 15165.6797 p/s,  169.8556 Mb/s
8839(1445007894)#traffic-generator (INFO): Port   37:     10537 SDUs (    14751800 bytes) in      1000029 us => 10536.6944 p/s,  118.0110 Mb/s
8839(1445007895)#traffic-generator (INFO): Port   37:     15191 SDUs (    21267400 bytes) in      1000373 us => 15185.3359 p/s,  170.0758 Mb/s
8839(1445007896)#traffic-generator (INFO): Port   37:     15158 SDUs (    21221200 bytes) in      1000034 us => 15157.4846 p/s,  169.7638 Mb/s
8839(1445007897)#traffic-generator (INFO): Port   37:     15114 SDUs (    21159600 bytes) in      1000134 us => 15111.9750 p/s,  169.2541 Mb/s
8839(1445007897)#traffic-generator (INFO): Port   37:    292605 SDUs,    409647000 bytes in     20000 ms, 163.8588 Mb/s
8839(1445007897)#traffic-generator (INFO): Flow torn down remotely [port-id = 37]