OWAMP and BWCTL: Installation and Configuration Jeff Boote (boote@internet2.edu) Network Performance Workshop
Overview • Intro • Installation • Policy • Partitioning Resources • Classifying Connections • OWAMP configuration • owampd general configuration • owampd policy configuration • Testing and troubleshooting • BWCTL configuration • bwctld general configuration • bwctld policy configuration • Testing and troubleshooting
Review Website • Most of the information from this talk is on the web sites: http://e2epi.internet2.edu/owamp/ http://e2epi.internet2.edu/bwctl/
Download • http://e2epi.internet2.edu/owamp/download.html • http://e2epi.internet2.edu/bwctl/download.html
Unpack/Build/Install
• gzip -cd owamp-$VERS.tar.gz | tar xf -
• cd owamp-$VERS
• ./configure --prefix=/ami
• --prefix is only needed if you don't like the default (/usr/local on most systems)
• make
• make install
Does not install configuration files. (Same process for BWCTL; do it now.)
General Security Considerations (review) • Do no harm • Don’t want machines to be a source of denial of service attacks • On the other hand, would like them to be as available as possible, so as useful as possible for debugging • Avoid being an attractive nuisance • Again, obscurity lessens usefulness • But do harden machines themselves
OWAMP Security Considerations • Limit the bandwidth that can be consumed • Limit the memory/disk that can be consumed on the test host
BWCTL Security considerations • Limit the bandwidth that can be consumed • Including protocol type (UDP/TCP)
Partitioning Resources • Decide upon complete amount of resources it is acceptable for the test host to consume • Decide how to allocate those resources among users • How much disk space can be dedicated? Per group? • How much bandwidth total? Per group? • Keep system load in mind as well as network. The data accuracy will suffer if the system is too loaded.
Resources Allocated Using Hierarchical Limitclasses • Users are grouped into hierarchical limitclasses • Exactly one parent-less class is allowed; it defines the total amount of resources available • Every other limitclass names exactly one parent and inherits that parent's limits • When consumable resources are requested, the limits of the limitclass and of all its parent limitclasses must be satisfied (memory/bandwidth/timeslots)
Example organization of limitclasses • Classifications of users into limitclasses • Root: Complete set of resources available • Hostile: Used to “jail” hostile users • NOC: Super-user limits • Peer: Extended limits for peer tests • Normal: Reasonable limits for end-users • Open: Conservative limits for anyone
Example Allocation for bandwidth (BWCTL) • Available per limitclass • Root: Complete set of resources available • Hostile: No tests allowed • NOC: Inherit Root limits • Peer: Limit UDP to 500m • Could make children limitclasses for each individual peer if lower limits should be applied to some • Normal: UDP not needed for most end users • Open: No tests allowed
Example limitclass definition
# total available
limit root with \
    AllowTCP=on, \
    AllowUDP=on, \
    bandwidth=900m
# Hostile
limit hostile with parent=root, \
    AllowTCP=off, \
    AllowUDP=off
Classifying Connections • IP/netmask • The IP address of the client is matched against a list of IP netmask specified subnets and assigned to a limitclass based on the address of the client • Username and AES key • Client specifies a username, the server must already know the associated AES key • AES key is used as a symmetric session key • Client and Server use the key as a shared secret
IP/netmask matching rules • The most specific matching mask wins • No bits may be set in the address beyond the mask length (the host bits must be zero) • The prefix does not need to be a “real” sub-net
Example netmask assignment setup
# loopback
assign net ::/127 noc
assign net 127.0.0.1/32 noc
# abilene nmslan (observatory systems)
assign net 2001:468:0::/40 peer
assign net 198.32.10.0/23 peer
Username and AES key rules • Usernames are limited to 16 characters • The AES key is a 128-bit session key • Keys are stored unencrypted in the keys file; protect the file with UNIX permissions • A pass phrase can be used to generate the AES key • Server: use aespasswd to add pass phrase generated keys to the keys file • Client: the application prompts the user for the pass phrase
Example key file
joe a0167ac6101b360d2f4dd164abba2337
bob 2dc36fc4807894cdfbe180b71d2b4a0f
sam 3fc763fb270ce6ba6e928bd10d4977d3
aespasswd • Similar command-line to htpasswd (apache web server) • Specify an identity to be added to a key file, prompted for a passphrase http://e2epi.internet2.edu/owamp/aespasswd.man.html
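A check for the keys file described on the preceding slides, added here as an example; it is not part of OWAMP/BWCTL and is not the aespasswd program (the pass-phrase-to-key derivation is not reproduced). It enforces the 16-character username and 32-hex-digit (128-bit) key rules and flags group/other permission bits, since the keys sit in the file in the clear. SAMPLE_KEYS is constructed from the keys on the slide, write_sample_keys only exists to try the check on a temporary file, and treating '#' as a comment marker is an assumption.

```python
"""Checks for an owampd.keys / bwctld.keys file: 'username hexkey' per line,
username at most 16 characters, key exactly 32 hex digits (128 bits), and
no group/other permission bits since the keys are stored in the clear.
Added example, not OWAMP/BWCTL code; '#' comments are an assumption."""
import os
import re
import stat
import tempfile

KEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample using the keys shown on the slide.
SAMPLE_KEYS = """\
joe a0167ac6101b360d2f4dd164abba2337
bob 2dc36fc4807894cdfbe180b71d2b4a0f
sam 3fc763fb270ce6ba6e928bd10d4977d3
"""

def parse_keys(text):
    """Return {username: 16-byte key}; raise ValueError on a malformed entry."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'username hexkey'")
        user, hexkey = parts
        if len(user) > 16:
            raise ValueError(f"line {lineno}: username {user!r} longer than 16 characters")
        if not KEY_RE.match(hexkey):
            raise ValueError(f"line {lineno}: key for {user!r} is not 32 hex digits")
        if user in keys:
            raise ValueError(f"line {lineno}: duplicate username {user!r}")
        keys[user] = bytes.fromhex(hexkey)
    return keys

def exposed_mode_bits(path):
    """Permission bits granting group/other any access; 0 when the file is private."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)

def check_keys_file(path):
    """Parse the file and inspect its mode; return (keys, list of problems)."""
    problems, keys = [], {}
    with open(path) as f:
        text = f.read()
    try:
        keys = parse_keys(text)
    except ValueError as e:
        problems.append(str(e))
    bad = exposed_mode_bits(path)
    if bad:
        problems.append(f"{path}: mode bits {bad:03o} expose the keys; chmod 600 {path}")
    return keys, problems

def write_sample_keys(text, mode):
    """Write a constructed keys file with the given mode (for trying the check)."""
    fd, path = tempfile.mkstemp(suffix=".keys")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path
```

Run check_keys_file against the daemon's real keys file after every aespasswd edit; a file that parses cleanly but is group- or world-readable hands every listed identity to any local account.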
Example username/key assignment setup
# local super users
assign user boote noc
assign user joe noc
# peers
assign user warren peer
assign user bob peer
# normal
assign user sam normal
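To see how the rules from the Policy slides (hierarchical limitclasses, most-specific netmask wins, no set host bits, username assignment) and the owampd.limits / bwctld.limits slides later on fit together, here is a small Python policy checker. It is an added example written for this page, not OWAMP/BWCTL code. SAMPLE_LIMITS is constructed from the slide fragments; only allow_tcp, allow_udp and bandwidth are enforced (other keywords are parsed and ignored); k/m/g are assumed to be decimal multipliers; bandwidth=0 is assumed to mean no limit; '#' is assumed to start a comment.

```python
"""Policy check modelled on the owampd.limits / bwctld.limits syntax on the
slides.  Added example, not OWAMP/BWCTL code.  Assumed: only allow_tcp,
allow_udp and bandwidth are enforced (other keywords parse but are ignored),
k/m/g are decimal multipliers, bandwidth=0 means no limit, '#' starts a
comment.  SAMPLE_LIMITS is constructed from the slide fragments."""
import ipaddress

UNITS = {"k": 10**3, "m": 10**6, "g": 10**9}

SAMPLE_LIMITS = """\
# total available
limit root with allow_tcp=on, allow_udp=on, \\
    bandwidth=900m, allow_open_mode=off
limit hostile with parent=root, allow_tcp=off, allow_udp=off
limit noc with parent=root, allow_open_mode=on
limit peer with parent=root, bandwidth=500m
limit normal with parent=root, allow_udp=off, bandwidth=100m
limit open with parent=root, allow_tcp=off, allow_udp=off
assign net ::/127 noc
assign net 127.0.0.1/32 noc
assign net 2001:468:0::/40 peer
assign net 198.32.10.0/23 peer
assign net 0.0.0.0/0 open
assign user boote noc
assign user sam normal
"""

class Policy:
    def __init__(self):
        self.classes = {}  # name -> (parent or None, {limit: value})
        self.nets = []     # [(ip_network, limitclass)]
        self.users = {}    # username -> limitclass

def _value(raw):
    v = raw.strip().lower()          # on/off -> bool, 900m -> 900000000
    if v in ("on", "off"):
        return v == "on"
    if v and v[-1] in UNITS:
        return int(v[:-1]) * UNITS[v[-1]]
    return int(v)

def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_limits(text):
    pol = Policy()
    for line in _logical_lines(text):
        w = line.split()
        if len(w) >= 4 and w[0] == "limit" and w[2] == "with":
            parent, limits = None, {}
            for kv in " ".join(w[3:]).split(","):
                key, _, val = kv.partition("=")
                key = key.strip().lower()
                if key == "parent":
                    parent = val.strip()
                elif key:
                    limits[key] = _value(val)
            if parent is None and any(p is None for p, _ in pol.classes.values()):
                raise ValueError(f"{w[1]}: only one parent-less limitclass is allowed")
            if parent is not None and parent not in pol.classes:
                raise ValueError(f"{w[1]}: unknown parent {parent!r}")
            pol.classes[w[1]] = (parent, limits)
        elif len(w) == 4 and w[0] == "assign" and w[1] in ("net", "user"):
            if w[3] not in pol.classes:
                raise ValueError(f"unknown limitclass {w[3]!r}")
            if w[1] == "net":  # strict=True rejects set bits beyond the mask
                pol.nets.append((ipaddress.ip_network(w[2], strict=True), w[3]))
            else:
                pol.users[w[2]] = w[3]
        else:
            raise ValueError(f"unparseable line: {line}")
    return pol

def classify(pol, ip=None, user=None):
    """A known username wins; otherwise the most specific matching net."""
    if user in pol.users:
        return pol.users[user]
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    hits = [(n, c) for n, c in pol.nets if n.version == addr.version and addr in n]
    return max(hits, key=lambda nc: nc[0].prefixlen)[1] if hits else None

def authorize(pol, cls, request):
    """Every limitclass from cls up to the root must accept the request."""
    proto = "allow_" + request["protocol"]
    while cls is not None:
        parent, limits = pol.classes[cls]
        if not limits.get(proto, True):
            return False, f"{cls}: {proto}=off"
        cap = limits.get("bandwidth", 0)
        if cap and request.get("bandwidth", 0) > cap:
            return False, f"{cls}: bandwidth {request['bandwidth']} > {cap}"
        cls = parent
    return True, "ok"
```

Three points to notice: ip_network(strict=True) is what makes a rule like 198.32.10.1/23 fail at load time instead of silently matching the wrong hosts; classify picks the longest prefix among the matching nets, so 127.0.0.1/32 beats 0.0.0.0/0; and authorize walks the chain to the root, so the noc class, which sets no bandwidth of its own, is still capped by root's 900m and a child can only tighten what its parent allows.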
Configure (owampd.conf) http://e2epi.internet2.edu/owamp/owampd.conf.man.html • These parameters control how the owampd runs • General operations such as where it reports its errors and where it stores buffered data files. • Most installations will only need to modify • datadir • vardir • user • group
Configure (owampd.limits) http://e2epi.internet2.edu/owamp/owampd.limits.man.html Two parts: • Authentication Who is making the request? • Authorization What is that identity allowed to do?
Configure (owampd.limits)
Authentication is done by assigning a limitclass to each new connection as it comes in.
IP/netmask method:
assign net 127.0.0.1/32 noc
username method:
assign user boote noc
Configure (owampd.limits)
Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.
Limit root with \
    Disk=100M, \
    Bandwidth=0, \
    Delete_on_fetch=on, \
    Allow_open_mode=off
Limit noc with parent=root, \
    Allow_open_mode=on
Configure (owampd.keys) http://e2epi.internet2.edu/owamp/owampd.keys.man.html http://e2epi.internet2.edu/owamp/aespasswd.man.html • Used to hold the username/AESKey pairing information for the daemon. • Use the aespasswd program to generate a key if you want a passphrase associated with it
Starting owampd http://e2epi.internet2.edu/owamp/owampd.man.html • start in foreground during testing • /usr/local/bin/owampd -c /usr/local/etc -Z
Testing (owping) http://e2epi.internet2.edu/owamp/owping.man.html Simple localhost test: • /ami/bin/owping localhost Test to Internet2 test host: • /ami/bin/owping nmsy-aami.abilene.ucaid.edu Others: • /usr/local/bin/owping otherhost
Troubleshooting • No control connection • Control connection denied • 100% packet loss in test streams • Clock offset (ntpq, loss timeout) • Firewall
Configure (bwctld.conf) http://e2epi.internet2.edu/bwctl/bwctld.conf.man.html • These parameters control how the bwctld runs • General operations such as where it reports its errors and other daemon wide configuration options • Most installations will only need to modify • vardir • user • group
Configure (bwctld.limits) http://e2epi.internet2.edu/bwctl/bwctld.limits.man.html Two parts: • Authentication Who is making the request? • Authorization What is that identity allowed to do?
Configure (bwctld.limits)
Authentication is done by assigning a limitclass to each new connection as it comes in.
IP/netmask method:
assign net 127.0.0.1/32 noc
username method:
assign user boote noc
Configure (bwctld.limits)
Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.
Limit root with \
    bandwidth=900m, \
    duration=0, \
    allow_tcp=on, \
    allow_udp=on, \
    allow_open_mode=off
Limit noc with parent=root, \
    Allow_open_mode=on
Configure (bwctld.keys) http://e2epi.internet2.edu/bwctl/owampd.keys.man.html http://e2epi.internet2.edu/bwctl/aespasswd.man.html • Used to hold the username/AESKey pairing information for the daemon. • Use the aespasswd program to generate a key if you want a passphrase associated with it
Testing bwctl
http://e2epi.internet2.edu/bwctl/bwctl.man.html
Try to create a test from the Internet2 test host:
% /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Try to create a test toward the Internet2 test host:
% /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Starting bwctld http://e2epi.internet2.edu/bwctl/bwctld.man.html • start in foreground during testing • /usr/local/bin/bwctld -c /usr/local/etc -Z
Testing bwctl (With Your Daemon)
If there is a local daemon running, the bwctl client will automatically connect to it to schedule the local resources instead of running the test directly. (The same command lines as above are used to test this.)
Try to create a test from the Internet2 test host:
% /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Try to create a test toward the Internet2 test host:
% /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Testing bwctl (3-Party)
The bwctl client can be used to request a test between 2 other hosts.
If you have the same identity on the two hosts:
% /ami/bin/bwctl -s sendhost -c recvhost -A A AESKEY jimbob
If you have different identities, you must append the auth args after each host:
% /ami/bin/bwctl -s sendhost A AESKEY jim -c recvhost A AESKEY bob
Troubleshooting • No control connection • Control connection denied • Initial control connection works - peer connection fails • Scheduling problems • Iperf connections fail • Iperf results are bad
Questions?/Review? • Intro • Installation • Policy • Partitioning Resources • Classifying Connections • OWAMP configuration • owampd general configuration • owampd policy configuration • Testing and troubleshooting • BWCTL configuration • bwctld general configuration • bwctld policy configuration • Testing and troubleshooting