View
218
Download
1
Category
Tags:
Preview:
Citation preview
10-Jun-2005
OWAMP and BWCTL:Installation and Configuration
Jeff Boote (boote@internet2.edu)
Network Performance Workshop
2005-Mar-22 2Policies and Procedures
Overview
•Intro
•Installation
•Policy• Partitioning Resources• Classifying Connections
•OWAMP configuration• owampd general configuration• owampd policy configuration• Testing and troubleshooting
•BWCTL configuration• bwctld general configuration• bwctld policy configuration• Testing and troubleshooting
2005-Mar-22 3Policies and Procedures
Review Website
•Most of the information from this talk is on the web sites:
http://e2epi.internet2.edu/owamp/
http://e2epi.internet2.edu/bwctl/
2005-Mar-22 4Policies and Procedures
Overview
•Intro
•Installation
•Policy• Partitioning Resources• Classifying Connections
•OWAMP configuration• owampd general configuration• owampd policy configuration• Testing and troubleshooting
•BWCTL configuration• bwctld general configuration• bwctld policy configuration• Testing and troubleshooting
2005-Mar-22 5Policies and Procedures
Download
•http://e2epi.internet2.edu/owamp/download.html
•http://e2epi.internet2.edu/bwctl/download.html
2005-Mar-22 6Policies and Procedures
Unpack/Build/Install
%gzip -cd owamp-$VERS.tar.gz | tar xf -
%cd owamp-$VERS
%./configure --prefix=/ami#--prefix is only needed if you don't like the default#(/usr/local on most systems)
%make
%make installDoes not install configuration files
(Same process for BWCTL - do it now)
2005-Mar-22 7Policies and Procedures
Overview
•Intro
•Installation
•Policy• Partitioning Resources• Classifying Connections
•OWAMP configuration• owampd general configuration• owampd policy configuration• Testing and troubleshooting
•BWCTL configuration• bwctld general configuration• bwctld policy configuration• Testing and troubleshooting
2005-Mar-22 8Policies and Procedures
General Security Considerations (review)
•Do no harm•Don’t want machines to be a source of denial of service attacks
•On the other hand, would like them to be as available as possible, so as useful as possible for debugging
•Avoid being an attractive nuisance•Again, obscurity lessens usefulness•But do harden machines themselves
2005-Mar-22 9Policies and Procedures
OWAMP Security Considerations
•Limit the bandwidth that can be consumed
•Limit the memory/disk that can be consumed on the test host
2005-Mar-22 10Policies and Procedures
•BWCTL Security considerations
•Limit the bandwidth that can be consumed
• Including protocol type (UDP/TCP)
2005-Mar-22 11Policies and Procedures
•Partitioning Resources
•Decide upon complete amount of resources it is acceptable for the test host to consume
•Decide how to allocate those resources among users•How much disk space can be dedicated? Per group?•How much bandwidth total? Per group?• Keep system load in mind as well as network. The data accuracy will suffer if the system is too loaded.
2005-Mar-22 12Policies and Procedures
Resources Allocated Using Hierarchical Limitclasses
•Users are grouped into hierarchical limitclasses
•One parent-less class allowed, it defines the total amount of resources available
•When limitclasses are defined, limits of the one and only parent are inherited
•When consumable resources are requested, the limits of the limitclass and all parent limitclasses must be satisfied (memory/bandwidth/timeslots)
2005-Mar-22 13Policies and Procedures
•Classifications of users into limitclasses•Root: Complete set of resources available
•Hostile: Used to “jail” hostile users
•NOC: Super-user limits
•Peer: Extended limits for peer tests
•Normal: Reasonable limits for end-users
•Open == Conservative limits for *anyone*
Example organization of limitclasses
Peer
Open
Normal
NOC Hostile
Root
2005-Mar-22 14Policies and Procedures
•Available per limitclass•Root: Complete set of resources available
•Hostile: No tests allowed
•NOC: Inherit Root limits
•Peer: Limit UDP to 500m• Could make children limitclasses for each
individual peer if lower limits should be applied to some
•Normal: UDP not needed for most end users
•Open: No tests allowed
Example Allocation for bandwidth (BWCTL)
Peerbandwidth=500m
OpenAllowTCP=False
NormalAllowUDP=False
NOC HostileAllowTCP=FalseAllowUDP=False
RootAllowTCP=TrueAllowUDP=Truebandwidth=900m
2005-Mar-22 15Policies and Procedures
Example limitclass definition
# total available
limit root with \
AllowTCP=on, \
AllowUDP=on, \
bandwidth=900m
# Hostile
limit hostile with parent=root, \
AllowTCP=off, \
AllowUDP=off
2005-Mar-22 16Policies and Procedures
Classifying Connections
•IP/netmask• The IP address of the client is matched against a list of IP netmask specified subnets and assigned to a limitclass based on the address of the client
•Username and AES key• Client specifies a username, the server must already know the associated AES key
• AES key is used as a symmetric session key–Client and Server use the key as a shared secret
2005-Mar-22 17Policies and Procedures
IP/netmask matching rules
•The most specific matching mask wins
•No set bits are allowed in the address portion beyond the number of mask bits
•Does not need to be a “real” sub-net
2005-Mar-22 18Policies and Procedures
Example netmask assignment setup
# loopback
assign net ::/127 noc
assign net 127.0.0.1/32 noc
# abilene nmslan (observatory systems)
assign net 2001:468:0::/40 peer
assign net 198.32.10.0/23 peer
2005-Mar-22 19Policies and Procedures
Username and AES key rules
•Usernames are limited to 16 characters
•AES key is a 128 bit session key
•Not encrypted in the keys file, use UNIX permissions to protect
•Can use a pass phrase to generate the AES key
• Server: use aespasswd to add pass phrase generated keys into the keys file
• Client: application prompts user for pass phrase
2005-Mar-22 20Policies and Procedures
Example key file
joe a0167ac6101b360d2f4dd164abba2337
bob 2dc36fc4807894cdfbe180b71d2b4a0f
sam 3fc763fb270ce6ba6e928bd10d4977d3
2005-Mar-22 21Policies and Procedures
aespasswd
•Similar command-line to htpasswd (apache web server)
•Specify an identity to be added to a key file, prompted for a passphrase
http://e2epi.internet2.edu/owamp/aespasswd.man.html
2005-Mar-22 22Policies and Procedures
Example username/key assignment setup
# local super users
assign user boote noc
assign user joe noc
# peers
assign user warren peer
assign user bob peer
# normal
assign user sam normal
2005-Mar-22 23Policies and Procedures
Overview
•Intro
•Installation
•Policy• Partitioning Resources• Classifying Connections
•OWAMP configuration• owampd general configuration• owampd policy configuration• Testing and troubleshooting
•BWCTL configuration• bwctld general configuration• bwctld policy configuration• Testing and troubleshooting
2005-Mar-22 24Policies and Procedures
Configure (owampd.conf)
http://e2epi.internet2.edu/owamp/owampd.conf.man.html
• These parameters control how the owampd runs–General operations such as where it reports its errors
and where it stores buffered data files.
• Most installations will only need to modify–datadir–vardir–user–group
2005-Mar-22 25Policies and Procedures
Configure (owampd.limits)
http://e2epi.internet2.edu/owamp/owampd.limits.man.html
Two parts:
1. AuthenticationWho is making the request?
2. AuthorizationWhat is that identity allowed to do?
2005-Mar-22 26Policies and Procedures
Configure (owampd.limits)
Authentication is done by assigning a limitclass to each new connection as it comes in
IP/netmask method:
assign net 127.0.0.1/32 noc
username method:
assign user boote noc
2005-Mar-22 27Policies and Procedures
Configure (owampd.limits)
Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.
Limit root with \Disk=100M, \Bandwidth=0, \Delete_on_fetch=on, \Allow_open_mode=off
Limit noc with parent=root, \Allow_open_mode=on
2005-Mar-22 28Policies and Procedures
Configure (owampd.keys)
http://e2epi.internet2.edu/owamp/owampd.keys.man.html
http://e2epi.internet2.edu/owamp/aespasswd.man.html
•Used to hold the username/AESKey pairing information for the daemon.
•Use the aespasswd program to generate a key if you want a passphrase associated with it
2005-Mar-22 29Policies and Procedures
Starting owampd
http://e2epi.internet2.edu/owamp/owampd.man.html
•start in foreground during testing• /usr/local/bin/owampd -c /usr/local/etc -Z
2005-Mar-22 30Policies and Procedures
Testing (owping)
http://e2epi.internet2.edu/owamp/owping.man.html
Simple localhost test:• /ami/bin/owping localhost
Test to Internet2 test host:• /ami/bin/owping nmsy-aami.abilene.ucaid.edu
Others:• /usr/local/bin/owping otherhost
2005-Mar-22 31Policies and Procedures
Troubleshooting
•No control connection
•Control connection denied
•100% packet loss in test streams•Clock offset (ntpq, loss timeout)•Firewall
2005-Mar-22 32Policies and Procedures
Overview
•Intro
•Installation
•Policy• Partitioning Resources• Classifying Connections
•OWAMP configuration• owampd general configuration• owampd policy configuration• Testing and troubleshooting
•BWCTL configuration• bwctld general configuration• bwctld policy configuration• Testing and troubleshooting
2005-Mar-22 33Policies and Procedures
Configure (bwctld.conf)
http://e2epi.internet2.edu/bwctl/bwctld.conf.man.html
•These parameters control how the bwctld runs• General operations such as where it reports its errors and
other daemon wide configuration options
•Most installations will only need to modify• vardir• user• group
2005-Mar-22 34Policies and Procedures
Configure (bwctld.limits)
http://e2epi.internet2.edu/bwctl/bwctld.limits.man.html
Two parts:1. Authentication
Who is making the request?
2. AuthorizationWhat is that identity allowed to do?
2005-Mar-22 35Policies and Procedures
Configure (bwctld.limits)
Authentication is done by assigning a limitclass to each new connection as it comes in
IP/netmask method:
assign net 127.0.0.1/32 noc
username method:
assign user boote noc
2005-Mar-22 36Policies and Procedures
Configure (bwctld.limits)
Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.
Limit root with \bandwidth=900m, \duration=0, \allow_tcp=on, \allow_udp=on, \allow_open_mode=off
Limit noc with parent=root, \Allow_open_mode=on
2005-Mar-22 37Policies and Procedures
Configure (bwctld.keys)
http://e2epi.internet2.edu/bwctl/owampd.keys.man.html
http://e2epi.internet2.edu/bwctl/aespasswd.man.html
•Used to hold the username/AESKey pairing information for the daemon.
•Use the aespasswd program to generate a key if you want a passphrase associated with it
2005-Mar-22 38Policies and Procedures
Testing bwctl
http://e2epi.internet2.edu/bwctl/bwctl.man.html
Try to create a test from the Internet2 test host:% /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Try to create a test toward the Internet2 test host:% /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
2005-Mar-22 39Policies and Procedures
Starting bwctld
http://e2epi.internet2.edu/bwctl/bwctld.man.html
•start in foreground during testing• /usr/local/bin/bwctld -c /usr/local/etc -Z
2005-Mar-22 40Policies and Procedures
Testing bwctl (With Your Daemon)
If there is a local daemon running, the bwctl client will automatically connect to it to schedule the local resources instead of running the test directly. (The same command-lines are used from above to test this.)
Try to create a test from the Internet2 test host:% /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Try to create a test toward the Internet2 test host:% /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
2005-Mar-22 41Policies and Procedures
Testing bwctl (3-Party)
The bwctl client can be used to request a test between 2 other hosts
If you have the same identity on the two hosts:% /ami/bin/bwctl -s sendhost -c recvhost -A A AESKEY jimbob
If you have different identities, you must append the auth args after the host:
% /ami/bin/bwctl -s sendhost A AESKEY jim -c recvhost A AESKEY bob
2005-Mar-22 42Policies and Procedures
Troubleshooting
•No control connection
•Control connection denied
•Initial control connection works - peer connection fails
•Scheduling problems
•Iperf connections fail
•Iperf results are bad
2005-Mar-22 43Policies and Procedures
Questions?/Review?
•Intro
•Installation
•Policy• Partitioning Resources• Classifying Connections
•OWAMP configuration• owampd general configuration• owampd policy configuration• Testing and troubleshooting
•BWCTL configuration• bwctld general configuration• bwctld policy configuration• Testing and troubleshooting
www.internet2.edu
Recommended