Rahu Network Access Server
Neutron [email protected]
RahuNAS Core Team
September 27, 2009, Debian MiniDebConf 2009, Taiwan
Introduction

What is RahuNAS?

Word combination
Rahu: the daemon that swallows the sun or the moon
NAS: Network Access Server

Short description
RahuNAS is an extended ipset (an iptables/netfilter extension) plus a daemon and helper scripts, which together provide a web-based network authentication system, i.e. a captive portal.
Where is RahuNAS in the network?
(network diagram, not reproduced in this text: RahuNAS sits in the forwarding path between the user networks and the Internet)
Software Goals

Fast: does not delay packet forwarding too much.
More stable: available whenever users request access.
Traffic control: able to control each user's bandwidth.
Scalable: able to handle multiple networks.
System Requirements

Debian GNU/Linux 5.0 (Lenny): server OS
iptables/netfilter (with ipset + RahuNAS patch): netfilter itself is included with the mainstream kernel
ipset with RahuNAS patch: the "special firewall"
FreeRADIUS: AAA (Authentication, Authorization, Accounting)
PostgreSQL: database to store user information
DHCP and DNS server
Existing captive portal software

chillispot: open source Linux daemon
CoovaChilli: open source software access controller, based on chillispot
captivator-gw: open source, Perl-based, written by Dale W. Carder at the University of Wisconsin Board of Regents
etc.
Review of existing software: chillispot

Advantages
Well known, used worldwide.

Disadvantages
The daemon is not stable enough under high load.
The project seems to be abandoned.
It does not scale well; it may or may not run multiple networks on a single server.
Some overhead over the tunneling interface (tunX, tapX), which is sometimes a bottleneck.
Review of existing software: CoovaChilli

Advantages
Project still alive.
More documentation and tools than chillispot.
Fewer problems when migrating from chillispot.

Disadvantages
The major disadvantages are the same as chillispot's.
Review of existing software: captivator-gw

Advantages
Simple.
Scalable, capable of handling multiple networks.

Disadvantages
Simple firewall technique: every additional user adds more rules, so in theory it slows down as the user count grows.
Why was RahuNAS born?

Problem
As mentioned before, none of the existing software actually matches our software goals.

Solution
A. Look for yet another piece of software? or
B. Build it myself?

Answer
B. Build it myself ← RahuNAS was born here
How to meet the software goals?

If our software meets the 4 major goals
Fast
More stable
Traffic control
Scalable
it is enough for our simple authentication system.
Meet Fast

Most wanted: we need the "special firewalls".

Special firewalls
High number of rules: fast matching algorithms.
Often changed rules: storage structures which can be changed fast.
Low-RAM machines: memory-optimized storage structures.
Reference (for this and the following comparison slides): Jozsef Kadlecsik, 6th Netfilter Workshop, Paris, 29.09.2008
Special firewalls: iptables?
High number of rules: slow (linear evaluation).
Often changed rules: slow (the whole rule set is passed back and forth between kernel and userspace when adding or deleting a single rule; rules are stored in a blob).
Medium RAM requirements.
Special firewalls: nf-hipac?
nf-hipac: http://www.hipac.org/
High number of rules: fast (complex matching algorithms).
Often changed rules: fast (just the new or to-be-deleted rule is passed; hashes, trees).
Memory requirements: ?
Special firewalls: ipset?
ipset: http://ipset.netfilter.org/
High number of rules: fast (simple algorithms).
Often changed rules: fast (just the new or to-be-deleted rule is passed; arrays, hashes, trees).
Memory requirements can be low.
Choices
A. nf-hipac
B. ipset

Choosing
B. ipset ← a good choice, simpler than nf-hipac.

Then hack
hack: macipmap → rahunas (a new set type derived from macipmap)
reason: authentication systems conventionally use the IP address and the MAC address together to identify a user.
why: the set needs to record each user's idle time for idle-timeout checking.
todo: add the code that records each user's idle time.
Before
# ipset -nL
Name: rahunasnet
Type: macipmap
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE
Bindings:
After
# ipset -nL
Name: rahunasnet
Type: rahunas
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
Bindings:
How to record the idle time?

Idle time reset condition
192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
Authenticated user's packet → RahuNAS → Internet
Authenticated user's packet ← RahuNAS ← Internet
192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 0 seconds
Any packet in either direction that matches an authenticated entry resets that entry's idle counter to 0 seconds; the idle-timeout check then compares the counter against the configured limit.
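The userspace half of the idle-timeout check, as an added example that is not RahuNAS project code: a helper reads the listing of the patched "rahunas" set type (the "IP:MAC ==> idle N seconds" member lines shown above) and prints the logout command for every member idle longer than the limit. The listing embedded below is constructed test data; the set name, the 600-second limit and the ipset 2.x style "ipset -D SETNAME IP:MAC" delete syntax are assumptions.

```shell
#!/bin/sh
# Added example, not RahuNAS project code.
# idle_timeouts SETNAME LIMIT_SECONDS   (the "ipset -nL SETNAME" listing on stdin)
# Prints one "ipset -D SETNAME IP:MAC" line per member whose idle time
# exceeds LIMIT_SECONDS. Only the Members: block is parsed; the header
# lines (Name, Type, References, ...) are skipped.
idle_timeouts() {
    awk -v setname="$1" -v limit="$2" '
        /^Members:/  { in_members = 1; next }
        /^Bindings:/ { in_members = 0; next }
        # member line: <IP:MAC> ==> idle <N> seconds
        in_members && $2 == "==>" && $3 == "idle" && ($4 + 0) > limit {
            printf "ipset -D %s %s\n", setname, $1
        }'
}

# Constructed listing in the format of the "After" slide: two members,
# one of them idle for longer than ten minutes (assumed limit).
SAMPLE_LISTING='Name: rahunasnet
Type: rahunas
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
192.168.1.27:00:11:22:33:44:55 ==> idle 734 seconds
Bindings:'

# expired_members SETNAME LIMIT -> logout commands for the sample listing
expired_members() {
    printf '%s\n' "$SAMPLE_LISTING" | idle_timeouts "$1" "$2"
}

# Against a live system this would be:
#   ipset -nL rahunasnet | idle_timeouts rahunasnet 600 | sh
expired_members rahunasnet 600
```

Deleting the set entry directly removes the user's access but bypasses the daemon's own state database, so in a real deployment the helper would report the expiry to the daemon (which also owns the RADIUS accounting stop) rather than running the delete itself.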
Meet More Stable

RahuNAS daemon
Keep it simple and stupid: it does not try to handle any complex tasks.
Provides an internal state database powered by SQLite3, so it resumes operation after accidents such as power loss or a daemon crash.
RahuNAS daemon
Written in C.
License GPL-2, 100% open source.
GLib
libgnet (XML-RPC server/client)
RahuNAS daemon security
Listens on localhost (127.0.0.1) only; the web-based login page runs on the same host. Binding to the loopback address keeps the XML-RPC interface off the network, but any process on the same host can still reach it, so the host itself must be kept trustworthy.
TODO: add encryption between the XML-RPC server and client; needed if we want to run RahuNAS and the web-based login page on different hosts.
Web-based login
iptables rules intercept unauthenticated connections and redirect them to the web-based login page.
Apache2 and PHP5 serve the users' login requests.
PHP PEAR is used for the FreeRADIUS and XML-RPC communication.
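The interception described above, as an added example that is not RahuNAS project code: a generator for the iptables and ipset rules a captive portal needs around a set of authenticated IP+MAC pairs, printed rather than applied so it can be run unprivileged. The LAN interface eth1, the set name rahunasnet, the login page on the gateway itself at 192.168.1.1:80 and the ipset 6 command syntax ("ipset create", "--match-set") are all assumptions; the 2009 deck uses the older ipset 2.x CLI ("ipset -N", "-m set --set NAME src").

```shell
#!/bin/sh
# Added example, not RahuNAS project code. All names below are hypothetical.
# gen_rules LAN_IF SET_NAME CIDR LOGIN_IP LOGIN_PORT
# Prints the commands; pipe the output to "sh" as root to apply them.
gen_rules() {
    lan="$1"; setname="$2"; cidr="$3"; login_ip="$4"; login_port="$5"
    cat <<EOF
# Authenticated clients, keyed on IP and MAC together, so that another host
# cannot take over a session simply by reusing the IP address.
ipset -exist create $setname bitmap:ip,mac range $cidr
# Unauthenticated HTTP from the LAN is sent to the login page.
iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -m set ! --match-set $setname src -j DNAT --to-destination $login_ip:$login_port
# Replies to established flows are accepted first: the client's MAC is not
# visible on the return path, so the set cannot be matched there.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only IP+MAC pairs in the set may open new flows towards the Internet.
iptables -A FORWARD -i $lan -m set --match-set $setname src -j ACCEPT
# Everything else from the LAN is dropped, so non-HTTP protocols cannot
# bypass the portal.
iptables -A FORWARD -i $lan -j DROP
# Unauthenticated clients still need DNS and the login page itself.
iptables -A INPUT -i $lan -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport $login_port -j ACCEPT
EOF
}

# login_cmd SET_NAME IP MAC  -> what the daemon runs after RADIUS accepts
login_cmd()  { printf 'ipset add %s %s,%s\n' "$1" "$2" "$3"; }
# logout_cmd SET_NAME IP MAC -> the same for logout or idle timeout
logout_cmd() { printf 'ipset del %s %s,%s\n' "$1" "$2" "$3"; }

gen_rules eth1 rahunasnet 192.168.1.0/24 192.168.1.1 80
login_cmd rahunasnet 192.168.1.13 00:AA:BB:CC:DD:EE
```

Only port 80 is redirected; HTTPS and every other protocol from an unauthenticated client simply hit the DROP rule, which is the usual behaviour for a portal. ipset 6 also has a per-entry "timeout" option, but it is an absolute lifetime, not an idle timer; the "counters" extension (packets and bytes per member) is the closest stock substitute for the idle counter the rahunas set type adds.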
Meet Traffic Control

RahuNAS daemon
To keep it simple, the daemon does not handle traffic control itself but leaves it to iproute2 (tc).
BitTorrent blocking is optional (layer 7 filter extension needed).
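The tc side that the daemon delegates, as an added example that is not RahuNAS project code: per-user download shaping with an HTB class and a u32 filter per authenticated client, again printed rather than executed. The interface eth1, the rates, and the scheme of deriving class id and filter priority from the last octet of the client's /24 address are assumptions.

```shell
#!/bin/sh
# Added example, not RahuNAS project code. Names and numbers are hypothetical.
# shaper_init IFACE TOTAL_RATE -> root HTB qdisc; unclassified traffic lands
# in class 1:2, which is kept small for unauthenticated hosts.
shaper_init() {
    cat <<EOF
tc qdisc add dev $1 root handle 1: htb default 2
tc class add dev $1 parent 1: classid 1:1 htb rate $2
tc class add dev $1 parent 1:1 classid 1:2 htb rate 64kbit ceil $2
EOF
}

# user_idx IP -> 10 + last octet, used as both class minor id and filter
# priority so that each host in the /24 gets its own class and its filter
# can later be deleted by priority alone (u32 filters cannot be deleted
# by match).
user_idx() {
    last="${1##*.}"
    echo "$((last + 10))"
}

# user_limit IFACE IP RATE CEIL -> run at login
user_limit() {
    n=$(user_idx "$2")
    cat <<EOF
tc class add dev $1 parent 1:1 classid 1:$n htb rate $3 ceil $4
tc filter add dev $1 protocol ip parent 1: prio $n u32 match ip dst $2/32 flowid 1:$n
EOF
}

# user_unlimit IFACE IP -> run at logout or idle timeout
user_unlimit() {
    n=$(user_idx "$2")
    cat <<EOF
tc filter del dev $1 parent 1: prio $n
tc class del dev $1 classid 1:$n
EOF
}

shaper_init eth1 100mbit
user_limit eth1 192.168.1.13 512kbit 2mbit
```

This shapes only what leaves the LAN interface towards the client (download). Upload would be shaped the same way on the WAN interface with "match ip src", or on an IFB device if it has to be done on ingress.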
Meet Scalable

RahuNAS daemon
Provides authentication for multiple networks.
VLANs or two or more NICs can be handled by a single server.
RahuNAS in action

Proof-of-concept code test
After all the hacks and some coding from scratch, we finally have a simple authentication system which meets the 4 major goals. Now it needs to be tested.
RahuNAS login page (screenshot)
RahuNAS performance
Graphs (site reference: Khon Kaen University, Thailand):
more than 2000 concurrent users
a whole week
bandwidth status
Additional tools in the RahuNAS project
RahuNAS Drupal module
RahuNAS Drupal theme (based on RootCandy)
RahuNAS Cacti plugin
RahuNAS Drupal module
Description
The RahuNAS Drupal module is a simple FreeRADIUS account manager. It is a Drupal 6 module and takes advantage of Drupal's good design. It also includes simple user access data reports and graphs.
Written by Suriya Soutmun (RahuNAS Core Team)
RahuNAS Drupal module and theme (screenshot)
RahuNAS Cacti plugin
Description
The RahuNAS Cacti plugin adds functions to Cacti such as RahuNAS client monitoring and configuration settings; the Cacti plugin architecture is required (patch needed). Cacti is a good RRDtool-based web monitoring application.
(screenshot)
Who is using (testing) RahuNAS?
Khon Kaen University, Thailand: now running 4 servers, serving more than 6000 concurrent users
MahaThai Sueksa, North Eastern School, Khon Kaen, Thailand: now running 1 server, serving at least 150 concurrent users
Siridhon School, Surin, Thailand: now running 1 server, serving at least 200 concurrent users
Streesiriket School, Sisaket, Thailand: now running 1 server, serving at least 120 concurrent users
Manchakiri Hospital, Khon Kaen; Samrongthap Hospital, Surin
Hopefully, if it proves useful, there will be more in the future.
Debian Package

git-buildpackage
The RahuNAS and additional tools source code is in a git repository (http://git.rahunas.org), and the awesome tool git-buildpackage is used to maintain the Debian packages.

RahuNAS Debian package status
Local experimental.
Uploaded to the local repository only.
deb line
deb ftp://ftp.rahunas.org/rahunas unstable main

Package list
rahunas - RahuNAS daemon and helper scripts
rahunas-weblogin - RahuNAS web-based login support files
netfilter-extensions - netfilter extensions with ipset and the RahuNAS patch included
rahunas-config-freeradius - autogenerated config files and database preparation for FreeRADIUS to support RahuNAS
linux-image-*+rahunas - the customized kernel build with the layer 7 filter and multi-path routing patches
drupal6-mod-rahunas - RahuNAS Drupal module
drupal6-theme-rahunas+rootcandy - RahuNAS Drupal theme based on RootCandy, written by Marek Sotak
Who is sponsoring RahuNAS?
Gold sponsor: Khon Kaen University, Thailand. Provides funding for RahuNAS research and development, plus the facilities for testing.
Gold sponsor: Plawan Central Log, Thailand. Provides funding for RahuNAS research and development; now considering integrating RahuNAS into their software and distributing it in the free/open source software culture.
Special Thanks
Software Liberty Association of Taiwan, for giving me the great opportunity to talk at Debian MiniDebConf 2009.
Follow RahuNAS
Official website: http://www.rahunas.org
Debian package: ftp://ftp.rahunas.org/rahunas
Git repository: http://git.rahunas.org