OWAMP and BWCTL: Installation and Configuration

1
OWAMP and BWCTLInstallation and Configuration

• Jeff Boote (boote_at_internet2.edu)
• Network Performance Workshop

2
Overview

• Intro
• Installation
• Policy
• Partitioning Resources
• Classifying Connections
• OWAMP configuration
• owampd general configuration
• owampd policy configuration
• Testing and troubleshooting
• BWCTL configuration
• bwctld general configuration
• bwctld policy configuration
• Testing and troubleshooting

3
Review Website

• Most of the information from this talk is on the
  web sites
• http//e2epi.internet2.edu/owamp/
• http//e2epi.internet2.edu/bwctl/

4
Overview

• Intro
• Installation
• Policy
• Partitioning Resources
• Classifying Connections
• OWAMP configuration
• owampd general configuration
• owampd policy configuration
• Testing and troubleshooting
• BWCTL configuration
• bwctld general configuration
• bwctld policy configuration
• Testing and troubleshooting

5
Download

• http//e2epi.internet2.edu/owamp/download.html
• http//e2epi.internet2.edu/bwctl/download.html

6
Unpack/Build/Install

• gzip -cd owamp-VERS.tar.gz tar xf -
• cd owamp-VERS
• ./configure --prefix/ami
• --prefix is only needed if you don't like the
  default
• (/usr/local on most systems)
• make
• make install
• Does not install configuration files
• (Same process for BWCTL - do it now)

7
Overview

• Intro
• Installation
• Policy
• Partitioning Resources
• Classifying Connections
• OWAMP configuration
• owampd general configuration
• owampd policy configuration
• Testing and troubleshooting
• BWCTL configuration
• bwctld general configuration
• bwctld policy configuration
• Testing and troubleshooting

8
General Security Considerations (review)

• Do no harm
• Dont want machines to be a source of denial of
  service attacks
• On the other hand, would like them to be as
  available as possible, so as useful as possible
  for debugging
• Avoid being an attractive nuisance
• Again, obscurity lessens usefulness
• But do harden machines themselves

9
OWAMP Security Considerations

• Limit the bandwidth that can be consumed
• Limit the memory/disk that can be consumed on the
  test host

10
BWCTL Security considerations

• Limit the bandwidth that can be consumed
• Including protocol type (UDP/TCP)

11
Partitioning Resources

• Decide upon complete amount of resources it is
  acceptable for the test host to consume
• Decide how to allocate those resources among
  users
• How much disk space can be dedicated? Per group?
• How much bandwidth total? Per group?
• Keep system load in mind as well as network. The
  data accuracy will suffer if the system is too
  loaded.

12
Resources Allocated Using Hierarchical
Limitclasses

• Users are grouped into hierarchical limitclasses
• One parent-less class allowed, it defines the
  total amount of resources available
• When limitclasses are defined, limits of the one
  and only parent are inherited
• When consumable resources are requested, the
  limits of the limitclass and all parent
  limitclasses must be satisfied (memory/bandwidth/t
  imeslots)

13
Example organization of limitclasses

• Classifications of users into limitclasses
• Root Complete set of resources available
• Hostile Used to jail hostile users
• NOC Super-user limits
• Peer Extended limits for peer tests
• Normal Reasonable limits for end-users
• Open Conservative limits for anyone

14
Example Allocation for bandwidth (BWCTL)

• Available per limitclass
• Root Complete set of resources available
• Hostile No tests allowed
• NOC Inherit Root limits
• Peer Limit UDP to 500m
• Could make children limitclasses for each
  individual peer if lower limits should be applied
  to some
• Normal UDP not needed for most end users
• Open No tests allowed

15
Example limitclass definition

• total available
• limit root with \
• AllowTCPon, \
• AllowUDPon, \
• bandwidth900m
• Hostile
• limit hostile with parentroot, \
• AllowTCPoff, \
• AllowUDPoff

16
Classifying Connections

• IP/netmask
• The IP address of the client is matched against a
  list of IP netmask specified subnets and assigned
  to a limitclass based on the address of the
  client
• Username and AES key
• Client specifies a username, the server must
  already know the associated AES key
• AES key is used as a symmetric session key
• Client and Server use the key as a shared secret

17
IP/netmask matching rules

• The most specific matching mask wins
• No set bits are allowed in the address portion
  beyond the number of mask bits
• Does not need to be a real sub-net

18
Example netmask assignment setup

• loopback
• assign net /127 noc
• assign net 127.0.0.1/32 noc
• abilene nmslan (observatory systems)
• assign net 20014680/40 peer
• assign net 198.32.10.0/23 peer

19
Username and AES key rules

• Usernames are limited to 16 characters
• AES key is a 128 bit session key
• Not encrypted in the keys file, use UNIX
  permissions to protect
• Can use a pass phrase to generate the AES key
• Server use aespasswd to add pass phrase
  generated keys into the keys file
• Client application prompts user for pass phrase

20
Example key file

• joe a0167ac6101b360d2f4dd164abba2337
• bob 2dc36fc4807894cdfbe180b71d2b4a0f
• sam 3fc763fb270ce6ba6e928bd10d4977d3

21
aespasswd

• Similar command-line to htpasswd (apache web
  server)
• Specify an identity to be added to a key file,
  prompted for a passphrase
• http//e2epi.internet2.edu/owamp/aespasswd.man.htm
  l

22
Example username/key assignment setup

• local super users
• assign user boote noc
• assign user joe noc
• peers
• assign user warren peer
• assign user bob peer
• normal
• assign user sam normal

23
Overview

• Intro
• Installation
• Policy
• Partitioning Resources
• Classifying Connections
• OWAMP configuration
• owampd general configuration
• owampd policy configuration
• Testing and troubleshooting
• BWCTL configuration
• bwctld general configuration
• bwctld policy configuration
• Testing and troubleshooting

24
Configure (owampd.conf)

• http//e2epi.internet2.edu/owamp/owampd.conf.man.h
  tml
• These parameters control how the owampd runs
• General operations such as where it reports its
  errors and where it stores buffered data files.
• Most installations will only need to modify
• datadir
• vardir
• user
• group

25
Configure (owampd.limits)

• http//e2epi.internet2.edu/owamp/owampd.limits.man
  .html
• Two parts
• Authentication
• Who is making the request?
• Authorization
• What is that identity allowed to do?

26
Configure (owampd.limits)

• Authentication is done by assigning a limitclass
  to each new connection as it comes in
• IP/netmask method
• assign net 127.0.0.1/32 noc
• username method
• assign user boote noc

27
Configure (owampd.limits)

• Authorization is done by associating a set of
  hierarchical limits with each limitclass and
  verifying that each incoming request adheres to
  them.
• Limit root with \
• Disk100M, \
• Bandwidth0, \
• Delete_on_fetchon, \
• Allow_open_modeoff
• Limit noc with parentroot, \
• Allow_open_modeon

28
Configure (owampd.keys)

• http//e2epi.internet2.edu/owamp/owampd.keys.man.h
  tml
• http//e2epi.internet2.edu/owamp/aespasswd.man.htm
  l
• Used to hold the username/AESKey pairing
  information for the daemon.
• Use the aespasswd program to generate a key if
  you want a passphrase associated with it

29
Starting owampd

• http//e2epi.internet2.edu/owamp/owampd.man.html
• start in foreground during testing
• /usr/local/bin/owampd -c /usr/local/etc -Z

30
Testing (owping)

• http//e2epi.internet2.edu/owamp/owping.man.html
• Simple localhost test
• /ami/bin/owping localhost
• Test to Internet2 test host
• /ami/bin/owping nmsy-aami.abilene.ucaid.edu
• Others
• /usr/local/bin/owping otherhost

31
Troubleshooting

• No control connection
• Control connection denied
• 100 packet loss in test streams
• Clock offset (ntpq, loss timeout)
• Firewall

32
Overview

• Intro
• Installation
• Policy
• Partitioning Resources
• Classifying Connections
• OWAMP configuration
• owampd general configuration
• owampd policy configuration
• Testing and troubleshooting
• BWCTL configuration
• bwctld general configuration
• bwctld policy configuration
• Testing and troubleshooting

33
Configure (bwctld.conf)

• http//e2epi.internet2.edu/bwctl/bwctld.conf.man.h
  tml
• These parameters control how the bwctld runs
• General operations such as where it reports its
  errors and other daemon wide configuration
  options
• Most installations will only need to modify
• vardir
• user
• group

34
Configure (bwctld.limits)

• http//e2epi.internet2.edu/bwctl/bwctld.limits.man
  .html
• Two parts
• Authentication
• Who is making the request?
• Authorization
• What is that identity allowed to do?

35
Configure (bwctld.limits)

• Authentication is done by assigning a limitclass
  to each new connection as it comes in
• IP/netmask method
• assign net 127.0.0.1/32 noc
• username method
• assign user boote noc

36
Configure (bwctld.limits)

• Authorization is done by associating a set of
  hierarchical limits with each limitclass and
  verifying that each incoming request adheres to
  them.
• Limit root with \
• bandwidth900m, \
• duration0, \
• allow_tcpon, \
• allow_udpon, \
• allow_open_modeoff
• Limit noc with parentroot, \
• Allow_open_modeon

37
Configure (bwctld.keys)

• http//e2epi.internet2.edu/bwctl/owampd.keys.man.h
  tml
• http//e2epi.internet2.edu/bwctl/aespasswd.man.htm
  l
• Used to hold the username/AESKey pairing
  information for the daemon.
• Use the aespasswd program to generate a key if
  you want a passphrase associated with it

38
Testing bwctl

• http//e2epi.internet2.edu/bwctl/bwctl.man.html
• Try to create a test from the Internet2 test
  host
• /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A
  AESKEY jimbob
• Try to create a test toward the Internet2 test
  host
• /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A
  AESKEY jimbob

39
Starting bwctld

• http//e2epi.internet2.edu/bwctl/bwctld.man.html
• start in foreground during testing
• /usr/local/bin/bwctld -c /usr/local/etc -Z

40
Testing bwctl (With Your Daemon)

• If there is a local daemon running, the bwctl
  client will automatically connect to it to
  schedule the local resources instead of running
  the test directly. (The same command-lines are
  used from above to test this.)
• Try to create a test from the Internet2 test
  host
• /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A
  AESKEY jimbob
• Try to create a test toward the Internet2 test
  host
• /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A
  AESKEY jimbob

41
Testing bwctl (3-Party)

• The bwctl client can be used to request a test
  between 2 other hosts
• If you have the same identity on the two hosts
• /ami/bin/bwctl -s sendhost -c recvhost -A A
  AESKEY jimbob
• If you have different identities, you must append
  the auth args after the host
• /ami/bin/bwctl -s sendhost A AESKEY jim -c
  recvhost A AESKEY bob

42
Troubleshooting

• No control connection
• Control connection denied
• Initial control connection works - peer
  connection fails
• Scheduling problems
• Iperf connections fail
• Iperf results are bad

43
Questions?/Review?

• Intro
• Installation
• Policy
• Partitioning Resources
• Classifying Connections
• OWAMP configuration
• owampd general configuration
• owampd policy configuration
• Testing and troubleshooting
• BWCTL configuration
• bwctld general configuration
• bwctld policy configuration
• Testing and troubleshooting

44
www.internet2.edu