OWAMP and BWCTL: Installation and Configuration

Description:

http://e2epi.internet2.edu/owamp/download.html. http://e2epi.internet2. ... Again, obscurity lessens usefulness. But do harden machines themselves. 2006-Apr-05 ... – PowerPoint PPT presentation
1
OWAMP and BWCTL: Installation and Configuration
  • Jeff Boote (boote_at_internet2.edu)
  • Network Performance Workshop

2
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

3
Review Website
  • Most of the information from this talk is on the
    web sites
  • http://e2epi.internet2.edu/owamp/
  • http://e2epi.internet2.edu/bwctl/

4
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

5
Download
  • http://e2epi.internet2.edu/owamp/download.html
  • http://e2epi.internet2.edu/bwctl/download.html

6
Unpack/Build/Install
  • gzip -cd owamp-VERS.tar.gz | tar xf -
  • cd owamp-VERS
  • ./configure --prefix=/ami
  • --prefix is only needed if you don't like the
    default (/usr/local on most systems)
  • make
  • make install
  • Does not install configuration files
  • (Same process for BWCTL - do it now)

7
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

8
General Security Considerations (review)
  • Do no harm
  • Don't want machines to be a source of denial of
    service attacks
  • On the other hand, would like them to be as
    available as possible, and so as useful as possible
    for debugging
  • Avoid being an attractive nuisance
  • Again, obscurity lessens usefulness
  • But do harden machines themselves

9
OWAMP Security Considerations
  • Limit the bandwidth that can be consumed
  • Limit the memory/disk that can be consumed on the
    test host

10
BWCTL Security considerations
  • Limit the bandwidth that can be consumed
  • Including protocol type (UDP/TCP)

11
Partitioning Resources
  • Decide upon complete amount of resources it is
    acceptable for the test host to consume
  • Decide how to allocate those resources among
    users
  • How much disk space can be dedicated? Per group?
  • How much bandwidth total? Per group?
  • Keep system load in mind as well as network. The
    data accuracy will suffer if the system is too
    loaded.

12
Resources Allocated Using Hierarchical Limitclasses
  • Users are grouped into hierarchical limitclasses
  • One parent-less class is allowed; it defines the
    total amount of resources available
  • When limitclasses are defined, limits of the one
    and only parent are inherited
  • When consumable resources are requested, the
    limits of the limitclass and all parent
    limitclasses must be satisfied
    (memory/bandwidth/timeslots)

13
Example organization of limitclasses
  • Classifications of users into limitclasses
  • Root: Complete set of resources available
  • Hostile: Used to jail hostile users
  • NOC: Super-user limits
  • Peer: Extended limits for peer tests
  • Normal: Reasonable limits for end-users
  • Open: Conservative limits for anyone

14
Example Allocation for bandwidth (BWCTL)
  • Available per limitclass
  • Root: Complete set of resources available
  • Hostile: No tests allowed
  • NOC: Inherit Root limits
  • Peer: Limit UDP to 500m
  • Could make children limitclasses for each
    individual peer if lower limits should be applied
    to some
  • Normal: UDP not needed for most end users
  • Open: No tests allowed

15
Example limitclass definition
  • total available
  • limit root with \
  • AllowTCP=on, \
  • AllowUDP=on, \
  • bandwidth=900m
  • Hostile
  • limit hostile with parent=root, \
  • AllowTCP=off, \
  • AllowUDP=off
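
The inheritance and "all parents must be satisfied" rules from slides 12-15, as an added Python model that is not part of the original slides or of the bwctld source. The class names follow slide 13; the numeric limits for peer and normal, the `allow_tcp`/`allow_udp`/`bandwidth` dictionary keys and the idea of summing bandwidth across concurrent grants are assumptions made for the illustration.

```python
class LimitClass:
    """Simplified model of one limitclass (not the daemon's own code)."""

    def __init__(self, name, parent=None, **limits):
        self.name = name
        self.parent = parent
        # A class starts from its one parent's limits, then overrides them.
        self.limits = dict(parent.limits) if parent else {}
        self.limits.update(limits)
        self.in_use = 0  # bits/s currently granted through this class

    def chain(self):
        """Yield this class, then every ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def request_test(cls, proto, bandwidth):
    """Grant a test only if cls and all of its parents can satisfy it."""
    if not cls.limits.get("allow_" + proto, False):
        return False
    for node in cls.chain():
        if node.in_use + bandwidth > node.limits["bandwidth"]:
            return False
    for node in cls.chain():  # reserve at every level once all checks pass
        node.in_use += bandwidth
    return True


def release_test(cls, bandwidth):
    """Return bandwidth to the class and its parents when a test ends."""
    for node in cls.chain():
        node.in_use -= bandwidth


def build_example():
    """Constructed hierarchy loosely following slides 13-15 (bits/s)."""
    root = LimitClass("root", allow_tcp=True, allow_udp=True,
                      bandwidth=900_000_000)
    return {
        "root": root,
        "hostile": LimitClass("hostile", root, allow_tcp=False, allow_udp=False),
        "noc": LimitClass("noc", root),
        "peer": LimitClass("peer", root, bandwidth=500_000_000),
        "normal": LimitClass("normal", root, allow_udp=False,
                             bandwidth=100_000_000),
    }
```

A request from noc can be refused even though noc is below its own inherited limit, because the root total is already committed to other classes.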

16
Classifying Connections
  • IP/netmask
  • The IP address of the client is matched against a
    list of IP netmask specified subnets and assigned
    to a limitclass based on the address of the
    client
  • Username and AES key
  • Client specifies a username, the server must
    already know the associated AES key
  • AES key is used as a symmetric session key
  • Client and Server use the key as a shared secret

17
IP/netmask matching rules
  • The most specific matching mask wins
  • No set bits are allowed in the address portion
    beyond the number of mask bits
  • Does not need to be a real sub-net

18
Example netmask assignment setup
  • loopback
  • assign net /127 noc
  • assign net 127.0.0.1/32 noc
  • abilene nmslan (observatory systems)
  • assign net 20014680/40 peer
  • assign net 198.32.10.0/23 peer
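
The matching rules from slide 17 applied to `assign net` lines, as an added Python example that is not part of the original slides or of the daemons' source. The 127.0.0.1/32 and 198.32.10.0/23 lines come from the slide; the /16 and /25 lines are constructed to create overlapping matches, and the `fallback` class for unmatched clients is an assumption.

```python
import ipaddress

# Constructed rule set: two lines from the slide plus two overlapping ones.
RULES_TEXT = """
assign net 127.0.0.1/32 noc
assign net 198.32.10.0/23 peer
assign net 198.32.0.0/16 normal
assign net 198.32.11.128/25 hostile
"""


def parse_assign_net(line):
    """Parse 'assign net ADDR/BITS CLASS' into (network, limitclass)."""
    words = line.split()
    if len(words) != 4 or words[:2] != ["assign", "net"]:
        raise ValueError(f"not an 'assign net' line: {line!r}")
    # strict=True raises ValueError when bits are set beyond the mask,
    # which is the slide's "no set bits ... beyond the number of mask bits".
    return ipaddress.ip_network(words[2], strict=True), words[3]


def load_rules(text):
    """Parse every non-blank line of a rules text."""
    return [parse_assign_net(l) for l in text.splitlines() if l.strip()]


def classify(rules, client_ip, fallback="open"):
    """Return the limitclass of the most specific network containing the client."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, limitclass in rules:
        if net.version != addr.version or addr not in net:
            continue
        # Most specific matching mask wins: keep the longest prefix.
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, limitclass)
    return best[1] if best else fallback  # fallback is an assumed default
```

Because the longest prefix wins regardless of file order, a narrow hostile entry can carve an address range out of a wider peer or normal assignment.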

19
Username and AES key rules
  • Usernames are limited to 16 characters
  • AES key is a 128 bit session key
  • Not encrypted in the keys file, use UNIX
    permissions to protect
  • Can use a pass phrase to generate the AES key
  • Server: use aespasswd to add pass-phrase-generated
    keys into the keys file
  • Client application prompts user for pass phrase

20
Example key file
  • joe a0167ac6101b360d2f4dd164abba2337
  • bob 2dc36fc4807894cdfbe180b71d2b4a0f
  • sam 3fc763fb270ce6ba6e928bd10d4977d3
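
Since the keys are stored unencrypted, the file's mode and contents are worth checking after every edit. The following audit of the slide 19 rules (16-character usernames, 128-bit keys, owner-only permissions) is an added Python example, not a tool shipped with OWAMP or BWCTL; the sample entries and the file name `example.keys` are constructed.

```python
import os
import re
import stat
import tempfile

# Slide 19: username of at most 16 characters, key of 128 bits (32 hex digits).
KEY_LINE = re.compile(r"^(\S{1,16})\s+([0-9a-fA-F]{32})$")


def audit_keys_file(path):
    """Return a list of findings; key material is never echoed back."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} grants access beyond the owner")
    seen = set()
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line:
                continue
            match = KEY_LINE.match(line)
            if match is None:
                findings.append(f"line {lineno}: not 'user <32 hex digits>'")
                continue
            user = match.group(1)
            if user in seen:
                findings.append(f"line {lineno}: duplicate user {user!r}")
            seen.add(user)
    return findings


def demo():
    """Audit a constructed keys file written with an unsafe 0644 mode."""
    sample = (
        "alice 00112233445566778899aabbccddeeff\n"  # well formed
        "alice ffeeddccbbaa99887766554433221100\n"  # duplicate user
        "averyveryverylongname 00112233445566778899aabbccddeeff\n"  # > 16 chars
        "carol 0011223344\n"  # key shorter than 128 bits
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.keys")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_keys_file(path)
```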

21
aespasswd
  • Similar command-line to htpasswd (apache web
    server)
  • Specify an identity to be added to a key file,
    prompted for a passphrase
  • http://e2epi.internet2.edu/owamp/aespasswd.man.html

22
Example username/key assignment setup
  • local super users
  • assign user boote noc
  • assign user joe noc
  • peers
  • assign user warren peer
  • assign user bob peer
  • normal
  • assign user sam normal

23
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

24
Configure (owampd.conf)
  • http://e2epi.internet2.edu/owamp/owampd.conf.man.html
  • These parameters control how the owampd runs
  • General operations such as where it reports its
    errors and where it stores buffered data files.
  • Most installations will only need to modify
  • datadir
  • vardir
  • user
  • group

25
Configure (owampd.limits)
  • http://e2epi.internet2.edu/owamp/owampd.limits.man.html
  • Two parts
  • Authentication
  • Who is making the request?
  • Authorization
  • What is that identity allowed to do?

26
Configure (owampd.limits)
  • Authentication is done by assigning a limitclass
    to each new connection as it comes in
  • IP/netmask method
  • assign net 127.0.0.1/32 noc
  • username method
  • assign user boote noc

27
Configure (owampd.limits)
  • Authorization is done by associating a set of
    hierarchical limits with each limitclass and
    verifying that each incoming request adheres to
    them.
  • Limit root with \
  • Disk=100M, \
  • Bandwidth=0, \
  • Delete_on_fetch=on, \
  • Allow_open_mode=off
  • Limit noc with parent=root, \
  • Allow_open_mode=on

28
Configure (owampd.keys)
  • http://e2epi.internet2.edu/owamp/owampd.keys.man.html
  • http://e2epi.internet2.edu/owamp/aespasswd.man.html
  • Used to hold the username/AESKey pairing
    information for the daemon.
  • Use the aespasswd program to generate a key if
    you want a passphrase associated with it

29
Starting owampd
  • http://e2epi.internet2.edu/owamp/owampd.man.html
  • start in foreground during testing
  • /usr/local/bin/owampd -c /usr/local/etc -Z

30
Testing (owping)
  • http://e2epi.internet2.edu/owamp/owping.man.html
  • Simple localhost test
  • /ami/bin/owping localhost
  • Test to Internet2 test host
  • /ami/bin/owping nmsy-aami.abilene.ucaid.edu
  • Others
  • /usr/local/bin/owping otherhost

31
Troubleshooting
  • No control connection
  • Control connection denied
  • 100% packet loss in test streams
  • Clock offset (ntpq, loss timeout)
  • Firewall

32
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

33
Configure (bwctld.conf)
  • http://e2epi.internet2.edu/bwctl/bwctld.conf.man.html
  • These parameters control how the bwctld runs
  • General operations such as where it reports its
    errors and other daemon wide configuration
    options
  • Most installations will only need to modify
  • vardir
  • user
  • group

34
Configure (bwctld.limits)
  • http://e2epi.internet2.edu/bwctl/bwctld.limits.man.html
  • Two parts
  • Authentication
  • Who is making the request?
  • Authorization
  • What is that identity allowed to do?

35
Configure (bwctld.limits)
  • Authentication is done by assigning a limitclass
    to each new connection as it comes in
  • IP/netmask method
  • assign net 127.0.0.1/32 noc
  • username method
  • assign user boote noc

36
Configure (bwctld.limits)
  • Authorization is done by associating a set of
    hierarchical limits with each limitclass and
    verifying that each incoming request adheres to
    them.
  • Limit root with \
  • bandwidth=900m, \
  • duration=0, \
  • allow_tcp=on, \
  • allow_udp=on, \
  • allow_open_mode=off
  • Limit noc with parent=root, \
  • Allow_open_mode=on

37
Configure (bwctld.keys)
  • http://e2epi.internet2.edu/bwctl/owampd.keys.man.html
  • http://e2epi.internet2.edu/bwctl/aespasswd.man.html
  • Used to hold the username/AESKey pairing
    information for the daemon.
  • Use the aespasswd program to generate a key if
    you want a passphrase associated with it

38
Testing bwctl
  • http://e2epi.internet2.edu/bwctl/bwctl.man.html
  • Try to create a test from the Internet2 test
    host
  • /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
  • Try to create a test toward the Internet2 test
    host
  • /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob

39
Starting bwctld
  • http://e2epi.internet2.edu/bwctl/bwctld.man.html
  • start in foreground during testing
  • /usr/local/bin/bwctld -c /usr/local/etc -Z

40
Testing bwctl (With Your Daemon)
  • If there is a local daemon running, the bwctl
    client will automatically connect to it to
    schedule the local resources instead of running
    the test directly. (The same command-lines are
    used from above to test this.)
  • Try to create a test from the Internet2 test
    host
  • /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
  • Try to create a test toward the Internet2 test
    host
  • /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob

41
Testing bwctl (3-Party)
  • The bwctl client can be used to request a test
    between 2 other hosts
  • If you have the same identity on the two hosts
  • /ami/bin/bwctl -s sendhost -c recvhost -A A AESKEY jimbob
  • If you have different identities, you must append
    the auth args after the host
  • /ami/bin/bwctl -s sendhost A AESKEY jim -c recvhost A AESKEY bob

42
Troubleshooting
  • No control connection
  • Control connection denied
  • Initial control connection works - peer
    connection fails
  • Scheduling problems
  • Iperf connections fail
  • Iperf results are bad

43
Questions?/Review?
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

44
www.internet2.edu