Title: OWAMP and BWCTL: Installation and Configuration
1 OWAMP and BWCTL: Installation and Configuration
- Jeff Boote (boote_at_internet2.edu)
- Network Performance Workshop
2 Overview
- Intro
- Installation
- Policy
- Partitioning Resources
- Classifying Connections
- OWAMP configuration
- owampd general configuration
- owampd policy configuration
- Testing and troubleshooting
- BWCTL configuration
- bwctld general configuration
- bwctld policy configuration
- Testing and troubleshooting
3 Review Website
- Most of the information from this talk is on the web sites
- http://e2epi.internet2.edu/owamp/
- http://e2epi.internet2.edu/bwctl/
5 Download
- http://e2epi.internet2.edu/owamp/download.html
- http://e2epi.internet2.edu/bwctl/download.html
6 Unpack/Build/Install
- gzip -cd owamp-VERS.tar.gz | tar xf -
- cd owamp-VERS
- ./configure --prefix=/ami
- --prefix is only needed if you don't like the default (/usr/local on most systems)
- make
- make install
- Does not install configuration files
- (Same process for BWCTL - do it now)
8 General Security Considerations (review)
- Do no harm
- Don't want machines to be a source of denial of service attacks
- On the other hand, would like them to be as available as possible, so as useful as possible for debugging
- Avoid being an attractive nuisance
- Again, obscurity lessens usefulness
- But do harden machines themselves
9 OWAMP Security Considerations
- Limit the bandwidth that can be consumed
- Limit the memory/disk that can be consumed on the test host
10 BWCTL Security Considerations
- Limit the bandwidth that can be consumed
- Including protocol type (UDP/TCP)
11 Partitioning Resources
- Decide upon the complete amount of resources it is acceptable for the test host to consume
- Decide how to allocate those resources among users
- How much disk space can be dedicated? Per group?
- How much bandwidth total? Per group?
- Keep system load in mind as well as network. The data accuracy will suffer if the system is too loaded.
12 Resources Allocated Using Hierarchical Limitclasses
- Users are grouped into hierarchical limitclasses
- One parent-less class allowed, it defines the total amount of resources available
- When limitclasses are defined, limits of the one and only parent are inherited
- When consumable resources are requested, the limits of the limitclass and all parent limitclasses must be satisfied (memory/bandwidth/timeslots)
13 Example organization of limitclasses
- Classifications of users into limitclasses
- Root: Complete set of resources available
- Hostile: Used to jail hostile users
- NOC: Super-user limits
- Peer: Extended limits for peer tests
- Normal: Reasonable limits for end-users
- Open: Conservative limits for anyone
14 Example Allocation for bandwidth (BWCTL)
- Available per limitclass
- Root: Complete set of resources available
- Hostile: No tests allowed
- NOC: Inherit Root limits
- Peer: Limit UDP to 500m
- Could make children limitclasses for each individual peer if lower limits should be applied to some
- Normal: UDP not needed for most end users
- Open: No tests allowed
15 Example limitclass definition
- total available
- limit root with AllowTCP=on, AllowUDP=on, bandwidth=900m
- Hostile
- limit hostile with parent=root, AllowTCP=off, AllowUDP=off
16 Classifying Connections
- IP/netmask
- The IP address of the client is matched against a list of IP/netmask specified subnets and assigned to a limitclass based on the address of the client
- Username and AES key
- Client specifies a username, the server must already know the associated AES key
- AES key is used as a symmetric session key
- Client and Server use the key as a shared secret
17 IP/netmask matching rules
- The most specific matching mask wins
- No set bits are allowed in the address portion beyond the number of mask bits
- Does not need to be a real sub-net
18 Example netmask assignment setup
- loopback
- assign net ::/127 noc
- assign net 127.0.0.1/32 noc
- abilene nmslan (observatory systems)
- assign net 2001:468:0::/40 peer
- assign net 198.32.10.0/23 peer
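The IP/netmask matching rules from the three slides above (most specific mask wins, no set bits beyond the mask), as an added Python example that is not part of this deck nor of owampd/bwctld. The "assign net" lines are constructed sample data, the nested 198.32.10.x ranges are invented to show the tie-break, and returning None for an unmatched client is an assumption.

```python
import ipaddress
# Constructed 'assign net <addr>/<bits> <limitclass>' lines (sample data, not the
# deck's); the overlapping 198.32.10.x entries exercise "most specific mask wins".
LIMITS_TEXT = """\
# loopback
assign net ::/127 noc
assign net 127.0.0.1/32 noc
# constructed peer range with a tighter sub-range inside it
assign net 198.32.10.0/23 peer
assign net 198.32.10.128/25 normal
# catch-all for anyone else
assign net 0.0.0.0/0 open
"""

def is_valid_net(spec):
    """True only if no address bit is set beyond the mask length."""
    try:
        ipaddress.ip_network(spec, strict=True)
        return True
    except ValueError:
        return False

def parse_assign_net(text):
    """Return [(network, limitclass)] from 'assign net' lines; '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[:2] != ["assign", "net"] or len(parts) != 4:
            raise ValueError(f"unrecognised line: {raw!r}")
        if not is_valid_net(parts[2]):
            raise ValueError(f"set bits beyond the mask: {parts[2]}")
        nets.append((ipaddress.ip_network(parts[2]), parts[3]))
    return nets

def classify(addr, nets):
    """Longest (most specific) matching mask wins. Returns None when nothing
    matches (assumption: the deck does not say how an unmatched client is treated)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, cls in nets:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cls)
    return best[1] if best else None

NETS = parse_assign_net(LIMITS_TEXT)
```

A line such as `assign net 198.32.10.1/23 peer` is rejected by `is_valid_net`, which is the "no set bits beyond the mask" rule; a `/127` entry with `::1` as its address fails the same check.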
19 Username and AES key rules
- Usernames are limited to 16 characters
- AES key is a 128 bit session key
- Not encrypted in the keys file, use UNIX permissions to protect
- Can use a pass phrase to generate the AES key
- Server: use aespasswd to add pass phrase generated keys into the keys file
- Client application prompts user for pass phrase
20 Example key file
- joe a0167ac6101b360d2f4dd164abba2337
- bob 2dc36fc4807894cdfbe180b71d2b4a0f
- sam 3fc763fb270ce6ba6e928bd10d4977d3
21 aespasswd
- Similar command-line to htpasswd (apache web server)
- Specify an identity to be added to a key file, prompted for a passphrase
- http://e2epi.internet2.edu/owamp/aespasswd.man.html
22 Example username/key assignment setup
- local super users
- assign user boote noc
- assign user joe noc
- peers
- assign user warren peer
- assign user bob peer
- normal
- assign user sam normal
24 Configure (owampd.conf)
- http://e2epi.internet2.edu/owamp/owampd.conf.man.html
- These parameters control how the owampd runs
- General operations such as where it reports its errors and where it stores buffered data files.
- Most installations will only need to modify
- datadir
- vardir
- user
- group
25 Configure (owampd.limits)
- http://e2epi.internet2.edu/owamp/owampd.limits.man.html
- Two parts
- Authentication
- Who is making the request?
- Authorization
- What is that identity allowed to do?
26 Configure (owampd.limits)
- Authentication is done by assigning a limitclass to each new connection as it comes in
- IP/netmask method
- assign net 127.0.0.1/32 noc
- username method
- assign user boote noc
27 Configure (owampd.limits)
- Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.
- Limit root with Disk=100M, Bandwidth=0, Delete_on_fetch=on, Allow_open_mode=off
- Limit noc with parent=root, Allow_open_mode=on
28 Configure (owampd.keys)
- http://e2epi.internet2.edu/owamp/owampd.keys.man.html
- http://e2epi.internet2.edu/owamp/aespasswd.man.html
- Used to hold the username/AESKey pairing information for the daemon.
- Use the aespasswd program to generate a key if you want a passphrase associated with it
29 Starting owampd
- http://e2epi.internet2.edu/owamp/owampd.man.html
- start in foreground during testing
- /usr/local/bin/owampd -c /usr/local/etc -Z
30 Testing (owping)
- http://e2epi.internet2.edu/owamp/owping.man.html
- Simple localhost test
- /ami/bin/owping localhost
- Test to Internet2 test host
- /ami/bin/owping nmsy-aami.abilene.ucaid.edu
- Others
- /usr/local/bin/owping otherhost
31 Troubleshooting
- No control connection
- Control connection denied
- 100% packet loss in test streams
- Clock offset (ntpq, loss timeout)
- Firewall
33 Configure (bwctld.conf)
- http://e2epi.internet2.edu/bwctl/bwctld.conf.man.html
- These parameters control how the bwctld runs
- General operations such as where it reports its errors and other daemon wide configuration options
- Most installations will only need to modify
- vardir
- user
- group
34 Configure (bwctld.limits)
- http://e2epi.internet2.edu/bwctl/bwctld.limits.man.html
- Two parts
- Authentication
- Who is making the request?
- Authorization
- What is that identity allowed to do?
35 Configure (bwctld.limits)
- Authentication is done by assigning a limitclass to each new connection as it comes in
- IP/netmask method
- assign net 127.0.0.1/32 noc
- username method
- assign user boote noc
36 Configure (bwctld.limits)
- Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.
- Limit root with bandwidth=900m, duration=0, allow_tcp=on, allow_udp=on, allow_open_mode=off
- Limit noc with parent=root, Allow_open_mode=on
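A worked check of the hierarchical limitclass rules (slide 12: a request must satisfy the limits of the class and of every parent) against limit definitions in the form of slides 15 and 36. This is an added Python example, not code from the deck or from the daemons; the class definitions are constructed, peer_a is an invented per-peer child class, and treating unset keys as inherited and bandwidth=0 as unlimited are assumptions.

```python
import re
# Constructed bwctld.limits-style definitions modelled on the deck's example
# allocation; "peer_a" is an invented per-peer child whose own cap is looser
# than its parent's, to show that ancestor limits still apply.
LIMITS_TEXT = r"""
limit root with \
    allow_tcp=on, \
    allow_udp=on, \
    bandwidth=900m
limit hostile with parent=root, allow_tcp=off, allow_udp=off
limit noc with parent=root
limit peer with parent=root, bandwidth=500m
limit peer_a with parent=peer, bandwidth=800m
limit normal with parent=root, allow_udp=off
"""
UNITS = {"k": 10**3, "m": 10**6, "g": 10**9}

def parse_bw(value):
    """'900m' -> 900000000 bits/s; a bare number is taken as bits/s."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad bandwidth value: {value!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_limits(text):
    """Return {class: {'parent': name-or-None, key: value}}; joins '\\' continuations."""
    classes = {}
    for line in filter(None, map(str.strip, text.replace("\\\n", " ").splitlines())):
        m = re.fullmatch(r"limit\s+(\S+)\s+with\s+(.*)", line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        opts = {"parent": None}
        for kv in filter(None, (s.strip() for s in m.group(2).split(","))):
            k, v = kv.split("=", 1)
            opts[k.strip().lower()] = v.strip()
        classes[m.group(1)] = opts
    return classes

def request_allowed(classes, cls, proto, bps):
    """Satisfy the class AND every parent, so a child cannot loosen an ancestor's
    limit. Assumed (not in the deck): unset keys inherit; bandwidth=0 = unlimited."""
    while cls is not None:
        c = classes[cls]
        if c.get(f"allow_{proto}", "on").lower() == "off":
            return False
        cap = parse_bw(c.get("bandwidth", "0"))
        if cap and bps > cap:
            return False
        cls = c["parent"]
    return True
```

The peer_a case is the one to notice: its own 800m cap is never reached because the walk up to peer (500m) and root (900m) rejects the request first.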
37 Configure (bwctld.keys)
- http://e2epi.internet2.edu/bwctl/owampd.keys.man.html
- http://e2epi.internet2.edu/bwctl/aespasswd.man.html
- Used to hold the username/AESKey pairing information for the daemon.
- Use the aespasswd program to generate a key if you want a passphrase associated with it
38 Testing bwctl
- http://e2epi.internet2.edu/bwctl/bwctl.man.html
- Try to create a test from the Internet2 test host
- /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
- Try to create a test toward the Internet2 test host
- /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
39 Starting bwctld
- http://e2epi.internet2.edu/bwctl/bwctld.man.html
- start in foreground during testing
- /usr/local/bin/bwctld -c /usr/local/etc -Z
40 Testing bwctl (With Your Daemon)
- If there is a local daemon running, the bwctl client will automatically connect to it to schedule the local resources instead of running the test directly. (The same command-lines are used from above to test this.)
- Try to create a test from the Internet2 test host
- /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
- Try to create a test toward the Internet2 test host
- /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
41 Testing bwctl (3-Party)
- The bwctl client can be used to request a test between 2 other hosts
- If you have the same identity on the two hosts
- /ami/bin/bwctl -s sendhost -c recvhost -A A AESKEY jimbob
- If you have different identities, you must append the auth args after the host
- /ami/bin/bwctl -s sendhost A AESKEY jim -c recvhost A AESKEY bob
42 Troubleshooting
- No control connection
- Control connection denied
- Initial control connection works, peer connection fails
- Scheduling problems
- Iperf connections fail
- Iperf results are bad
43 Questions?/Review?
44 www.internet2.edu