Introduction
This hands-on exercise introduces the basic concepts of working with SCION and the Anapaya appliance. You will explore a running SCION network and inspect the corresponding SCION configurations of a SCION router in that network. At the same time, you will familiarize yourself with the training environment that is used throughout all tutorials.
At the end of this hands-on exercise, you should be able to explore a SCION network using the basic command line tools scion and appliance-cli.
Make sure that the appliance-cli is set to the correct context, especially
when pushing new configurations. You can always verify the current context
by running:
appliance-cli context list
Ultimately, you will understand the SCION configuration of the Anapaya appliance. In later exercises, you will then learn how to create and change the most important aspects of the Anapaya appliance configuration and see the effects on the network.
Unless stated otherwise, all commands are assumed to be run from the
workspace directory on your training VM. The built-in terminal in
the editor will put you automatically in the right
directory. To open the built-in terminal use the Ctrl+` shortcut.
Alternatively, you can click the Menu button in the top left, then
select View -> Show Terminal . This will bring up the terminal and puts
you in the correct working directory (~/workspace) for all the tasks in
this training.
Overview
Refer to the diagram below, which visualizes the network topology we work on in this hands-on session. The depicted infrastructure consists of an ISD, called Finance ISD, which has three ASes:
- Webspeed (ISD-AS 1-ff00:1:1)
- Corpbank Switzerland (ISD-AS 1-ff00:1:2)
- Stabank Private Banking (ISD-AS 1-ff00:1:3)
The Webspeed AS is the core AS of the ISD. It consists of three sites in Zurich, Geneva, and Lugano, each with exactly one host: core.zurich.webspeed, core.geneva.webspeed, and core.lugano.webspeed, respectively.
The Corpbank Switzerland AS has two sites, one in Zurich and one in Geneva, each with one host: edge.zurich.corpbank and edge.geneva.corpbank. The Stabank Private Banking AS has a single site in Lugano with one host, edge.lugano.stabank. Corpbank and Stabank are both leaf ASes, and each of them is connected to the Webspeed AS via two links, as depicted in the diagram.
TODO: Topology image placeholder
Over the course of this lab, you will be working in a cloud-hosted playground of the SCION infrastructure. All the ASes run in a virtualized environment on a cloud machine.
Task 1. Connect to an Appliance
Time estimate: 10 minutes
From the training environment you can log into every host shown in the network diagram.
As mentioned, the Webspeed AS has three hosts where all its services, such as
the SCION control service, are running. For example, you can connect to the
core.zurich.webspeed host by running the following command:
operator@training:~/workspace$ lxc shell core-zurich-webspeed
The connection should succeed and open up a terminal on the host
core.zurich.webspeed. To close the connection, run exit.
All available hosts to which you can connect are managed via the LXC container system. To get a list of all the available hosts, you can run the following command:
operator@training:~/workspace$ lxc ls -c n --format csv
bgp-zurich-bgp-webspeed
core-geneva-webspeed
core-lugano-webspeed
core-zurich-webspeed
edge-geneva-corpbank
edge-lugano-stabank
edge-zurich-corpbank
endhost-lugano-stabank
endhost-zurich-bgp-webspeed
endhost-zurich-corpbank
gate-zurich-webspeed
mgmt-internal-training
Observe that the name of each LXC container is the same as its corresponding host name, except that each . is replaced with -.
All the hosts whose names start with core or edge, e.g.,
edge-geneva-corpbank and core-geneva-webspeed, are the hosts where the
SCION infrastructure runs. For this hands-on training, we will mostly be
focusing on these hosts.
From the list of LXC containers, find a host in the Stabank Private Banking AS and log into it.
Solution
operator@training:~/workspace$ lxc shell edge-lugano-stabank
What is the hostname of that host? (On the CLI you can run hostname)
Solution
root@edge-lugano-stabank:~# hostname
edge-lugano-stabank
Task 2. Appliance-CLI
Time estimate: 10 minutes
The appliance-cli is a command line tool that helps the operator to manage the appliance. The
CLI can connect to an appliance on the local host or to remote appliances over the network. For
complete documentation, see the appliance-cli
reference.
To get a list of the available commands, run the following in your terminal:
operator@training:~/workspace$ appliance-cli --help
Alternatively, you can first connect to a host and then run the appliance-cli command:
operator@training:~/workspace$ lxc shell edge-zurich-corpbank
root@edge-zurich-corpbank:~# appliance-cli --help
For this training, we will be using the appliance-cli directly from the operator workspace. To make
appliance interactions convenient, the appliance-cli supports different
contexts. Each
context defines how to connect to a given appliance. For your convenience, we have
pre-configured the contexts for the appliances in the training.
To get a list of the available contexts, run the following:
operator@training:~/workspace$ appliance-cli context list
You can select a new context with:
operator@training:~/workspace$ appliance-cli context select
or directly switch to a known context:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
Task 2.1 State Overview
You can get an overview of the appliance state by running the following:
operator@training:~/workspace$ appliance-cli info
There are various info commands available to get more detailed information about the appliance state. For example, you can get the SCION state by running:
operator@training:~/workspace$ appliance-cli info scion
To get the list of all available commands, run the following:
operator@training:~/workspace$ appliance-cli info --help
Task 2.2 Appliance Management API
The appliance-cli allows you to interact with the appliance management API. A group of commands is generated directly from the endpoints that the appliance management API exposes.
Now, try by yourself to get the health state of the edge.lugano.stabank appliance. Hint: the appliance management API has a health endpoint.
Solution
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli get health
{
health: {
checks: [
{
check_id: "1001-0001"
component: "appliance"
name: "Service Responsive"
service_name: "appliance-cron"
status: "passing"
}
{
check_id: "1001-0001"
component: "control-plane"
name: "Service Responsive"
service_name: "control-1-ff00_1_3"
status: "passing"
}
{
check_id: "1001-0001"
component: "control-plane"
name: "Service Responsive"
service_name: "control-2-ff00_1_3"
status: "passing"
}
{
check_id: "1001-0001"
component: "control-plane"
name: "Service Responsive"
service_name: "daemon-1-ff00_1_3"
status: "passing"
}
{
check_id: "1001-0001"
component: "control-plane"
name: "Service Responsive"
service_name: "daemon-2-ff00_1_3"
status: "passing"
}
{
check_id: "1001-0001"
component: "data-plane"
name: "Service Responsive"
service_name: "dataplane-control"
status: "passing"
}
{
check_id: "1001-0001"
component: "data-plane"
name: "Service Responsive"
service_name: "dispatcher"
status: "passing"
}
{
check_id: "1001-0001"
component: "scion-tunneling"
name: "Service Responsive"
service_name: "gateway"
status: "passing"
}
{
check_id: "1001-0001"
component: "scion-tunneling"
name: "Service Responsive"
service_name: "mole"
status: "passing"
}
{
check_id: "1001-0001"
component: "data-plane"
name: "Service Responsive"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.3:30043"
local_interface: 2
local_isd_as: "2-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.2:30043"
remote_interface: 0
remote_isd_as: "2-ff00:1:1"
state: "UP"
}
detail: "External interface 2-ff00:1:3#2 to 2-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.5:30043"
local_interface: 1
local_isd_as: "2-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.4:30043"
remote_interface: 0
remote_isd_as: "2-ff00:1:1"
state: "UP"
}
detail: "External interface 2-ff00:1:3#1 to 2-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.3:30042"
local_interface: 2
local_isd_as: "1-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.2:30042"
remote_interface: 0
remote_isd_as: "1-ff00:1:1"
state: "UP"
}
detail: "External interface 1-ff00:1:3#2 to 1-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.5:30042"
local_interface: 1
local_isd_as: "1-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.4:30042"
remote_interface: 0
remote_isd_as: "1-ff00:1:1"
state: "UP"
}
detail: "External interface 1-ff00:1:3#1 to 1-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "4001-1001"
component: "control-plane"
data: {
base: 1
data_type: "available"
grace_period_end: "0001-01-01T00:00:00Z"
id: "ISD1-B1-S1"
isd: 1
serial: 1
validity: {
not_after: "2025-10-03T08:49:02Z"
not_before: "2024-07-10T08:49:02Z"
}
}
detail: "TRC for ISD 1 is available"
name: "TRC for local ISD available"
service_name: "control-1-ff00_1_3"
status: "passing"
}
{
check_id: "4001-1001"
component: "control-plane"
data: {
base: 1
data_type: "available"
grace_period_end: "0001-01-01T00:00:00Z"
id: "ISD2-B1-S1"
isd: 2
serial: 1
validity: {
not_after: "2025-10-03T08:49:02Z"
not_before: "2024-07-10T08:49:02Z"
}
}
detail: "TRC for ISD 2 is available"
name: "TRC for local ISD available"
service_name: "control-2-ff00_1_3"
status: "passing"
}
{
check_id: "4001-1002"
component: "control-plane"
data: {
data_type: "available"
in_grace_period: false
isd_as: "1-ff00:1:3"
issuer: "1-ff00:1:1"
subject_key_id: "E3 DC 39 4E 10 47 1D 40 6B E8 2A 35 AF E3 82 CD B6 98 5A 43"
trc: {
base: 1
id: "ISD1-B1-S1"
isd: 1
serial: 1
}
valid_until: "2024-07-13T09:14:40Z"
validity: {
not_after: "2024-07-13T09:14:40Z"
not_before: "2024-07-10T09:14:10Z"
}
}
detail: "Certificate for AS 1-ff00:1:3 is available and valid until 2024-07-13 09:14:40 +0000 UTC"
name: "Certificate for local AS available"
service_name: "control-1-ff00_1_3"
status: "passing"
}
{
check_id: "4001-1002"
component: "control-plane"
data: {
data_type: "available"
in_grace_period: false
isd_as: "2-ff00:1:3"
issuer: "2-ff00:1:1"
subject_key_id: "40 72 E0 37 45 3B 81 21 D3 B0 48 D7 3F A9 21 27 78 5E C8 72"
trc: {
base: 1
id: "ISD2-B1-S1"
isd: 2
serial: 1
}
valid_until: "2024-07-13T09:15:12Z"
validity: {
not_after: "2024-07-13T09:15:12Z"
not_before: "2024-07-10T09:14:42Z"
}
}
detail: "Certificate for AS 2-ff00:1:3 is available and valid until 2024-07-13 09:15:12 +0000 UTC"
name: "Certificate for local AS available"
service_name: "control-2-ff00_1_3"
status: "passing"
}
{
check_id: "4002-1001"
component: "control-plane"
data: {
base: 1
id: "ISD1-B1-S1"
isd: 1
not_after: "2025-10-03T08:49:02Z"
not_before: "2024-07-10T08:49:02Z"
serial: 1
}
detail: "TRC for ISD 1 is available as ISD1-B1-S1"
name: "TRC for local ISD available"
service_name: "daemon-1-ff00_1_3"
status: "passing"
}
{
check_id: "4002-1001"
component: "control-plane"
data: {
base: 1
id: "ISD2-B1-S1"
isd: 2
not_after: "2025-10-03T08:49:02Z"
not_before: "2024-07-10T08:49:02Z"
serial: 1
}
detail: "TRC for ISD 2 is available as ISD2-B1-S1"
name: "TRC for local ISD available"
service_name: "daemon-2-ff00_1_3"
status: "passing"
}
{
check_id: "5001-2001"
component: "scion-tunneling"
data: {
count: 1
domain: "gate"
prefixes: [
"0.0.0.0/5"
"8.0.0.0/7"
"10.0.0.0/15"
"10.2.1.0/24"
"10.2.2.0/23"
"10.2.4.0/22"
"10.2.8.0/21"
"10.2.16.0/20"
"10.2.32.0/19"
"10.2.64.0/18"
"10.2.128.0/17"
"10.3.0.0/16"
"10.4.0.0/14"
"10.8.0.0/13"
"10.16.0.0/12"
"10.32.0.0/11"
"10.64.0.0/10"
"10.128.0.0/9"
"11.0.0.0/8"
"12.0.0.0/6"
"16.0.0.0/4"
"32.0.0.0/3"
"64.0.0.0/2"
"128.0.0.0/1"
"::/0"
]
}
name: "Accept Filter Entry Matches Prefix"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2001"
component: "scion-tunneling"
data: {
count: 1
domain: "corpbank"
prefixes: ["10.2.0.0/24"]
}
name: "Accept Filter Entry Matches Prefix"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2002"
component: "scion-tunneling"
data: {
count: 1
domain: "gate"
prefixes: ["198.51.100.0/28"]
}
name: "Announce Filter Entry Matches Prefix"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2002"
component: "scion-tunneling"
data: {
count: 2
domain: "corpbank"
prefixes: ["10.8.0.0/24"]
}
name: "Announce Filter Entry Matches Prefix"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2003"
component: "scion-tunneling"
data: {
domain: "corpbank"
local_isd_as: "1-ff00:1:3"
paths: 4
remote_isd_as: "1-ff00:1:2"
}
name: "Domain has alive paths to remote AS"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2003"
component: "scion-tunneling"
data: {
domain: "gate"
local_isd_as: "2-ff00:1:3"
paths: 2
remote_isd_as: "2-ff00:1:1"
}
name: "Domain has alive paths to remote AS"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2004"
component: "scion-tunneling"
data: {
domain: "gate"
local_isd_as: "2-ff00:1:3"
remote_gateways: [
{
address: "10.1.0.5:40200"
isd_as: "2-ff00:1:1"
}
]
}
name: "Domain has reachable remote Gateways"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2004"
component: "scion-tunneling"
data: {
domain: "corpbank"
local_isd_as: "1-ff00:1:3"
remote_gateways: [
{
address: "10.2.0.1:40200"
isd_as: "1-ff00:1:2"
}
{
address: "10.2.0.2:40200"
isd_as: "1-ff00:1:2"
}
]
}
name: "Domain has reachable remote Gateways"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2005"
component: "scion-tunneling"
data: {
domain: "gate"
failover_sequence: [
{
name: "allow-all-path-filter"
paths: 2
}
]
traffic_matcher: "match-all-traffic-matcher"
}
name: "Domain traffic policy has alive paths"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2005"
component: "scion-tunneling"
data: {
domain: "corpbank"
failover_sequence: [
{
name: "allow-all-path-filter"
paths: 4
}
]
traffic_matcher: "match-all-traffic-matcher"
}
name: "Domain traffic policy has alive paths"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2006"
component: "scion-tunneling"
name: "Any domain has healthy remote Gateways"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2007"
component: "scion-tunneling"
data: {
announced_prefixes: 2
domain: "corpbank"
received_prefixes: 1
}
name: "Domain exchanged IP Prefixes"
service_name: "gateway"
status: "passing"
}
{
check_id: "5001-2007"
component: "scion-tunneling"
data: {
announced_prefixes: 1
domain: "gate"
received_prefixes: 1
}
name: "Domain exchanged IP Prefixes"
service_name: "gateway"
status: "passing"
}
]
status: "passing"
}
}
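Reading a health document by eye works for one appliance; for a fleet you want the same questions answered by a script. The following added example (written for this tutorial; it is not code from the page or from Anapaya) triages such a document: it lists every check that is not passing, every external interface whose BFD-tracked state is not UP, and every AS certificate or TRC whose not_after lies within a warning window. It assumes that `appliance-cli get health --format json` prints the document above as standard JSON (only --format yaml is demonstrated on this page, so the json format name is an assumption). The embedded sample is constructed from the fields shown above, with one failing interface check and a DOWN state added by hand, since the page only shows passing checks.

```python
"""Triage an Anapaya appliance health document.

Added example for the SCION training page, not code from the page or from
Anapaya. Assumption: `appliance-cli get health --format json` emits the health
document as standard JSON. SAMPLE_HEALTH is constructed by hand from the field
names seen on the page; the failing check and the DOWN state are invented.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_HEALTH = json.loads("""
{ "health": { "status": "failing", "checks": [
  {"check_id": "1001-0001", "component": "data-plane", "service_name": "router",
   "name": "Service Responsive", "status": "passing"},
  {"check_id": "3003-2001", "component": "data-plane", "service_name": "router",
   "name": "External Interface Up", "status": "passing",
   "detail": "External interface 1-ff00:1:3#2 to 1-ff00:1:1#0 is up",
   "data": {"local_isd_as": "1-ff00:1:3", "local_interface": 2, "state": "UP",
            "remote_isd_as": "1-ff00:1:1", "remote_interface": 0, "bfd_enabled": true}},
  {"check_id": "3003-2001", "component": "data-plane", "service_name": "router",
   "name": "External Interface Up", "status": "failing",
   "detail": "External interface 1-ff00:1:3#1 to 1-ff00:1:1#0 is down",
   "data": {"local_isd_as": "1-ff00:1:3", "local_interface": 1, "state": "DOWN",
            "remote_isd_as": "1-ff00:1:1", "remote_interface": 0, "bfd_enabled": true}},
  {"check_id": "4001-1002", "component": "control-plane", "service_name": "control-1-ff00_1_3",
   "name": "Certificate for local AS available", "status": "passing",
   "data": {"isd_as": "1-ff00:1:3", "issuer": "1-ff00:1:1",
            "validity": {"not_before": "2024-07-10T09:14:10Z", "not_after": "2024-07-13T09:14:40Z"}}},
  {"check_id": "4002-1001", "component": "control-plane", "service_name": "daemon-1-ff00_1_3",
   "name": "TRC for local ISD available", "status": "passing",
   "data": {"id": "ISD1-B1-S1", "isd": 1,
            "not_before": "2024-07-10T08:49:02Z", "not_after": "2025-10-03T08:49:02Z"}}
]}}
""")


def select(doc, **match):
    """Checks whose top-level fields equal the given values; the in-process
    equivalent of `appliance-cli get health --query service_name=router`."""
    return [c for c in doc["health"]["checks"]
            if all(c.get(k) == v for k, v in match.items())]


def failing(doc):
    """Every check whose status is anything other than "passing"."""
    return [c for c in doc["health"]["checks"] if c.get("status") != "passing"]


def interfaces_down(doc):
    """External interfaces (check 3003-2001) whose BFD-tracked state is not UP."""
    down = []
    for c in select(doc, check_id="3003-2001"):
        d = c.get("data", {})
        if d.get("state") != "UP":
            down.append(f'{d["local_isd_as"]}#{d["local_interface"]}')
    return down


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiring(doc, now, within):
    """(check name, subject, seconds left) for every AS certificate or TRC whose
    not_after lies within `within` of `now`. These checks stay "passing" until
    the credential is actually invalid, so warning time has to come from the
    data field; the AS certificates on this page are valid for about three days.
    Handles both shapes seen on the page: validity nested under "validity"
    (control service checks) and not_after directly in data (daemon checks)."""
    out = []
    for c in doc["health"]["checks"]:
        d = c.get("data") or {}
        not_after = d.get("validity", d).get("not_after")
        if not_after is None:
            continue
        left = _ts(not_after) - now
        if left <= within:
            out.append((c["name"], d.get("isd_as") or d.get("id"), int(left.total_seconds())))
    return out


def triage(doc, now, warn_within=timedelta(hours=24)):
    return {
        "overall": doc["health"]["status"],
        "failing": [(c["service_name"], c["name"], c.get("detail", "")) for c in failing(doc)],
        "interfaces_down": interfaces_down(doc),
        "expiring": expiring(doc, now, warn_within),
    }


def triage_sample(now_iso="2024-07-13T00:00:00Z"):
    """Run the triage over the constructed sample at a fixed point in time."""
    return triage(SAMPLE_HEALTH, _ts(now_iso))


if __name__ == "__main__":
    # appliance-cli get health --format json | python3 health_triage.py
    doc = SAMPLE_HEALTH if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(triage(doc, datetime.now(timezone.utc)), indent=2))
```

The expiry check is the part worth keeping around: the certificate check on this page reports passing up to the very second the certificate becomes invalid, so an appliance whose renewal against its issuer has silently stopped looks healthy until control-plane traffic starts failing.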
As the CLI simply interacts with the appliance management API, you can also use the query parameters for the specific API endpoints.
Use query parameters to view only the health status for checks from the router service.
Solution
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli get health --query service_name=router
{
health: {
checks: [
{
check_id: "1001-0001"
component: "data-plane"
name: "Service Responsive"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.3:30043"
local_interface: 2
local_isd_as: "2-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.2:30043"
remote_interface: 0
remote_isd_as: "2-ff00:1:1"
state: "UP"
}
detail: "External interface 2-ff00:1:3#2 to 2-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.5:30043"
local_interface: 1
local_isd_as: "2-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.4:30043"
remote_interface: 0
remote_isd_as: "2-ff00:1:1"
state: "UP"
}
detail: "External interface 2-ff00:1:3#1 to 2-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.3:30042"
local_interface: 2
local_isd_as: "1-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.2:30042"
remote_interface: 0
remote_isd_as: "1-ff00:1:1"
state: "UP"
}
detail: "External interface 1-ff00:1:3#2 to 1-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
{
check_id: "3003-2001"
component: "data-plane"
data: {
bfd_enabled: true
local_address: "169.254.1.5:30042"
local_interface: 1
local_isd_as: "1-ff00:1:3"
relationship: "PARENT"
remote_address: "169.254.1.4:30042"
remote_interface: 0
remote_isd_as: "1-ff00:1:1"
state: "UP"
}
detail: "External interface 1-ff00:1:3#1 to 1-ff00:1:1#0 is up"
name: "External Interface Up"
service_name: "router"
status: "passing"
}
]
status: "passing"
}
}
This information is useful for tracking down an issue with other API endpoints. For example, if the router service reports a failing health check for an interface, you can get more detail from the interface state of the appliance. To check it on the edge.zurich.corpbank host, run the following commands:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli get debug/scion/interfaces
Solution
{
interfaces: [
{
local: {
address: "169.254.1.3:30042"
interface_id: 2
isd_as: "1-ff00:1:2"
}
mtu: 1472
relationship: "PARENT"
remote: {
address: "169.254.1.2:30042"
interface_id: 3
isd_as: "1-ff00:1:1"
}
state: "up"
}
]
sibling_interfaces: [
{
local_interface_id: 1
local_isd_as: "1-ff00:1:2"
mtu: 1472
next_hop_address: "10.2.0.1:40100"
relationship: "parent"
remote_isd_as: "1-ff00:1:1"
}
]
}
You can customize the output format of the appliance-cli with the
--format parameter. Use the --help parameter to get a list of all the
available output formats. For example, to get the output in YAML format, run the
following:
operator@training:~/workspace$ appliance-cli get debug/scion/interfaces --format yaml
Solution
interfaces:
- local:
address: 169.254.1.3:30042
interface_id: 2
isd_as: 1-ff00:1:2
mtu: 1472
relationship: PARENT
remote:
address: 169.254.1.2:30042
interface_id: 3
isd_as: 1-ff00:1:1
state: up
sibling_interfaces:
- local_interface_id: 1
local_isd_as: 1-ff00:1:2
mtu: 1472
next_hop_address: 10.2.0.1:40100
relationship: parent
remote_isd_as: 1-ff00:1:1
Task 3. Basic AS Information
Time estimate: 20 minutes
All the AS-related configuration is a part of the Anapaya appliance
configuration. The Anapaya appliance configuration is a JSON-formatted
configuration which is used by an appliance controller to configure and start
all the necessary services. To inspect the AS configuration of
edge.zurich.corpbank host, you can either download the current appliance
config or inspect it in place using the appliance-cli.
To download the current appliance configuration and open it in the editor, run the following commands:
operator@training:~/workspace$ appliance-cli get config > edge.zurich.corpbank.appliance.json
operator@training:~/workspace$ code-server edge.zurich.corpbank.appliance.json
The editor has built-in support for the appliance configuration schema. You can get contextual help for each configuration entry by hovering your mouse over the entry. Furthermore, you can use the Ctrl+Space shortcut to get autocompletion suggestions (useful for editing the configuration in later exercises).
Using the appliance-cli you can also inspect and edit the configuration in place:
operator@training:~/workspace$ appliance-cli edit config -i
When editing the configuration in place, changes will be applied immediately once the configuration file is closed in the editor. Changes do not take effect live while the configuration file is open and being modified.
Open the configuration for the Corpbank EDGE in Zurich and look for the
scion.ases section. This section contains a list of all SCION ASes
configured on the appliance. Find the configuration data for the first configured AS.
The detailed documentation for the appliance configuration schema is available as part of the configuration reference.
Solution
Task 3.1 General AS Configuration
Let us first look at general AS configuration items.
- isd_as: the SCION ISD-AS number of the corresponding AS.
- core: indicates whether the AS is a core AS in its ISD.
- forwarding_key_ref: reference to the forwarding key for this AS.
- scion_mtu: the Maximum Transmission Unit (MTU) in bytes for SCION packets. This represents the Protocol Data Unit (PDU) of the SCION layer on this interface. As SCION packets are encapsulated in IP/UDP packets, the PDU depends on the Ethernet MTU and the IP and UDP header sizes. A typical value is 1472 bytes: 1500 bytes (Ethernet MTU) - 20 bytes (IPv4 header) - 8 bytes (UDP header).
- details: user-defined details about the SCION AS (name, description).
- default: if multiple ISD-ASes are configured, this entry indicates whether the respective SCION AS should be used by default as the source AS in the SCION applications, e.g., scion ping or scion showpaths.
Answer the following questions:
- What is the value of the ISD-AS number?
- Is the configured AS a core AS?
- What is the SCION MTU configured in the AS?
Solution
- ISD-AS number: 1-ff00:1:2
- core AS: no
- MTU: 1472
Task 3.2 SCION Dataplane Configuration
The dataplane configuration consists of the internal SCION interface and the list
of external SCION interfaces of the router. The former is configured in the router
section, while the latter can be found in the neighbors section.
Let us first look at the router section.
router is the configuration for the SCION router service. The internal interface
configures where the router is exposed. AS internal hosts send SCION data
plane traffic to this address for forwarding over the external SCION interfaces. With
enabled the SCION router can be enabled or disabled.
Next, let us take a look at the neighbors section.
It contains the following entries:
- neighbor_isd_as: the ISD-AS number of the neighbor AS.
- relationship: relationship to the neighbor AS (e.g., CORE, CHILD).
- interfaces: external SCION interfaces on this appliance that link to the neighbor AS.
Furthermore, the interfaces section contains the configuration of all the
external SCION interfaces on the appliance. It has the following fields:
- interface_id: the unique SCION interface identifier for this interface.
- address: a UDP/IP underlay endpoint. The data plane traffic is received on this address.
- administrative_state: the state of the SCION interface.
- scion_mtu: the maximum transmission unit in bytes for SCION packets. This represents the PDU of the SCION layer on this interface.
- remote: the remote SCION interface endpoint of the link. It consists of the address and interface_id of the remote interface.
- bfd: configuration for the BFD session between the local and neighboring router. This session is used to track the state of the neighboring router.
Answer the following questions by inspecting the config file of the Zurich EDGE:
- How many external interfaces are configured on the appliance?
Solution
1
- What is the ISD-AS number of the first neighbor?
Solution
1-ff00:1:1
- What is the relationship with the first neighbor?
Solution
The first neighbor is a parent of this AS.
- What is the UDP/IP endpoint of the SCION interface of the neighboring AS?
Solution
169.254.1.2:30042
Task 3.3 SCION Control Plane Configuration
The control plane configuration consists of the control service (section control)
and the SCION control plane PKI related configuration (section cppki).
Let us first look at the control section.
Section control is the configuration for the SCION control service. The address
configures where the control service is exposed. Clients connect to this
address to request control plane data, e.g., SCION path segments.
Next, let us take a look at the cppki section.
The cppki section contains the configuration of the SCION control plane PKI.
issuers is a list of SCION certificate authorities that should be used to renew
the SCION AS certificate of this appliance. isd_as is the ISD-AS identifier of
the AS that runs the CA. priority indicates the priority of the issuing AS.
The appliance attempts to get certificates issued from the AS with the highest priority.
The value 0 indicates the highest priority, higher numbers are lower priority.
Answer the following questions:
- How many issuers are configured?
Solution
1
- How could a fallback certificate issuer be configured?
Solution
A second issuer entry could be added to the issuers list. This entry would need a lower priority (= a higher priority number) than the first. With such a configuration, certificate renewal would always be attempted with the highest-priority issuer first and, if that fails, with the second issuer.
Task 3.4 Cluster Configuration
The cluster.peers section of the appliance configuration
and the shard_id of the SCION AS section define the cluster
configuration of the appliance. Note, this is an Anapaya-specific extension of
how a SCION AS is internally implemented while fully adhering to the
specification of the SCION protocol.
The cluster configuration is located in the cluster
section. Let us take a closer look:
For deployments with multiple appliances, this section contains the information
about other peers of the cluster and is used to synchronize SCION control-plane
(path, beacon, and topology data). In the Corpbank AS the cluster information is
configured statically and therefore the cluster.peers are listed but no
cluster.synchronization section is configured. In the list of peers, the
structure is similar to the local configuration but only the relevant fields for
the cluster configuration are present. The configuration includes:
- control.address: the address for peer-to-peer communication of the SCION control service.
- isd_as: the ISD-AS number.
- shard_id: the unique identifier of the peer within the AS.
- neighbors: the list of neighbors that the peer is connected to.
Answer the following questions:
- How many appliances are in the cluster?
Solution
There are 2 appliances in the cluster. One is the local appliance that you are investigating in this exercise. The other appliance is listed in the cluster section. It is edge.geneva.corpbank.
- What is the shard ID of the local shard?
Solution
The shard ID is 2.
Task 4. Secret Management
Time estimate: 5 minutes
The appliance requires various secrets to operate. The secret management architecture is designed to safeguard sensitive information by preventing unauthorized access and disclosure.
The plain text secrets are provisioned with a unique secret identifier. The identifier is then used to securely reference the secret within the appliance configuration.
Once the secret is provisioned, only components that need access to the secrets can access the plain text secret.
Use the appliance-cli command to view the existing secret identifiers.
operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli get secrets
Let's now add a dummy secret to the appliance with an identifier that can be used later in the appliance configuration:
operator@training:~/workspace$ appliance-cli secrets add my-new-secret@1
You can also pipe your plaintext secret from a file:
operator@training:~/workspace$ echo "myPassword" > secret.txt
operator@training:~/workspace$ cat secret.txt | appliance-cli secrets add another-secret@1
Note that this leaves the password in plain text in secret.txt in your workspace, and the echo line in your shell history. Outside the training environment, delete the file as soon as the secret has been provisioned, and write it with restrictive permissions in the first place.
Check the existing secret identifiers again to see the newly added secret identifier:
operator@training:~/workspace$ appliance-cli get secrets
Task 5. Exploring the SCION Network
Time estimate: 15 minutes
The scion showpaths command lets network administrators explore the
SCION network. The command showpaths takes
the destination AS as input, and then requests paths from the SCION Daemon
and displays them in a human-readable format. Showpaths
also supports command line arguments to display additional information
about the path (e.g., path expiration time or path status).
To run showpaths, in the CLI log into a host with a running SCION Daemon.
For example, log into edge.zurich.corpbank host by running:
operator@training:~/workspace$ lxc shell edge-zurich-corpbank
Then, use the showpaths command to display all the paths to the
Webspeed AS:
root@edge-zurich-corpbank:~# scion showpaths 1-ff00:1:1
Available paths to 1-ff00:1:1
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[1] Hops: [1-ff00:1:2 2>3 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
Note that in this command we used 1-ff00:1:1 because this is the
ISD-AS for the Webspeed AS, as you can see in the diagram from above.
The output indicates that there are two paths to the Webspeed AS. The paths are represented as a sequence of AS hops and interface-pairs that are traversed. An interface pair is represented as eg>in, where eg is the egress interface ID, and in is the ingress interface ID. In the second path in the example above, a packet on the path exits the Corpbank Switzerland AS (1-ff00:1:2) on the egress interface 2 and enters the Webspeed AS (1-ff00:1:1) on the ingress interface 3.
The MTU and the next hop on this path are also displayed. The next hop indicates the internal address of the border router a packet has to be forwarded to when using this path.
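The hop notation above is easy to read but tedious to reason about across many paths. The following added example (written for this tutorial; it is not part of the page or of the scion tool) parses the one-line showpaths output into AS hops with their ingress and egress interface IDs, and then applies a sender-side policy to the result: keep only alive paths, optionally only those whose transit ASes are on an allow-list, and count how many paths leave via each local border router. The sample is the showpaths output from the solution further below, with path [2] changed by hand to Status: timeout to exercise the liveness filter; that the timeout status is printed in lowercase is an assumption, since the page only shows alive paths.

```python
"""Parse one-line `scion showpaths` output and apply a path policy to it.

Added example for the SCION training page; not code from the page or from the
scion command line tools. SAMPLE is the tutorial's showpaths output with path
[2] changed by hand to "timeout". The regular expression targets the
non-extended (one line per path) format only; for scripting against a live
daemon the machine-readable `scion showpaths -j` output is the robust input.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """Available paths to 1-ff00:1:3
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[1] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[2] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042 Status: timeout LocalIP: 10.2.0.2
[3] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
"""

PATH_RE = re.compile(
    r"^\[(?P<idx>\d+)\]\s+Hops:\s+\[(?P<hops>[^\]]+)\]\s+MTU:\s+(?P<mtu>\d+)"
    r"\s+NextHop:\s+(?P<next_hop>\S+)\s+Status:\s+(?P<status>\S+)"
    r"(?:\s+LocalIP:\s+(?P<local_ip>\S+))?"
)


@dataclass(frozen=True)
class Hop:
    isd_as: str
    ingress: Optional[int]  # interface the packet enters this AS on; None at the source
    egress: Optional[int]   # interface the packet leaves this AS on; None at the destination


@dataclass
class Path:
    index: int
    hops: List[Hop]
    mtu: int
    next_hop: str           # internal address of the border router to hand the packet to
    status: str             # alive, timeout or SCMP, as reported by the probe
    local_ip: Optional[str]

    @property
    def alive(self) -> bool:
        return self.status == "alive"

    @property
    def transit_ases(self) -> List[str]:
        """Every AS between source and destination, in forwarding order."""
        return [h.isd_as for h in self.hops[1:-1]]


def parse_hops(field: str) -> List[Hop]:
    """Turn "A eg>in B eg>in C" into Hop(A, None, eg), Hop(B, in, eg), Hop(C, in, None)."""
    tokens = field.split()
    ases, pairs = tokens[0::2], tokens[1::2]
    if len(ases) != len(pairs) + 1:
        raise ValueError(f"malformed hop list: {field!r}")
    hops, ingress = [], None
    for i, isd_as in enumerate(ases):
        egress = next_ingress = None
        if i < len(pairs):
            eg, ing = pairs[i].split(">")
            egress, next_ingress = int(eg), int(ing)
        hops.append(Hop(isd_as, ingress, egress))
        ingress = next_ingress
    return hops


def parse_showpaths(text: str) -> List[Path]:
    paths = []
    for line in text.splitlines():
        m = PATH_RE.match(line.strip())
        if m is None:  # header line, blank line, or a line of the extended format
            continue
        paths.append(Path(int(m["idx"]), parse_hops(m["hops"]), int(m["mtu"]),
                          m["next_hop"], m["status"], m["local_ip"]))
    return paths


def usable_paths(paths: List[Path], allowed_transit: Optional[List[str]] = None) -> List[Path]:
    """Alive paths whose transit ASes are all on the allow-list, if one is given.

    In SCION the sender picks the path, so a policy such as "never transit
    AS X" is enforced here, before a path is handed to the application."""
    allowed = None if allowed_transit is None else set(allowed_transit)
    return [p for p in paths
            if p.alive and (allowed is None or set(p.transit_ases) <= allowed)]


def egress_distribution(paths: List[Path]) -> Dict[int, int]:
    """Number of paths leaving the local AS over each local egress interface,
    i.e. over each border router that appears as NextHop."""
    counts: Dict[int, int] = {}
    for p in paths:
        counts[p.hops[0].egress] = counts.get(p.hops[0].egress, 0) + 1
    return counts


if __name__ == "__main__":
    # scion showpaths 1-ff00:1:3 | python3 paths.py
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for p in usable_paths(parse_showpaths(text), allowed_transit=["1-ff00:1:1"]):
        print(p.index, [h.isd_as for h in p.hops], "via", p.next_hop)
```

On the sample, the allow-list of just the Webspeed AS keeps paths 0, 1 and 3; an empty allow-list rejects every path, which is the behaviour you want from a deny-by-default policy when a destination is only reachable through an AS you do not trust.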
Due to path caching, showpaths might sometimes show fewer paths than the solutions to these questions. If that is the case, ask showpaths to fetch new paths using the --refresh flag.
Using showpaths, answer the following questions:
- How many paths are available to the Stabank Private Banking AS (1-ff00:1:3)?
Solution
There should be four alive paths:
root@edge-zurich-corpbank:~# scion showpaths 1-ff00:1:3
Available paths to 1-ff00:1:3
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[1] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[2] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
[3] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
- What is the SCION MTU on the paths to the Stabank Private Banking AS?
Solution
The SCION MTU is 1472.
- How long does it take until the paths to the Stabank Private Banking AS expire?
You will need to supply an additional flag to showpaths to find this out. Use scion help showpaths or scion showpaths --help to see the list of supported flags.
Solution
root@edge-zurich-corpbank:~# scion help showpaths
# [... output omitted ...]
Flags:
--dispatcher string Path to the dispatcher socket (default "/run/shm/dispatcher/default.sock")
--epic Enable EPIC.
-e, --extended Show extended path meta data information
-h, --help help for showpaths
--isd-as isd-as The local ISD-AS to use. (default 0-0)
-j, --json Write the output as machine readable json
-l, --local ip Local IP address to listen on. (default zero IP)
--log.level string Console logging level verbosity (debug|info|error)
-m, --maxpaths int Maximum number of paths that are displayed (default 10)
--no-color disable colored output
--no-probe Do not probe the paths and print the health status
-r, --refresh Set refresh flag for SCION Daemon path request
--sciond string SCION Daemon address. (default "127.0.0.1:30255")
--sequence string Space separated list of hop predicates
--timeout duration Timeout (default 5s)
--tracing.agent string Tracing agent address
The -e flag is the one we are looking for here:
root@edge-zurich-corpbank:~# scion showpaths -e 1-ff00:1:3
Available paths to 1-ff00:1:3
3 Hops:
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3]
MTU: 1472
NextHop: 10.2.0.1:30042
Expires: 2023-03-14 14:40:38 +0000 UTC (5h55m16s)
SupportsEPIC: false
Status: alive
LocalIP: 10.2.0.2
[1] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 4>2 1-ff00:1:3]
MTU: 1472
NextHop: 10.2.0.1:30042
Expires: 2023-03-14 14:40:41 +0000 UTC (5h55m19s)
SupportsEPIC: false
Status: alive
LocalIP: 10.2.0.2
[2] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 2>1 1-ff00:1:3]
MTU: 1472
NextHop: 10.2.0.2:30042
Expires: 2023-03-14 14:40:38 +0000 UTC (5h55m16s)
SupportsEPIC: false
Status: alive
LocalIP: 10.2.0.2
[3] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 4>2 1-ff00:1:3]
MTU: 1472
NextHop: 10.2.0.2:30042
Expires: 2023-03-14 14:40:41 +0000 UTC (5h55m19s)
SupportsEPIC: false
Status: alive
LocalIP: 10.2.0.2
By default, showpaths probes the paths it displays by sending probe packets across each of them and waiting for a response. A path is in one of the following three states:
- Alive: The response from the destination AS was received.
- Timeout: No response to the probe packet was received from the destination AS.
- SCMP: A SCION Control Message Protocol (SCMP) error was received in response to the probe packet. (You will learn more about SCMP in the SCMP task.)
If this behavior is not desired, probing can be deactivated by providing
the --no-probe flag.
Using showpaths, answer the following questions from the perspective of the
Stabank Private Banking AS. Note that you need to run the showpaths command
from the edge.lugano.stabank host of the Stabank Private Banking AS.
operator@training:~/workspace$ lxc shell edge-lugano-stabank
- How many paths to the Corpbank Switzerland AS (1-ff00:1:2) are alive?
Solution
root@edge-lugano-stabank:~# scion showpaths 1-ff00:1:2
Available paths to 1-ff00:1:2
[0] Hops: [1-ff00:1:3 1>2 1-ff00:1:1 1>1 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[1] Hops: [1-ff00:1:3 1>2 1-ff00:1:1 3>2 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[2] Hops: [1-ff00:1:3 2>4 1-ff00:1:1 1>1 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[3] Hops: [1-ff00:1:3 2>4 1-ff00:1:1 3>2 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
There should be four alive paths.
- How many ASes are in the paths to the Corpbank Switzerland AS (1-ff00:1:2)?
Solution
root@edge-lugano-stabank:~# scion showpaths 1-ff00:1:2
Available paths to 1-ff00:1:2
[0] Hops: [1-ff00:1:3 1>2 1-ff00:1:1 1>1 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[1] Hops: [1-ff00:1:3 1>2 1-ff00:1:1 3>2 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[2] Hops: [1-ff00:1:3 2>4 1-ff00:1:1 1>1 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[3] Hops: [1-ff00:1:3 2>4 1-ff00:1:1 3>2 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
All paths have three ASes in their list.
- Compare the paths from the Corpbank Switzerland AS to the Stabank Private Banking AS with the paths from the Stabank Private Banking AS to the Corpbank Switzerland AS. What are the differences?
Tip
root@edge-zurich-corpbank:~# scion showpaths 1-ff00:1:3
Solution
The set of paths in both settings are essentially the same, except that the hops on each path are in the reverse order.
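The eg>in hop notation introduced above and the reversal observed in the last question can be checked mechanically. The following is an added example, not part of the training material: it parses the one-line showpaths listings from this page (copied inline as sample input), counts alive paths and ASes, and verifies that every Corpbank-to-Stabank path is exactly one Stabank-to-Corpbank path with the AS order and each interface pair reversed. Path, parse_showpaths, alive and same_paths_reversed are this example's own names.

```python
# Added example (not from the Anapaya training material): parse the one-line
# "scion showpaths" listing shown above and check the hop-reversal claim.
import re
from dataclasses import dataclass

# Sample input copied from the tutorial's two showpaths listings (constructed inline).
CORPBANK_TO_STABANK = """\
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[1] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[2] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
[3] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
"""
STABANK_TO_CORPBANK = """\
[0] Hops: [1-ff00:1:3 1>2 1-ff00:1:1 1>1 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[1] Hops: [1-ff00:1:3 1>2 1-ff00:1:1 3>2 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[2] Hops: [1-ff00:1:3 2>4 1-ff00:1:1 1>1 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
[3] Hops: [1-ff00:1:3 2>4 1-ff00:1:1 3>2 1-ff00:1:2] MTU: 1472 NextHop: 10.8.0.1:30042 Status: alive LocalIP: 10.8.0.1
"""

LINE_RE = re.compile(r"Hops: \[(?P<hops>[^\]]+)\] MTU: (?P<mtu>\d+) "
                     r"NextHop: (?P<nexthop>\S+) Status: (?P<status>\w+)")

@dataclass(frozen=True)
class Path:
    ases: tuple    # ISD-AS of every AS on the path, in order
    links: tuple   # one (egress_id, ingress_id) pair per AS-to-AS crossing
    mtu: int
    next_hop: str  # internal address of the border router to forward to
    status: str    # alive | timeout | scmp (probing result)

    def reverse(self) -> "Path":
        # Walking the path backwards swaps the role of each interface pair:
        # the ingress interface becomes the egress one and vice versa.
        return Path(tuple(reversed(self.ases)),
                    tuple((ig, eg) for eg, ig in reversed(self.links)),
                    self.mtu, self.next_hop, self.status)

def parse_showpaths(text: str) -> list:
    paths = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # header line or unrelated output
        tokens = m["hops"].split()         # AS, eg>in, AS, eg>in, AS, ...
        ases = tuple(tokens[0::2])
        links = tuple(tuple(int(x) for x in t.split(">")) for t in tokens[1::2])
        paths.append(Path(ases, links, int(m["mtu"]), m["nexthop"], m["status"]))
    return paths

def alive(paths: list) -> list:
    return [p for p in paths if p.status == "alive"]

def same_paths_reversed(forward: list, backward: list) -> bool:
    # Same path set iff every reversed forward path appears in the backward listing and vice versa.
    fwd = {(p.ases, p.links) for p in (q.reverse() for q in forward)}
    return fwd == {(p.ases, p.links) for p in backward}
```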
The tool gets its paths by requesting them from the SCION Daemon, which maintains a path cache. Subsequent path requests to the SCION Daemon will be served from this cache, until a predefined interval has passed and the SCION Daemon fetches new paths.
While you are still on the host of the Stabank Private Banking AS, run:
root@edge-lugano-stabank:~# watch scion showpaths -e 1-ff00:1:2
The showpaths command is executed every 2 seconds. The expiration times of the paths change. The time to expiry, indicated in the brackets after the expiration time, is decreasing.
Stop the command by hitting Ctrl+C.
Task 6. Network Checks using SCMP
Time estimate: 15 minutes
The SCION Control Message Protocol (SCMP) is analogous to the Internet Control Message Protocol (ICMP) and provides the following functionalities:
- Network diagnostic: SCMP is used to implement network debugging tools such as the SCION equivalents of ping or traceroute.
- Error messages: SCMP is used by SCION applications (e.g., routers and dispatchers) to signal problems encountered during packet processing or to inform end hosts about network-layer problems.
The scion tool uses SCMP to gather information about the
network.
To see the command line arguments of scion, log into
one of the hosts, e.g. edge.zurich.corpbank, and then run scion help:
operator@training:~/workspace$ lxc shell edge-zurich-corpbank
root@edge-zurich-corpbank:~# scion help
The scion tool provides two sub-commands which use SCMP to gather information:
traceroute and ping.
traceroute is similar to IP traceroute; it sends multiple SCMP packets and each packet is crafted so that a different router in the path replies. ping is similar to IP ping; it sends a specified number of packets at a given interval and prints out the round-trip time.
Check how the Corpbank Switzerland AS communicates to the Stabank Private Banking AS over SCION:
Run the following scion commands from the host
edge.zurich.corpbank, which you should already be logged into:
root@edge-zurich-corpbank:~# scion ping -c 1 1-ff00:1:3,10.8.0.1
Resolved local address:
10.2.0.2
Using path:
Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042
PING 1-ff00:1:3,10.8.0.1:0 pld=0B scion_pkt=112B
120 bytes from 1-ff00:1:3,10.8.0.1: scmp_seq=0 time=2.384ms
--- 1-ff00:1:3,10.8.0.1 statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 3.486ms
And also run
root@edge-zurich-corpbank:~# scion traceroute 1-ff00:1:3,10.8.0.1
Resolved local address:
10.2.0.2
Using path:
Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042
0 1-ff00:1:2,10.2.0.1:0 IfID=1 813µs 462µs 333µs
1 1-ff00:1:1,10.1.0.1:0 IfID=1 897µs 529µs 487µs
2 1-ff00:1:1,10.1.0.1:0 IfID=2 810µs 661µs 464µs
3 1-ff00:1:3,10.8.0.1:0 IfID=1 878µs 687µs 663µs
Above, we used the fact that the ISD-AS of the Stabank Private
Banking AS is equal to 1-ff00:1:3. To find the IP address which is used in
the commands, you can check the information of the relevant host in the diagram from above.
Note that you can only scion ping a host that has a SCION network stack, i.e., the EDGE
gateway (10.8.0.1). The endhost (10.8.0.2) will not respond to scion ping.
Furthermore, when the -c flag is set, ping sends
the specified number of SCMP echo packets and reports back the statistics. You
can familiarize yourself with different flags supported by the SCION ping and
traceroute commands by running scion ping --help and scion traceroute --help.
- Perform a SCION ping from the Lugano EDGE to the Corpbank Switzerland AS.
Solution
root@edge-lugano-stabank:~# scion ping -c 1 1-ff00:1:2,10.2.0.2
- Perform a SCION traceroute command to the Corpbank Switzerland AS from the same host.
Solution
root@edge-lugano-stabank:~# scion traceroute 1-ff00:1:2,10.2.0.2
scion can also run from machines without a local SCION Daemon; however
if this is the case, the --sciond command line argument is required,
which takes the address of the desired SCION Daemon as an argument.
The scion tool also gives you the possibility to select the path
on which you want to execute your ping or traceroute command.
For this you need to use the --interactive flag. For example,
we run the command below from the host edge.zurich.corpbank:
root@edge-zurich-corpbank:~# scion ping --interactive 1-ff00:1:3,10.8.0.1
Available paths to 1-ff00:1:3:
3 Hops:
[ 0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042
[ 1] Hops: [1-ff00:1:2 1>1 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042
[ 2] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042
[ 3] Hops: [1-ff00:1:2 2>3 1-ff00:1:1 4>2 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.2:30042
Choose path: 0
Resolved local address:
10.2.0.2
Using path:
Hops: [1-ff00:1:2 1>1 1-ff00:1:1 2>1 1-ff00:1:3] MTU: 1472 NextHop: 10.2.0.1:30042
PING 1-ff00:1:3,10.8.0.1:0 pld=0B scion_pkt=112B
120 bytes from 1-ff00:1:3,10.8.0.1: scmp_seq=0 time=54.561ms
120 bytes from 1-ff00:1:3,10.8.0.1: scmp_seq=1 time=55.644ms
120 bytes from 1-ff00:1:3,10.8.0.1: scmp_seq=2 time=44.099ms
120 bytes from 1-ff00:1:3,10.8.0.1: scmp_seq=3 time=46.876ms
As you can see after executing the command, you can
choose your desired path. In the above example, the path number
`0` is chosen.
Run the traceroute tool and choose the path which leaves on the interface
number 1.
Solution
root@edge-zurich-corpbank:~# scion traceroute --interactive 1-ff00:1:1,10.1.0.1
Available paths to 1-ff00:1:1:
2 Hops:
[ 0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.1:30042
[ 1] Hops: [1-ff00:1:2 2>3 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.2:30042
Choose path: 0
Resolved local address:
10.2.0.2
Using path:
Hops: [1-ff00:1:2 1>1 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.1:30042
0 1-ff00:1:2,10.2.0.1:0 IfID=1 15.302ms 20.547ms 15.547ms
1 1-ff00:1:1,10.1.0.1:0 IfID=1 31.061ms 41.161ms 31.099ms
In addition to the flag --interactive, the scion tool
provides the sequence option which gives you even more flexibility
in the choice of path for the execution of ping and traceroute.
You can read about how it works by running scion ping --help or
scion traceroute --help.
Bonus task 1. Traffic Interception with TShark
Time estimate: 10 minutes
This task is only solvable using the CLI.
TShark is a network protocol analyzer that can be used to inspect live network traffic, see Wireshark man page for more information about this tool.
To use TShark, you first need to make sure that it is installed on the machine
where the TShark commands to capture traffic will be run. For the purpose of
this task, you should log into the host
edge.lugano.stabank and run TShark; more precisely, run the following commands
operator@training:~/workspace$ lxc shell edge-lugano-stabank
root@edge-lugano-stabank:~# tshark
Running as user "root" and group "root". This could be dangerous.
Capturing on 'vlan'
^C0 packets captured
As you observe, TShark is capturing packets from the default interface, which
is vlan in this case.
You can quit the live capturing any time by exiting the program using Ctrl+C.
That's what is also done in the above command.
To capture traffic from any interface run
root@edge-lugano-stabank:~# tshark -i any
The output is perhaps quite overwhelming; thus, you might want to stop
TShark shortly after starting it by pressing Ctrl+C.
The output of the tshark command is always in the following format
<seq-id> <timestamp> <src> -> <dst> <protocol> <protocol specific info>
The seq-id is an increasing ID that starts at 0 and increments by one
for each captured packet. The timestamp indicates the time since starting the
capture. The src and dst values represent source and destination IP addresses
of the packet. The protocol represents the protocol in use; you should be able to
see packets with various protocols such as “HTTP”, “ICMP”, “TCP”, “BFD”, “UDP”, etc.
Finally, the last part of the capture line presents information that is specific
to the protocol.
TShark supports various packet filtering mechanisms. We
already used one common filter, the -i flag. This flag can be used to select
the desired interface(s). For example, the command tshark -i eno5 will show
only packets that go through the eno5 interface.
More specific filters can be written in a custom packet filter language (see the
wireshark wiki). For instance, to
show all traffic that has IP destination address 10.1.172.120, use the following
command
root@edge-lugano-stabank:~# tshark -i any dst 10.1.172.120
Multiple filters can be combined with the and operator, for example to
additionally filter for the port 42001 run the following command
root@edge-lugano-stabank:~# tshark -i any dst 10.1.172.120 and port 42001
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'
1 0.000000000 10.1.172.228 → 10.1.172.120 HTTP 379 GET /metrics HTTP/1.1
2 0.083848673 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=180 Win=5411 Len=0 TSval=2332552866 TSecr=1064605497
3 0.121467882 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=4276 Win=5411 Len=0 TSval=2332552904 TSecr=1064605535
4 0.121510814 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=11516 Win=5399 Len=0 TSval=2332552904 TSecr=1064605535
5 0.121527229 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=18756 Win=5366 Len=0 TSval=2332552904 TSecr=1064605535
6 0.121543679 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=32954 Win=5310 Len=0 TSval=2332552904 TSecr=1064605535
7 0.121562316 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=32956 Win=5310 Len=0 TSval=2332552904 TSecr=1064605535
8 0.123296796 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=37052 Win=5411 Len=0 TSval=2332552905 TSecr=1064605536
9 0.123327364 10.1.172.228 → 10.1.172.120 TCP 68 37238 → 42001 [ACK] Seq=312 Ack=51532 Win=5371 Len=0 TSval=2332552906 TSecr=1064605537
^C9 packets captured
The default filtering is too limited to inspect the SCION traffic. Therefore, we
provide a plugin that allows us to filter on the SCION layer. For example, the
filters scion.src_as and scion.dst_as can be used to filter the packets
according to their source and destination AS. The following command prints out
only the packets whose destination AS is equal to ff00:1:2
root@edge-lugano-stabank:~# tshark -i any -Y 'scion.dst_as == "ff00:1:2"'
As mentioned above, there are packets with various protocols. We can also filter according
to our desired protocols. For example, scion.next_hdr != BFD in the command below
makes sure that no packet from the Bidirectional Forwarding Detection (BFD) protocol
is shown
root@edge-lugano-stabank:~# tshark -i any -Y 'scion.next_hdr != "BFD"'
Or, for example, you can filter for the SCMP packets by running
root@edge-lugano-stabank:~# tshark -i any -Y 'scion.next_hdr == "SCMP"'
Now, use TShark to see how the SCMP traceroute requests flow through
the host edge.zurich.corpbank. Run the below command on the host
edge.lugano.stabank (you should already be logged in there)
root@edge-lugano-stabank:~# watch scion traceroute 1-ff00:1:2,10.2.0.2
Now, log into the host edge.zurich.corpbank and use the suitable
tshark command to filter for SCMP traffic. More precisely, you need
to run the following two commands
operator@training:~/workspace$ lxc shell edge-zurich-corpbank
root@edge-zurich-corpbank:~# tshark -i any -Y 'scion.next_hdr == "SCMP"'
You can tighten your filter by selecting your desired type of SCMP
traffic. For example, the command below will show only the packets whose
type is scmpTracerouteReqCodes (corresponding to 130)
root@edge-zurich-corpbank:~# tshark -i any -Y 'scion.next_hdr == "SCMP" and scmp.type == 130'
For more information about TShark SCION filters, see the SCION Wireshark plugin. Inspect the filters used above and discover what other filters can be applied.
You can use the -V flag in the tshark commands to print full packets.
What is the right command to filter all packets with the source AS
ff00:1:3 and not with protocol "BFD"?
Solution
tshark -i any -Y 'scion.src_as == "ff00:1:3" and scion.next_hdr != "BFD"'