Appliance Configuration
Time estimate: 45 minutes
In this exercise, you will learn to configure SCION services in a minimally prepared appliance. The goal is to turn this minimally configured appliance into a fully setup appliance that is part of a two-node SCION AS cluster.
Unless stated otherwise, all commands are assumed to be run from the
workspace directory on your training VM. The built-in terminal in
the editor will put you automatically in the right
directory. To open the built-in terminal use the Ctrl+` shortcut.
Alternatively, you can click the Menu button in the top left, then
select View -> Show Terminal . This will bring up the terminal and puts
you in the correct working directory (~/workspace) for all the tasks in
this training.
The host that you will configure is called edge.zurich.corpbank. A more detailed view of the
network in the Corpbank Switzerland AS can be found below:
TODO: Training Corpbank Image Placeholder
To get started with this exercise, run the following command
operator@training:~/workspace$ ./appliance_config_exercise setup
This command executes a script which introduces the necessary changes for this exercise.
If you need to revert the changes made by the above command at any time during this exercise, you can run the following command:
operator@training:~/workspace$ ./appliance_config_exercise restore
Now, download the minimal configuration of the host edge.zurich.corpbank by running the
following commands:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli get config > edge.zurich.corpbank.appliance.json
Download the full configuration of the other node in the cluster edge.geneva.corpbank by running:
operator@training:~/workspace$ appliance-cli context select edge.geneva.corpbank
operator@training:~/workspace$ appliance-cli get config > edge.geneva.corpbank.appliance.json
Open the minimal appliance configuration in the file edge.zurich.corpbank.appliance.json in
your VSCode editor. You can also open the full configuration of the Geneva host,
edge.geneva.corpbank.appliance.json. You will need the Geneva configuration to cross-check
some information later:
operator@training:~/workspace$ code-server edge.zurich.corpbank.appliance.json
operator@training:~/workspace$ code-server edge.geneva.corpbank.appliance.json
Next, you will go through the individual sections of the appliance and set it up. You can make
all your desired changes directly in the edge.zurich.corpbank.appliance.json file. At some
points during the exercise, you will be asked to push this configuration file to validate the
configuration.
To get the full documentation of all the fields in the appliance configuration file please refer to the Anapaya Configuration documentation
The editor has built-in support for the appliance configuration schema. You can get contextual help for each configuration entry by hovering your mouse over the entry. Furthermore, you can use the Ctrl+Space shortcut to get autocompletion suggestions (useful for editing the configuration in later exercises).
Copying and pasting the relevant sections from the configuration of edge.geneva.corpbank and
applying the necessary changes is a viable approach to solving the following tasks.
Task 1. Configure the SCION AS Section
The scion/ases list contains the AS local information of each AS. In this case, the list
contains only one element. The purpose of this task is to fill in all the entries for this element.
We go through all the entries one by one and guide you how to find their values. However, to get a
detailed description of any of the entries, you can check Anapaya Configuration documentation.
Configure the General AS Information
Let us start by completing some configuration data about general AS information.
isd_asis the ISD-AS identifier of the SCION AS.coreindicate whether the AS is a core AS in its ISD.scion_mtuis the Maximum Transmission Unit (MTU) in bytes for SCION packets.shard_idis the shard ID of the local control and router group. This needs to unique within the AS.forwarding_key_refis the secret identifier referencing the forwarding key used to verify the AS hopfield in the SCION path.detailsis user-defined details about the SCION AS for informational purpose.defaultindicates whether the respective SCION AS should be used by default as the source AS by SCION applications, e.g.,scion pingor showpaths. The configurations with more than one default ASes will be rejected because there can only be one default AS. If there is only a single AS configured, it will be the default, regardless of the value ofdefault.
Since most the above entries are AS related rather than host related, they can be borrowed from the
configuration of the other host in this AS, namely edge.geneva.corpbank. The exceptions are:
shard_id: use the value2for this exercise.forwarding_key_ref: provision the secret located in the fileforwarding-key-1-ff00:1:2.txtand use the reference for this field.
Solution
Provision the secret:
operator@training:~/workspace$ lxc shell edge-zurich-corpbank
root@edge-zurich-corpbank:~# cat forwarding-key-1-ff00:1:2.txt | appliance-cli secrets add forwarding-key@1
If you use a different secret identifier, the reference in your configuration will differ.
Configure the Neighbors
The neighbors section lists the direct neighbors of the AS you are configuring. You can find
the neighboring AS on the diagram. The following values need to be configured:
neighbor_isd_asis the ISD-AS identifier of the neighboring AS.relationshipis the relationship that the neighboring AS has with the local AS. This can beCHILDfor downstream ASes,PARENTfor upstream ASes, orCOREfor links between core ASes.interfaceslists the SCION interfaces between the local and the remote ISD-AS. It has the following subsections:interface_idconfigures the local ID of this interface. The interface id needs to be agreed upon and communicated with the remote side of the peering. For this exercise, let's assume this agreement already has happened. You can find the interface id on the diagram.administrative_stateconfigures the state of the interface. This has to beUP.addressconfigures the local UDP/IP underlay address of this interface. This underlay needs to be agreed upon with the remote side of the peering. For this exercise, let's assume this agreement already has happened. You can find the address information in the diagram.remoteconfigures the remote side of the interface. It contains both aninterface_idand anaddresssimilar to the local information. All these values are given to us by the remote side of the peering. You can find them in the diagram.scion_mtuconfigures the Maximum Transmission Unit (MTU) for the link of this interface. If not set, the default value of 1472 bytes will be used, which corresponds to an IPv4 underlay network.bfdconfigures the Bidirectional Forwarding Detection (BFD) that is used to check the connectivity between the local and neighboring router. You can copy this section from the configuration ofedge.geneva.corpbank.
Solution
Configure the SCION Router
The router section is for the SCION router. It has an internal_interface and an enabled
field. The internal_interface field needs to match the next hop address of the sibling interface
in thecluster.peers.scion.ases.neighbors section of the edge.geneva.corpbank host.
Solution
Configure the Control Service
The control section is for the SCION control service. It has an address field and an enabled
field. The address needs to match the address of the control service in the
cluster.peers.scion.ases.control section of the edge.geneva.corpbank host. The enabled field
indicates whether the control service should be enabled, it is a boolean value and should be true.
Solution
Configure the CPPKI Section
The cppki section includes information about the SCION Control Plane Public Key Infrastructure
(CPPKI). It includes a list of issuers that issue certificates for this AS. The list of issuers is
tried in order of their priority. If no issuer is set explicitly, the renewal process will use the
issuer of the newest existing SCION CPPKI AS Certificate.
Each issuer includes an isd_as field which is the ISD-AS identifier of the issuing AS and a
priority field which is the priority of the issuing AS. The value 0 indicates the highest
priority and higher numbers correspond to lower priority.
In this case, you can perhaps guess that the issuer is the Webspeed AS and it has priority 0 since
it is the only issuer. However, this information can be deduced from the scion.ases.cppki section
in the configuration file of the host edge.geneva.corpbank.
Solution
Configure the Cluster Section
The cluster section configures the peers of the appliance in the cluster. There are two modes for clustering: Automatic topology synchronization and statically configured topology information. The topology information contains the service addresses of the SCION services, and SCION link information to neighbors. In this edge deployment, we are using statically configured information. In the core at webspeed, however, we are using automatic topology synchronization, which you will discover in another exercise.
A statically configured peer requires the following fields:
nameis the name that is used by the appliance to refer to that peer. Useedge.geneva.corpbankfor this exercise.scionconfigures the SCION related information for that peer.scion_tunnelingconfigures the IP-in-SCION tunneling related information for that peer.
Fill in the appropriate values for to configure edge.geneva.corpbank as the peer.
The structure of the scion and scion_tunneling sections in the peer entry are very similar to
the top level scion and scion_tunneling sections, which lends itself to copy paste the
information. Pay close attention to cluster.peers.scion.ases.neighbors because the structure
is slightly different there.
Refer to the Anapaya Configuration documentation to see which fields are required.
Solution
Testing paths
So far, if you run showpaths on the Zurich side it should fail:
operator@training:~/workspace$ lxc shell edge-zurich-corpbank
root@edge-zurich-corpbank:~# scion showpaths 1-ff00:1:1 -r
Error: connecting to the SCION Daemon{addr=127.0.0.1:30255}: dialing: context deadline exceeded
The error returned indicates that there is no SCION daemon configured. SCION daemon is a process
that performs path lookups for SCION applications, i.e., showpaths in this case. The daemon is
configured once a SCION configuration is pushed to the appliance. However, even if the daemon would
exist, there would not be any path to 1-ff00:1:1, as the SCION interface is not yet configured.
On the Geneva side showpaths should only show one path that is alive:
operator@training:~/workspace$ lxc shell edge-geneva-corpbank
root@edge.geneva.corpbank:~# scion showpaths 1-ff00:1:1 -r
Available paths to 1-ff00:1:1
2 Hops:
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.1
[1] Hops: [1-ff00:1:2 2>3 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.2:30042 Status: timeout LocalIP: 10.2.0.1
Publish Changes
Now let's publish the updated configuration to the appliance.
Combine all your solutions from above to create a complete scion section in the configuration
file. Then, you can apply this configuration by running the following command:
operator@training:~/workspace$ appliance-cli context select edge.zurich.corpbank
operator@training:~/workspace$ appliance-cli put config <edge.zurich.corpbank.appliance.json
If there is any mistake in the configuration file, you will receive some validation errors. If this happens, please read the error messages carefully and fix the reported problems.
Note that there should be no red squiggly lines in the json file.
Once you update the configuration of the Zurich appliance without any validation errors, the
showpaths command should start functioning as desired:
root@edge-zurich-corpbank:~# scion showpaths 1-ff00:1:1 -r
Available paths to 1-ff00:1:1
2 Hops:
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.2
[1] Hops: [1-ff00:1:2 2>3 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.2
root@edge.geneva.corpbank:~# scion showpaths 1-ff00:1:1 -r
Available paths to 1-ff00:1:1
2 Hops:
[0] Hops: [1-ff00:1:2 1>1 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.1:30042 Status: alive LocalIP: 10.2.0.1
[1] Hops: [1-ff00:1:2 2>3 1-ff00:1:1] MTU: 1472 NextHop: 10.2.0.2:30042 Status: alive LocalIP: 10.2.0.1
Solution
Task 2. Configure the SCION Tunneling Section
In this task, you will configure the IP-in-SCION tunneling.
To fully set up IP-in-SCION tunneling you will need to configure the SCION Gateway Routing Protocol (SGRP). There is a dedicated exercise for that IP-in-SCION Tunneling: Basics. In this task, you will only look at configuring the tunneling endpoint and the rest of the tunneling configuration is given to you.
You need to configure the section scion_tunneling.endpoint. This configures the IP-in-SCION tunnel
endpoint on this host. A tunnel endpoint consists of an IP address, and a series of ports.
Furthermore, it has an enabled flag to enable or disable the endpoint. Check the
Anapaya Configuration documentation
for more information.
For this task, you will be asked to complete the scion_tunneling.endpoint section. You can derive
all the aforementioned entries from the section cluster.peers.scion_tunneling.endpoint in the
configuration file edge.geneva.corpbank.appliance.json.
Solution
Finally, the scion_tunneling has various sections that are related to setting up domains and
traffic policies. These values will be covered in a dedicated exercise. For now, copy the following
values to the scion_tunneling section.
Solution
Now push the updated configuration to the appliance in edge.zurich.corpbank:
operator@training:~/workspace$ appliance-cli put config <edge.zurich.corpbank.appliance.json
Testing connectivity
Let's test that IP pinging between the Corpbank end host in Zurich and the Stabank end host in Lugano.
First log into the Stabank end host:
operator@training:~/workspace$ lxc shell endhost-lugano-stabank
Then, run ping to the end host in the Corpbank AS (check the diagram for details):
root@endhost-lugano-stabank:~# ping 10.2.0.3
PING 10.2.0.3 (10.2.0.3) 56(84) bytes of data.
64 bytes from 10.2.0.3: icmp_seq=1 ttl=61 time=1.71 ms
64 bytes from 10.2.0.3: icmp_seq=2 ttl=61 time=0.554 ms
...
Also check the opposite direction. Log into the Corpbank end host in Zurich:
operator@training:~/workspace$ lxc shell endhost-zurich-corpbank
Then, run ping to the end host in the Stabank AS:
root@endhost-zurich-corpbank:~# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=61 time=1.97 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=61 time=0.599 ms
...
Congratulations that concludes this exercise.
Now that you are done with the exercise, restore the configruation::
operator@training:~/workspace$ ./appliance_config_exercise restore