
Adding a GATE customer

Time estimate: 30 minutes

This exercise is split into four tasks. In the first task, you will investigate the current configuration. Then, you will configure the GATE appliance of Webspeed (task 2) and the EDGE appliance of Stabank (task 3). Finally, you will verify that a user in Webspeed's network can access the service exposed by Stabank (task 4).

note

For general information on a GATE setup, please refer to the Anapaya GATE deployment example.

Overview

Multiple ISD setup

For the purpose of this exercise, we have modified the topology to include another ISD.

important

When using the scion tool suite, you need to specify the ISD-AS you want to work with by using the --isd-as flag.

For example, to work with ISD-AS 2-ff00:1:1, use:

scion showpaths 2-ff00:1:3 --isd-as 2-ff00:1:1

Refer to the diagram below, which visualizes the network topology we work on in this hands-on session. The depicted infrastructure consists of two ISDs.

[Diagram: multi-ISD topology (misd-topology.drawio.svg); the image is not included on this page]

ISD 1 is the Finance ISD and has three ASes:

  • Webspeed (ISD-AS 1-ff00:1:1)
  • Corpbank Switzerland (ISD-AS 1-ff00:1:2)
  • Stabank Private Banking (ISD-AS 1-ff00:1:3)

ISD 2 is the Switzerland ISD and has two ASes:

  • Webspeed (ISD-AS 2-ff00:1:1)
  • Stabank Private Banking (ISD-AS 2-ff00:1:3)

We can see that two of the organizations belong to two different ISDs at the same time. This is a common setup in SCION networks. Each ISD has a different governing entity, defines a trust root and can have separate membership requirements.

From the perspective of SCION and remote entities, each organization will be treated as two distinct entities in the network depending on the ISD. It is, in fact, possible to define different policies towards the same organization for the different ISDs to which it belongs.

The Webspeed AS consists of three sites in Zurich, Geneva, and Lugano. Each of these sites has one CORE instance. The CORE hosts are called core.zurich.webspeed, core.geneva.webspeed, and core.lugano.webspeed, respectively. The Zurich site also has a GATE instance called gate.zurich.webspeed. The GATE appliance is connected to the BGP network of Webspeed with a private BGP peering. The purpose of this connection is for the GATE to learn the IP prefixes which are reachable in Webspeed's BGP network and for the BGP network to learn the prefixes which are reachable in the SCION network. The GATE is also connected to the EDGE appliance of Stabank, using the IP-in-SCION tunneling functionality. The Webspeed AS is a core AS in both ISDs.

[Diagram: GATE setup (fig/gate.drawio.svg); the image is not included on this page]

The Corpbank Switzerland AS has two sites, one in Zurich and one in Geneva. Each of them has a host, called edge.zurich.corpbank and edge.geneva.corpbank, respectively. The Stabank Private Banking AS has only one site, in Lugano, with one host, called edge.lugano.stabank. Corpbank and Stabank are both leaf ASes, and each of them is connected to the Webspeed AS via two links, as depicted in the diagram. In this topology, the same physical links are reused for the connections within both ISDs; the SCION interfaces on them are, however, treated as separate logical links depending on the ISD to which they belong.

Over the course of this lab, you will be working in a cloud-hosted playground of the SCION infrastructure. All the ASes run in a virtualized environment on a cloud machine.

Routing Domains

As we saw in the IP-in-SCION Tunneling: Basics exercise, domains are an essential part of the IP-in-SCION tunneling configuration. They allow an IP-in-SCION tunneling endpoint, such as an Anapaya EDGE or an Anapaya GATE, to exchange prefix information with remote entities, enabling end-to-end communication. An IP-in-SCION tunneling endpoint can announce different prefixes to different remote entities. Additionally, they can accept different received prefixes depending on the remote entity. This enables the IP-in-SCION tunneling endpoint to have full control over which prefixes/services are reachable to which remote entities.

Another benefit of domains is that they let you define the desired communication partners without specifying how the different entities are interconnected. A domain captures the information needed for end-to-end communication, e.g. which remote ASes may reach which prefixes. How the remote users are actually connected to the organization is handled separately, by the SCION links configured on the IP-in-SCION tunneling endpoint and by the SCION backbone.

For further information on domains and on how the protocol works in detail, you can refer to our documentation.

Preparation

important

This step is required to follow the hands-on session.

From the cloud machine, run the setup script:

operator@training:~/workspace$ ./appliance_gate_exercise setup

After the tasks in this exercise are completed, the topology should be in a working state. However, in case something is not working properly and you need to revert the changes, you can run the following command:

operator@training:~/workspace$ ./appliance_gate_exercise restore

Before you run the setup command, the network in your VM matches what is depicted in the diagram above. The setup command removes the entries in the scion_tunneling configuration of the GATE and EDGE appliances that you will add back in this exercise.

note

Unless stated otherwise, all commands are assumed to be run from the workspace directory on your training VM. The built-in terminal in the editor automatically puts you in the right directory. To open the built-in terminal, use the Ctrl+` shortcut. Alternatively, click the Menu button in the top left, then select View -> Show Terminal. This brings up the terminal and puts you in the correct working directory (~/workspace) for all the tasks in this training.

Task 1. Investigate the current configuration

In the first task, you will familiarize yourself with the current configuration of the GATE appliance.

Select the GATE appliance gate.zurich.webspeed as the appliance-cli context:

operator@training:~/workspace$ appliance-cli context select gate.zurich.webspeed

First, use the appliance CLI to view the BGP configuration:

operator@training:~/workspace$ appliance-cli get debug/bgp/config
{
  configuration: {
    asn: 65302
    neighbors: [
      {
        remote_address: "10.20.0.1"
        remote_asn: 64496
        timers: {
          connect_retry: 30000
          hold_time: 30000
          keepalive_interval: 10000
          minimum_advertisement_interval: 30000
        }
      }
    ]
    networks: null
    router_id: "10.20.0.2"
  }
}

Then, check the current domain configuration:

operator@training:~/workspace$ appliance-cli get debug/scion-tunneling/domains/config
{
  domains: [
    {
      default: false
      domain_name: "corpbank"
      local_isd_ases: ["1-ff00:1:1"]
      prefixes: {
        accept_filter: null
        announce_filter: null
      }
      remote_isd_ases: [
        {
          action: "ACCEPT"
          isd_as: "1-ff00:1:2"
        }
      ]
      traffic_policies: [
        {
          failover_sequence: ["allow-all-path-filter"]
          traffic_matcher: "match-all-traffic-matcher"
        }
      ]
    }
  ]
}

Task 2. Configure the GATE

As part of this task you will configure Stabank as a new customer on the GATE appliance in ISD 2. Stabank has given you the following details for configuration:

  • ISD-AS number: 2-ff00:1:3
  • Prefix: 198.51.100.0/28

Download the configuration file for the host gate.zurich.webspeed by running the command:

operator@training:~/workspace$ appliance-cli get config > gate.zurich.webspeed.appliance.json

Based on this information, you can create the necessary changes in the scion_tunneling section of the appliance configuration.

First, add the Stabank ISD-AS number to the remotes list:

Solution
Loading...

Then, add a domain for Stabank that matches the corresponding ISD-AS number and accepts the Stabank IP prefixes. Restrict the accept filter to the prefix Stabank gave you (198.51.100.0/28): the prefixes accepted in this domain are the ones the GATE makes reachable from Webspeed's BGP network, so accepting anything broader would let the Stabank EDGE announce prefixes it does not own. You also need to add a traffic policy to the domain; you can reference the existing traffic matchers and path filters, or you can create custom entries for them.

Solution
Loading...

Upload the updated configuration to the GATE appliance:

operator@training:~/workspace$ appliance-cli put config <gate.zurich.webspeed.appliance.json
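The following script is an added example for the accept-filter point made in the Routing Domains section and in this task; it is not Anapaya code and does not use the appliance's real configuration schema. The domain layout mirrors the fields shown by `appliance-cli get debug/scion-tunneling/domains/config` in Task 1; how an accept filter is encoded is not shown on this page, so representing it as a plain list of allowed prefixes, and the "prefix or more specific" matching rule, are assumptions. The sample configuration is constructed (the corpbank domain from Task 1 plus a stabank domain as this task asks for), and the local prefix list is the one the GATE learns from BGP in Task 4.

```python
"""Offline sanity checks on an IP-in-SCION domain configuration.

Added example; not Anapaya code and not the appliance's own config schema.
Field names follow the debug output shown on this page; the accept_filter
representation (a list of allowed prefixes) is an assumption.
"""
import ipaddress
import json

# Constructed sample: corpbank domain from Task 1 plus the stabank domain of
# Task 2. Only the prefix list inside accept_filter is assumed.
SAMPLE_CONFIG = json.loads("""
{
  "domains": [
    {
      "default": false,
      "domain_name": "corpbank",
      "local_isd_ases": ["1-ff00:1:1"],
      "prefixes": {"accept_filter": null, "announce_filter": null},
      "remote_isd_ases": [{"action": "ACCEPT", "isd_as": "1-ff00:1:2"}],
      "traffic_policies": [{"failover_sequence": ["allow-all-path-filter"],
                            "traffic_matcher": "match-all-traffic-matcher"}]
    },
    {
      "default": false,
      "domain_name": "stabank",
      "local_isd_ases": ["2-ff00:1:1"],
      "prefixes": {"accept_filter": ["198.51.100.0/28"], "announce_filter": null},
      "remote_isd_ases": [{"action": "ACCEPT", "isd_as": "2-ff00:1:3"}],
      "traffic_policies": [{"failover_sequence": ["allow-all-path-filter"],
                            "traffic_matcher": "match-all-traffic-matcher"}]
    }
  ]
}
""")

# Prefixes the GATE learns from Webspeed's own BGP network (Task 4 output).
LOCAL_PREFIXES = ["192.0.2.0/24"]


def domain_for_remote(config, isd_as):
    """Return the domain that ACCEPTs sessions from `isd_as`, or None."""
    for dom in config["domains"]:
        for remote in dom["remote_isd_ases"]:
            if remote["isd_as"] == isd_as and remote["action"] == "ACCEPT":
                return dom
    return None


def filter_received(accept_filter, received):
    """Split prefixes announced by a remote into (accepted, rejected).

    A prefix is accepted when it equals, or is more specific than, one of the
    allowed prefixes (prefix-list "or longer" semantics; an assumption here).
    A None filter accepts everything, which is what the null accept_filter of
    the corpbank domain implies.
    """
    if accept_filter is None:
        return list(received), []
    allowed = [ipaddress.ip_network(p) for p in accept_filter]
    accepted, rejected = [], []
    for p in received:
        net = ipaddress.ip_network(p)
        if any(net.version == a.version and net.subnet_of(a) for a in allowed):
            accepted.append(p)
        else:
            rejected.append(p)
    return accepted, rejected


def audit_domains(config, local_prefixes):
    """Report domains through which a remote could inject unwanted routes.

    Two findings matter on a GATE: a null accept filter (the remote may
    announce any prefix, including a default route) and a filter that would
    let the remote announce one of the GATE's own local prefixes.
    """
    findings = []
    for dom in config["domains"]:
        name = dom["domain_name"]
        accept_filter = dom["prefixes"]["accept_filter"]
        if accept_filter is None:
            findings.append(f"{name}: accept_filter is null, remote may announce any prefix")
            continue
        leaked, _ = filter_received(accept_filter, local_prefixes + ["0.0.0.0/0"])
        for p in leaked:
            findings.append(f"{name}: accept_filter would accept {p} from the remote")
    return findings


if __name__ == "__main__":
    dom = domain_for_remote(SAMPLE_CONFIG, "2-ff00:1:3")
    print("domain for 2-ff00:1:3:", dom["domain_name"])
    acc, rej = filter_received(dom["prefixes"]["accept_filter"],
                               ["198.51.100.0/28", "198.51.100.0/29",
                                "192.0.2.0/24", "0.0.0.0/0"])
    print("accepted:", acc, "rejected:", rej)
    for finding in audit_domains(SAMPLE_CONFIG, LOCAL_PREFIXES):
        print("finding:", finding)
```

Run against the sample, the audit flags only the corpbank domain, whose null accept filter places no limit on what edge.zurich.corpbank or edge.geneva.corpbank may announce; the stabank domain rejects both a default route and Webspeed's own 192.0.2.0/24. To use it on a real appliance, load the file produced by `appliance-cli get config` instead of SAMPLE_CONFIG and adapt the accept-filter lookup to the actual schema.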

Task 3. Configure the EDGE

In this task, you will configure the Stabank EDGE appliance so that it connects to the GATE of Webspeed in ISD 2.

Webspeed has given you the following details for configuration:

  • ISD-AS number: 2-ff00:1:1

Download the configuration file for the host edge.lugano.stabank by running the commands:

operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank
operator@training:~/workspace$ appliance-cli get config > edge.lugano.stabank.appliance.json

Based on this information, you can create the necessary changes in the scion_tunneling section of the appliance configuration.

First, add the Webspeed ISD-AS number to the remotes list:

Solution
Loading...

Then, add a domain for the Webspeed GATE that matches the corresponding ISD-AS number and accepts all Webspeed IP prefixes. You also need to add a traffic policy to the domain; you can reference the existing traffic matchers and path filters, or you can create custom entries for them.

Solution
Loading...

Since the Stabank EDGE appliance integrates in the Stabank LAN using static routing, the 198.51.100.0/28 prefix needs to be added to the static_announcements list.

Solution
Loading...

Upload the updated configuration to the EDGE appliance:

operator@training:~/workspace$ appliance-cli put config <edge.lugano.stabank.appliance.json

Task 4. Test Connectivity

In this task, you will test the connectivity between the Stabank EDGE appliance and the Webspeed GATE appliance. First, you will make sure the running configurations on the EDGE and GATE appliances are as expected. Then, you will perform an end-to-end connectivity test.

Investigate the running configurations

note

You can also use Grafana to see if your appliance is correctly configured. For this, open the IP-in-SCION tunneling dashboard.

Select the GATE appliance gate.zurich.webspeed as the appliance-cli context:

operator@training:~/workspace$ appliance-cli context select gate.zurich.webspeed

On the GATE, check whether the prefixes are received via the BGP session:

operator@training:~/workspace$ appliance-cli get debug/scion-tunneling/sgrp/local-prefixes
{
  local-prefixes: {
    bgp: {
      prefixes: ["192.0.2.0/24"]
    }
    static: {
      prefixes: null
    }
    static-probed: null
  }
}

Then, check if the EDGE of Stabank has been discovered by the SCION Gateway Routing Protocol on the Webspeed GATE:

operator@training:~/workspace$ appliance-cli get debug/scion-tunneling/discovery
{
  sessions: [
    {
      last-success: "2023-03-20T07:58:13Z"
      local-isd-as: "1-ff00:1:1"
      path: "1-ff00:1:1 3>2 1-ff00:1:2"
      peers: [
        {
          control: "10.2.0.2:30256"
          data: "10.2.0.2:30056"
          probe: "10.2.0.2:30856"
        }
        {
          control: "10.2.0.1:30256"
          data: "10.2.0.1:30056"
          probe: "10.2.0.1:30856"
        }
      ]
      remote-isd-as: "1-ff00:1:2"
    }
    {
      last-success: "2023-03-20T07:58:13Z"
      local-isd-as: "2-ff00:1:1"
      path: "2-ff00:1:1 2>1 2-ff00:1:3"
      peers: [
        {
          control: "10.8.0.1:30256"
          data: "10.8.0.1:30056"
          probe: "10.8.0.1:30856"
        }
      ]
      remote-isd-as: "2-ff00:1:3"
    }
  ]
}

When the GATE receives the prefixes from the BGP network and has also discovered the EDGE, it should be announcing the learned prefixes to the Stabank EDGE. The REMOTE line in the output below also reports whether the tunnel is encrypted; in this lab it shows disabled, so the customer's IP traffic is carried in the clear over the SCION path between the GATE and the EDGE. Check this by running:

operator@training:~/workspace$ appliance-cli inspect scion-tunneling summary --prefixes 1000 --domain stabank
DOMAIN: stabank
PREFIXES: 198.51.100.0/28
TRAFFIC MATCHER: match-all-traffic-matcher
PATH FILTER: allow-all-path-filter
REMOTE: 2-ff00:1:3,10.8.0.1:40201 ENCRYPTION: disabled
STATE LATENCY JITTER DROPS EXPIRY PATH
--> default true 1-ff00:1:1 1-ff00:1:3,10.8.0.1:30856
[more paths available, use the --all-paths flag to display them]

And list the available paths for the stabank domain:

operator@training:~/workspace$ appliance-cli inspect scion-tunneling summary --all-paths --domain stabank
DOMAIN: stabank
PREFIXES: 198.51.100.0/28
TRAFFIC MATCHER: match-all-traffic-matcher
PATH FILTER: allow-all-path-filter
REMOTE: 2-ff00:1:3,10.8.0.1:40201 ENCRYPTION: disabled
STATE LATENCY JITTER DROPS EXPIRY PATH
alive 11.82ms 5.62ms 0.00% 5h59m7s 2-ff00:1:1 4>2 2-ff00:1:3
alive 11.97ms 6.05ms 0.00% 5h59m35s 2-ff00:1:1 2>1 2-ff00:1:3
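Checking these summaries by eye works for one customer; for many, you want the check scripted. The script below is an added example and not part of the Anapaya tooling. It assumes the text layout shown above (the DOMAIN/PREFIXES/TRAFFIC MATCHER/PATH FILTER/REMOTE header lines followed by a STATE ... PATH table), parses it, and reports anything that deviates from what was configured in Task 2: a different remote ISD-AS, a different prefix set, a path that is not alive or is dropping packets, and a tunnel whose encryption is not enabled. The embedded sample is a copy of the --all-paths output shown above; the script name check_summary.py is hypothetical.

```python
"""Check `appliance-cli inspect scion-tunneling summary --all-paths` output.

Added example, not part of the Anapaya tooling. Assumes the text layout
shown on this page. Intended use (file name is hypothetical):
    appliance-cli inspect scion-tunneling summary --all-paths --domain stabank | python3 check_summary.py
"""
import re
import sys

# Constructed sample, copied from the --all-paths output shown on the page.
SAMPLE = """\
DOMAIN: stabank
PREFIXES: 198.51.100.0/28
TRAFFIC MATCHER: match-all-traffic-matcher
PATH FILTER: allow-all-path-filter
REMOTE: 2-ff00:1:3,10.8.0.1:40201 ENCRYPTION: disabled
STATE LATENCY JITTER DROPS EXPIRY PATH
alive 11.82ms 5.62ms 0.00% 5h59m7s 2-ff00:1:1 4>2 2-ff00:1:3
alive 11.97ms 6.05ms 0.00% 5h59m35s 2-ff00:1:1 2>1 2-ff00:1:3
"""

REMOTE_RE = re.compile(r"REMOTE:\s*(\S+?),(\S+)\s+ENCRYPTION:\s*(\S+)")


def parse_summary(text):
    """Turn one domain's summary block into a dict with a list of paths."""
    info = {"paths": []}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_table:
            # Skip the "[more paths available ...]" hint and the "-->"
            # selected-path row printed by the short (non --all-paths) form.
            if line.startswith("[") or line.startswith("-->"):
                continue
            state, latency, jitter, drops, expiry, path = line.split(None, 5)
            info["paths"].append({
                "state": state,
                "latency_ms": float(latency.rstrip("ms")),
                "jitter_ms": float(jitter.rstrip("ms")),
                "drops_pct": float(drops.rstrip("%")),
                "expiry": expiry,
                "path": path,
            })
        elif line.startswith("STATE "):
            in_table = True
        elif line.startswith("REMOTE:"):
            m = REMOTE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised REMOTE line: {line}")
            info["remote_isd_as"], info["remote_addr"], info["encryption"] = m.groups()
        else:
            key, _, value = line.partition(":")
            key = key.strip().lower().replace(" ", "_")
            # PREFIXES may list several comma-separated prefixes.
            info[key] = [v.strip() for v in value.split(",")] if key == "prefixes" else value.strip()
    return info


def check_domain(info, expected_remote, expected_prefixes, max_drops_pct=0.0):
    """Return a list of problems; an empty list means the domain looks healthy."""
    problems = []
    if info.get("remote_isd_as") != expected_remote:
        problems.append(f"remote is {info.get('remote_isd_as')}, expected {expected_remote}")
    if sorted(info.get("prefixes", [])) != sorted(expected_prefixes):
        problems.append(f"prefixes {info.get('prefixes')} differ from expected {expected_prefixes}")
    if info.get("encryption") != "enabled":
        # Customer traffic crosses the SCION path in the clear when this is disabled.
        problems.append(f"tunnel encryption is {info.get('encryption')}")
    if not info["paths"]:
        problems.append("no paths to the remote")
    for p in info["paths"]:
        if p["state"] != "alive":
            problems.append(f"path {p['path']} is {p['state']}")
        if p["drops_pct"] > max_drops_pct:
            problems.append(f"path {p['path']} drops {p['drops_pct']}%")
    return problems


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    summary = parse_summary(text)
    for problem in check_domain(summary, "2-ff00:1:3", ["198.51.100.0/28"]):
        print("problem:", problem)
```

On the sample above the only finding is the disabled tunnel encryption; both paths are alive with no drops and the remote and prefix match what was configured in Task 2.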

Now, select the Stabank EDGE appliance edge.lugano.stabank as the appliance-cli context:

operator@training:~/workspace$ appliance-cli context select edge.lugano.stabank

And repeat the commands from the GATE:

operator@training:~/workspace$ appliance-cli get debug/scion-tunneling/sgrp/local-prefixes
{
  local-prefixes: {
    bgp: {
      prefixes: null
    }
    static: {
      prefixes: ["10.8.0.2/32", "10.8.0.5/32", "198.51.100.0/28"]
    }
    static-probed: null
  }
}

Make sure the EDGE can discover the Webspeed GATE:

operator@training:~/workspace$ appliance-cli get debug/scion-tunneling/discovery
{
  sessions: [
    {
      last-success: "2023-03-20T08:11:13Z"
      local-isd-as: "2-ff00:1:3"
      path: "2-ff00:1:3 1>2 2-ff00:1:1"
      peers: [
        {
          control: "10.1.0.5:30256"
          data: "10.1.0.5:30056"
          probe: "10.1.0.5:30856"
        }
      ]
      remote-isd-as: "2-ff00:1:1"
    }
    {
      last-success: "2023-03-20T08:11:12Z"
      local-isd-as: "1-ff00:1:3"
      path: "1-ff00:1:3 1>2 1-ff00:1:1 1>1 1-ff00:1:2"
      peers: [
        {
          control: "10.2.0.1:30256"
          data: "10.2.0.1:30056"
          probe: "10.2.0.1:30856"
        }
        {
          control: "10.2.0.2:30256"
          data: "10.2.0.2:30056"
          probe: "10.2.0.2:30856"
        }
      ]
      remote-isd-as: "1-ff00:1:2"
    }
  ]
}

And finally, check if the Stabank EDGE is receiving the prefixes from the Webspeed GATE:

operator@training:~/workspace$ appliance-cli inspect scion-tunneling summary --domain gate
DOMAIN: gate
PREFIXES: 192.0.2.0/24
TRAFFIC MATCHER: match-all-traffic-matcher
PATH FILTER: allow-all-path-filter
REMOTE: 2-ff00:1:1,10.1.0.5:40201 ENCRYPTION: disabled
STATE LATENCY JITTER DROPS EXPIRY PATH
--> allow-all-path-filter true 2-ff00:1:3 2-ff00:1:1,10.1.0.5:30856

Perform the End-To-End test

Now you can perform the end-to-end connectivity test. For this you will use the ping command, which is enough to test plain reachability.

Log into the endhost which is part of the Webspeed BGP network. It simulates a residential customer of Webspeed. From the endhost the services exposed by Stabank should be reachable via the GATE:

operator@training:~/workspace$ lxc shell endhost-zurich-bgp-webspeed
root@endhost-zurich-bgp-webspeed:~# ping 198.51.100.10 -c 10

note

You can also view the traffic flow in Grafana. For this, open the IP-in-SCION tunneling dashboard.