Anapaya appliance configuration (scion_tunneling only)

scion_tunneling object

Top-level configuration and state for IP-in-SCION tunneling.

domains object[]

List of domains that define the rules by which IP packets are routed. A domain is a subset of the IP space that shares the same policies.

  • Array [
  • default boolean

    Whether this domain is the default domain. The default domain is assumed to accept the whole IP space that is not covered by other domains. The default domain is used when no other domain matches a packet's destination. Because of this, it may not specify an accept-filter.

    description string

    Optional description, or comment, for the domain.

    Example: The domain. It matches all packets and allows any path to be used.
    disabled boolean

    Whether the domain should be disabled.

    Default value: false
    encryption string

    The payload encryption mode for the domain. When payload encryption is not disabled for a domain, payload encryption must be enabled in the endpoint configuration. Otherwise, the config validation will fail.

    Enum Value  Description
    DISABLED    Payload encryption is disabled for all remote tunneling endpoints in this domain. This is the default.
    ENABLED     Payload encryption is enabled and enforced for all remote tunneling endpoints in this domain. That means that all packets are sent encrypted and authenticated and only accepted if they are encrypted and authenticated.
    OPTIONAL    Payload encryption is enabled but not enforced. This should only be used for transitioning to ENABLED. In this mode, unencrypted packets from remote endpoints are accepted and sent, if the remote endpoint does not support payload encryption. This mode does not provide any security guarantees.

    Possible values: [DISABLED, ENABLED, OPTIONAL]

    fallback boolean

    Whether traffic that should be sent via this domain is also allowed to fall back to other, lower-priority domains. The fallback happens if this domain has no alive remotes/paths.

    Default value: false
    local_isd_ases string<isd-as>[]

    List of local ISD-AS identifiers that belong to this domain. Traffic towards remote ISD-ASes is guaranteed to only use paths that start at one of these local ISD-ASes. Setting this field is only necessary if the Anapaya EDGE Appliance is part of multiple SCION ISDs and an operator wants to restrict the domain to a subset of the local SCION ISDs. This has the effect that traffic towards remote tunneling endpoints in this domain only uses paths that start in one of the listed local ASes. Note that if the Anapaya EDGE Appliance is only part of a single ISD or if all available local AS identities are part of the domain, then local_isd_ases does not need to be set.

    name string required

    The name of the domain.

    Example: Default Domain
    prefixes object

    List of IP prefix matchers to filter the announced and received prefixes.

    accept_filter object[]

    List of IP prefix matchers that define which prefixes announced by remote ISD-ASes are accepted. Only the matching subset of a prefix announced by a remote ISD-AS is accepted for routing. There cannot be more than one routing domain that accepts a specific IP prefix. Thus, the accept_filter matchers of different domains must not overlap.

  • Array [
  • action string required

    Specifies the matcher's action.

    Enum Value  Description
    ACCEPT      Include all matching remotes
    REJECT      Exclude all matching remotes

    Possible values: [ACCEPT, REJECT]

    description string

    Optional description for the prefix matcher.

    prefixes string[]

    The list of IP prefixes used for matching. The matcher matches all IP prefixes that are contained in the specified IP prefix and have a length between the specified minimum and maximum length.

    Example: ["192.168.1.0/24 ge 24 le 32"]
    sequence_id integer<uint32> required

    The sequence ID determines the order in which the prefix matchers are applied. The sequence ID must be unique for each entry. Target devices apply the prefix matchers in ascending order of sequence ID (low to high), accepting all IPs that are in accepted matchers and rejecting the ones that are in rejected matchers.

    Example: 1
  • ]
  • announce_filter object[]

    List of IP prefix matchers to filter prefixes announced to remotes. The prefixes to be announced are configured in the static announcements or BGP. Only the subset of the routes that matches the announce filter is advertised to the remotes.

  • Array [
  • action string required

    Specifies the matcher's action.

    Enum Value  Description
    ACCEPT      Include all matching remotes
    REJECT      Exclude all matching remotes

    Possible values: [ACCEPT, REJECT]

    description string

    Optional description for the prefix matcher.

    prefixes string[]

    The list of IP prefixes used for matching. The matcher matches all IP prefixes that are contained in the specified IP prefix and have a length between the specified minimum and maximum length.

    Example: ["192.168.1.0/24 ge 24 le 32"]
    sequence_id integer<uint32> required

    The sequence ID determines the order in which the prefix matchers are applied. The sequence ID must be unique for each entry. Target devices apply the prefix matchers in ascending order of sequence ID (low to high), accepting all IPs that are in accepted matchers and rejecting the ones that are in rejected matchers.

    Example: 1
  • ]
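The accept_filter and announce_filter matchers above share one string format and one ordering rule. The following added example (not Anapaya code; the exact matcher grammar, the deny-by-default reading for unmatched prefixes and the network-only overlap test are assumptions) parses that format, applies a filter in sequence_id order, and checks that the accept filters of different domains do not overlap, as the reference requires.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical helper, not Anapaya code: parses the matcher form used in the
# reference, "<prefix> [ge <min>] [le <max>]", e.g. "192.168.1.0/24 ge 24 le 32".
_MATCHER_RE = re.compile(
    r"^\s*(?P<prefix>\S+)(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$")


@dataclass(frozen=True)
class PrefixMatcher:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    min_len: int
    max_len: int

    @classmethod
    def parse(cls, text: str) -> PrefixMatcher:
        m = _MATCHER_RE.match(text)
        if not m:
            raise ValueError(f"bad prefix matcher: {text!r}")
        net = ipaddress.ip_network(m["prefix"], strict=True)
        # Assumption (BGP prefix-list convention): no ge/le means an exact
        # length match; ge without le extends to the address-family maximum.
        ge = int(m["ge"]) if m["ge"] else net.prefixlen
        le = int(m["le"]) if m["le"] else (net.max_prefixlen if m["ge"] else ge)
        if not net.prefixlen <= ge <= le <= net.max_prefixlen:
            raise ValueError(f"inconsistent length bounds in {text!r}")
        return cls(net, ge, le)

    def matches(self, prefix: str) -> bool:
        p = ipaddress.ip_network(prefix, strict=True)
        return (p.version == self.network.version and p.subnet_of(self.network)
                and self.min_len <= p.prefixlen <= self.max_len)


def apply_filter(matchers: list[dict], announced: list[str]) -> list[str]:
    """Prefixes from `announced` that an accept_filter/announce_filter lets through.
    Matchers run in ascending sequence_id; the first one containing a prefix
    decides. Assumption: a prefix no matcher covers is rejected (deny by default)."""
    ordered = sorted(matchers, key=lambda m: m["sequence_id"])
    if len({m["sequence_id"] for m in ordered}) != len(ordered):
        raise ValueError("sequence_id must be unique within a filter")
    parsed = [(m["action"], [PrefixMatcher.parse(p) for p in m["prefixes"]])
              for m in ordered]
    accepted = []
    for pfx in announced:
        for action, pms in parsed:
            if any(pm.matches(pfx) for pm in pms):
                if action == "ACCEPT":
                    accepted.append(pfx)
                break
    return accepted


def overlapping_accept_filters(domains: list[dict]) -> list[tuple[str, str]]:
    """Config check: accept_filter matchers of different domains must not overlap.
    Returns name pairs whose ACCEPT networks intersect. Assumption: the check is
    on the matcher networks only (ge/le ignored), i.e. deliberately conservative."""
    nets = {}
    for d in domains:
        if d.get("default"):
            continue  # the default domain carries no accept_filter
        nets[d["name"]] = [PrefixMatcher.parse(p).network
                           for m in d.get("prefixes", {}).get("accept_filter", [])
                           if m["action"] == "ACCEPT" for p in m["prefixes"]]
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.version == y.version and x.overlaps(y)
                   for x in nets[a] for y in nets[b])]
```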
  • priority integer<uint16>

    The priority of the domain. The priority is used to determine the order in which domains are tried for sending traffic. The priority also directly implies the priority of a route installed in this domain. The lower the number, the higher the priority. If two domains have the same priority, the one with the lower name is preferred.

    remote_isd_ases object[]

    List of remote ISD-AS identifiers that belong to this domain. Prefix announcements will be accepted from these remote ISD-ASes. All IP traffic will be tunneled over paths that end in one of these remote ISD-ASes. A SCION AS matcher has the form <isd>-<as> where <isd> is the ISD ID and <as> is the AS ID. Both <isd> and <as> can be 0 to match all ISDs and all ASes respectively. E.g., the matcher 1-ff00:0:1 matches exactly this single AS, 1-0 matches all ASes that are part of ISD 1, and 0-ff00:0:1 matches the specific AS in all ISDs. A single 0 (or 0-0) matches all ASes in all ISDs.

  • Array [
  • action string required

    Specifies the matcher's action.

    Possible values: [ACCEPT, REJECT]

    description string

    Description for the remote matcher.

    isd_as string<isd-as> required

    The ISD-AS identifier. The matcher matches the ISD-AS identifier of a SCION AS. 0 indicates a wildcard (both for ISD and AS).

    Example: 0-ff00:0:310
    sequence_id integer<uint32> required

    The sequence ID determines the order in which the remote matchers are applied. The sequence ID must be unique for each entry. Target devices apply the remote matchers in ascending order of sequence ID (low to high).

    Example: 1
  • ]
  • traffic_policies object[]

    List of traffic policies that configure the types of traffic that are tunneled via this domain and the tunnel properties. A traffic policy defines a matcher on the IP traffic (the traffic matcher). If the IP traffic matches, it is tunneled to the remote SCION AS. Acceptable paths for the tunnel are defined via the path policy.

    Traffic policies are applied in the order of their sequence ID (ascending). For each IP packet, only a single traffic policy will be applied even if it matches multiple policies. A traffic policy matches if the traffic matcher defined in the policy matches the incoming IP packet.

    While only a single traffic policy applies to an incoming IP packet, within the traffic policy the failover sequence can be used to configure "failover" behavior. If a path filter in the failover sequence has no healthy path to the remote AS, the next filter will be tried in the order defined by the failover sequence.

    Traffic matchers and path filters are referenced by name. This allows these objects to be reused easily in different traffic policies.

  • Array [
  • description string

    The optional description of the traffic policy.

    Example: Default traffic policy
    failover_sequence object[]

    A list of failover sequence entries, each of them associated with a path filter. If there's no live path left after applying the first filter the second one is tried and so on.

  • Array [
  • path_filter string required

    Name of the path filter associated with the failover sequence entry.

    sequence_id integer<uint32> required

    Sequence number of the failover sequence entry. Sequence numbers define the ordering of the items, which in turn determines how the failover between different path filters happens.

    Example: 1
  • ]
  • sequence_id integer<uint32> required

    The sequence ID determines the order in which the traffic policies are applied. The sequence ID must be unique for each entry. Target devices use the first entry with a matching traffic matcher in ascending order of sequence ID (low to high).

    Example: 1
    traffic_matcher string required

    Reference of the traffic matcher that is utilized by this policy. The traffic matcher is a selector for the IP packets covered by this traffic policy.

  • ]
  • ]
  • endpoint object

    Local IP-in-SCION tunnel endpoint configuration

    allowed_interfaces object[]

    The SCION interfaces for each local SCION AS that are allowed to be used by this IP-in-SCION tunneling endpoint. This can be used to control incoming traffic, e.g., if a tunnel endpoint should only be reachable via SCION interfaces 1 and 2, allowed-interfaces should list them explicitly. Remote tunnel endpoints will then only choose paths entering the respective local AS via SCION interface 1 or 2. If the IP-in-SCION tunneling endpoint on this appliance should be reachable via a SCION interface of a peer appliance, the allowed-interfaces list must be configured with the respective SCION interface of the peer appliance. By default the list is empty, in this case the appliance will automatically configure the locally configured SCION interfaces as allowed-interfaces. Automatic configuration is disabled if topology synchronization is enabled or if disable_auto_allowed_interfaces is set.

    Please note that if you specify a set of allowed interfaces for an appliance, you need to also specify the same set of allowed interfaces in the tunneling section of the Cluster section of the peer appliances’ configuration.

  • Array [
  • interfaces integer<uint16>[]

    List of allowed interfaces for this SCION AS

    Example: [2,3]
    isd_as string<isd-as>

    The SCION AS where the list of allowed interfaces applies. Packets to this IP-in-SCION tunnel endpoint in this SCION AS will only arrive on the listed interfaces.

  • ]
  • control_port integer<uint16>

    Port number for control traffic. The control address is constructed from the ip address and this control port. The control address is used to exchange IP routing information as part of SGRP. If not set, or zero, the control port will be dynamically allocated.

    Example: 40201
    data_port integer<uint16>

    Port number for data traffic. The data address is constructed from the ip address and this data port. The data address is used for the IP-in-SCION encapsulated traffic stream. If not set, or zero, the data port will be dynamically allocated.

    Example: 40200
    description string

    Optional description of the IP-in-SCION tunnel endpoint.

    disable_auto_allowed_interfaces boolean

    Whether the automatic configuration of allowed interfaces should be disabled. When disabled, the IP-in-SCION tunneling endpoint will be reached by remote endpoints on all SCION interfaces of the locally configured AS. When enabled (default), the local IP-in-SCION tunneling endpoint will only be reached by remote endpoints on the SCION interfaces that are configured on the local appliance.

    disable_urpf boolean

    Flag to disable uRPF. When uRPF is enabled (default), the gateway performs strict uRPF on all received IP-in-SCION-tunneled traffic, checking that incoming IP packets have a source address within the prefixes announced by the remote gateway, and that the SCION packets are sent from a valid remote ISD-AS and are encrypted as configured in the associated domain.

    enable_scion_rss boolean

    Flag to activate SCION RSS. If activated, the gateway utilizes UDP source port entropy on the underlay such that EDGE and CORE routers can leverage RSS for SCION traffic. This can greatly improve throughput performance.

    Default value: true
    enabled boolean

    Whether this endpoint is enabled.

    encryption object

    Payload encryption configuration for the IP-in-SCION tunnel endpoint.

    enabled boolean

    Whether the payload encryption module is enabled. With payload encryption enabled, the IP packets are encrypted and authenticated before being sent to a remote tunnel endpoint for domains that have the payload encryption enabled. Note that this flag only enables the payload encryption system. Each domain for which payload encryption should be used must still explicitly enable it.

    per_remote_sa_limit integer<uint32>

    The maximum number of Security Associations (SAs) that can be established with a single remote AS. If the limit is reached, new SAs from all endpoints in that AS will be rejected.

    Default value: 1000
    Example: 1000
    port integer<uint16>

    Port number for the secure data traffic. The address is constructed from the endpoint IP address and this port. If not set, or zero, the secure data port will be dynamically allocated.

    Example: 40203
    total_sa_limit integer<uint32>

    The maximum number of Security Associations (SAs) that can be established with remote tunnel endpoints. If the limit is reached, new SAs will be rejected.

    Default value: 100000
    Example: 100000
    ip string<ip-address>

    IP address of the local IP-in-SCION endpoint.

    Example: 192.168.1.100
    probe_port integer<uint16>

    Port number for probing traffic. The probe address is constructed from the ip address and this probe port. The probe address is used by remote tunnel endpoints in their health probing. If not set, or zero, the probe port will be dynamically allocated.

    Example: 40202
    path_filters object[]

    List of path filters that can be referenced by name from a path policy. A path filter defines a set of paths by applying the filter to all available paths.

  • Array [
  • acl string[]

    The ACL that is applied on the path. An ACL consists of a list of ACL entries. Each ACL entry has the form action hop-predicate, where the action can either be accept (+) or deny (-). The hop predicate is optional and has the form isd-as#interface, where isd is the ISD identifier, as is the AS identifier, and interface is the interface identifier of a SCION path hop. The hop predicate can be fully or partially qualified, i.e., all entries of the hop predicate are optional or can include wildcards (0). If no hop predicate is specified the action matches every hop, i.e., a single '+' is the default accept action and a single '-' is the default deny action. The ACL is applied by sequentially applying all ACL entries to paths. If the ACL is empty, it defaults to accepting all paths.

    Example: ["+ 64-0"]
    description string

    Description, or comment, for the path filter.

    Example: Match only paths in the Swiss Isolation Domain (ID 64).
    hop_pattern string

    The sequence of hop predicates that a path has to match to be accepted. Each hop predicate can optionally be extended with a modifier * or +. The * modifier means 0 or more occurrences. The + means one or more occurrences.

    Example: 0* 64+ 0+
    name string

    Name of the path filter. This value is used by the path policy to reference the path filter.

    Example: CH ISD only
  • ]
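As an added illustration (example code, not Anapaya's path policy implementation) of how the acl entries above select paths: the ACL is parsed and applied, entry by entry, to every interface of a path, where a path is given as constructed (ISD-AS, interface id) pairs. Treating a hop that no entry matches as denied is an assumption; the empty-ACL-accepts-all rule comes from the reference.

```python
from __future__ import annotations
import re

# Hypothetical helper, not Anapaya code. A hop predicate is "isd-as#interface";
# the as and interface parts are optional and 0 is a wildcard in any position.
_HP_RE = re.compile(r"^(?P<isd>\d+)(?:-(?P<as>[0-9a-fA-F:]+))?(?:#(?P<ifid>\d+))?$")

Hop = tuple[str, int]   # constructed: ("isd-as", interface id) of one path interface


def parse_hop_predicate(text: str) -> tuple[int, str, int]:
    m = _HP_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad hop predicate {text!r}")
    return int(m["isd"]), (m["as"] or "0").lower(), int(m["ifid"] or 0)


def parse_acl(entries: list[str]) -> list[tuple[bool, tuple[int, str, int]]]:
    """Each entry is "<+|-> [hop-predicate]"; a bare + or - matches every hop."""
    acl = []
    for entry in entries:
        parts = entry.split(None, 1)
        if not parts or parts[0] not in ("+", "-"):
            raise ValueError(f"bad ACL entry {entry!r}")
        pred = parse_hop_predicate(parts[1]) if len(parts) == 2 else (0, "0", 0)
        acl.append((parts[0] == "+", pred))
    return acl


def hop_matches(pred: tuple[int, str, int], hop: Hop) -> bool:
    isd, as_, ifid = pred
    hop_isd, hop_as = hop[0].split("-", 1)
    return ((isd == 0 or isd == int(hop_isd))
            and (as_ == "0" or as_ == hop_as.lower())
            and (ifid == 0 or ifid == hop[1]))


def acl_accepts(entries: list[str], path: list[Hop]) -> bool:
    """Apply the ACL entries in order to every interface of the path.
    The first entry matching a hop decides that hop; one denied hop denies the path.
    Assumption: a hop that no entry matches is denied (safe default)."""
    if not entries:
        return True        # empty ACL accepts all paths, per the reference
    acl = parse_acl(entries)
    for hop in path:
        for accept, pred in acl:
            if hop_matches(pred, hop):
                if not accept:
                    return False
                break
        else:
            return False
    return True


def filter_paths(entries: list[str], paths: list[list[Hop]]) -> list[list[Hop]]:
    return [p for p in paths if acl_accepts(entries, p)]
```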
  • remotes object[]

    List of remote ISD-ASes that should be considered for remote endpoint discovery. The endpoints belonging to any of the ISD-ASes in this list are automatically discovered. Note that if an ISD-AS is not listed, its remotes will not be discovered.

    The ISD-ASes listed in remotes can be referenced in the remote_isd_ases matchers of the domains section. Note, however, that that section is used to limit the set of remote ASes to which a domain applies and can include wildcards as well as allow and block lists.

  • Array [
  • description string

    Description, or comment, for the remote.

    isd_as string<isd-as> required

    The ISD-AS of the remote.

    Example: 1-ff00:0:310
  • ]
  • static_announcements object[]

    List of static prefixes that are advertised. These prefixes do not need to be learned from local BGP peers. Note that the announce filters of each domain also apply to statically configured prefixes. Thus, the set of prefixes advertised to remote endpoints does not necessarily contain the full set of statically defined prefixes.

  • Array [
  • description string

    Description, or comment, for the target.

    next_hop_tracking object

    With static announcements, we need to ensure that the prefixes are announced only if the appliance can actually reach the internal network of the customer. For this reason, we need to enable next-hop tracking. When enabled, the prefixes are only distributed if the specified target responds to ICMP ECHO requests. This can be used to implement dynamically retractable routes without having to resort to a dynamic routing protocol.

    disabled boolean

    Whether or not this next-hop is tracked. It is not recommended to disable next-hop tracking.

    target string<ip-address>

    The routes are only distributed if the address responds to ICMP ECHO requests. This can be used to implement dynamically retractable routes without having to resort to a dynamic routing protocol.

    Example: 192.168.0.1
    prefixes string<ip-prefix>[] required

    The IP prefixes that are statically configured and advertised via SGRP

    Possible values: >= 1

    Example: ["192.168.1.0/24","172.30.100.0/28"]
    sequence_id integer<uint32> required

    The sequence ID defines the order of the static route entries. The sequence ID must be unique for each entry.

    Example: 1
  • ]
  • traffic_matchers object[]

    List of traffic matchers that can be referenced by name from a traffic policy. A matcher is used to classify traffic for tunneling. Each packet is classified based on configured traffic matchers and put in a traffic class. A traffic class is used in a traffic policy to map a path policy to a traffic class.

  • Array [
  • condition string required

    The condition for traffic to match this traffic matcher. It is expressed as a boolean expression that evaluates to either true (the IP packet matches the traffic matcher) or false (the IP packet does not match the traffic matcher). The expression consists of atoms and combinators.

    Possible values:

    Possible Value          Description
    BOOL=<true|false>       Evaluates to the specified boolean value. This can be used to define a traffic matcher that always matches: BOOL=true matches all packets. On the other hand, BOOL=false matches no packets.
    SRC=<IP-prefix>         Evaluates to true if IP-prefix contains the source IP address of the packet, otherwise false.
    DST=<IP-prefix>         Evaluates to true if IP-prefix contains the destination IP address of the packet, otherwise false.
    SRCPORT=<port-range>    Evaluates to true if the source port of the packet is in the range port-range, otherwise false. This applies to TCP and UDP packets.
    DSTPORT=<port-range>    Evaluates to true if the destination port of the packet is in the range port-range, otherwise false. This applies to TCP and UDP packets.
    PROTOCOL=<protocol>     Evaluates to true if the transport protocol of the packet is protocol, otherwise false. Valid strings for protocol are tcp, udp, and icmp.
    DSCP=<dscp-value>       Evaluates to true if the DSCP value of the packet is dscp-value, otherwise false. The DSCP value must be specified as a hexadecimal number of the form 0xYY.
    ANY(cond1, cond2, ...)  Evaluates to true if any of the cond conditions evaluates to true, otherwise false.
    ALL(cond1, cond2, ...)  Evaluates to true if all of the cond conditions evaluate to true, otherwise false.
    NOT(cond)               Evaluates to true if cond evaluates to false and vice versa.

    description string

    Description, or comment, for the traffic matcher.

    Example: 'all packets' matches all packets.
    name string required

    Name that identifies the traffic matcher. This value is used by the traffic policy to reference the traffic matcher.

    Example: all packets
  • ]
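To make the atom and combinator semantics of the condition field concrete, here is an added evaluator (example code, not the appliance's own implementation) that parses a condition string by recursive descent and tests it against a constructed packet. The Packet type and the "lo-hi" spelling of a port range are assumptions; everything else follows the table above, including that port atoms never match non-TCP/UDP traffic.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed packet model, not an Anapaya type: the header fields the
# condition atoms look at. Ports are None for non-TCP/UDP traffic.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int | None
    dst_port: int | None
    dscp: int

def _split_args(text: str) -> list[str]:
    """Split on commas at nesting depth 0 so ANY/ALL/NOT arguments may nest."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur or parts:
        parts.append("".join(cur))
    return [p.strip() for p in parts]

def evaluate(cond: str, pkt: Packet) -> bool:
    cond = cond.strip()
    for name in ("ANY", "ALL", "NOT"):            # combinators first
        if cond.startswith(name + "(") and cond.endswith(")"):
            args = [evaluate(a, pkt) for a in _split_args(cond[len(name) + 1:-1])]
            if name == "NOT":
                if len(args) != 1:
                    raise ValueError("NOT takes exactly one condition")
                return not args[0]
            if not args:
                raise ValueError(f"{name}() needs at least one condition")
            return any(args) if name == "ANY" else all(args)
    key, sep, val = cond.partition("=")           # otherwise an atom KEY=VALUE
    key, val = key.strip(), val.strip()
    if not sep or not val:
        raise ValueError(f"not a valid atom: {cond!r}")
    if key == "BOOL":
        if val not in ("true", "false"):
            raise ValueError("BOOL takes true or false")
        return val == "true"
    if key in ("SRC", "DST"):
        addr = ipaddress.ip_address(pkt.src if key == "SRC" else pkt.dst)
        net = ipaddress.ip_network(val, strict=False)
        return addr.version == net.version and addr in net
    if key in ("SRCPORT", "DSTPORT"):
        port = pkt.src_port if key == "SRCPORT" else pkt.dst_port
        if port is None:                          # atom applies to TCP and UDP only
            return False
        lo, _, hi = val.partition("-")            # assumption: "lo-hi" or a single port
        return int(lo) <= port <= int(hi or lo)
    if key == "PROTOCOL":
        if val not in ("tcp", "udp", "icmp"):
            raise ValueError(f"unknown protocol {val!r}")
        return pkt.protocol == val
    if key == "DSCP":
        if not val.lower().startswith("0x"):
            raise ValueError("DSCP value must be hexadecimal of the form 0xYY")
        return pkt.dscp == int(val, 16)
    raise ValueError(f"unknown atom {key!r}")
```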
  • Config_ScionTunneling_Wrapped
    {
      "scion_tunneling": {
        "domains": [
          {
            "default": true,
            "description": "The domain. It matches all packets and allows any\npath to be used.",
            "disabled": false,
            "encryption": "DISABLED",
            "fallback": false,
            "local_isd_ases": [
              "string"
            ],
            "name": "Default Domain",
            "prefixes": {
              "accept_filter": [
                {
                  "action": "ACCEPT",
                  "description": "string",
                  "prefixes": [
                    "192.168.1.0/24 ge 24 le 32"
                  ],
                  "sequence_id": 1
                }
              ],
              "announce_filter": [
                {
                  "action": "ACCEPT",
                  "description": "string",
                  "prefixes": [
                    "192.168.1.0/24 ge 24 le 32"
                  ],
                  "sequence_id": 1
                }
              ]
            },
            "priority": 0,
            "remote_isd_ases": [
              {
                "action": "ACCEPT",
                "description": "string",
                "isd_as": "0-ff00:0:310",
                "sequence_id": 1
              }
            ],
            "traffic_policies": [
              {
                "description": "Default traffic policy",
                "failover_sequence": [
                  {
                    "path_filter": "string",
                    "sequence_id": 1
                  }
                ],
                "sequence_id": 1,
                "traffic_matcher": "string"
              }
            ]
          }
        ],
        "endpoint": {
          "allowed_interfaces": [
            {
              "interfaces": [
                2,
                3
              ],
              "isd_as": "string"
            }
          ],
          "control_port": 40201,
          "data_port": 40200,
          "description": "string",
          "disable_auto_allowed_interfaces": true,
          "disable_urpf": true,
          "enable_scion_rss": true,
          "enabled": true,
          "encryption": {
            "enabled": true,
            "per_remote_sa_limit": 1000,
            "port": 40203,
            "total_sa_limit": 100000
          },
          "ip": "192.168.1.100",
          "probe_port": 40202
        },
        "path_filters": [
          {
            "acl": [
              "+ 64-0"
            ],
            "description": "Match only paths in the Swiss Isolation Domain (ID 64).",
            "hop_pattern": "0* 64+ 0+",
            "name": "CH ISD only"
          }
        ],
        "remotes": [
          {
            "description": "string",
            "isd_as": "1-ff00:0:310"
          }
        ],
        "static_announcements": [
          {
            "description": "string",
            "next_hop_tracking": {
              "disabled": true,
              "target": "192.168.0.1"
            },
            "prefixes": [
              "192.168.1.0/24",
              "172.30.100.0/28"
            ],
            "sequence_id": 1
          }
        ],
        "traffic_matchers": [
          {
            "condition": "string",
            "description": "'all packets' matches all packets.",
            "name": "all packets"
          }
        ]
      }
    }