
Anapaya appliance configuration (scion only)

scion object

Top-level configuration and state for the SCION protocol.

ases object[]

List of SCION ASes that this device is part of identified by their ISD-AS identifier.

  • Array [
  • ca_service object

    SCION CPPKI (Control Plane Public Key Infrastructure) CA service configuration data. This section defines how the anapaya-scion interacts with the SCION CPPKI CA service backend. It is only required for SCION ASes that act as a CA in their respective ISD.

    anapaya_vault object

    The configuration data of the Anapaya SCION CPPKI CA service. This section is provided only when the CA service type is Anapaya Vault, i.e., is operated by Anapaya.

    addresses string[]

    The list of addresses where the Anapaya Vault backend can be reached. This list must be non-empty.

    credentials object

    The credentials used to log in to the Anapaya Vault backend.

    role_id string

    The role ID used to authenticate with the Vault backend via the AppRole Authentication Method. See https://www.vaultproject.io/docs/auth/approle for more details.

    secret_id_ref string<secret-ref>

    Reference to the secret ID used to authenticate with the Vault backend via the AppRole Authentication Method. See https://www.vaultproject.io/docs/auth/approle for more details.

    validation object

    The validation option configures how the Anapaya Vault backend validates CSRs.

    subject string

    The subject option configures how the Anapaya Vault backend validates the subject of the CSRs.

    Possible values: [MATCHING_ISD_AS, EXACT_MATCH]

    external object

    The configuration data for the External SCION CPPKI CA service. This section is provided only when the CA service is of type External, i.e., is not operated by Anapaya.

    address string

    The address where the external SCION CPPKI CA service can be reached.

    Example: 192.0.2.3:5000

    client_id string

    The client ID that is used to authenticate with the CA service. The client ID is set in the 'sub' and 'iss' claims of the generated JWT. If unset, a generic client ID based on the ISD-AS is used.

    shared_secret_ref string<secret-ref>

    Reference to the shared secret used between the appliance and the CA service (used to generate JWTs for authentication).

    service_type string

    The type of CA service that is used by the appliance.

    Possible values: [EXTERNAL, ANAPAYA_VAULT, IN_PROCESS]

    control object

    The configuration for the SCION control service. The address configures where the control service is exposed. Clients connect to this address to request control plane data.

    address string

    The address of the control service. The address must be specified as host:port. If the port is 0 it will be automatically allocated.

    Example: 192.168.1.1:30100

    enabled boolean required

    Whether the service is enabled.

    core boolean

    Indicates whether the AS is a core AS in its ISD. A SCION core AS must only have other core ASes or child ASes as neighbors. A SCION non-core AS must only have parent, child, or peer ASes as neighbors.

    cppki object

    SCION CPPKI configuration for the SCION AS.

    disable_auto_renewal boolean

    Whether automatic renewal of AS certificates should be disabled. Usually, this value should not be set. By disabling certificate renewal, the appliance is set into a manual mode where new AS certificates must be provisioned manually and periodically.

    issuers object[]

    The SCION CPPKI Issuers that issue certificates for the local SCION AS. The list of issuers is tried in order of their priority. If no issuers are set explicitly, the renewal process will use the issuer of the newest existing SCION CPPKI AS Certificate.

  • Array [
  • isd_as string<isd-as> required

    The ISD-AS identifier of the issuing AS.

    Example: 1-ff00:0:120

    priority integer<int32> required

    The priority of the issuing AS. The appliance attempts to get certificates issued from the AS with the highest priority. The value 0 indicates the highest priority, higher numbers are lower priority.

  • ]
  • default boolean

    Default indicates whether the respective SCION AS should be used by default as the source AS by SCION applications, e.g., scion ping or scion showpaths. Configurations with more than one default AS are rejected because there can only be one default AS. If there is only a single AS configured, it is the default. Therefore, this setting is only necessary if multiple ASes are configured on the appliance.

    Default value: false

    details object

    User-defined details about the SCION AS for informational purpose.

    description string

    User-defined description, or comment, that describes this SCION AS.

    name string

    SCION AS name for informational purpose.

    forwarding_key_ref string<secret-ref>

    Reference to the forwarding key for this AS. The referenced secret must be a base64-encoded forwarding key.

    Note that changing this reference might result in a network disruption and it is therefore not recommended.

    isd_as string<isd-as> required

    ISD-AS identifier of the SCION AS.

    Example: 1-ff00:0:110

    neighbors object[]

    List of neighbor SCION ASes that this device is connected to via one or multiple SCION interfaces. Each entry is identified by the remote ISD-AS.

  • Array [
  • description string

    Description, or comment, for the neighbor AS.

    interfaces object[]

    SCION interfaces on this device that link to the neighbor AS.

  • Array [
  • address string

    UDP/IP underlay endpoint of the SCION Interface. The data plane traffic is received on this address. The address must be specified as host:port. Both host and port must be specified.

    Example: 169.254.0.1:30100

    administrative_state string

    Administrative state of the SCION interface.

    Experimental: Currently only UP is supported.

    Possible values: [UP, ADMIN_DOWN, DATAPLANE_ONLY]

    bfd object

    SCION interface BFD configuration. BFD is used to detect faults on the link to the neighbor AS.

    desired_minimum_tx_interval integer<uint32>

    The minimum interval between transmissions of BFD control packets that the operator desires. This value is advertised to the peer; however, the actual interval used is the maximum of desired_minimum_tx_interval and the remote peer's required_minimum_receive value. This value is specified as an integer number of microseconds.

    detection_multiplier integer<uint8>

    The number of packets that must be missed to declare this session as down. The detection interval for the BFD session is calculated by multiplying the value of the negotiated transmission interval by this value.

    Possible values: >= 1 and <= 255

    enabled boolean

    If set to true, the BFD session is enabled on the SCION interface; if set to false, BFD is disabled on that SCION interface. When disabled, the health of the interface is not tracked and it is assumed to be healthy. Note that the remote side of this SCION interface should have the same setting for enabled.

    Default value: true

    required_minimum_receive integer<uint32>

    The minimum interval between received BFD control packets that this system should support. This value is advertised to the remote peer to indicate the maximum frequency (i.e., minimum inter-packet interval) between BFD control packets that is acceptable to the local system.

    description string

    Description, or comment, for the SCION interface.

    enable_scion_rss boolean

    Flag to activate SCION RSS for this link. If activated, the router utilizes UDP source port entropy on the underlay such that the remote router can leverage RSS for SCION traffic. This can greatly improve throughput performance. For low throughput SCION links (up to 1 Gbps), enabling SCION RSS is not necessary. Before enabling this feature, please ensure that the remote router supports SCION RSS.

    Default value: false

    interface_id integer<uint16> required

    SCION interface identifier. It must be unique in the SCION AS.

    Possible values: >= 1 and <= 65535

    remote object

    Remote SCION interface endpoint of the link.

    address string

    UDP/IP underlay endpoint of the SCION Interface. The data plane traffic is received on this address. The address must be specified as host:port. Both host and port must be specified.

    Example: 169.254.0.1:30100

    interface_id integer<uint16> required

    SCION interface identifier. It must be unique in the SCION AS.

    Possible values: >= 1 and <= 65535

    scion_mtu integer<uint16>

    The maximum transmission unit in bytes for SCION packets. This represents the protocol data unit (PDU) of the SCION layer on this interface and is usually calculated as maximum Ethernet payload - IP Header - UDP Header.

    Default value: 1472
    Example: 1472

  • ]
  • neighbor_isd_as string<isd-as> required

    ISD-AS number of the neighbor AS.

    Example: 2-ff00:0:210

    relationship string required

    The relationship to the neighbor AS. If the local AS is core, this value must be either CORE or CHILD. If the local AS is non-core, this value must be either PARENT, CHILD or PEER.

    Possible values: [CORE, CHILD, PARENT, PEER]

  • ]
  • router object

    The configuration for the SCION router service. The address configures where the router is exposed. AS internal hosts send SCION data plane traffic to this address for forwarding over the local SCION interfaces.

    enabled boolean required

    Whether the service is enabled.

    internal_interface string

    The address of the internal SCION interface of the router. The address must be specified as host:port. If the port is 0 it will be automatically allocated.

    Example: 192.168.1.1:30100

    scion_mtu integer<uint16>

    The maximum transmission unit in bytes for SCION packets. This represents the protocol data unit (PDU) of the SCION layer on this interface and is usually calculated as maximum Ethernet payload - IP Header - UDP Header.

    Default value: 1472
    Example: 1472

    shard_id integer<uint32>

    The control plane and the data plane of a SCION AS are split into multiple shards. Each shard is responsible for processing and disseminating path information only for a subset of links. This field is the ID of the shard to which the control service and the router on this appliance belong. It is recommended to run the router and the control service of the same shard on the same host; if they are not, the routers and the control service in the same shard need mutual IP connectivity. Each shard must contain only a single control service.

  • ]
  • synchronization object

    The synchronization configuration contains the configuration for SCION path and beacon synchronization.

    beacon_synchronization_interval string<duration-string>

    The interval between two consecutive beacon synchronization attempts to the cluster peers. It requires a unit suffix out of ['d', 'h', 'm', 's']. The encoding consists of a decimal number concatenated with a suffix; for example, '5s', '10m', '12h', and '1d'.

    Default value: 4s

    path_segment_synchronization_interval string<duration-string>

    The interval between two consecutive path segment synchronization attempts to the cluster peers. It requires a unit suffix out of ['d', 'h', 'm', 's']. The encoding consists of a decimal number concatenated with a suffix; for example, '5s', '10m', '12h', and '1d'.

    Default value: 4s

    Config_SCION_Wrapped

    {
      "scion": {
        "ases": [
          {
            "ca_service": {
              "anapaya_vault": {
                "addresses": [
                  "string"
                ],
                "credentials": {
                  "role_id": "string",
                  "secret_id_ref": "string"
                },
                "validation": {
                  "subject": "MATCHING_ISD_AS"
                }
              },
              "external": {
                "address": "192.0.2.3:5000",
                "client_id": "string",
                "shared_secret_ref": "string"
              },
              "service_type": "EXTERNAL"
            },
            "control": {
              "address": "192.168.1.1:30100",
              "enabled": true
            },
            "core": true,
            "cppki": {
              "disable_auto_renewal": true,
              "issuers": [
                {
                  "isd_as": "1-ff00:0:120",
                  "priority": 0
                }
              ]
            },
            "default": false,
            "details": {
              "description": "string",
              "name": "string"
            },
            "forwarding_key_ref": "string",
            "isd_as": "1-ff00:0:110",
            "neighbors": [
              {
                "description": "string",
                "interfaces": [
                  {
                    "address": "169.254.0.1:30100",
                    "administrative_state": "UP",
                    "bfd": {
                      "desired_minimum_tx_interval": 0,
                      "detection_multiplier": 0,
                      "enabled": true,
                      "required_minimum_receive": 0
                    },
                    "description": "string",
                    "enable_scion_rss": false,
                    "interface_id": 0,
                    "remote": {
                      "address": "169.254.0.1:30100",
                      "interface_id": 0
                    },
                    "scion_mtu": 1472
                  }
                ],
                "neighbor_isd_as": "2-ff00:0:210",
                "relationship": "CORE"
              }
            ],
            "router": {
              "enabled": true,
              "internal_interface": "192.168.1.1:30100"
            },
            "scion_mtu": 1472,
            "shard_id": 0
          }
        ],
        "synchronization": {
          "beacon_synchronization_interval": "4s",
          "path_segment_synchronization_interval": "4s"
        }
      }
    }
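The schema above states several cross-field constraints that a JSON schema alone cannot express (the core/non-core neighbor relationship rule, a single default AS, unique interface_id per AS, host:port with both parts set, the 1..255 detection_multiplier range, and the duration-string format). The following pre-flight checker, an added example that is not Anapaya's code, applies those rules to a constructed Config_SCION_Wrapped document before it is pushed to an appliance; the sample document and its three deliberate mistakes are constructed here.

```python
import json
import re

DURATION_RE = re.compile(r"^\d+[dhms]$")  # duration-string: '5s', '10m', '12h', '1d'
ALLOWED_REL = {True: {"CORE", "CHILD"}, False: {"PARENT", "CHILD", "PEER"}}  # keyed by core flag

def validate(cfg):
    """Return the constraint violations found in a Config_SCION_Wrapped document."""
    errors = []
    scion = cfg.get("scion", {})
    ases = scion.get("ases", [])
    if sum(1 for a in ases if a.get("default", False)) > 1:
        errors.append("more than one AS has default=true")
    for as_cfg in ases:
        isd_as = as_cfg.get("isd_as", "?")
        core = bool(as_cfg.get("core", False))
        seen_ids = set()  # interface_id must be unique within the AS
        for nb in as_cfg.get("neighbors", []):
            rel = nb.get("relationship")
            if rel not in ALLOWED_REL[core]:
                errors.append(f"{isd_as}: relationship {rel!r} to {nb.get('neighbor_isd_as')}"
                              f" not allowed for a {'core' if core else 'non-core'} AS")
            for ifc in nb.get("interfaces", []):
                ifid = ifc.get("interface_id")
                if not isinstance(ifid, int) or not 1 <= ifid <= 65535:
                    errors.append(f"{isd_as}: interface_id {ifid!r} outside 1..65535")
                elif ifid in seen_ids:
                    errors.append(f"{isd_as}: duplicate interface_id {ifid}")
                seen_ids.add(ifid)
                host, _, port = ifc.get("address", "").rpartition(":")
                if not host or not port.isdigit():  # both host and port are mandatory
                    errors.append(f"{isd_as}/{ifid}: address must be host:port")
                mult = ifc.get("bfd", {}).get("detection_multiplier")
                if mult is not None and not 1 <= mult <= 255:
                    errors.append(f"{isd_as}/{ifid}: detection_multiplier {mult} outside 1..255")
    for key, val in scion.get("synchronization", {}).items():
        if not DURATION_RE.match(str(val)):
            errors.append(f"synchronization.{key}: {val!r} is not a duration like '4s'")
    return errors

# Constructed sample: a PEER neighbor on a core AS, a reused interface_id, and a bad duration.
SAMPLE = json.loads("""{"scion": {"ases": [{"isd_as": "1-ff00:0:110", "core": true, "default": true,
  "control": {"enabled": true, "address": "192.168.1.1:30100"}, "router": {"enabled": true, "internal_interface": "192.168.1.1:30100"}, "neighbors": [
    {"neighbor_isd_as": "2-ff00:0:210", "relationship": "CORE", "interfaces": [
      {"interface_id": 1, "address": "169.254.0.1:30100", "bfd": {"enabled": true, "detection_multiplier": 3}}]},
    {"neighbor_isd_as": "1-ff00:0:111", "relationship": "PEER", "interfaces": [
      {"interface_id": 1, "address": "169.254.0.3:30100"}]}]}],
  "synchronization": {"beacon_synchronization_interval": "4s", "path_segment_synchronization_interval": "10x"}}}""")
```

Running `validate(SAMPLE)` reports exactly the three planted violations; a document that passes still has to be accepted by the appliance, which enforces the full schema.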