Anapaya GATE
The following describes a typical small deployment scenario, where an ISP operates two CORE appliances (as described in Anapaya CORE) and additionally two GATE instances.
This GATE setup is best practice because it increases redundancy for residential customers. Further, it allows the ISP to perform maintenance on one of the GATE appliances without causing a service interruption.
Topology
The target topology contains the following elements:
- ISP 1 deploys two CORE appliances, s01.chzrh1.isp1 and s01.chbrn1.isp1, that are connected via the internal network 10.0.0.0/24.
- ISP 1 deploys two GATE appliances, s02.chzrh1.isp1 and s02.chbrn1.isp1, that are connected via the internal network 10.0.0.0/24 to the CORE appliances. The two GATE appliances are both connected to the BGP network of the ISP via BGP peering (using the 10.10.0.0/24 and 10.20.0.0/24 networks).
- Residential customers, which belong to the BGP network of ISP 1.
- gate-customer-1 and gate-customer-2, two organizations that are connected to the SCION Internet using an Anapaya EDGE appliance. They are customers of the Anapaya GATE solution of ISP 1, through which they allow their employees to access critical services.
  - gate-customer-1 exposes services, namely a VPN server, in the 192.0.2.0/28 range.
  - gate-customer-2 exposes services in the 203.0.113.0/24 range.
The following steps configure the GATEs to implement the above scenario.
Network interface configuration
First, configure the network interfaces. In this setup, there are two physical network interfaces: one for the internal network (lan) and one for the BGP peering to the ISP's BGP network (bgp).
Please refer to Network interfaces for guidance on how to configure network interfaces, to Configuration reference for the full documentation on network interface configuration, and to Network for troubleshooting network configuration issues.
BGP configuration
GATE appliances are connected to the BGP network of the ISP. Over these BGP peerings, the GATE announces reachable remote prefixes into the ISP's internal BGP network and reannounces BGP announcements received from the ISP's BGP routers to remote SCION ASes. Therefore, each GATE appliance needs to set up at least one BGP session to a BGP router of the ISP.
In the example the following sessions are configured:
- s02.chzrh1.isp1 with local IP 10.10.0.2 has a BGP session with the BGP router of the ISP with peer IP 10.10.0.1.
- s02.chbrn1.isp1 with local IP 10.20.0.2 has a BGP session with the BGP router of the ISP with peer IP 10.20.0.1.
For the peering a private BGP AS number is used on the GATE appliance. The BGP router of the ISP can use its usual public BGP AS number or use a private AS number as well.
The full documentation on the BGP configuration can be found in BGP.
SCION configuration
The SCION section contains the configuration of the SCION protocol and AS. For GATE appliances, you only need the general AS configuration section.
General AS configuration
Each SCION AS has several general AS configuration options such as the ISD-AS identifier, the AS forwarding key reference, and a human-readable description of the AS. For the full list of the general AS configuration options, please refer to SCION.
For the configuration of GATE appliances, you need the following fields:
- isd_as
- scion_mtu
Please refer to General AS configuration for details; the values for the GATE appliances are identical to those of the CORE appliances.
Cluster configuration
The GATE appliances are deployed in a sharded manner as part of a cluster together with the CORE appliances. The GATE appliances exchange topology information with the CORE appliances.
The cluster configuration includes the local cluster endpoint and the list of peers that are part of the cluster. For CORE and GATE deployments, using automatic topology synchronization is recommended (see Cluster for more details).
For GATE appliances to be integrated into the existing cluster of CORE appliances, they need to be added to the cluster/peers section of the CORE appliances.
IP-in-SCION tunneling configuration
The SCION tunneling configuration enables the IP-in-SCION tunneling module of the appliance and can be used to configure IP tunnels towards customers of the GATE.
Refer to IP-in-SCION tunneling for more information on IP-in-SCION tunneling configuration.
This example configures both GATE appliances for two customers, gate-customer-1 and gate-customer-2.
- gate-customer-1 owns the SCION AS with ISD-AS number 1-ff00:1:234. This SCION AS announces the IP prefix 192.0.2.0/28 to the GATE instances via the SCION gateway routing protocol (SGRP).
- gate-customer-2 owns the SCION AS with ISD-AS number 1-ff00:2:5b. This SCION AS announces the IP prefix 203.0.113.0/24 to the GATE instances.
For both customers, create a domain configuration which contains:
- prefixes.accept_filter to filter the prefixes which the GATE receives from the customer,
- prefixes.announce_filter to filter the prefixes which the GATE announces to the customer,
- remote_isd_ases to list the SCION ISD-AS numbers of the customer,
- traffic_policies to influence what paths are chosen towards the customer. For simplicity, configure a default traffic policy that allows the GATE to choose any SCION path to the remote destination for any kind of traffic. Refer to IP-in-SCION tunneling for more details on how to configure traffic policies.
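To make the role of remote_isd_ases and prefixes.accept_filter concrete, here is an added Python model (example code, not Anapaya's implementation or configuration format) that applies the two customers' domain settings from this page to a constructed set of SGRP announcements: a prefix is accepted only when the announcing ISD-AS belongs to that customer and the prefix lies inside the customer's accept filter, so one customer cannot inject another customer's range or the ISP's internal network.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Domain:
    name: str
    remote_isd_ases: tuple   # ISD-AS numbers that belong to this customer
    accept_filter: tuple     # prefixes the customer is allowed to announce

    def accepts(self, isd_as, prefix):
        """True only if the AS is the customer's and the prefix is inside the filter."""
        if isd_as not in self.remote_isd_ases:
            return False
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:   # malformed prefix or host bits set: drop it
            return False
        # Exact match or more specific within an allowed range is accepted
        # (modelling choice for this example, not a statement about Anapaya's semantics).
        return any(net.version == allowed.version and net.subnet_of(allowed)
                   for allowed in self.accept_filter)


# Domain configuration for the two customers in the scenario above.
DOMAINS = (
    Domain("gate-customer-1", ("1-ff00:1:234",), (ipaddress.ip_network("192.0.2.0/28"),)),
    Domain("gate-customer-2", ("1-ff00:2:5b",), (ipaddress.ip_network("203.0.113.0/24"),)),
)


def filter_announcements(announcements):
    """Split (isd_as, prefix) pairs received over SGRP into accepted and rejected lists."""
    accepted, rejected = [], []
    for isd_as, prefix in announcements:
        domain = next((d for d in DOMAINS if d.accepts(isd_as, prefix)), None)
        if domain is None:
            rejected.append((isd_as, prefix))
        else:
            accepted.append((domain.name, prefix))
    return accepted, rejected


# Constructed sample announcements: three legitimate ones and three that must be dropped.
SAMPLE_ANNOUNCEMENTS = [
    ("1-ff00:1:234", "192.0.2.0/28"),    # legitimate
    ("1-ff00:2:5b", "203.0.113.0/24"),   # legitimate
    ("1-ff00:1:234", "192.0.2.0/30"),    # more specific, still inside customer 1's filter
    ("1-ff00:1:234", "203.0.113.0/24"),  # customer 1 announcing customer 2's range
    ("1-ff00:2:5b", "10.0.0.0/24"),      # the ISP's internal network
    ("1-ff00:9:99", "198.51.100.0/24"),  # unknown ISD-AS
]
```

Running filter_announcements(SAMPLE_ANNOUNCEMENTS) returns the first three entries as accepted and the last three as rejected.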