OWAMP and BWCTL: Installation and Configuration
Jeff Boote (boote@internet2.edu)
Network Performance Workshop, 05-Apr-2006
Overview

- Intro
- Installation
- Policy
  - Partitioning Resources
  - Classifying Connections
- OWAMP configuration
  - owampd general configuration
  - owampd policy configuration
  - Testing and troubleshooting
- BWCTL configuration
  - bwctld general configuration
  - bwctld policy configuration
  - Testing and troubleshooting
Review Website

Most of the information from this talk is on the web sites:
- http://e2epi.internet2.edu/owamp/
- http://e2epi.internet2.edu/bwctl/
Download

- http://e2epi.internet2.edu/owamp/download.html
- http://e2epi.internet2.edu/bwctl/download.html
Unpack/Build/Install

    % gzip -cd owamp-$VERS.tar.gz | tar xf -
    % cd owamp-$VERS
    % ./configure --prefix=/ami
    # --prefix is only needed if you don't like the default
    # (/usr/local on most systems)
    % make
    % make install

- Does not install configuration files
- Same process for BWCTL - do it now
General Security Considerations (review)

- Do no harm
  - Don’t want machines to be a source of denial of service attacks
  - On the other hand, would like them to be as available as possible, so as useful as possible for debugging
- Avoid being an attractive nuisance
  - Again, obscurity lessens usefulness
  - But do harden machines themselves
OWAMP Security Considerations

- Limit the bandwidth that can be consumed
- Limit the memory/disk that can be consumed on the test host
BWCTL Security Considerations

- Limit the bandwidth that can be consumed
  - Including protocol type (UDP/TCP)
Partitioning Resources

- Decide upon the complete amount of resources it is acceptable for the test host to consume
- Decide how to allocate those resources among users
  - How much disk space can be dedicated? Per group?
  - How much bandwidth total? Per group?
- Keep system load in mind as well as network. The data accuracy will suffer if the system is too loaded.
Resources Allocated Using Hierarchical Limitclasses

- Users are grouped into hierarchical limitclasses
- Only one parent-less class is allowed; it defines the total amount of resources available
- When a limitclass is defined, the limits of its one and only parent are inherited
- When consumable resources are requested, the limits of the limitclass and of all parent limitclasses must be satisfied (memory/bandwidth/timeslots)
Classifications of users into limitclasses

Example organization of limitclasses:
- Root: Complete set of resources available
- Hostile: Used to “jail” hostile users
- NOC: Super-user limits
- Peer: Extended limits for peer tests
- Normal: Reasonable limits for end-users
- Open: Conservative limits for *anyone*
Available per limitclass

Example allocation for bandwidth (BWCTL):
- Root: Complete set of resources available
- Hostile: No tests allowed
- NOC: Inherit Root limits
- Peer: Limit UDP to 500m
  - Could make child limitclasses for each individual peer if lower limits should be applied to some
- Normal: UDP not needed for most end users
- Open: No tests allowed
Example limitclass definition

    # total available
    limit root with \
        AllowTCP=on, \
        AllowUDP=on, \
        bandwidth=900m

    # Hostile
    limit hostile with parent=root, \
        AllowTCP=off, \
        AllowUDP=off
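The limitclass rules from the last few slides (one parent-less root, inheritance from the single parent, and a request having to satisfy the class and every ancestor) are easy to get wrong by hand. The following Python is an added example, not OWAMP/BWCTL code: it parses the "limit NAME with key=value, ..." syntax shown here and in the owampd.limits/bwctld.limits examples on this page, applies inheritance, and checks a request up the chain. Its assumptions are that key names are case-insensitive, that k/m/g are decimal multipliers, and that a numeric limit of 0 means "no limit" (following the duration=0 setting on the bwctld.limits slide); the real daemons' parsers were not consulted.

```python
"""Added example (not OWAMP/BWCTL code): parse limitclass definitions,
apply parent inheritance, and check a request against the whole chain."""
import re

# Constructed sample in the slide syntax; values are illustrative only.
SAMPLE_LIMITS = """\
# total available
limit root with \\
    allow_tcp=on, \\
    allow_udp=on, \\
    bandwidth=900m, \\
    duration=0
# Hostile
limit hostile with parent=root, \\
    allow_tcp=off, \\
    allow_udp=off
# peers may use UDP, but less bandwidth than root allows
limit peer with parent=root, \\
    bandwidth=500m
# a child may *declare* more than its parent, but the parent still caps it
limit noc with parent=root, \\
    bandwidth=2g
"""

# Assumption of this example: k/m/g are decimal multipliers, case-insensitive.
_MULT = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}


def parse_value(raw):
    """on/off -> bool; digits with optional k/m/g suffix -> int."""
    low = raw.strip().lower()
    if low in ("on", "off"):
        return low == "on"
    m = re.fullmatch(r"(\d+)([kmg]?)", low)
    if not m:
        raise ValueError(f"unsupported value {raw!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    out = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def parse_limits(text):
    """Return (effective, parent): effective[name] holds the class's limits
    with everything inherited from its parent chain; parent[root] is None."""
    effective, parent = {}, {}
    for line in logical_lines(text):
        m = re.fullmatch(r"limit\s+(\S+)\s+with\s+(.*)", line, re.IGNORECASE)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        name, body = m.group(1), m.group(2)
        own, parent_name = {}, None
        for item in body.split(","):
            key, _, val = item.partition("=")
            key = key.strip().lower()
            if key == "parent":
                parent_name = val.strip()
            else:
                own[key] = parse_value(val)
        if parent_name is None:
            if None in parent.values():   # only one parent-less class allowed
                raise ValueError(f"{name}: a parent-less class already exists")
            limits = {}
        elif parent_name not in effective:
            raise ValueError(f"{name}: parent {parent_name!r} not defined yet")
        else:
            limits = dict(effective[parent_name])   # inherit, then override
        limits.update(own)
        effective[name], parent[name] = limits, parent_name
    return effective, parent


def ancestry(name, parent):
    """Yield the class itself, then each parent up to the root."""
    while name is not None:
        yield name
        name = parent[name]


def request_allowed(effective, parent, name, **request):
    """True only if the class and all its ancestors permit the request.
    Boolean limits must be on for a requested feature; numeric limits must
    not be exceeded, with 0 meaning unlimited (assumption of this example)."""
    for cls in ancestry(name, parent):
        for key, wanted in request.items():
            limit = effective[cls].get(key)
            if limit is None:
                continue
            if isinstance(limit, bool):
                if wanted and not limit:
                    return False
            elif limit != 0 and wanted > limit:
                return False
    return True


if __name__ == "__main__":
    eff, par = parse_limits(SAMPLE_LIMITS)
    print("noc at 1g:", request_allowed(eff, par, "noc", bandwidth=10**9))
```

The noc class in the sample declares bandwidth=2g, yet a 1g request from it is refused: the root class's 900m still applies, which is the "class and all parents must be satisfied" rule from the previous slide.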
Classifying Connections

- IP/netmask
  - The IP address of the client is matched against a list of IP/netmask-specified subnets, and the connection is assigned to a limitclass based on the address of the client
- Username and AES key
  - The client specifies a username; the server must already know the associated AES key
  - The AES key is used as a symmetric session key
    - Client and server use the key as a shared secret
IP/netmask matching rules

- The most specific matching mask wins
- No set bits are allowed in the address portion beyond the number of mask bits
- Does not need to be a “real” sub-net
Example netmask assignment setup

    # loopback
    assign net ::/127 noc
    assign net 127.0.0.1/32 noc

    # abilene nmslan (observatory systems)
    assign net 2001:468:0::/40 peer
    assign net 198.32.10.0/23 peer
Username and AES key rules

- Usernames are limited to 16 characters
- The AES key is a 128-bit session key
  - Keys are not encrypted in the keys file; use UNIX permissions to protect it
- A pass phrase can be used to generate the AES key
  - Server: use aespasswd to add pass-phrase-generated keys to the keys file
  - Client: the application prompts the user for the pass phrase
Example key file

    joe a0167ac6101b360d2f4dd164abba2337
    bob 2dc36fc4807894cdfbe180b71d2b4a0f
    sam 3fc763fb270ce6ba6e928bd10d4977d3
aespasswd

- Similar command line to htpasswd (Apache web server)
- Specify an identity to be added to a key file; you are prompted for a passphrase
- http://e2epi.internet2.edu/owamp/aespasswd.man.html
Example username/key assignment setup

    # local super users
    assign user boote noc
    assign user joe noc

    # peers
    assign user warren peer
    assign user bob peer

    # normal
    assign user sam normal
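The two classification methods from the preceding slides, IP/netmask with the most specific mask winning (and no set bits beyond the mask), and username with a key the server already holds, can be exercised offline. The Python below is an added example, not OWAMP/BWCTL code: it reads a keys file in the "username key" layout of the example key file, reads "assign net" and "assign user" lines, and classifies a connection. The sample files are constructed for this example (the /26 line is added to show the most-specific rule); an address matching no subnet is reported as unclassified, since the slides do not say what the daemons do in that case.

```python
"""Added example (not OWAMP/BWCTL code): parse a keys file and "assign"
lines, then classify a connection by IP/netmask or by username."""
import ipaddress
import re

# Constructed sample keys file: username, whitespace, 32 hex digits (128 bits).
SAMPLE_KEYS = """\
joe a0167ac6101b360d2f4dd164abba2337
bob 2dc36fc4807894cdfbe180b71d2b4a0f
sam 3fc763fb270ce6ba6e928bd10d4977d3
"""

# Constructed sample assignments; the /26 inside the /23 shows that the
# most specific mask wins.
SAMPLE_ASSIGN = """\
# loopback
assign net ::/127 noc
assign net 127.0.0.1/32 noc
# observatory systems
assign net 2001:468:0::/40 peer
assign net 198.32.10.0/23 peer
assign net 198.32.10.64/26 normal
# users (warren has no key in SAMPLE_KEYS, so he cannot be classified)
assign user joe noc
assign user bob peer
assign user sam normal
assign user warren peer
"""


def _content_lines(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_keys(text):
    """username -> 16-byte AES key; enforces the 16-char and 128-bit rules."""
    keys = {}
    for line in _content_lines(text):
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"bad keys line: {line!r}")
        user, hexkey = parts
        if len(user) > 16:
            raise ValueError(f"username longer than 16 chars: {user!r}")
        if not re.fullmatch(r"[0-9a-fA-F]{32}", hexkey):
            raise ValueError(f"key for {user!r} is not 32 hex digits")
        keys[user] = bytes.fromhex(hexkey)
    return keys


def parse_assignments(text):
    """Return (nets, users): list of (network, limitclass) and a user map."""
    nets, users = [], {}
    for line in _content_lines(text):
        parts = line.split()
        if len(parts) != 4 or parts[0] != "assign":
            raise ValueError(f"bad assign line: {line!r}")
        _, kind, ident, limitclass = parts
        if kind == "net":
            # strict=True rejects set bits beyond the mask, as the rules require
            try:
                net = ipaddress.ip_network(ident, strict=True)
            except ValueError as exc:
                raise ValueError(f"{ident}: {exc}") from None
            nets.append((net, limitclass))
        elif kind == "user":
            users[ident] = limitclass
        else:
            raise ValueError(f"unknown assign type {kind!r}")
    return nets, users


def classify_net(nets, client_ip):
    """Limitclass of the most specific matching subnet, or None."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, cls) for net, cls in nets if addr in net]
    return max(matches)[1] if matches else None


def classify_user(users, keys, username):
    """Limitclass for a username whose AES key the server holds, else None."""
    if username not in keys:        # server must already know the key
        return None
    return users.get(username)


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    nets, users = parse_assignments(SAMPLE_ASSIGN)
    for ip in ("127.0.0.1", "::1", "198.32.11.7", "198.32.10.70", "10.0.0.1"):
        print(ip, "->", classify_net(nets, ip))
    for user in ("joe", "warren"):
        print(user, "->", classify_user(users, keys, user))
```

Because `ip_network(..., strict=True)` raises on host bits, a line such as `assign net 198.32.10.1/23 peer` is rejected at load time rather than silently matching a subnet the operator did not intend.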
Configure (owampd.conf)

http://e2epi.internet2.edu/owamp/owampd.conf.man.html

- These parameters control how owampd runs
  - General operations such as where it reports its errors and where it stores buffered data files.
- Most installations will only need to modify
  - datadir
  - vardir
  - user
  - group
Configure (owampd.limits)

http://e2epi.internet2.edu/owamp/owampd.limits.man.html

Two parts:
1. Authentication: Who is making the request?
2. Authorization: What is that identity allowed to do?
Configure (owampd.limits)

Authentication is done by assigning a limitclass to each new connection as it comes in.

- IP/netmask method:
    assign net 127.0.0.1/32 noc
- username method:
    assign user boote noc
Configure (owampd.limits)

Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.

    Limit root with \
        Disk=100M, \
        Bandwidth=0, \
        Delete_on_fetch=on, \
        Allow_open_mode=off

    Limit noc with parent=root, \
        Allow_open_mode=on
Configure (owampd.keys)

- http://e2epi.internet2.edu/owamp/owampd.keys.man.html
- http://e2epi.internet2.edu/owamp/aespasswd.man.html

Used to hold the username/AESKey pairing information for the daemon. Use the aespasswd program to generate a key if you want a passphrase associated with it.
Starting owampd

http://e2epi.internet2.edu/owamp/owampd.man.html

Start in the foreground during testing:

    /usr/local/bin/owampd -c /usr/local/etc -Z
Testing (owping)

http://e2epi.internet2.edu/owamp/owping.man.html

- Simple localhost test:
    /ami/bin/owping localhost
- Test to Internet2 test host:
    /ami/bin/owping nmsy-aami.abilene.ucaid.edu
- Others:
    /usr/local/bin/owping otherhost
Troubleshooting

- No control connection
- Control connection denied
- 100% packet loss in test streams
  - Clock offset (ntpq, loss timeout)
  - Firewall
Configure (bwctld.conf)

http://e2epi.internet2.edu/bwctl/bwctld.conf.man.html

- These parameters control how bwctld runs
  - General operations such as where it reports its errors and other daemon-wide configuration options
- Most installations will only need to modify
  - vardir
  - user
  - group
Configure (bwctld.limits)

http://e2epi.internet2.edu/bwctl/bwctld.limits.man.html

Two parts:
1. Authentication: Who is making the request?
2. Authorization: What is that identity allowed to do?
Configure (bwctld.limits)

Authentication is done by assigning a limitclass to each new connection as it comes in.

- IP/netmask method:
    assign net 127.0.0.1/32 noc
- username method:
    assign user boote noc
Configure (bwctld.limits)

Authorization is done by associating a set of hierarchical limits with each limitclass and verifying that each incoming request adheres to them.

    Limit root with \
        bandwidth=900m, \
        duration=0, \
        allow_tcp=on, \
        allow_udp=on, \
        allow_open_mode=off

    Limit noc with parent=root, \
        Allow_open_mode=on
Configure (bwctld.keys)

- http://e2epi.internet2.edu/bwctl/owampd.keys.man.html
- http://e2epi.internet2.edu/bwctl/aespasswd.man.html

Used to hold the username/AESKey pairing information for the daemon. Use the aespasswd program to generate a key if you want a passphrase associated with it.
Testing bwctl

http://e2epi.internet2.edu/bwctl/bwctl.man.html

- Try to create a test from the Internet2 test host:
    % /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
- Try to create a test toward the Internet2 test host:
    % /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Starting bwctld

http://e2epi.internet2.edu/bwctl/bwctld.man.html

Start in the foreground during testing:

    /usr/local/bin/bwctld -c /usr/local/etc -Z
Testing bwctl (With Your Daemon)

If there is a local daemon running, the bwctl client will automatically connect to it to schedule the local resources instead of running the test directly. The same command lines as above are used to test this.

- Try to create a test from the Internet2 test host:
    % /ami/bin/bwctl -s nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
- Try to create a test toward the Internet2 test host:
    % /ami/bin/bwctl -c nmsx-aami.abilene.ucaid.edu A AESKEY jimbob
Testing bwctl (3-Party)

The bwctl client can be used to request a test between 2 other hosts.

- If you have the same identity on the two hosts:
    % /ami/bin/bwctl -s sendhost -c recvhost -A A AESKEY jimbob
- If you have different identities, you must append the auth args after the host:
    % /ami/bin/bwctl -s sendhost A AESKEY jim -c recvhost A AESKEY bob
Troubleshooting

- No control connection
- Control connection denied
- Initial control connection works - peer connection fails
- Scheduling problems
- Iperf connections fail
- Iperf results are bad
Questions?/Review?

www.internet2.edu