MORGAN + TFC overlay path

The picture below shows the topology of the Netkit lab that implements a MORGAN overlay path transported over TFC and ESP Security Associations.

topology of the test-lab

Kernel Compiling

Before starting the lab we have to build a kernel with the TFC and MPLS overlay features, so first we download the sources from the svn repository.

cd /home/your_user
mkdir build-mpls-tfc
svn co
cd linux-

In the previous snippet we also create our target directory, build_um. Next, modify the Makefile to specify the UM (User Mode) architecture:

vi Makefile

Add the following two lines to the kernel Makefile (if not present):


The KBUILD_OUTPUT parameter specifies the path of the build_um directory; another path can be chosen if preferred. Now we can configure the kernel:

make menuconfig

To use the TFC and MORGAN features we have to enable them in the kernel, so enable the following options (and remember to enable all IPsec handling modules, AH and ESP):

Networking--->Networking options--->[M]Protocol header forging/restoring kernel APIs
Networking--->Networking options--->[M]MPLS-in-IP input support
Networking--->Networking options--->Network packet filtering--->IP: Netfilter Configuration--->[M]MPLS target support
Networking--->Networking options--->[M]TFC transformation
Networking--->Networking options--->[M]TFC: hook binding
Networking--->Networking options--->[M]TFC: handler binding

Remember to enable the following option, which gives the kernel access to files stored on the host; without it the kernel probably won't be able to load its modules.

UML-specific options---><*>Host filesystem

Then select "Layer 3 Dependent Connection Tracking (OBSOLETE)" in the "Core Netfilter Configuration" section in order to use NAT with the MPLS-overlay packets (the latest version of connection tracking will be patched as soon as possible).

Now we are ready to compile the sources, install the modules and link the correct kernel in the netkit directory:

make modules_install INSTALL_MOD_PATH=$NETKIT_HOME/kernel/modules ARCH=um
cd $NETKIT_HOME/kernel
rm netkit-kernel
ln -s /home/utente/build-mpls-tfc/vmlinux netkit-kernel
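As an added pre-flight check (not part of the original lab), the following shell function verifies the layout that the steps above leave behind before you start the lab: netkit-kernel must be a symlink that resolves to an existing vmlinux, and $NETKIT_HOME/kernel/modules must contain the lib/modules/<version> tree that modules_install creates, including the modules.dep that depmod writes. The function takes $NETKIT_HOME as its argument; the module version directory name is whatever your build produced.

```sh
#!/bin/sh
# Added check for the Netkit kernel/module install described above.
# Usage: netkit_kernel_check "$NETKIT_HOME"   (returns 0 if the layout is consistent)
netkit_kernel_check() {
    nk_home="$1"
    kdir="$nk_home/kernel"
    rc=0
    # 1. netkit-kernel must be a symlink (as created with ln -s above) that
    #    still resolves to a real file.
    if [ ! -L "$kdir/netkit-kernel" ]; then
        echo "FAIL: $kdir/netkit-kernel is not a symlink"; rc=1
    elif [ ! -f "$kdir/netkit-kernel" ]; then
        echo "FAIL: $kdir/netkit-kernel points to a missing vmlinux"; rc=1
    fi
    # 2. 'make modules_install INSTALL_MOD_PATH=...' places modules under
    #    <INSTALL_MOD_PATH>/lib/modules/<kernel version>/ ; find that directory.
    moddir=""
    for d in "$kdir"/modules/lib/modules/*/; do
        [ -d "$d" ] && moddir="$d" && break
    done
    if [ -z "$moddir" ]; then
        echo "FAIL: no lib/modules/<version> directory under $kdir/modules"; rc=1
    else
        # depmod runs at the end of modules_install; without modules.dep,
        # modprobe inside the virtual machines cannot resolve the TFC/MPLS modules.
        [ -f "$moddir/modules.dep" ] || { echo "FAIL: $moddir has no modules.dep"; rc=1; }
        # at least one module object must have been installed
        if ! find "$moddir" -name '*.ko' | grep -q .; then
            echo "FAIL: no .ko modules found under $moddir"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: Netkit kernel layout under $kdir looks consistent"
    return "$rc"
}
```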

Preparing the Lab

Before downloading the lab configuration files and setting up a Netkit lab, we need to download a patched version of iptables: iptables support (user space and kernel) is needed to put MPLS rules into the kernel netfilter.

So, go in your home directory:

$ cd ~ 

and check out the patched version of iptables-1.3.8 from minerva's SVN:

$ svn co 

The iptables sources come already compiled; if you want to rebuild them, just do:

$ make clean 
$ ./configure
$ make   

Now we are ready to set up the MORGAN testbed lab, so we download the lab configuration files from SVN:

$ cd ~
$ svn
$ cd test_tfc_mpls_star

Lab Testing

If you want to get information about the lab and draw the topology of the testbed network (requires the GraphViz library to be installed), just type in the testbed directory:

$ linfo -m topology.png

Now we can start the lab (all commands must be typed in the testbed directory):

$ lstart

On PC0 and PC3 we have to copy the patched iptables library to correctly set up the anonymized path through PC0, PC1, PC2 and PC3; so, in the shell of PC0 and PC3, do the following:

$ mkdir /usr/lib/iptables
$ cp /hosthome/iptables-1.3.8/extension/* /usr/lib/iptables/   

and reboot PC0 and PC3 (or the entire lab, if you prefer).

The MPLS parameters are currently hardcoded in the sources of the kernel modules. The IPsec (ESP and TFC) configurations are loaded at lab startup: the overlay path configuration is written in the virtual machine start-up files, pcN.startup, where N is the number of the virtual machine. In these files we find the network interface configuration, the commands that set up the IPsec SAD and SPD between the virtual machines, the loading of the MORGAN mpls-over-ip modules, and the iptables rules that set up the overlay path (using the patched version of iptables).

So we can test the overlay path from client ( to server (, established as an MPLS virtual circuit over IPsec SAs through the nodes PC0, PC1, PC2 and PC3. The path has been tested with ICMP and SSH connections: on PC0 there is an iptables rule that captures packets sent to the server and puts them into the MPLS virtual circuit; on PC3 there is a similar rule that brings packets from the server into the return virtual path to the client.

Last modified on Mar 9, 2008, 10:04:21 PM
