wiki:OverlayPathSetup

How to set up an MPLS-over-IP overlay path

Preparing the lab

Before downloading the lab configuration files and setting up the netkit lab in which we will try an MPLS path as used by MORGAN to anonymize a connection, we need a patched version of iptables: both user-space and kernel support are needed to install mpls rules in netfilter.

So, go in your home directory:

$ cd ~ 

and check out the patched version of iptables-1.3.8 from minerva's SVN:

$ svn co https://minerva.netgroup.uniroma2.it/svn/discreet/MORGAN/trunk/iptables-1.3.8/ 

The checked-out iptables sources are already compiled; if you want to rebuild them, just run:

$ make clean 
$ ./configure
$ make     

Now we are ready to set up the MORGAN testbed lab. We assume that, before reading this page, you have compiled the MORGAN-patched kernel. If you have not, see the instructions at the following link:

https://minerva.netgroup.uniroma2.it/discreet/wiki/Preparing_a_netkit_Linux_Box_with_MORGAN_support

Once you have compiled the patched kernel, download the lab configuration files from SVN:

$ cd ~
$ svn co https://minerva.netgroup.uniroma2.it/svn/discreet/MORGAN/trunk/testbed/
$ cd testbed

If you want information about the lab and a drawing of the testbed network topology (requires the GraphViz library to be installed), type the following in the testbed directory:

$ linfo -m topology.png

Now we can start the lab (all commands must be typed in the testbed directory):

$ lstart

On PC0 and PC3 we have to copy the patched iptables extension libraries in order to set up the anonymized path through PC0, PC1, PC2 and PC3; so, in the shell of both PC0 and PC3, do the following:

$ mkdir /usr/lib/iptables
$ cp /hosthome/iptables-1.3.8/extensions/* /usr/lib/iptables/

and reboot PC0 and PC3 (or, if you prefer, the whole lab).

Once all the lab machines have started, we can try the anonymized path. All MPLS parameters (ILMs, NHLFEs, forging structures) are statically compiled into the mpls_ip module, and the whole overlay path configuration is written in the virtual machine start-up files, pcN.startup, where N is the number of the virtual machine. In these files we find the network interface configuration, the commands that set up the IPsec SAD and SPD between the virtual machines, the commands that load the MORGAN mpls-over-ip modules, and the iptables rules (issued with the patched iptables) that set up the anonymized path. For example, on PC0, to anonymize the SSH connection from the client (10.1.1.2) to the server (1.1.1.1):

/hosthome/iptables-1.3.8/iptables -A FORWARD -d 1.1.1.1 -s 10.1.1.2 -j mpls --nhlfe 10

or, on the exit node PC3, to source-NAT the overlay address (the patched iptables is not needed for this rule):

iptables -t nat -A POSTROUTING -d 1.1.1.1 -s 10.0.2.5 -j SNAT --to 1.1.1.2

We are finally ready to try the anonymized path :-). We can use MORGAN with an SSH connection from client to server (the MORGAN parameters are currently statically compiled for an SSH connection in mpls_ip.c; to change them, simply edit the parameters in that file and rebuild the kernel modules). So start the SSH service on the server:

$ /etc/init.d/ssh start

and, on the client machine, try the connection (password: root :-) ):

$ ssh root@1.1.1.1

If the configuration is correct, we have an anonymized SSH connection from client to server along the path PC0-->PC1-->PC2-->PC3. If we capture the traffic with tcpdump on an intermediate node of the path, e.g. PC1, we see encrypted (ESP) packets from/to PC0/PC2 but none from/to the client/server: an attacker who can observe the traffic between, for example, PC1 and PC2 cannot determine the true origin and destination of the communication.
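As an added check (example code, not part of the MORGAN wiki or testbed), the following POSIX shell script turns the observation above into an automated test over a "tcpdump -n" text capture taken on an intermediate node such as PC1: it fails if any non-ESP packet is present, or if the real client (10.1.1.2) or server (1.1.1.1) address appears as an outer address. The page does not give the addresses of the links PC1 sees towards PC0 and PC2, so the outer addresses 192.168.1.1 and 192.168.2.2 in the constructed sample captures are assumptions made for this example only.

```shell
#!/bin/sh
# Added example, not part of the MORGAN wiki or testbed: check a tcpdump text
# dump taken on an intermediate node (e.g. PC1) for the property described
# above. On the overlay segment every observed packet should be ESP and the
# real client (10.1.1.2) and server (1.1.1.1) addresses should never appear.
# The page gives no addresses for the PC0/PC1/PC2 links, so the outer
# addresses 192.168.1.1 and 192.168.2.2 in the samples are assumptions.

CLIENT=10.1.1.2
SERVER=1.1.1.1

# Turn a dotted address into a grep -E pattern matching only the whole
# address (so 1.1.1.1 does not match PC3's exit address 1.1.1.2 or 1.1.1.10).
addr_pattern() {
    printf '(^|[^0-9.])%s([^0-9]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# check_dump FILE: return 0 if FILE (output of "tcpdump -n") contains only
# ESP packets and never mentions the client or the server; otherwise print
# the offending lines and return 1.
check_dump() {
    file=$1
    status=0
    # 1. anything that is not ESP leaks protocol metadata (ports, TCP flags)
    if grep -v 'ESP(spi=' "$file" | grep -q .; then
        echo "non-ESP packets visible on the overlay segment:"
        grep -v 'ESP(spi=' "$file"
        status=1
    fi
    # 2. the real endpoints must not be visible as outer IP addresses
    for a in "$CLIENT" "$SERVER"; do
        pat=$(addr_pattern "$a")
        if grep -Eq "$pat" "$file"; then
            echo "endpoint $a visible on the overlay segment:"
            grep -E "$pat" "$file"
            status=1
        fi
    done
    return $status
}

# Constructed sample: what PC1 should see when the path works (ESP only;
# link addresses assumed).
write_clean_sample() {
    cat > "$1" <<'EOF'
12:00:01.000001 IP 192.168.1.1 > 192.168.2.2: ESP(spi=0x00001000,seq=0x1), length 116
12:00:01.000452 IP 192.168.2.2 > 192.168.1.1: ESP(spi=0x00002000,seq=0x1), length 116
12:00:01.000900 IP 192.168.1.1 > 192.168.2.2: ESP(spi=0x00001000,seq=0x2), length 100
EOF
}

# Constructed sample: a misconfigured PC0 (e.g. the mpls rule missing) forwards
# the SSH SYN in the clear, exposing both endpoints and the TCP port.
write_leaky_sample() {
    cat > "$1" <<'EOF'
12:00:01.000001 IP 192.168.1.1 > 192.168.2.2: ESP(spi=0x00001000,seq=0x1), length 116
12:00:02.000001 IP 10.1.1.2.40212 > 1.1.1.1.22: Flags [S], seq 1, win 5840, length 0
EOF
}

# With a file argument, check that capture; with none, self-test on the
# two constructed samples.
if [ $# -eq 1 ]; then
    check_dump "$1"
else
    tmp=$(mktemp)
    write_clean_sample "$tmp"
    check_dump "$tmp" && echo "clean sample: OK"
    write_leaky_sample "$tmp"
    check_dump "$tmp" || echo "leaky sample: leak detected (expected)"
    rm -f "$tmp"
fi
```

On the real lab, capture on PC1 with something like "tcpdump -n -i eth0 > pc1.txt" while the SSH session runs, then pass pc1.txt to the script; a clean run means the intermediate node only ever saw ESP between overlay hops, which is exactly what the text above claims an observer on PC1 is limited to.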

Adding IPsec support

To set up the ESP security associations between the nodes that use MORGAN, simply follow "The official IPsec Howto for Linux":

http://www.ipsec-howto.org/

Last modified on Dec 10, 2007, 3:14:38 PM