How to set up an MPLS-over-IP overlay path

Preparing the lab

Before downloading the lab configuration files and setting up a Netkit lab, in which we can try the MPLS path that MORGAN uses to anonymize a connection, we need to download a patched version of iptables: iptables support (user space and kernel) is needed to put MPLS rules into the kernel's netfilter.

So, go in your home directory:

$ cd ~ 

and check out from minerva's SVN the patched version of iptables-1.3.8:

$ svn co 

The iptables sources come already compiled; if you want to rebuild them, just do:

$ make clean 
$ ./configure
$ make     

Now we are ready to set up the MORGAN testbed lab. We assume that, before reading this page, you have compiled the MORGAN-patched kernel. If you haven't, see the instructions at the following link:

Once you have compiled the patched kernel, you can download the lab configuration files from SVN:

$ cd ~
$ svn co
$ cd testbed

If you want to get information about the lab and draw a topology of the testbed network (this requires the GraphViz library to be installed), just type, in the testbed directory:

$ linfo -m topology.png

Now we can start the lab (all commands must be typed in the testbed directory):

$ lstart

In PC0 and PC3 we have to copy the patched iptables libraries to correctly set up the anonymized path through PC0, PC1, PC2 and PC3; so, in the shell of PC0 and PC3, do the following steps:

$ mkdir /usr/lib/iptables
$ cp /hosthome/iptables-1.3.8/extension/* /usr/lib/iptables/   

and reboot the machines PC0 and PC3 or, if you want, the entire lab.

Once all the lab machines are started, we can try the anonymized path: all MPLS parameters (ILMs, NHLFEs, forging structures) are statically compiled into the mpls_ip module, and all overlay-path configuration is written in the virtual machines' start-up files, pcN.startup, where N is the number of the virtual machine. In these files we can find the network interface configuration, the commands that set up the IPsec SAD and SPD between the virtual machines, the commands that load the MORGAN mpls-over-ip modules, and the iptables rules that set up the anonymized path (using the patched version of iptables). For example (in PC0), to anonymize the ssh connection from client ( to the server (

hosthome/iptables-1.3.8/iptables -A FORWARD -d -s -j mpls --nhlfe 10

or, in the exit node PC3, to source-NAT the overlay address (in this case the patched iptables version isn't needed):

iptables -t nat -A POSTROUTING -d -s -j SNAT --to

We are finally ready to try the anonymized path :-). We can use MORGAN with an SSH connection from client to server (the MORGAN parameters are currently statically compiled for an ssh connection in mpls_ip.c; if you want to change them, simply modify the parameter in this file and rebuild the kernel modules). So start the ssh service on the server:

$ /etc/init.d/ssh start

and, in the client machine, try the connection (password: root :-) ):

$ ssh root@

If all the configuration is correct, we have an anonymized SSH connection from client to server through the path PC0-->PC1-->PC2-->PC3. If we capture the traffic with tcpdump in a central node of the path, e.g. PC1, we see encrypted packets (ESP) from/to PC0/PC2 but none from/to client/server: so an attacker who can observe the traffic flow between, for example, PC1 and PC2 can't correctly establish the true origin/destination of the communication.
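To make the check described above repeatable rather than eyeballed, here is an added example (not part of the MORGAN page or project) that scans a text capture taken with `tcpdump -n` on PC1 and fails if any real client/server address appears or if any non-ESP IP packet crosses the middle node. The addresses and capture lines are constructed placeholders, and `check_capture` is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the MORGAN page or project): check a capture taken on
# a middle node of the overlay path, e.g. PC1, for leaks of the real endpoints.
# All addresses are constructed placeholders (RFC 5737 / private ranges).

CLIENT=192.0.2.10      # assumed: real client address
SERVER=198.51.100.20   # assumed: real server address

# check_capture FILE CLIENT SERVER
# FILE contains the text output of "tcpdump -n" from the middle node.
# Returns 0 only if no line carries CLIENT or SERVER and every IP packet seen
# is ESP; otherwise prints the offending lines and returns 1.
check_capture() {
    file=$1; client=$2; server=$3
    # -F -w: fixed-string, whole-word match, so 10.0.1.1 does not hit 10.0.1.10
    # (tcpdump appends ports with a dot, which is a non-word character, so
    # "192.0.2.10.54321" still matches 192.0.2.10)
    leaks=$(grep -F -w -e "$client" -e "$server" "$file" || true)
    # any IP line that is not ESP is cleartext the observer can read
    clear=$(grep ' IP ' "$file" | grep -v ': ESP(spi=' || true)
    status=0
    if [ -n "$leaks" ]; then
        printf 'endpoint address visible:\n%s\n' "$leaks"; status=1
    fi
    if [ -n "$clear" ]; then
        printf 'non-ESP traffic on path:\n%s\n' "$clear"; status=1
    fi
    return $status
}

# Two constructed captures: what PC1 should show (ESP between PC0 and PC2 only)
# and a broken setup where the ssh SYN passes PC1 in the clear.
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
12:00:01.000100 IP 10.0.1.1 > 10.0.2.1: ESP(spi=0x00000201,seq=0x1), length 116
12:00:01.000900 IP 10.0.2.1 > 10.0.1.1: ESP(spi=0x00000301,seq=0x1), length 116
12:00:02.000000 ARP, Request who-has 10.0.1.1 tell 10.0.1.2, length 28
EOF
cat >"$BAD" <<'EOF'
12:00:01.000100 IP 10.0.1.1 > 10.0.2.1: ESP(spi=0x00000201,seq=0x1), length 116
12:00:01.000200 IP 192.0.2.10.54321 > 198.51.100.20.22: Flags [S], seq 1, length 0
EOF

check_capture "$GOOD" "$CLIENT" "$SERVER" && echo "PC1 capture: anonymized path OK"
check_capture "$BAD"  "$CLIENT" "$SERVER" || echo "PC1 capture: leak detected"
rm -f "$GOOD" "$BAD"
```

In the lab you would feed it a real capture, e.g. `tcpdump -n -i eth0 > pc1.txt` on PC1 during the ssh session, then `check_capture pc1.txt <client> <server>`; an exit status of 1 means the FORWARD/NHLFE rule on PC0 or the SA between PC0 and PC1 is not doing its job.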

Adding IPsec support

To set up the ESP security associations between the nodes that use MORGAN, simply follow "The official IPsec Howto for Linux":
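As an added example (not from the MORGAN page, the project, or the Howto), here is a small POSIX shell generator for the setkey(8) script that a pcN.startup file would run on each overlay node to install the SAD and SPD entries mentioned earlier: two manually keyed ESP SAs, one per direction, and the two policies that require them. It assumes the ipsec-tools `setkey` utility; the addresses, SPIs and keys are constructed placeholders for a lab, and `gen_esp_policy` and `random_hex` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the MORGAN page or project): build the setkey -f
# script for a pair of manually keyed ESP SAs between two overlay nodes.
# Addresses, SPIs and keys below are constructed placeholders for a lab only.

# gen_esp_policy SELF PEER SPI_OUT SPI_IN ENC_OUT ENC_IN AUTH_OUT AUTH_IN
# Prints a setkey script for node SELF. Keys are hex strings without 0x:
# aes-cbc 16 bytes (32 hex digits), hmac-sha1 20 bytes (40 hex digits).
# Transport mode: the overlay nodes talk to each other directly.
gen_esp_policy() {
    self=$1; peer=$2; spi_out=$3; spi_in=$4
    enc_out=$5; enc_in=$6; auth_out=$7; auth_in=$8
    # refuse wrong-length or non-hex keys instead of letting setkey fail later
    for k in "$enc_out" "$enc_in"; do
        [ ${#k} -eq 32 ] || { echo "aes-cbc key must be 32 hex digits" >&2; return 1; }
    done
    for k in "$auth_out" "$auth_in"; do
        [ ${#k} -eq 40 ] || { echo "hmac-sha1 key must be 40 hex digits" >&2; return 1; }
    done
    for k in "$enc_out" "$enc_in" "$auth_out" "$auth_in"; do
        case $k in *[!0-9a-fA-F]*) echo "key is not hex: $k" >&2; return 1;; esac
    done
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
add $self $peer esp $spi_out -E aes-cbc 0x$enc_out -A hmac-sha1 0x$auth_out;
add $peer $self esp $spi_in -E aes-cbc 0x$enc_in -A hmac-sha1 0x$auth_in;
spdadd $self $peer any -P out ipsec esp/transport//require;
spdadd $peer $self any -P in ipsec esp/transport//require;
EOF
}

# random_hex NBYTES: fresh key material from /dev/urandom as lowercase hex
random_hex() { head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Demo for PC0 (10.0.1.1, constructed) towards PC1 (10.0.1.2, constructed).
# PC1 must install the SAME SAs, so it runs the function with SELF/PEER and the
# OUT/IN arguments swapped; the keys reach it out-of-band (e.g. both values
# pasted into pc0.startup and pc1.startup), never over the path they protect.
E_OUT=$(random_hex 16); E_IN=$(random_hex 16)
A_OUT=$(random_hex 20); A_IN=$(random_hex 20)
gen_esp_policy 10.0.1.1 10.0.1.2 0x201 0x301 "$E_OUT" "$E_IN" "$A_OUT" "$A_IN"
```

Save the output to a file and load it with `setkey -f file`; the same file with the two `spdadd` directions swapped is what the peer loads. The "add" lines are identical on both ends, so a mismatch there (typically a copy error in one key) shows up in the PC1 capture as ESP packets that the receiving node silently drops.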

Last modified on Dec 10, 2007, 3:14:38 PM