OWAMP and BWCTL: Installation and Configuration - PowerPoint PPT Presentation

1
OWAMP and BWCTL: Installation and Configuration
  • Jeff Boote (boote_at_internet2.edu)
  • Performance Workshop, Atlanta

2
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

3
Review Website
  • Most of the information from this talk is on the
    web sites
  • http://e2epi.internet2.edu/owamp/
  • http://e2epi.internet2.edu/bwctl/

4
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

5
Download
  • http://e2epi.internet2.edu/owamp/download.html
  • http://e2epi.internet2.edu/bwctl/download.html

6
Unpack/Build/Install
  • gzip -cd owamp-VERS.tar.gz | tar xf -
  • cd owamp-VERS
  • ./configure --prefix=/ami
  • --prefix is only needed if you don't like the
    default
  • (/usr/local on most systems)
  • make
  • make install
  • Does not install configuration files
  • (Same process for BWCTL - do it now)

7
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

8
General Security Considerations (review)
  • Do no harm
  • Don't want machines to be a source of denial of
    service attacks
  • On the other hand, would like them to be as
    available as possible, so as useful as possible
    for debugging
  • Avoid being an attractive nuisance
  • Again, obscurity lessens usefulness
  • But do harden machines themselves

9
OWAMP Security Considerations
  • Limit the bandwidth that can be consumed
  • Limit the memory/disk that can be consumed on the
    test host

10
BWCTL Security considerations
  • Limit the bandwidth that can be consumed
  • Including protocol type (UDP/TCP)

11
Partitioning Resources
  • Decide upon complete amount of resources it is
    acceptable for the test host to consume
  • Decide how to allocate those resources among
    users
  • How much disk space can be dedicated? Per group?
  • How much bandwidth total? Per group?
  • Keep system load in mind as well as network. The
    data accuracy will suffer if the system is too
    loaded.

12
Resources Allocated Using Hierarchical Limitclasses
  • Users are grouped into hierarchical limitclasses
  • Only one parent-less class is allowed; it defines
    the total amount of resources available
  • When limitclasses are defined, limits of the one
    and only parent are inherited
  • When consumable resources are requested, the
    limits of the limitclass and all parent
    limitclasses must be satisfied
    (memory/bandwidth/timeslots)
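
The inheritance and aggregation rule above, modeled as an added example (not part of the original slides and not the owampd/bwctld code). The `LimitClass` type, its method names and the bandwidth figures are assumptions for illustration; only the class names follow the slides.

```python
class LimitClass:
    """A limitclass with inherited limits and aggregated consumable usage."""

    def __init__(self, name, parent=None, **limits):
        self.name, self.parent = name, parent
        # Limits of the single parent are inherited, then overridden locally.
        self.limits = dict(parent.limits) if parent else {}
        self.limits.update(limits)
        self.used = {}

    def chain(self):
        """Yield this class and every ancestor up to the parent-less root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def request(self, resource, amount):
        """Reserve a consumable only if every class in the chain has room."""
        for node in self.chain():
            limit = node.limits.get(resource)
            if limit is not None and node.used.get(resource, 0) + amount > limit:
                return False
        for node in self.chain():
            node.used[resource] = node.used.get(resource, 0) + amount
        return True

    def release(self, resource, amount):
        """Return a finished test's share to this class and all ancestors."""
        for node in self.chain():
            node.used[resource] = node.used.get(resource, 0) - amount


def demo():
    # Constructed values (Mbit/s); class names follow the slides.
    root = LimitClass("root", bandwidth=900)
    noc = LimitClass("noc", parent=root)               # inherits 900
    peer = LimitClass("peer", parent=root, bandwidth=500)
    results = [
        peer.request("bandwidth", 500),   # fits peer (500) and root (900)
        peer.request("bandwidth", 1),     # peer's own limit is exhausted
        noc.request("bandwidth", 500),    # noc has room, root would reach 1000
        noc.request("bandwidth", 400),    # root reaches exactly 900
    ]
    return results, root.used["bandwidth"]
```

The third request is the case to watch when sizing classes: a class that inherits the root limit can still be refused because siblings have already consumed the shared total.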

13
Example organization of limitclasses
  • Classifications of users into limitclasses
  • Root: Complete set of resources available
  • Hostile: Used to jail hostile users
  • NOC: Super-user limits
  • NOC: Extended limits for peer tests
  • Normal: Reasonable limits for end-users
  • Open: Conservative limits for anyone

14
Example Allocation for bandwidth (BWCTL)
  • Available per limitclass
  • Root: Complete set of resources available
  • Hostile: No tests allowed
  • NOC: Inherit Root limits
  • Peer: Limit UDP to 500m
  • Could make children limitclasses for each
    individual peer if lower limits should be applied
    to some
  • Normal: UDP not needed for most end users
  • Open: No tests allowed

15
Example limitclass definition
  • # total available
  • limit root with \
  • AllowTCP=on, \
  • AllowUDP=on, \
  • bandwidth=900m
  • # Hostile
  • limit hostile with parent=root, \
  • AllowTCP=off, \
  • AllowUDP=off

16
Classifying Connections
  • IP netmask
  • The IP address of the client is matched against a
    list of IP netmask specified subnets and assigned
    to a limitclass based on the address of the
    client
  • Username and AES key
  • Client specifies a username, the server must
    already know the associated AES key
  • AES key is used as a symmetric session key
  • Client and Server use the key as a shared secret

17
IP/netmask matching rules
  • The most specific matching mask wins
  • No set bits are allowed in the address portion
    beyond the number of mask bits
  • Does not need to be a real sub-net

18
Example netmask assignment setup
  • # loopback
  • assign net ::/127 noc
  • assign net 127.0.0.1/32 noc
  • # abilene nmslan (observatory systems)
  • assign net 2001:468:0::/40 peer
  • assign net 198.32.10.0/23 peer
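
The IP/netmask matching rules applied to `assign net` lines, as an added example (not part of the original slides and not the owampd/bwctld parser). The 127.0.0.1/32 and 198.32.10.0/23 entries come from this slide; the /25 entry, the function names and the `None` result for unmatched clients are assumptions for illustration.

```python
import ipaddress

# Constructed sample in the slides' "assign net" syntax. The first two
# entries appear on the slide; the /25 entry is added to show specificity.
SAMPLE = """\
# loopback
assign net 127.0.0.1/32 noc
assign net 198.32.10.0/23 peer
assign net 198.32.10.128/25 normal
"""


def parse_assignments(text):
    """Return [(network, limitclass)], rejecting stray bits beyond the mask."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 4 or fields[:2] != ["assign", "net"]:
            raise ValueError(f"line {lineno}: expected 'assign net ADDR/BITS CLASS'")
        # strict=True raises ValueError when address bits are set past the mask.
        net = ipaddress.ip_network(fields[2], strict=True)
        rules.append((net, fields[3]))
    return rules


def classify(client, rules):
    """Return the limitclass of the most specific matching network, or None."""
    addr = ipaddress.ip_address(client)
    matches = [(net.prefixlen, cls) for net, cls in rules
               if net.version == addr.version and addr in net]
    # The longest prefix is the most specific mask, so it wins.
    return max(matches)[1] if matches else None
```

Running a limits file through a check like this before restarting the daemon catches an entry such as 198.32.11.5/23, which has address bits set beyond the 23 mask bits.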

19
Username and AES key rules
  • Usernames are limited to 16 characters
  • AES key is a 128 bit session key
  • Not encrypted in the keys file, use UNIX
    permissions to protect
  • Can use a pass phrase to generate the AES key
  • Server: use aespasswd to add pass phrase
    generated keys into the keys file
  • Client: application prompts user for pass phrase

20
Example key file
  • joe a0167ac6101b360d2f4dd164abba2337
  • bob 2dc36fc4807894cdfbe180b71d2b4a0f
  • sam 3fc763fb270ce6ba6e928bd10d4977d3

21
aespasswd
  • Similar command-line to htpasswd (apache web
    server)
  • Specify an identity to be added to a key file,
    prompted for a passphrase
  • http://e2epi.internet2.edu/owamp/aespasswd.man.html

22
Example username/key assignment setup
  • # local super users
  • assign user boote noc
  • assign user joe noc
  • # peers
  • assign user warren peer
  • assign user bob peer
  • # normal
  • assign user sam normal

23
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

24
Configure (owampd.conf)
  • http://e2epi.internet2.edu/owamp/owampd.conf.man.html
  • Example
  • owampd.conf

25
Configure (owampd.keys)
  • http://e2epi.internet2.edu/owamp/owampd.keys.man.html
  • http://e2epi.internet2.edu/owamp/aespasswd.man.html
  • Example
  • owampd.keys

26
Configure owampd.limits
  • http://e2epi.internet2.edu/owamp/owampd.limits.man.html
  • Limit parameters
  • Syntactic
  • parent
  • Canonical (inherited, but fixed)
  • allow_open_mode, delete_on_fetch
  • Consumables (inherited and aggregated)
  • bandwidth, disk
  • Example owampd.limits

27
Starting owampd
  • http://e2epi.internet2.edu/owamp/owampd.man.html
  • start in foreground during testing
  • /usr/local/bin/owampd -c /usr/local/etc -Z

28
Testing (owping)
  • http://e2epi.internet2.edu/owamp/owping.man.html
  • In another window
  • /usr/local/bin/owping localhost (no clock issues)
  • /usr/local/bin/owping nms4-atla.abilene.ucaid.edu
    (nmsx-aami?)
  • /usr/local/bin/owping (to each other)

29
Troubleshooting
  • No control connection
  • Control connection denied
  • 100% packet loss in test streams
  • Clock offset (ntpq, loss timeout)
  • Firewall

30
Overview
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting

31
Configure (bwctld.conf)
  • http://e2epi.internet2.edu/bwctl/bwctld.conf.man.html
  • Example
  • bwctld.conf

32
Configure (bwctld.keys)
  • http://e2epi.internet2.edu/bwctl/bwctld.keys.man.html
  • http://e2epi.internet2.edu/bwctl/aespasswd.man.html
  • Example
  • bwctld.keys

33
Configure bwctld.limits
  • http://e2epi.internet2.edu/bwctl/bwctld.limits.man.html
  • Limit parameters
  • Syntactic
  • parent
  • Canonical (inherited, but fixed)
  • allow_open_mode, allow_tcp, allow_udp, bandwidth,
    event_horizon, duration
  • Consumables (inherited and aggregated)
  • pending
  • Example bwctld.limits

34
Starting bwctld
  • http://e2epi.internet2.edu/bwctl/bwctld.man.html
  • start in foreground during testing
  • /usr/local/bin/bwctld -c /usr/local/etc -Z

35
Testing (bwctl)
  • http://e2epi.internet2.edu/bwctl/bwctl.man.html
  • On another host (hostB)
  • Client to server
  • bwctl hostA
  • Client to two servers
  • /usr/local/bin/bwctld -c /usr/local/etc -Z
  • bwctl hostA
  • (can run another quickly to demonstrate
    scheduling)

36
Testing (bwctl): With AESKEY authentication
  • Within a single authentication domain (same AES
    key)
  • bwctl -A AE AESKEY demo -s hostA -c hostB
  • Different authentication domains (different AES
    keys)
  • bwctl -s hostA AE AESKEY demo -c hostB AE AESKEY joe

37
Troubleshooting
  • No control connection
  • Control connection denied
  • Initial control connection works - peer
    connection fails
  • Scheduling problems
  • Iperf connections fail
  • Iperf results are bad

38
Questions?/Review?
  • Intro
  • Installation
  • Policy
  • Partitioning Resources
  • Classifying Connections
  • OWAMP configuration
  • owampd general configuration
  • owampd policy configuration
  • Testing and troubleshooting
  • BWCTL configuration
  • bwctld general configuration
  • bwctld policy configuration
  • Testing and troubleshooting