Experimenting with Gatekeeper

Michel Machado edited this page Apr 15, 2019 · 29 revisions

This page describes how to test Gatekeeper and experiment with its functionality.

Setting Up a Gatekeeper Environment

There are multiple options for setting up Gatekeeper:

Once the environment is set up, follow the instructions in the README to compile, configure, and run Gatekeeper.

Configuring Gatekeeper

For more details about how to configure Gatekeeper before it runs and at runtime, see the Configuration page.

Debugging Gatekeeper

To generate packets from an interface bound to a DPDK-compatible driver and to debug Gatekeeper, we recommend the tips on our Tips for Debugging page.

Testing Gatekeeper DoS Defense Algorithms

This section describes how to test the functional blocks that make up Gatekeeper's main denial-of-service defense capabilities: the GK (Gatekeeper), GT (Grantor), GT-GK Unit (GGU), and SOL (Solicitor) blocks. Once Gatekeeper is configured and compiled, packets can be generated with pktgen to test each functional block. Instructions on how to set up the pktgen project are available separately.

First, open two terminals. In one terminal (T1), run the following command to enter the Gatekeeper directory:

 $ cd gatekeeper

In the other terminal (T2), run the following command to enter the pktgen directory:

 $ cd pktgen-dpdk/app/x86_64-native-linuxapp-gcc/

Testing GK block

To test the GK block, one needs to specify the packets' IP destinations, which are used to look up policies in the LPM table. Note that the policies maintained by the LPM table can be dynamically configured using Lua scripts. For simplicity, we don't configure any policy here. On terminal T1, we start the Gatekeeper program with port C as the front port and port D as the back port by running:

 $ sudo ./build/gatekeeper -c 0xff -b 83:00.0 -b 83:00.1 --socket-mem 256

Since we blacklisted ports A and B, we need to modify lua/if_map.lua to remove (here, comment out) the interface mappings for ports A and B:

 return {
        ["ens2f0"] = "0000:04:00.0",
        ["ens2f1"] = "0000:04:00.1",
        ["ens2f2"] = "0000:04:00.2",
        ["ens2f3"] = "0000:04:00.3",
 --     ["enp131s0f0"] = "0000:83:00.0",
 --     ["enp131s0f1"] = "0000:83:00.1",
        ["enp133s0f1"] = "0000:85:00.1",
        ["enp133s0f0"] = "0000:85:00.0",
 }

Note that if you are using different port names on your machine (e.g., a virtual machine), you need to manually adjust the network ports (i.e., front_ports and back_ports) in lua/net.lua.

On terminal T2, we can run the pktgen program to generate test packets on port A using the following command:

 $ sudo ./pktgen -c 0xf00 --socket-mem 256 --file-prefix pg1 -b 83:00.1 -b 85:00.0 -b 85:00.1 -- -T -P -m "[9:10].0"

To generate a test packet and send it to port C (i.e., the front port), one can use the following commands:

 $ Pktgen> set 0 count 1
 $ Pktgen> set 0 src ip 10.0.0.2/24
 $ Pktgen> set 0 dst ip 10.0.0.1
 $ Pktgen> set 0 dst mac e8:ea:6a:06:21:b2
 $ Pktgen> start 0

Note that this packet will be dropped by the GK block. One can construct more complex test packets with more knowledge about the GK block; the commands are similar but use different packet parameters.

Testing GGU block

The procedure is similar to the one for testing the GK block. However, one needs to send the packets to the back port (i.e., port D), since in a deployment these packets are generated by the GT block running on a Grantor server inside the ISP. Specifically, one can use the following commands:

 $ sudo ./pktgen -c 0xf00 --socket-mem 256 --file-prefix pg1 -b 83:00.0 -b 85:00.0 -b 85:00.1 -- -T -P -m "[9:10].0"
 $ Pktgen> set 0 count 1
 $ Pktgen> set 0 proto udp
 $ Pktgen> set 0 dport 45232
 $ Pktgen> set 0 sport 41120
 $ Pktgen> set 0 src ip 66.9.149.187/32
 $ Pktgen> set 0 dst ip 10.0.1.1
 $ Pktgen> set 0 dst mac e8:ea:6a:06:21:b3
 $ Pktgen> start 0

Note that 10.0.1.1 is the configured IP address of the back port, specified in lua/net.lua. 45232 (0xB0B0) and 41120 (0xA0A0) are the destination and source ports, respectively, which are configured in lua/gt.lua. This UDP packet is just for illustration and doesn't carry any GGU policy decisions.
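Both test procedures above rely on splitting the four NICs between two DPDK processes with -b flags and keeping lua/if_map.lua in step with Gatekeeper's blacklist; a port claimed by both processes, or a blacklisted port still mapped, is the usual reason the setup fails. The following script is an added consistency check, not part of the Gatekeeper or pktgen projects; it assumes that a DPDK process probes every bound device it did not blacklist and that a PCI address without a domain means domain 0000.

```python
import re

# Constructed inputs: the command lines and the lua/if_map.lua excerpt from this page.
GK_CMD = "sudo ./build/gatekeeper -c 0xff -b 83:00.0 -b 83:00.1 --socket-mem 256"
PKTGEN_GK_TEST = ("sudo ./pktgen -c 0xf00 --socket-mem 256 --file-prefix pg1 "
                  '-b 83:00.1 -b 85:00.0 -b 85:00.1 -- -T -P -m "[9:10].0"')
PKTGEN_GGU_TEST = PKTGEN_GK_TEST.replace("-b 83:00.1", "-b 83:00.0")  # GGU test swaps A and B
IF_MAP_LUA = """return {
 --     ["enp131s0f0"] = "0000:83:00.0",
 --     ["enp131s0f1"] = "0000:83:00.1",
        ["enp133s0f1"] = "0000:85:00.1",
        ["enp133s0f0"] = "0000:85:00.0",
 }"""

PCI_RE = re.compile(r"(?:([0-9a-f]{4}):)?([0-9a-f]{2}:[0-9a-f]{2}\.[0-7])", re.I)

def norm(addr):
    """Expand a PCI address to the full domain:bus:dev.fn form used in if_map.lua (assumed domain 0000)."""
    m = PCI_RE.fullmatch(addr)
    if not m:
        raise ValueError(f"not a PCI address: {addr}")
    return f"{m.group(1) or '0000'}:{m.group(2)}".lower()

def blacklist(cmdline):
    """Devices excluded with -b in the EAL part of a DPDK command line (before '--')."""
    eal = cmdline.split(" -- ")[0]
    return {norm(a) for a in re.findall(r"(?:^|\s)-b\s+(\S+)", eal)}

def port_ownership(gk_cmd, pktgen_cmd):
    """Over the union of both blacklists return (gatekeeper ports, pktgen ports,
    ports both would probe, ports neither process uses). A non-empty shared set
    means two DPDK processes fight over one NIC; an idle set is merely unused."""
    gk_bl, pg_bl = blacklist(gk_cmd), blacklist(pktgen_cmd)
    devs = gk_bl | pg_bl
    gk, pg = devs - gk_bl, devs - pg_bl
    return gk, pg, gk & pg, gk_bl & pg_bl

def if_map_mismatches(lua, gk_cmd):
    """Interfaces still active in if_map.lua although Gatekeeper blacklists their
    device, and interfaces commented out although their device is not blacklisted."""
    bl, active, disabled = blacklist(gk_cmd), {}, {}
    for line in lua.splitlines():
        m = re.match(r'\s*(--)?\s*\["([^"]+)"\]\s*=\s*"([^"]+)"', line)
        if m:
            (disabled if m.group(1) else active)[m.group(2)] = norm(m.group(3))
    return ({n for n, p in active.items() if p in bl},
            {n for n, p in disabled.items() if p not in bl})

if __name__ == "__main__":
    for name, cmd in (("GK test", PKTGEN_GK_TEST), ("GGU test", PKTGEN_GGU_TEST)):
        gk, pg, shared, idle = port_ownership(GK_CMD, cmd)
        print(f"{name}: gatekeeper={sorted(gk)} pktgen={sorted(pg)} shared={sorted(shared)} idle={sorted(idle)}")
    print("if_map mismatches (still active, needlessly commented):", if_map_mismatches(IF_MAP_LUA, GK_CMD))
```

Run against the page's commands, the GK test leaves port B (83:00.1) idle and the GGU test leaves port A idle, with no port shared between the two processes.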

Testing Gatekeeper Configuration and Setup

This section describes how to test the functional blocks that enable Gatekeeper to be set up and function in a network. These include the CPS (Control Plane Services) and LLS (Link Layer Services) blocks.

TODO