def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") h1 = net.addDockerHost( "h1", dimage="dev_test", ip="10.0.0.1", docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e8) }, ) h2 = net.addDockerHost( "h2", dimage="dev_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e8) }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, h1, bw=10, delay="10ms") net.addLinkNamedIfce(s1, h2, bw=10, delay="10ms") info("*** Starting network\n") net.start() info("*** Create TUN interfaces in h1\n") h1.cmd("ip tuntap add mode tun tun-test") h1.cmd("ip link set tun-test up") print("* Interfaces in the main namespace of h1:") ret = h1.cmd("ip link") print(ret) info( "*** Load a XDP(eBPF) program to drop all frames sent to and from h2\n" ) fn = b.load_func("drop_all", BPF.XDP) b.attach_xdp("s1-h2", fn, 0) net.ping([h1, h2]) info("*** Remove the XDP(eBPF) program\n") b.remove_xdp("s1-h2", 0) net.ping([h1, h2]) info("*** Stopping network") net.stop()
def testTopo(): # xterms=True, spawn xterms for all nodes after net.start() net = Containernet(controller=Controller, link=TCLink, xterms=True) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") h1 = net.addDockerHost( "h1", dimage="dev_test", ip="10.0.0.1/24", docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e8), "hostname": "h1" }, ) h2 = net.addDockerHost( "h2", dimage="dev_test", ip="10.0.0.2/24", docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e8), "hostname": "h2" }, ) h3 = net.addHost("h3", ip="10.0.0.3/24") h4 = net.addHost("h4", ip="10.0.0.4/24") info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, h1, bw=10, delay="100ms") net.addLinkNamedIfce(s1, h2, bw=10, delay="100ms") net.addLinkNamedIfce(s1, h3, bw=10, delay="100ms") net.addLinkNamedIfce(s1, h4, bw=10, delay="100ms") info("*** Starting network\n") net.start() info("*** Enter CLI\n") info("Use help command to get CLI usages\n") CLI(net) info("*** Stopping network") net.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") h1 = net.addDockerHost("h1", dimage="sec_test", ip="10.0.0.1", docker_args={"cpuset_cpus": "0"}) h2 = net.addDockerHost("h2", dimage="sec_test", ip="10.0.0.2", docker_args={"cpuset_cpus": "0"}) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, h1, bw=10, delay="10ms") net.addLinkNamedIfce(s1, h2, bw=10, delay="10ms") info("*** Starting network\n") net.start() test_connection(h2) info("*** Add drop all nftables rule\n") h1.cmd("nft add table inet filter") h1.cmd( "nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }" ) h1.cmd("nft add rule inet filter input ip saddr 10.0.0.2 counter drop") test_connection(h2) print(h1.cmd("nft list table inet filter")) info("*** Stopping network") net.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(build=False, link=TCLink, xterms=False, autoSetMacs=True, autoStaticArp=True) info("*** Adding Controller\n") controller = net.addController("c0", controller=RemoteController, ip="127.0.0.1", port=6633) controller.start() info("*** Add switches\n") for i in range(4): sw = net.addSwitch("s%d" % (i + 1), dpid="%016x" % (i + 1)) sw.start([controller]) sw.cmdPrint("ovs-ofctl show s%d" % (i + 1)) sw.cmdPrint("ovs-vsctl show") info("Add hosts\n") for i in range(4): net.addDockerHost("h%d" % (i + 1), dimage="dev_test", ip="10.0.0.%d" % (i + 1)) info("*** Add links\n") http_link_config = {"bw": 1} video_link_config = {"bw": 10} net.addLinkNamedIfce("s1", "s2", **http_link_config) net.addLinkNamedIfce("s2", "s4", **http_link_config) net.addLinkNamedIfce("s1", "s3", **video_link_config) net.addLinkNamedIfce("s3", "s4", **video_link_config) net.addLinkNamedIfce("s1", "h1", bw=100, use_htb=True) net.addLinkNamedIfce("s1", "h2", bw=100, use_htb=True) net.addLinkNamedIfce("s4", "h3", bw=100, use_htb=True) net.addLinkNamedIfce("s4", "h4", bw=100, use_htb=True) net.build() info("*** Starting network\n") net.start() info("*** Enter CLI\n") info("Use help command to get CLI usages\n") CLI(net) info("*** Stopping network") net.stop()
def testTopo(): """testTopo""" net = Containernet( controller=Controller, link=TCLink, autoSetMacs=True, autoStaticArp=True, xterms=True, ) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="yolov2", ip="10.0.0.11/24", docker_args={ "cpuset_cpus": "0", "hostname": "client" }, ) vnf = net.addDockerHost( "vnf", dimage="yolov2", ip="10.0.0.12/24", docker_args={ "cpuset_cpus": "0", "hostname": "vnf" }, ) # Run server on another vCPU since it is more compute-intensive than client # and vnf. server = net.addDockerHost( "server", dimage="yolov2", ip="10.0.0.21/24", docker_args={ "cpuset_cpus": "1", "hostname": "server" }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=10, delay="150ms", use_htb=True) net.addLinkNamedIfce(s1, vnf, bw=10, delay="150ms", use_htb=True) net.addLinkNamedIfce(s1, server, bw=10, delay="150ms", use_htb=True) info("*** Starting network\n") net.start() net.pingAll() add_ovs_flows() ifces = ["s1-vnf"] disable_cksum_offload(ifces) info("*** Enter CLI\n") CLI(net) info("*** Stopping network") net.stop()
def testTopo(): # xterms=True, spawn xterms for all nodes after net.start() net = Containernet(controller=Controller, link=TCLink, xterms=True) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") compressor = net.addDockerHost( "compressor", dimage="o2sc", ip="10.0.0.1/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000, "hostname": "compressor" }, ) decompressor = net.addDockerHost( "decompressor", dimage="o2sc", ip="10.0.0.2/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000, "hostname": "decompressor", }, ) source_1 = net.addDockerHost( "source_1", dimage="o2sc", ip="10.0.0.11/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000, "hostname": "source_1" }, ) source_2 = net.addDockerHost( "source_2", dimage="o2sc", ip="10.0.0.12/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000, "hostname": "source_2" }, ) source_3 = net.addDockerHost( "source_3", dimage="o2sc", ip="10.0.0.13/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000, "hostname": "source_3" }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, compressor, bw=10, delay="100ms") net.addLinkNamedIfce(s1, decompressor, bw=10, delay="100ms") net.addLinkNamedIfce(s1, source_1, bw=10, delay="100ms") net.addLinkNamedIfce(s1, source_2, bw=10, delay="100ms") net.addLinkNamedIfce(s1, source_3, bw=10, delay="100ms") info("*** Starting network\n") net.start() net.pingAll() info("*** Enter CLI\n") info("Use help command to get CLI usages\n") CLI(net) info("*** Stopping network") net.stop()
def testTopo(): net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="sec_test", ip="10.0.0.1/24", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) server = net.addDockerHost( "server", dimage="nginx", ip="10.0.0.2/24", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=100, delay="10ms") net.addLinkNamedIfce(s1, server, bw=100, delay="10ms") info("*** Starting network\n") try: net.start() info("** client -> server\n") info("** " + str(test_connection(client, "10.0.0.2")) + "\n") info("\n") # Create whitelist info("*** Create whitelist\n") server.cmd("nft add table inet filter") server.cmd( "nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }" ) server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept") # The server can talk back to client info("** server -> client\n") info("** " + str(test_connection(server, "10.0.0.1")) + "\n") # But he cannot talk to some other server on the internet, this is a problem info("** server -> internet\n") info("** " + str(test_connection(server, "8.8.8.8")) + "\n") info("\n") info( "*** The server can only communicate with the client because of the implemented whitelist filtering.\n" ) info( "*** When the server wants to talk to the internet the internet cannot talk back because the incoming " "traffic is dropped.\n") info( "*** Use the connection tracking state to allow established connections to answer the server.\n" ) info("*** Do this without removing the whitelist.\n") while not test_connection(server, "8.8.8.8") or not test_connection( client, "10.0.0.2"): sleep(5) info("** server -> internet\n") info("** " + str(test_connection(server, "8.8.8.8")) + "\n") info( "*** Now we want to make sure that the client cannot overload the server with traffic.\n" ) info("*** Drop all traffic of the client that exceeds 10 Mbit/s.\n") # client is overdoing it a little and our server cannot handle all of its requests... server.cmd("iperf -s &") while try_to_flood_the_server(client): sleep(5) info("\n") except KeyboardInterrupt: info("** KeyboardInterrupt detected, exit the program.\n") finally: info("*** Stopping network") net.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") router = net.addDockerHost( "router", dimage="sec_test", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) internal1 = net.addDockerHost( "internal1", dimage="sec_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) internal2 = net.addDockerHost( "internal2", dimage="sec_test", ip="192.168.0.2", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) internet = net.addDockerHost( "internet", dimage="sec_test", ip="100.64.0.2", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") s2 = net.addSwitch("s2") s3 = net.addSwitch("s3") info("*** Creating links\n") net.addLinkNamedIfce(s1, router, bw=100, delay="10ms") net.addLinkNamedIfce(s2, router, bw=100, delay="10ms") net.addLinkNamedIfce(s3, router, bw=100, delay="10ms") net.addLinkNamedIfce(s1, internal1, bw=100, delay="10ms") net.addLinkNamedIfce(s2, internal2, bw=100, delay="10ms") net.addLinkNamedIfce(s3, internet, bw=100, delay="10ms") info("*** Starting network\n") net.start() # Setup the router router.cmd("ip a a 10.0.0.1/24 dev router-s1") router.cmd("ip a a 192.168.0.1/24 dev router-s2") router.cmd("ip a a 100.64.0.1/24 dev router-s3") # Configure the router as default gateway internal1.cmd("ip r c default via 10.0.0.1") internal2.cmd("ip r c default via 192.168.0.1") internet.cmd("ip r c default via 100.64.0.1") # Start some services internal2.cmd("service ssh start") internal2.cmd("nc -l -p 1337 &") router.cmd("service ssh start") check_connectivity_between_hosts(router, internal1, internal2, internet) """ info('*** Create firewall whitelist\n') router.cmd("nft add table inet filter") router.cmd("nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }") router.cmd("nft add rule inet filter forward ct state established,related ip daddr 10.0.0.0/24 accept") router.cmd("nft add rule inet filter forward ip saddr 10.0.0.0/24 accept") router.cmd("nft add rule inet filter forward ip saddr 192.168.0.0/24 accept") """ router.cmd("nft add table inet filter") router.cmd( "nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }" ) router.cmd( "nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }" ) router.cmd("nft add chain inet filter forward-s1") router.cmd("nft add chain inet filter forward-s2") router.cmd("nft add chain inet filter forward-s3") router.cmd( "nft add rule inet filter forward iif router-s1 counter jump forward-s1" ) router.cmd( "nft add rule inet filter forward iif router-s2 counter jump forward-s2" ) router.cmd( "nft add rule inet filter forward iif router-s3 counter jump forward-s3" ) router.cmd( "nft add rule inet filter forward-s1 tcp dport {ssh, 1337} drop") router.cmd( "nft add rule inet filter forward-s1 ip saddr 10.0.0.0/24 accept") router.cmd( "nft add rule inet filter forward-s2 ip saddr 192.168.0.0/24 accept") router.cmd( "nft add rule inet filter forward-s3 ct state established,related ip daddr 10.0.0.0/24 accept" ) check_connectivity_between_hosts(router, internal1, internal2, internet) info("*** Stopping network") net.stop()
def testTopo(): net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") router = net.addDockerHost( "router", dimage="sec_test", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) internal1 = net.addDockerHost( "internal1", dimage="sec_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) internal2 = net.addDockerHost( "internal2", dimage="sec_test", ip="192.168.0.2", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) internet = net.addDockerHost( "internet", dimage="sec_test", ip="100.64.0.2", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") s2 = net.addSwitch("s2") s3 = net.addSwitch("s3") info("*** Creating links\n") net.addLinkNamedIfce(s1, router, bw=100, delay="10ms") net.addLinkNamedIfce(s2, router, bw=100, delay="10ms") net.addLinkNamedIfce(s3, router, bw=100, delay="10ms") net.addLinkNamedIfce(s1, internal1, bw=100, delay="10ms") net.addLinkNamedIfce(s2, internal2, bw=100, delay="10ms") net.addLinkNamedIfce(s3, internet, bw=100, delay="10ms") try: info("*** Starting network\n") net.start() # Setup the router router.cmd("ip a a 10.0.0.1/24 dev router-s1") router.cmd("ip a a 192.168.0.1/24 dev router-s2") router.cmd("ip a a 100.64.0.1/24 dev router-s3") # Configure the router as default gateway internal1.cmd("ip r c default via 10.0.0.1") internal2.cmd("ip r c default via 192.168.0.1") internet.cmd("ip r c default via 100.64.0.1") # Start some services internal2.cmd("service ssh start") internal2.cmd("nc -l -p 1337 &") router.cmd("service ssh start") # Create whitelist info("*** Create firewall whitelist\n") router.cmd("nft add table inet filter") router.cmd( "nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }" ) router.cmd( "nft add rule inet filter forward ct state established,related ip daddr 192.168.0.0/24 accept" ) router.cmd( "nft add rule inet filter forward ip saddr 10.0.0.0/24 accept") router.cmd( "nft add rule inet filter forward ip saddr 192.168.0.0/24 accept") info( "*** Rewrite the present filter ruleset and create one chain for each of the 3 networks.\n" ) info( "*** You can use the network interfaces to distinguish the traffic from the networks.\n" ) info( "*** Additionally filter traffic to the ports 22 and 1337 on the router and the internal networks.\n" ) while not check_connectivity_between_hosts(router, internal1, internal2, internet): sleep(5) except KeyboardInterrupt: info("** KeyboardInterrupt detected, exit the program.\n") finally: info("*** Stopping network") net.stop()
def create_dumbbell(): """Create a single dumbbell topology with the given number of hosts on one side""" num_hosts = 2 net = Containernet( controller=Controller, link=TCLink, xterms=False, ) topo_params = { "sfc_port": SFC_PORT, "no_sfc_port": NO_SFC_PORT, "control_port": CONTROL_PORT, } nodes = {} info("*** Adding controller, listening on port 6653, use OpenFlow 1.3\n") c1 = net.addController( "c1", controller=RemoteController, port=6653, protocols="OpenFlow13" ) topo_params.update({"controllers": [{"name": "c1", "port": 6653}]}) info(f"*** Adding {num_hosts} clients and {num_hosts} servers\n") # Boilerplate code... clients = [] servers = [] topo_params["clients"] = {} topo_params["servers"] = {} # TODO: Play with cpuset_cpus if measurement results are not good enough for i in range(1, num_hosts + 1): client_ip = f"10.0.1.{10+i}/16" server_ip = f"10.0.2.{10+i}/16" client = net.addDockerHost( f"client{i}", dimage=f"{DIMAGE}", ip=client_ip, docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e9), "hostname": f"client{i}", "working_dir": "/coin_dl", "volumes": { CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"}, }, }, ) server = net.addDockerHost( f"server{i}", dimage=f"{DIMAGE}", ip=server_ip, docker_args={ "cpuset_cpus": "1", "nano_cpus": int(1e9), "hostname": f"server{i}", "working_dir": "/coin_dl", "volumes": { CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"}, }, }, ) clients.append(client) topo_params["clients"][client.name] = { "ip": client_ip, } servers.append(server) topo_params["servers"][server.name] = { "ip": server_ip, } info("*** Adding two switches and two VNF nodes\n") s1 = net.addSwitch("s1", protocols="OpenFlow13") s2 = net.addSwitch("s2", protocols="OpenFlow13") switches = [s1, s2] DPDK_VOLUME = { "/sys/kernel/mm/hugepages": { "bind": "/sys/kernel/mm/hugepages", "mode": "rw", }, "/dev": {"bind": "/dev", "mode": "rw"}, CURRENT_DIR: {"bind": "/coin_dl/share", "mode": "rw"}, } vnfs = [] for i in range(1, len(switches) + 1): vnf = net.addDockerHost( f"vnf{i}", dimage=f"{DIMAGE}", ip=f"10.0.3.{10+i}/16", docker_args={ "cpuset_cpus": "3", "nano_cpus": int(9e8 / 2), "hostname": f"vnf{i}", "volumes": DPDK_VOLUME, "working_dir": "/coin_dl", }, ) vnfs.append(vnf) # TODO: Pick up the suitable parameters here. # TODO: Use better DS and names for parameters here. BW_MAX_NODE = 1000 # 1Gb/sec DELAY_MIN_NODE_MS = 1 DELAY_MIN_NODE_MS_STR = f"{DELAY_MIN_NODE_MS}ms" BW_MIN_NODE = 100 DELAY_MAX_NODE_MS = 10 DELAY_MAX_NODE_MS_STR = f"{DELAY_MAX_NODE_MS}ms" BW_BOTTLENECK = 100 # Mbits/s DELAY_BOTTLENECK_MS = 100 DELAY_BOTTLENECK_MS_STR = str(DELAY_BOTTLENECK_MS) + "ms" BDP = ((BW_BOTTLENECK * 10 ** 6) * (DELAY_BOTTLENECK_MS * 10 ** -3)) / 8.0 info(f"\n*** The BDP of the bottleneck link is {BDP:.2f} B\n") topo_params.update( { "bottleneck": { "bandwidth_mbps": BW_BOTTLENECK, "delay_ms": DELAY_BOTTLENECK_MS, "BDP_B": BDP, } } ) info("*** Creating links\n") for client, server in zip(clients, servers): # TODO (Zuo): Check if max_queue_size need to be added here net.addLinkNamedIfce(client, s1, bw=BW_MAX_NODE, delay=DELAY_MIN_NODE_MS_STR) # Here... the server should also be a "bottleneck" net.addLinkNamedIfce(s2, server, bw=BW_MIN_NODE, delay=DELAY_MAX_NODE_MS_STR) # Add bottleneck link net.addLinkNamedIfce(s1, s2, bw=BW_BOTTLENECK, delay=DELAY_BOTTLENECK_MS_STR) for switch, vnf in zip(switches, vnfs): # TODO (Zuo): Check if max_queue_size need to be added here, to remove additional queuing latency of VNF data interfaces net.addLinkNamedIfce(switch, vnf, bw=BW_MAX_NODE, delay="0ms") with open("./dumbbell.json", "w+", encoding="ascii") as f: json.dump(topo_params, f, sort_keys=True, indent=2) nodes["clients"] = clients nodes["servers"] = servers nodes["switches"] = switches nodes["vnfs"] = vnfs nodes["controllers"] = [c1] return (net, nodes, topo_params)
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="sec_test", ip="10.0.0.1", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) server = net.addDockerHost( "server", dimage="sec_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) attacker = net.addDockerHost( "attacker", dimage="sec_test", ip="10.0.0.3", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=10, delay="10ms") net.addLinkNamedIfce(s1, server, bw=10, delay="10ms") net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms") info("*** Starting network\n") net.start() info("*** Attacker, Client and Server setup\n") client.cmd("ping -c 10 10.0.0.2") attacker.cmd( "printf -- '#!/bin/bash\narpspoof -i attacker-s1 -t 10.0.0.1 10.0.0.2 >> /dev/null &\narpspoof -i attacker-s1 -t 10.0.0.2 10.0.0.1 >> /dev/null &' > spoof.sh; chmod +x spoof.sh; ./spoof.sh" ) sleep(10) attacker.cmd("tcpdump -vvv -i attacker-s1 -B 100000 ip >> messages.log &") sleep(10) server.cmd("mkdir -p /var/run/vsftpd/empty") server.cmd("vsftpd &") info("*** Create wg key pairs\n") client.cmd("umask 077; wg genkey > privatekey") client.cmd("wg pubkey < privatekey > publickey") client_pubkey = client.cmd("cat ./publickey").replace("\n", " ").replace( "\r", "") server.cmd("umask 077; wg genkey > privatekey") server.cmd("wg pubkey < privatekey > publickey") server_pubkey = server.cmd("cat ./publickey").replace("\n", " ").replace( "\r", "") info("*** Create wg interfaces\n") client.cmd("ip link add dev wg0 type wireguard") client.cmd("ip address add dev wg0 192.168.0.1/24") server.cmd("ip link add dev wg0 type wireguard") server.cmd("ip address add dev wg0 192.168.0.2/24") info("*** Setup peer configuration\n") client.cmd( "wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.2:1337" .format(server_pubkey)) client.cmd("ip link set up dev wg0") server.cmd( "wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.1:1337" .format(client_pubkey)) server.cmd("ip link set up dev wg0") test_connection(client, "192.168.0.2") login_at_ftp_server(client, "192.168.0.2") info("*** Extract Passwords\n") sleep(20) output = attacker.cmd("cat messages.log") password_found = False for line in output.split("\n"): if "PASS" in line: password_found = True info("*** Found password: "******"\n") if not password_found: info("*** No password found!\n") info("*** Stopping network\n") net.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") center = net.addDockerHost( "center", dimage="sec_test", ip="10.0.0.1", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) client1 = net.addDockerHost( "h2", dimage="sec_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) client2 = net.addDockerHost( "h3", dimage="sec_test", ip="10.0.0.3", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) client3 = net.addDockerHost( "h4", dimage="sec_test", ip="10.0.0.4", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, center, bw=10, delay="10ms") net.addLinkNamedIfce(s1, client1, bw=10, delay="10ms") net.addLinkNamedIfce(s1, client2, bw=10, delay="10ms") net.addLinkNamedIfce(s1, client3, bw=10, delay="10ms") try: info("*** Starting network\n") net.start() info("*** Create wg key pairs\n") center_private_key, center_public_key = generate_key_pair_for_host( center) h2_private_key, h2_public_key = generate_key_pair_for_host(client1) h3_private_key, h3_public_key = generate_key_pair_for_host(client2) h4_private_key, h4_public_key = generate_key_pair_for_host(client3) info("*** Create wg interfaces\n") info( "*** Create a star topology with center as the center. Instead of using wg tool write a configuration for the\n" ) info( "*** interface and place it in /etc/wireguard/wg0.conf, then use the wg-quick command to setup the interface.\n" ) info( "*** The wg and wg-quick manpages contain a reference for the syntax of the configuration file.\n" ) info( "*** Use the network 192.168.0.0/24 for the inner tunnel and asign 192.168.0.1 to the center.\n" ) while (not test_connection(client1, "192.168.0.1") or not test_connection(client2, "192.168.0.1") or not test_connection(client3, "192.168.0.1")): sleep(10) except KeyboardInterrupt: info("** KeyboardInterrupt detected, exit the program.\n") finally: info("*** Stopping network") net.stop()
def run_benchmark(proto): net = Containernet(controller=Controller, link=TCLink, switch=OVSSwitch, autoStaticArp=False) info("*** Adding controller\n") net.addController("c0") info("*** Adding switch\n") s1 = net.addSwitch("s1") # MARK: The relay should run on a different CPU core as the client and # server. To avoid cache misses of the VNF running on the relay. info("*** Adding client and server.\n") client = net.addDockerHost( "client", dimage="lat_bm:latest", ip="10.0.0.100/24", docker_args={ "cpuset_cpus": "0", "volumes": { "%s" % FFPP_DIR: { "bind": "/ffpp", "mode": "ro" } }, }, ) net.addLinkNamedIfce(s1, client, delay="100ms") server = net.addDockerHost( "server", dimage="lat_bm:latest", ip="10.0.0.200/24", docker_args={"cpuset_cpus": "0"}, ) net.addLinkNamedIfce(s1, server, delay="100ms") if ADD_RELAY: cpus_relay = "1" if TEST_NF == "l2fwd-power": print( "*** [INFO] l2fwd-power application require at least one master and one slave core.\n" "The master handles timers and slave core handles forwarding task." ) cpus_relay = "0,1" info("*** Adding relay.\n") # Need additional mounts to run DPDK application # MARK: Just used for development, never use this in production container # setup. relay = net.addDockerHost( "relay", dimage="ffpp:latest", ip="10.0.0.101/24", docker_args={ "cpuset_cpus": cpus_relay, "nano_cpus": int(1.0 * 1e9), "volumes": { "/sys/bus/pci/drivers": { "bind": "/sys/bus/pci/drivers", "mode": "rw", }, "/sys/kernel/mm/hugepages": { "bind": "/sys/kernel/mm/hugepages", "mode": "rw", }, "/sys/devices/system/node": { "bind": "/sys/devices/system/node", "mode": "rw", }, "/dev": { "bind": "/dev", "mode": "rw" }, "%s" % FFPP_DIR: { "bind": "/ffpp", "mode": "rw" }, }, }, ) net.addLinkNamedIfce(s1, relay, delay="100ms") info("*** Starting network\n") net.start() net.pingAll() nodes = [n.name for n in net.hosts] sw_ifaces = [f"s1-{n}" for n in nodes] info("*** Disable kernel IP checksum offloading.\n") for iface in sw_ifaces: check_output(split(f"ethtool --offload {iface} rx off tx off")) node_portnum_map = {n: getOFPort(s1, f"s1-{n}") for n in nodes} if ADD_RELAY: info("*** Add OpenFlow rules for traffic redirection.\n") peer_map = {"client": "relay", "relay": "server", "server": "client"} for p in ["udp", "tcp"]: for peer in peer_map.keys(): check_output( split( 'ovs-ofctl add-flow s1 "{},in_port={},actions=output={}"' .format(p, node_portnum_map[peer], node_portnum_map[peer_map[peer]]))) if DEBUG: flow_table = s1.dpctl("dump-flows") print(f"*** Current flow table of s1: \n {flow_table}") info("*** Run DPDK helloworld\n") relay.cmd("cd $RTE_SDK/examples/helloworld && make") ret = relay.cmd( "cd $RTE_SDK/examples/helloworld/build && ./helloworld") print(f"Output of helloworld app:\n{ret}") DISPATCHER[TEST_NF](relay) server.cmd("pkill sockperf") setup_server(server, proto) for mps in LAT_TEST_PARAS["client_mps_list"]: run_latency_test(server, client, proto, mps) time.sleep(3) if ENTER_CLI: info("*** Enter CLI\n") info("Use help command to get CLI usages\n") CLI(net) info("*** Stopping network") net.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="sec_test", ip="10.0.0.1/24", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) server = net.addDockerHost( "server", dimage="nginx", ip="10.0.0.2/24", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=100, delay="10ms") net.addLinkNamedIfce(s1, server, bw=100, delay="10ms") info("*** Starting network\n") net.start() info("** client -> server\n") test_connection(client, "10.0.0.2") info("\n") # Create whitelist info("*** Create whitelist\n") server.cmd("nft add table inet filter") server.cmd( "nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }" ) server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept") # The server can talk back to client info("** server -> client\n") test_connection(server, "10.0.0.2") # But he cannot talk to some other server on the internet, this is a problem info("** server -> internet\n") test_connection(server, "8.8.8.8") info("\n") info("*** Enable connection tracking\n") server.cmd( "nft add rule inet filter input ct state established,related accept") info("** server -> internet\n") test_connection(server, "8.8.8.8") # client is overdoing it a little and our server cannot handle all of its requests... info("*** client is flodding server with too many requests!\n") server.cmd("iperf -s &") print(client.cmd("iperf -c 10.0.0.2")) server.cmd( "nft insert rule inet filter input position 2 limit rate over 1 mbytes/second drop" ) print(client.cmd("iperf -c 10.0.0.2")) info("\n") info("*** Stopping network") net.stop()
def testTopo(): net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="sec_test", ip="10.0.0.1", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) server = net.addDockerHost( "server", dimage="sec_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) attacker = net.addDockerHost( "attacker", dimage="sec_test", ip="10.0.0.3", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=10, delay="10ms") net.addLinkNamedIfce(s1, server, bw=10, delay="10ms") net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms") try: info("*** Starting network\n") net.start() info("*** Attacker, Client and Server setup\n") client.cmd("ping -c 10 10.0.0.2") attacker.cmd( "printf -- '#!/bin/bash\narpspoof -i attacker-s1 -t 10.0.0.1 10.0.0.2 >> /dev/null &\narpspoof -i attacker-s1 -t 10.0.0.2 10.0.0.1 >> /dev/null &' > spoof.sh; chmod +x spoof.sh; ./spoof.sh" ) sleep(10) attacker.cmd( "tcpdump -vvv -i attacker-s1 -B 100000 ip >> messages.log &") sleep(10) server.cmd("mkdir -p /var/run/vsftpd/empty") server.cmd("vsftpd &") info( "*** Setup a tunnel to protect the ftp request from the MitM attacker!\n" ) info( "*** First create key pairs for the client and server and then establish a WireGuard tunnel between them\n" ) info("*** Use the inner tunnel ip 192.168.0.2 for the server!\n") x = 0 while not check_secure_network_tunnel(attacker, client, x): sleep(10) x = x + 1 except KeyboardInterrupt: info("** KeyboardInterrupt detected, exit the program.\n") finally: info("*** Stopping network") net.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="sec_test", ip="10.0.0.1/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) server = net.addDockerHost( "server", dimage="nginx", ip="10.0.0.2/24", docker_args={ "cpuset_cpus": "1", "cpu_quota": 25000 }, ) attacker = net.addDockerHost( "attacker", dimage="sec_test", ip="10.0.0.3/24", docker_args={ "cpuset_cpus": "0", "cpu_quota": 25000 }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=10, delay="10ms") net.addLinkNamedIfce(s1, server, bw=10, delay="10ms") net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms") info("*** Starting network\n") net.start() info("** client -> server\n") test_connection(client, "10.0.0.2") info("** attacker -> server\n") test_connection(attacker, "10.0.0.2") info("\n") # Create blacklist info("*** Create blacklist\n") server.cmd("nft add table inet filter") server.cmd( "nft add chain inet filter input { type filter hook input priority 0 \; policy accept \; }" ) server.cmd("nft add rule inet filter input ip saddr 10.0.0.3 drop") # Check if client can connect and attacker can not. info("** client -> server\n") test_connection(client, "10.0.0.2") info("** attacker -> server\n") test_connection(attacker, "10.0.0.2") # attacker changes her ip address info("*** attacker changes ip address to a different one!\n") attacker.cmd("ip a f dev attacker-s1") attacker.cmd("ip a a 10.0.0." + str(random.randint(3, 250)) + "/24 dev attacker-s1") # attacker can connect again info("** attacker -> server\n") test_connection(attacker, "10.0.0.2") info("\n") # Change to whitelist info("*** Create whitelist\n") server.cmd("nft flush rule inet filter input") server.cmd( "nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }" ) server.cmd("nft add rule inet filter input ip saddr 10.0.0.1 accept") # The server can talk back to server info("** client -> server\n") test_connection(client, "10.0.0.2") info("** attacker -> server\n") test_connection(attacker, "10.0.0.2") info("*** Stopping network") net.stop()
"pid_mode": "host" }, ) h3 = net.addDockerHost( "h3", dimage="dev_test", ip="10.0.0.12/24", docker_args={ "hostname": "h3", "pid_mode": "host" }, ) info("*** Adding switch and links\n") s1 = net.addSwitch("s1") net.addLinkNamedIfce(s1, h1, bw=1000, delay="5ms") # Add the interfaces for service traffic. net.addLinkNamedIfce(s1, h2, bw=1000, delay="5ms") net.addLinkNamedIfce(s1, h3, bw=1000, delay="5ms") # Add the interface for host internal traffic. net.addLink(s1, h2, bw=1000, delay="1ms", intfName1="s1-h2-int", intfName2="h2-s1-int") net.addLink(s1, h3, bw=1000, delay="1ms", intfName1="s1-h3-int",
def testMuNF(nano_cpus): net = Containernet(controller=Controller, link=TCLink) mgr = VNFManager(net) start_ts = time.time() info("*** Adding controller\n") net.addController("c0") info("*** Adding Docker hosts\n") pktgen = net.addDockerHost( "pktgen", dimage=f"trex:{TREX_VER}", ip="10.0.0.1/24", docker_args={ "cpuset_cpus": "0", "hostname": "pktgen", "volumes": { os.path.join(TREX_CONF_DIR, "trex_cfg.yaml"): { "bind": "/etc/trex_cfg.yaml", "mode": "rw", }, TREX_CONF_DIR: {"bind": f"/trex/{TREX_VER}/local", "mode": "rw"}, }, }, ) dut = net.addDockerHost( "dut", dimage=f"ffpp:{FFPP_VER}", ip="10.0.0.2/24", docker_args={ "cpuset_cpus": "1,2", "nano_cpus": int(nano_cpus), "hostname": "dut", "volumes": { "/sys/bus/pci/drivers": {"bind": "/sys/bus/pci/drivers", "mode": "rw"}, "/sys/kernel/mm/hugepages": { "bind": "/sys/kernel/mm/hugepages", "mode": "rw", }, "/sys/devices/system/node": { "bind": "/sys/devices/system/node", "mode": "rw", }, "/dev": {"bind": "/dev", "mode": "rw"}, FFPP_DIR: {"bind": "/ffpp", "mode": "rw"}, }, }, ) s1 = net.addSwitch("s1") # Control plane links. net.addLinkNamedIfce(s1, pktgen) net.addLinkNamedIfce(s1, dut) # Data plane links. net.addLink( dut, pktgen, bw=1000, delay="1ms", intfName1="vnf-in", intfName2="pktgen-out" ) net.addLink( dut, pktgen, bw=1000, delay="1ms", intfName1="vnf-out", intfName2="pktgen-in" ) pktgen.cmd("ip addr add 192.168.17.1/24 dev pktgen-out") pktgen.cmd("ip addr add 192.168.18.1/24 dev pktgen-in") dut.cmd("ip addr add 192.168.17.2/24 dev vnf-in") dut.cmd("ip addr add 192.168.18.2/24 dev vnf-out") # TODO: Deploy a chain of CNFs. cnfs = list() for n in range(1): cnf = mgr.addContainer( f"cnf{n}", "dut", f"ffpp:{FFPP_VER}", "/bin/bash", docker_args={ "volumes": { "/sys/bus/pci/drivers": { "bind": "/sys/bus/pci/drivers", "mode": "rw", }, "/sys/kernel/mm/hugepages": { "bind": "/sys/kernel/mm/hugepages", "mode": "rw", }, "/sys/devices/system/node": { "bind": "/sys/devices/system/node", "mode": "rw", }, "/dev": {"bind": "/dev", "mode": "rw"}, FFPP_DIR: {"bind": "/ffpp", "mode": "rw"}, } }, ) cnfs.append(cnf) net.start() # Avoid looping pktgen.cmd("ip addr flush dev pktgen-s1") pktgen.cmd("ip link set pktgen-s1 down") dut.cmd("ip addr flush dev dut-s1") dut.cmd("ip link set dut-s1 down") pktgen.cmd("ping -c 5 192.168.17.2") pktgen.cmd("ping -c 5 192.168.18.2") duration = time.time() - start_ts print(f"Setup duration: {duration:.2f} seconds.") CLI(net) info("*** Stopping network\n") net.stop() mgr.stop()
def testTopo(): "Create an empty network and add nodes to it." net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") h1 = net.addDockerHost( "h1", dimage="sec_test", ip="10.0.0.1", docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e8) }, ) h2 = net.addDockerHost( "h2", dimage="sec_test", ip="10.0.0.2", docker_args={ "cpuset_cpus": "0", "nano_cpus": int(1e8) }, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, h1, bw=10, delay="1ms", use_htb=True) net.addLinkNamedIfce(s1, h2, bw=10, delay="1ms", use_htb=True) info("*** Starting network\n") net.start() info("*** Create wg key pairs\n") h1.cmd("umask 077; wg genkey > privatekey") h1.cmd("wg pubkey < privatekey > publickey") h1_pubkey = h1.cmd("cat ./publickey").replace("\n", " ").replace("\r", "") h2.cmd("umask 077; wg genkey > privatekey") h2.cmd("wg pubkey < privatekey > publickey") h2_pubkey = h2.cmd("cat ./publickey").replace("\n", " ").replace("\r", "") info("*** Create wg interfaces\n") h1.cmd("ip link add dev wg0 type wireguard") h1.cmd("ip address add dev wg0 192.168.0.1/24") h2.cmd("ip link add dev wg0 type wireguard") h2.cmd("ip address add dev wg0 192.168.0.2/24") info("*** Setup peer configuration\n") h1.cmd( "wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.2:1337" .format(h2_pubkey)) h1.cmd("ip link set up dev wg0") h2.cmd( "wg set wg0 listen-port 1337 private-key ./privatekey peer {} allowed-ips 192.168.0.0/24 endpoint 10.0.0.1:1337" .format(h1_pubkey)) h2.cmd("ip link set up dev wg0") info("*** Test the connection\n") print("* Ping test count: %d" % PING_COUNT) ret = h1.cmd("ping -c %d 192.168.0.2" % PING_COUNT) sent, received = tool.parsePing(ret) measured = ((sent - received) / float(sent)) * 100.0 print("* Measured loss rate: {:.2f}%".format(measured)) info("*** Stopping network") net.stop()
def testTopo(): net = Containernet(controller=Controller, link=TCLink) info("*** Adding controller\n") net.addController("c0") info("*** Adding hosts\n") client = net.addDockerHost( "client", dimage="sec_test", ip="10.0.0.1/24", docker_args={"cpuset_cpus": "1", "cpu_quota": 25000}, ) server = net.addDockerHost( "server", dimage="nginx", ip="10.0.0.2/24", docker_args={"cpuset_cpus": "1", "cpu_quota": 25000}, ) attacker = net.addDockerHost( "attacker", dimage="sec_test", ip="10.0.0.3/24", docker_args={"cpuset_cpus": "0", "cpu_quota": 25000}, ) info("*** Adding switch\n") s1 = net.addSwitch("s1") info("*** Creating links\n") net.addLinkNamedIfce(s1, client, bw=10, delay="10ms") net.addLinkNamedIfce(s1, server, bw=10, delay="10ms") net.addLinkNamedIfce(s1, attacker, bw=10, delay="10ms") try: info("*** Starting network\n") net.start() info("** client -> server\n") info("** " + str(test_connection(client, "10.0.0.2")) + "\n") info("** attacker -> server\n") info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n") info( "*** The client and the attacker can both communicate with the server \n\n" ) # Create blacklist info( "*** Create a blacklist that stops the attacker from accessing the server.\n" ) info( "*** First create a nftables table for IPv4 and IPv6 and then add a base chain connected to the input hook.\n" ) info( "*** Finally add a rule to the base chain that drops packets coming from the attacker (10.0.0.3).\n" ) info("*** When the attacker is blocked the exercise continues.\n") # Check if client can connect and attacker can not. while not test_connection(client, "10.0.0.2") or test_connection( attacker, "10.0.0.2" ): sleep(5) info("** client -> server\n") info("** " + str(test_connection(client, "10.0.0.2")) + "\n") test_connection(client, "10.0.0.2") info("** attacker -> server\n") info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n") info("\n") info( "*** The attacker is blocked and the client can still access the server.\n" ) info("*** The attacker changed her IP address to a different one!\n") info( "*** Implement a whitelist that only allows the client to connect to the server.\n" ) attacker_ip = "10.0.0." + str(random.randint(3, 250)) attacker.cmd("ip a f dev attacker-s1") attacker.cmd("ip a a " + attacker_ip + "/24 dev attacker-s1") info("** attacker -> server\n") info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n") # Check if client can connect and attacker can not. while not test_connection(client, "10.0.0.2") or test_connection( attacker, "10.0.0.2" ): sleep(5) info("\n") # The server can talk back to server info("** client -> server\n") info("** " + str(test_connection(client, "10.0.0.2")) + "\n") test_connection(client, "10.0.0.2") info("** attacker -> server\n") info("** " + str(test_connection(attacker, "10.0.0.2")) + "\n") except KeyboardInterrupt: info("** KeyboardInterrupt detected, exit the program.\n") finally: info("*** Stopping network") net.stop()