Configuring a GATE Customer

In this user guide, we will configure a customer on an Anapaya GATE appliance. The guide is split into two sections: In the first section we update the configuration of the GATE appliance itself. In the second section we update the configuration of the customer EDGE appliance such that the services it exposes are accessible through the GATE.

Gathering Information

Before starting the configuration, both parties need to communicate and agree on the following parameters:

GATE Operator

  • The ISD-AS number of the SCION AS where the GATE appliance is running.

GATE Customer

  • The ISD-AS number of the SCION AS where the EDGE appliance is running.

  • The IP prefix which should be reachable by the residential customers of the GATE operator. This must be a prefix of public IP addresses that are not currently routed on the Internet.

  • The LAN gateway that acts as the next-hop for the EDGE appliance, if the EDGE is not connected through BGP to the customer’s LAN.

Both parties

  • Specific requirements for path selection policies.

Example Information

In this user guide, we will be using the following information for our example configurations.

GATE Operator

  • ISD-AS Number: 1-ff00:0:1

GATE Customer

  • ISD-AS Number: 1-ff00:0:1234

  • IP Prefix: 198.51.100.0/28

  • LAN Gateway: 198.51.100.1

Both parties

There are no specific path selection requirements. Therefore, we will configure the default path filters and traffic matchers in the scion_tunneling section.

Default Path Filters and Traffic Matchers

"scion_tunneling": {
  "path_filters": [
    {
      "acl": ["+"],
      "name": "default"
    }
  ],
  "traffic_matchers": [
    {
      "condition": "BOOL=true",
      "name": "default"
    }
  ]
},

Configuring the GATE

In this section we assume the GATE appliance has been set up using the guide in Deployment Example and is already operational.

Remotes Configuration

On the GATE appliance, we need to add the customer ISD-AS number to the list of scion_tunneling/remotes.

Tunneling Remotes

"remotes": [
  {
    "isd_as": "1-ff00:0:1234"
  }
],

Domain Configuration

On the GATE appliance, we need to add a domain configuration to the scion_tunneling/domains list. As part of this configuration we have defined the following parameters:

  • name is an identifier for the domain, here we use gate-customer-3,

  • local_isd_ases is the ISD-AS number of the GATE operator, in this case 1-ff00:0:1,

  • remote_isd_ases contains an ISD-AS filter that matches the ISD-AS number (1-ff00:0:1234) of the GATE customer,

  • prefixes/announce_filter contains a wildcard filter, so that all IP prefixes announced by the BGP router of the GATE operator are re-announced via the SCION Gateway Routing Protocol (SGRP) to the EDGE of the GATE customer,

  • prefixes/accept_filter contains a filter that accepts the IP prefixes defined by the GATE customer (198.51.100.0/28),

  • traffic_policies contains custom routing policies. In this guide, we reference the default path filters and traffic matchers as defined in Example Information.

Refer to Domain Configuration for more details on domain configuration.

BGP Configuration

The GATE operator also needs to ensure that the IP prefix 198.51.100.0/28 is accepted via the BGP session between the ISP’s BGP network and the GATEs.

Configuring the EDGE Appliance

The process to configure the EDGE appliance is very similar to the configuration of the GATE appliance. We assume the EDGE appliance has been set up according to one of the examples in Deployment Examples.

Remotes Configuration

On the EDGE appliance, we need to add the GATE operator ISD-AS number to the list of scion_tunneling/remotes.

Tunneling Remotes

"remotes": [
  {
    "isd_as": "1-ff00:0:1"
  }
],

Domain Configuration

On the EDGE appliance, we need to add a domain configuration to the scion_tunneling/domains list. As part of this configuration we have defined the following parameters:

  • name is an identifier for the domain, here we use gate-services,

  • default is set to true, see Default Domain for details,

  • local_isd_ases is the ISD-AS number of the GATE customer, in this case 1-ff00:0:1234,

  • remote_isd_ases contains an ISD-AS filter that matches the ISD-AS number (1-ff00:0:1) of the GATE operator,

  • prefixes/announce_filter contains a filter that accepts the IP prefixes defined by the GATE customer (198.51.100.0/28),

  • traffic_policies contains custom routing policies. In this guide, we reference the default path filters and traffic matchers as defined in Example Information.

Refer to Domain Configuration for more details on domain configuration.

Note

If the Anapaya EDGE appliance has a BGP session to the LAN, the IP prefix 198.51.100.0/28 should be announced via BGP; the EDGE then automatically re-announces it as long as it matches the prefixes/announce_filter.

When the Anapaya EDGE is connected to the LAN using static routing, the IP prefix 198.51.100.0/28 needs to be configured in the scion_tunneling/static_announcements section. Please refer to Static Announcements for more details.

Domain Configuration

"static_announcements": [
  {
    "prefixes": ["198.51.100.0/28"],
    "sequence_id": 0,
    "next_hop_tracking": {
      "target": "198.51.100.1"
    }
  }
],
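Before applying the changes, both parties can cross-check their configuration against the agreed parameters. The following is an added example, not Anapaya code: the sample configs are constructed from the fragments shown in this guide, the function names are hypothetical, and the rule that static announcements must stay inside the agreed prefix is an assumption of this check.

```python
import ipaddress
import re

# ISD-AS syntax: decimal ISD, then a decimal (BGP-style) AS number or three
# colon-separated 16-bit hex groups, as in 1-ff00:0:1234.
ISD_AS_RE = re.compile(r"^\d{1,5}-(\d{1,10}|[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{1,4}){2})$")

# Agreed parameters from "Example Information".
AGREED = {"operator": "1-ff00:0:1", "customer": "1-ff00:0:1234",
          "prefix": "198.51.100.0/28", "lan_gateway": "198.51.100.1"}

# Constructed sample configs, assembled from the fragments shown in this guide.
GATE = {"scion_tunneling": {"remotes": [{"isd_as": "1-ff00:0:1234"}]}}
EDGE = {"scion_tunneling": {
    "remotes": [{"isd_as": "1-ff00:0:1"}],
    "static_announcements": [{
        "prefixes": ["198.51.100.0/28"], "sequence_id": 0,
        "next_hop_tracking": {"target": "198.51.100.1"}}]}}


def remotes(config):
    """ISD-AS numbers listed under scion_tunneling/remotes."""
    return {r["isd_as"] for r in config["scion_tunneling"].get("remotes", [])}


def check_configs(gate, edge, agreed):
    """Return mismatches between the two configs and the agreed parameters."""
    problems = [f"malformed ISD-AS {agreed[k]}" for k in ("operator", "customer")
                if not ISD_AS_RE.match(agreed[k])]
    if agreed["customer"] not in remotes(gate):
        problems.append("GATE remotes lack the customer ISD-AS")
    if agreed["operator"] not in remotes(edge):
        problems.append("EDGE remotes lack the operator ISD-AS")
    allowed = ipaddress.ip_network(agreed["prefix"])
    for ann in edge["scion_tunneling"].get("static_announcements", []):
        for p in ann["prefixes"]:
            net = ipaddress.ip_network(p)
            # Assumption: announcements must stay inside the agreed prefix.
            if net.version != allowed.version or not net.subnet_of(allowed):
                problems.append(f"announcement {p} is outside {allowed}")
        target = ann.get("next_hop_tracking", {}).get("target")
        if target != agreed["lan_gateway"]:
            problems.append(f"next-hop target {target} is not the LAN gateway")
    return problems
```

An empty list from `check_configs(GATE, EDGE, AGREED)` means both sides match the agreed parameters; an EDGE that uses BGP instead of static routing simply has no static_announcements entries to check.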

Note

In cases where the Anapaya EDGE is run alongside an Internet gateway, there needs to be a mechanism to determine if the return traffic should use a path going through the Anapaya EDGE or the default Internet gateway. There are several options:

Testing the Connectivity

Once both the GATE and the EDGE have been configured, the connectivity can be tested. There are various ways to test the new configuration. In the following, we present two possibilities.

Inspecting the Configured Domain

Using the appliance-cli, we can check the status of the configured domain on both appliances.

Use the following command to view the summary of a specific routing domain:

appliance-cli inspect scion-tunneling summary --domain <domain>

When both sides are correctly configured, we see the following example outputs.

GATE Domain Summary

$ appliance-cli inspect scion-tunneling summary --domain gate-customer-3
  DOMAIN: gate-customer-3
    PREFIXES:
      198.51.100.0/28
    TRAFFIC MATCHER: default
      FAILOVER SEQUENCE:
        STATE FILTER  HEALTHY LOCAL      REMOTE
        -->   default true    1-ff00:0:1 1-ff00:0:1234,10.4.0.1:30856
              ...

EDGE Domain Summary

$ appliance-cli inspect scion-tunneling summary --domain gate-services
  DOMAIN: gate-services
    PREFIXES:
      ...
    TRAFFIC MATCHER: default
      FAILOVER SEQUENCE:
        STATE FILTER  HEALTHY LOCAL         REMOTE
        -->   default true    1-ff00:0:1234 1-ff00:0:1,10.4.0.1:30856
              ...

If your output does not show the expected result, consult your monitoring setup and the Runbooks section.
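The check on the GATE side can be automated by parsing the summary and comparing it with the agreed parameters, so that an unhealthy entry or a prefix outside the customer's agreed range is flagged. This is an added example, not part of the appliance tooling: the parser is keyed to the example output shown above rather than to a documented format, the function names are hypothetical, and it assumes that "-->" in the STATE column marks the entry in use.

```python
import ipaddress

# Constructed sample: the GATE summary from this guide, "..." line removed.
SAMPLE = """\
  DOMAIN: gate-customer-3
    PREFIXES:
      198.51.100.0/28
    TRAFFIC MATCHER: default
      FAILOVER SEQUENCE:
        STATE FILTER  HEALTHY LOCAL      REMOTE
        -->   default true    1-ff00:0:1 1-ff00:0:1234,10.4.0.1:30856
"""

def parse_summary(text):
    """Extract the domain name, prefixes and failover rows from a summary."""
    out, section = {"domain": None, "prefixes": [], "rows": []}, None
    for fields in (line.split() for line in text.splitlines()):
        if not fields or fields[0] == "...":
            continue
        if fields[0] == "DOMAIN:" and len(fields) > 1:
            out["domain"] = fields[1]
        elif fields[0] == "PREFIXES:":
            section = "prefixes"
        elif fields[0] == "TRAFFIC":
            section = None
        elif fields[0] == "STATE":
            section = "rows"
        elif section == "prefixes":
            out["prefixes"].append(fields[0])
        elif section == "rows":
            # Assumption: "-->" in the STATE column marks the entry in use.
            active = fields[0] == "-->"
            cols = fields[1:] if active else fields
            if len(cols) == 4:
                out["rows"].append({"active": active, "healthy": cols[1] == "true",
                                    "local": cols[2], "remote": cols[3].split(",")[0]})
    return out

def verify_gate_domain(summary, local, remote, agreed_prefix):
    """Return findings; an empty list means the GATE domain matches the agreement."""
    findings, allowed = [], ipaddress.ip_network(agreed_prefix)
    for p in summary["prefixes"]:
        net = ipaddress.ip_network(p)
        if net.version != allowed.version or not net.subnet_of(allowed):
            findings.append(f"unexpected prefix {p}")
    if not any(r["active"] and r["healthy"] and r["local"] == local
               and r["remote"] == remote for r in summary["rows"]):
        findings.append("no healthy active entry for the agreed ISD-AS pair")
    return findings
```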

Test End-To-End Connectivity

To test end-to-end connectivity, a residential user of the ISP which operates the previously configured Anapaya GATE should be able to access the services that were made accessible through the GATE. This process depends on the type of service or application that was exposed.