Configuring a GATE Customer
In this user guide, we will configure a customer on an Anapaya GATE appliance. The guide is split into two sections: In the first section we update the configuration of the GATE appliance itself. In the second section we update the configuration of the customer EDGE appliance such that the services it exposes are accessible through the GATE.
Gathering Information
Before starting the configuration, both parties need to communicate and agree on the following parameters:
GATE Operator:
- The ISD-AS number of the SCION AS where the GATE appliance is running.
GATE Customer:
- The ISD-AS number of the SCION AS where the EDGE appliance is running.
- The IP prefix which should be reachable by the residential customers of the GATE operator. This needs to be a prefix with public IP addresses, which are currently not routed in the Internet.
- The LAN gateway that acts as the next-hop for the EDGE appliance, if the EDGE is not connected through BGP to the customer's LAN.
Both parties:
- Specific requirements for path selection policies.
Example Information
In this user guide, we will be using the following information for our example configurations.
GATE Operator:
- ISD-AS Number: 1-ff00:0:1
GATE Customer:
- ISD-AS Number: 1-ff00:0:1234
- IP Prefix: 198.51.100.0/28
- LAN Gateway: 198.51.100.1
Both parties:
- There are no specific path selection requirements. Therefore, we will configure the default path filters and traffic matchers in the scion_tunneling section.
Default Path Filters and Traffic Matchers
"scion_tunneling": {
  "path_filters": [
    { "acl": ["+"], "name": "default" }
  ],
  "traffic_matchers": [
    { "condition": "BOOL=true", "name": "default" }
  ]
},
Configuring the GATE
In this section we assume the GATE appliance has been set up using the guide in Deployment Example and is already operational.
Remotes Configuration
On the GATE appliance, we need to add the customer ISD-AS number to the list of scion_tunneling/remotes.
Tunneling Remotes
"remotes": [
  { "isd_as": "1-ff00:0:1234" }
],
Domain Configuration
On the GATE appliance, we need to add a domain configuration to the scion_tunneling/domains list. As part of this configuration we have defined the following parameters:
- name is an identifier for the domain; here we use gate-customer-3.
- local_isd_ases is the ISD-AS number of the GATE operator, in this case 1-ff00:0:1.
- remote_isd_ases contains an ISD-AS filter that matches the ISD-AS number (1-ff00:0:1234) of the GATE customer.
- prefixes/announce_filter contains a wildcard filter, which has the effect that all IP prefixes announced by the BGP router of the GATE operator are re-announced via the SCION Gateway Routing Protocol (SGRP) to the EDGE of the GATE customer.
- prefixes/accept_filter contains a filter that accepts the IP prefixes defined by the GATE customer (198.51.100.0/28).
- traffic_policies contains custom routing policies. In this guide, we reference the default path filters and traffic matchers as defined in Example Information.
Refer to Domain Configuration for more details on domain configuration.
Domain Configuration on GATE appliance
{
  "name": "gate-customer-3",
  "local_isd_ases": [ "1-ff00:0:1" ],
  "remote_isd_ases": [
    { "action": "ACCEPT", "isd_as": "1-ff00:0:1234", "sequence_id": 0 }
  ],
  "prefixes": {
    "announce_filter": [
      { "action": "ACCEPT", "prefixes": [ "0.0.0.0/0" ], "sequence_id": 0 }
    ],
    "accept_filter": [
      { "action": "ACCEPT", "prefixes": [ "198.51.100.0/28" ], "sequence_id": 0 }
    ]
  },
  "traffic_policies": [
    {
      "sequence_id": 0,
      "traffic_matcher": "default",
      "failover_sequence": [
        { "path_filter": "default", "sequence_id": 0 }
      ]
    }
  ]
},
BGP Configuration
The GATE operator then also needs to ensure that the IP prefix 198.51.100.0/28 is accepted via the BGP session between the ISP's BGP network and the GATEs.
Configuring the EDGE Appliance
The process to configure the EDGE appliance is very similar to the configuration of the GATE appliance. We assume the EDGE appliance has been set up according to one of the examples in Deployment Examples.
Remotes Configuration
On the EDGE appliance, we need to add the GATE operator ISD-AS number to the list of scion_tunneling/remotes.
Tunneling Remotes
"remotes": [
  { "isd_as": "1-ff00:0:1" }
],
Domain Configuration
On the EDGE appliance, we need to add a domain configuration to the scion_tunneling/domains list. As part of this configuration we have defined the following parameters:
- name is an identifier for the domain; here we use gate-services.
- default is set to true, see Default Domain for details.
- local_isd_ases is the ISD-AS number of the GATE customer, in this case 1-ff00:0:1234.
- remote_isd_ases contains an ISD-AS filter that matches the ISD-AS number (1-ff00:0:1) of the GATE operator.
- prefixes/announce_filter contains a filter that accepts, for announcement to the GATE, the IP prefixes defined by the GATE customer (198.51.100.0/28).
- traffic_policies contains custom routing policies. In this guide, we reference the default path filters and traffic matchers as defined in Example Information.
Refer to Domain Configuration for more details on domain configuration.
Domain Configuration on EDGE appliance
{
  "name": "gate-services",
  "default": true,
  "local_isd_ases": [ "1-ff00:0:1234" ],
  "remote_isd_ases": [
    { "action": "ACCEPT", "isd_as": "1-ff00:0:1", "sequence_id": 0 }
  ],
  "prefixes": {
    "announce_filter": [
      { "action": "ACCEPT", "prefixes": [ "198.51.100.0/28" ], "sequence_id": 0 }
    ]
  },
  "traffic_policies": [
    {
      "sequence_id": 0,
      "traffic_matcher": "default",
      "failover_sequence": [
        { "path_filter": "default", "sequence_id": 0 }
      ]
    }
  ]
},
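The GATE and EDGE domain configurations above only work as a pair when the ISD-AS filters point at each other and the customer prefix passes both the GATE accept_filter and the EDGE announce_filter. The following Python is an added example written for this guide (not Anapaya tooling) that checks exactly that and additionally rejects a customer prefix overlapping private or CGNAT space; the first-match filter semantics and the list of blocked ranges are assumptions of this example, not taken from the appliance documentation.

```python
import ipaddress
# Constructed domain configs mirroring the values in this guide (not the appliance's own files).
GATE_DOMAIN = {
    "name": "gate-customer-3", "local_isd_ases": ["1-ff00:0:1"],
    "remote_isd_ases": [{"action": "ACCEPT", "isd_as": "1-ff00:0:1234", "sequence_id": 0}],
    "prefixes": {
        "announce_filter": [{"action": "ACCEPT", "prefixes": ["0.0.0.0/0"], "sequence_id": 0}],
        "accept_filter": [{"action": "ACCEPT", "prefixes": ["198.51.100.0/28"], "sequence_id": 0}]},
}
EDGE_DOMAIN = {
    "name": "gate-services", "default": True, "local_isd_ases": ["1-ff00:0:1234"],
    "remote_isd_ases": [{"action": "ACCEPT", "isd_as": "1-ff00:0:1", "sequence_id": 0}],
    "prefixes": {
        "announce_filter": [{"action": "ACCEPT", "prefixes": ["198.51.100.0/28"], "sequence_id": 0}]},
}
# Blocks that are never valid as a customer prefix (RFC 1918, CGNAT, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def prefix_accepted(rules, prefix):
    """Assumed semantics: rules are tried in sequence_id order, the first rule whose prefix
    list covers `prefix` decides, and a prefix matched by no rule is not accepted."""
    net = ipaddress.ip_network(prefix)
    for rule in sorted(rules, key=lambda r: r["sequence_id"]):
        if any(net.subnet_of(ipaddress.ip_network(p)) for p in rule["prefixes"]):
            return rule["action"] == "ACCEPT"
    return False

def isd_as_accepted(rules, isd_as):
    # Same assumed first-match semantics for the remote_isd_ases filter.
    for rule in sorted(rules, key=lambda r: r["sequence_id"]):
        if rule["isd_as"] == isd_as:
            return rule["action"] == "ACCEPT"
    return False

def check_pairing(gate, edge, customer_prefix):
    """Return a list of findings; an empty list means both sides agree on the customer."""
    findings = []
    for own, peer, side in ((gate, edge, "GATE"), (edge, gate, "EDGE")):
        for local in own["local_isd_ases"]:
            if not isd_as_accepted(peer["remote_isd_ases"], local):
                findings.append(f"{side} ISD-AS {local} is not accepted by the peer's remote_isd_ases")
    net = ipaddress.ip_network(customer_prefix)
    if any(net.overlaps(blocked) for blocked in NON_PUBLIC):
        findings.append(f"{customer_prefix} overlaps a non-public address block")
    if not prefix_accepted(gate["prefixes"]["accept_filter"], customer_prefix):
        findings.append(f"GATE accept_filter does not accept {customer_prefix}")
    if not prefix_accepted(edge["prefixes"]["announce_filter"], customer_prefix):
        findings.append(f"EDGE announce_filter does not announce {customer_prefix}")
    return findings
```

Running check_pairing(GATE_DOMAIN, EDGE_DOMAIN, "198.51.100.0/28") on the guide's values returns an empty list; a typo in either ISD-AS number or a prefix the GATE does not accept shows up as a finding before the domain is rolled out.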
Note
In case the Anapaya EDGE appliance has a BGP session to the LAN, the IP prefix 198.51.100.0/28 should be announced via BGP, and the EDGE automatically re-announces it as long as it matches the prefixes/announce_filter.
When the Anapaya EDGE is connected to the LAN using static routing, the IP prefix 198.51.100.0/28 needs to be configured in the scion_tunneling/static_announcements section. Please refer to Static Announcements for more details.
Static Announcements Configuration on EDGE appliance
"static_announcements": [
  {
    "prefixes": [ "198.51.100.0/28" ],
    "sequence_id": 0,
    "next_hop_tracking": { "target": "198.51.100.1" }
  }
],
Note
In cases where the Anapaya EDGE is run alongside an Internet gateway, there needs to be a mechanism to determine if the return traffic should use a path going through the Anapaya EDGE or the default Internet gateway. There are several options:
- Use BGP to connect the Anapaya EDGE to the LAN.
- Enable policy based routing on the firewall between the EDGE and the LAN.
- Enable ingress source NAT on the Anapaya EDGE. Refer to Configuring Ingress NAT to collect Users from the Anapaya GATE for detailed information.
Testing the Connectivity
Once both the GATE and the EDGE have been configured, the connectivity can be tested. There are various ways to test the new configuration. In the following, we present two possibilities.
Inspecting the Configured Domain
Using the appliance-cli, we can check the status of the configured domain on both appliances.
Use the following command to view the summary of a specific routing domain:
appliance-cli inspect scion-tunneling summary --domain <domain>
When both sides are correctly configured, we see the following example outputs.
GATE Domain Summary
$ appliance-cli inspect scion-tunneling summary --domain gate-customer-3
DOMAIN: gate-customer-3
PREFIXES:
198.51.100.0/28
TRAFFIC MATCHER: default
FAILOVER SEQUENCE:
STATE FILTER HEALTHY LOCAL REMOTE
--> default true 1-ff00:0:1 1-ff00:0:1234,10.4.0.1:30856
...
EDGE Domain Summary
$ appliance-cli inspect scion-tunneling summary --domain gate-services
DOMAIN: gate-services
PREFIXES:
...
TRAFFIC MATCHER: default
FAILOVER SEQUENCE:
STATE FILTER HEALTHY LOCAL REMOTE
--> default true 1-ff00:0:1234 1-ff00:0:1,10.4.0.1:30856
...
If your output does not show the expected result, consult your monitoring setup and the Runbooks section.
Test End-To-End Connectivity
To test end-to-end connectivity, a residential user of the ISP which operates the previously configured Anapaya GATE should be able to access the services that were made accessible through the GATE. This process depends on the type of service or application that was exposed.