Anapaya GATE¶
The Anapaya GATE implements the IP-in-SCION tunneling module and is typically deployed by ISPs to collect the IP traffic of their residential customers that should be routed into the SCION network.
In the following, we describe a typical small deployment scenario, where an ISP operates two CORE appliances (as described in Anapaya CORE) and additionally two GATE instances.
Running two GATE instances is a best practice: it increases redundancy for residential customers, and it allows the ISP to perform maintenance on one GATE appliance without causing a service interruption.
Topology¶
Our target topology contains the following elements:

- ISP 1 deploys two CORE appliances, s01.chzrh1.isp1 and s01.chbrn1.isp1, that are connected via the internal network 10.0.0.0/24.
- ISP 1 deploys two GATE appliances, s02.chzrh1.isp1 and s02.chbrn1.isp1, that are connected via the internal network 10.0.0.0/24 to the CORE appliances. The two GATE appliances are both connected to the BGP network of the ISP via a BGP peering (using the 10.10.0.0/24 and 10.20.0.0/24 networks).
- Residential customers, which belong to the BGP network of ISP 1.
- gate-customer-1 and gate-customer-2, two organizations that are connected to the SCION Internet using an Anapaya EDGE appliance. They are customers of the Anapaya GATE solution of ISP 1, through which they allow their employees to access critical services. gate-customer-1 exposes services, namely a VPN server, in the 192.0.2.0/28 range. gate-customer-2 exposes services in the 203.0.113.0/24 range.
We will now configure the GATE appliances step-by-step to implement the above scenario.
Network Interface Configuration¶
First, we will look at the configuration for the network interfaces. In the setup, there are two physical network interfaces: one for the internal network (lan) and one for the BGP peering to the ISP's BGP network (bgp).
Please refer to the Network Interface Configuration for guidance on how to configure network interfaces and to Network Interfaces for the full documentation on network interface configuration.
Network Interface Configuration

s02.chzrh1.isp1

"interfaces": {
  "ethernets": [
    {
      "addresses": ["10.0.0.101/24"],
      "name": "lan",
      "gateway": {
        "ipv4_gateway": "10.0.0.1"
      }
    },
    {
      "addresses": ["10.10.0.2/24"],
      "name": "bgp"
    }
  ]
},

s02.chbrn1.isp1

"interfaces": {
  "ethernets": [
    {
      "addresses": ["10.0.0.201/24"],
      "name": "lan",
      "gateway": {
        "ipv4_gateway": "10.0.0.1"
      }
    },
    {
      "addresses": ["10.20.0.2/24"],
      "name": "bgp"
    }
  ]
},
BGP Configuration¶
GATE appliances are connected to the BGP network of the ISP. Over these BGP peerings, the GATE announces the IP prefixes reachable via remote SCION ASes into the ISP's internal BGP network, and re-announces the prefixes it receives from the ISP's BGP routers to the remote SCION ASes. Therefore, each GATE appliance needs to set up at least one BGP session to a BGP router of the ISP.
In the example the following sessions are configured:

- s02.chzrh1.isp1 with local IP 10.10.0.2 has a BGP session with the BGP router of the ISP with peer IP 10.10.0.1.
- s02.chbrn1.isp1 with local IP 10.20.0.2 has a BGP session with the BGP router of the ISP with peer IP 10.20.0.1.
Note
For the peering a private BGP AS number is used on the GATE appliance. The BGP router of the ISP can use its usual public BGP AS number or use a private AS number as well.
BGP Configuration

s02.chzrh1.isp1

"bgp": {
  "global": {
    "as": 65302,
    "router_id": "10.10.0.2"
  },
  "neighbors": [
    {
      "enabled": true,
      "local_as": 65302,
      "neighbor_address": "10.10.0.1",
      "peer_as": 64496
    }
  ]
},

s02.chbrn1.isp1

"bgp": {
  "global": {
    "as": 65302,
    "router_id": "10.20.0.2"
  },
  "neighbors": [
    {
      "enabled": true,
      "local_as": 65302,
      "neighbor_address": "10.20.0.1",
      "peer_as": 64496
    }
  ]
},
The full documentation on the BGP configuration can be found in Border Gateway Protocol (BGP).
SCION Configuration¶
Next, we will take a look at the SCION configuration. The SCION section contains the configuration of the SCION protocol and AS. For GATE appliances, we only need the general AS configuration section.
General AS Configuration¶
Each SCION AS has several general AS configuration options such as the ISD-AS identifier, the AS forwarding secret key, and a human-readable description of the AS. For the full list of the general AS configuration options, please refer to General AS Configuration.
For the configuration of a GATE appliance, we need the following fields:

- isd_as
- scion_mtu

Please refer to General AS Configuration for details. The GATE appliances use the same values as the CORE appliances of the AS.
General AS Configuration

s02.chzrh1.isp1

"scion": {
  "ases": [
    {
      "isd_as": "1-ff00:0:1",
      "scion_mtu": 1472
    }
  ]
},

s02.chbrn1.isp1

"scion": {
  "ases": [
    {
      "isd_as": "1-ff00:0:1",
      "scion_mtu": 1472
    }
  ]
},
Cluster Configuration¶
The GATE appliances are deployed in a sharded manner as part of a cluster together with the CORE appliances. The GATE appliances exchange topology information with the CORE appliances.
The cluster configuration includes the local cluster endpoint and the list of peers that are part of the cluster. For CORE and GATE deployments we recommend to use automatic topology synchronization (see Cluster for more details).
Cluster Configuration

s02.chzrh1.isp1

"cluster": {
  "synchronization": {
    "address": "10.0.0.101:40000"
  },
  "peers": [
    {
      "name": "s01.chbrn1.isp1",
      "synchronization": {
        "address": "10.0.0.200:40000"
      }
    },
    {
      "name": "s01.chzrh1.isp1",
      "synchronization": {
        "address": "10.0.0.100:40000"
      }
    },
    {
      "name": "s02.chbrn1.isp1",
      "synchronization": {
        "address": "10.0.0.201:40000"
      }
    }
  ]
},

s02.chbrn1.isp1

"cluster": {
  "synchronization": {
    "address": "10.0.0.201:40000"
  },
  "peers": [
    {
      "name": "s01.chbrn1.isp1",
      "synchronization": {
        "address": "10.0.0.200:40000"
      }
    },
    {
      "name": "s01.chzrh1.isp1",
      "synchronization": {
        "address": "10.0.0.100:40000"
      }
    },
    {
      "name": "s02.chzrh1.isp1",
      "synchronization": {
        "address": "10.0.0.101:40000"
      }
    }
  ]
},
For GATE appliances to be integrated into the existing cluster of CORE appliances, they need to be added to the cluster/peers section of the CORE appliances.
Additional CORE Cluster Configuration
{
"name": "s02.chbrn1.isp1",
"synchronization": {
"address": "10.0.0.201:40000"
}
},
{
"name": "s02.chzrh1.isp1",
"synchronization": {
"address": "10.0.0.101:40000"
}
}
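The interface, BGP and cluster fragments above are usually produced by copying one appliance's configuration to the next, which is exactly how a reused lan address, a router_id from the wrong appliance or a CORE peer list that still lacks the GATEs slips in. The following script is an added example, not Anapaya's code or tooling: it rebuilds the four appliance fragments of this page with small hypothetical helper functions (the CORE lan addresses 10.0.0.100 and 10.0.0.200 are an assumption taken from their synchronization addresses) and cross-checks them for a symmetric full-mesh peer list, a synchronization address that is local to the appliance, and a BGP router_id and neighbor that belong to the bgp interface.

```python
"""Cross-check the interface, BGP and cluster fragments of the four appliances
for the inconsistencies that copy-pasting one appliance's config to another
introduces most easily (a reused address, a stale peer list)."""
import ipaddress

SYNC_PORT = 40000

# Hypothetical helpers that build fragments in the shape shown on this page.
# The CORE lan addresses 10.0.0.100 and 10.0.0.200 are an assumption taken
# from the CORE synchronization addresses in the cluster configuration.
def cluster_section(lan_ip, peers):
    return {"synchronization": {"address": f"{lan_ip}:{SYNC_PORT}"},
            "peers": [{"name": n, "synchronization": {"address": f"{ip}:{SYNC_PORT}"}}
                      for n, ip in peers]}

def core(name, lan_ip, peers):
    return {"name": name,
            "interfaces": {"ethernets": [{"addresses": [f"{lan_ip}/24"], "name": "lan"}]},
            "cluster": cluster_section(lan_ip, peers)}

def gate(name, lan_ip, bgp_ip, bgp_peer, peers):
    cfg = core(name, lan_ip, peers)
    cfg["interfaces"]["ethernets"].append({"addresses": [f"{bgp_ip}/24"], "name": "bgp"})
    cfg["bgp"] = {"global": {"as": 65302, "router_id": bgp_ip},
                  "neighbors": [{"enabled": True, "local_as": 65302,
                                 "neighbor_address": bgp_peer, "peer_as": 64496}]}
    return cfg

ALL = [("s01.chzrh1.isp1", "10.0.0.100"), ("s01.chbrn1.isp1", "10.0.0.200"),
       ("s02.chzrh1.isp1", "10.0.0.101"), ("s02.chbrn1.isp1", "10.0.0.201")]

def peers_of(name, only_core=False):
    return [(n, ip) for n, ip in ALL
            if n != name and (not only_core or n.startswith("s01."))]

def deployment(core_knows_gates=True):
    """The example deployment. With core_knows_gates=False the CORE peer lists
    still lack the GATE entries, i.e. the 'Additional CORE Cluster
    Configuration' step has not been applied yet."""
    oc = not core_knows_gates
    return [
        core("s01.chzrh1.isp1", "10.0.0.100", peers_of("s01.chzrh1.isp1", oc)),
        core("s01.chbrn1.isp1", "10.0.0.200", peers_of("s01.chbrn1.isp1", oc)),
        gate("s02.chzrh1.isp1", "10.0.0.101", "10.10.0.2", "10.10.0.1", peers_of("s02.chzrh1.isp1")),
        gate("s02.chbrn1.isp1", "10.0.0.201", "10.20.0.2", "10.20.0.1", peers_of("s02.chbrn1.isp1")),
    ]

def interfaces(cfg):
    """Configured IP interfaces keyed by interface name."""
    return {e["name"]: [ipaddress.ip_interface(a) for a in e["addresses"]]
            for e in cfg["interfaces"]["ethernets"]}

def check_cluster(configs):
    """Each appliance must synchronize from one of its own addresses, and the
    peer lists must form a symmetric full mesh with matching addresses."""
    findings, by_name = [], {c["name"]: c for c in configs}
    for c in configs:
        me = c["name"]
        own = {str(i.ip) for addrs in interfaces(c).values() for i in addrs}
        sync_ip = c["cluster"]["synchronization"]["address"].rsplit(":", 1)[0]
        if sync_ip not in own:
            findings.append(f"{me}: synchronization address {sync_ip} is not a local address")
        peers = {p["name"]: p["synchronization"]["address"] for p in c["cluster"]["peers"]}
        if me in peers:
            findings.append(f"{me}: lists itself as a cluster peer")
        for other, other_cfg in by_name.items():
            if other == me:
                continue
            expected = other_cfg["cluster"]["synchronization"]["address"]
            if other not in peers:
                findings.append(f"{me}: missing cluster peer {other}")
            elif peers[other] != expected:
                findings.append(f"{me}: peer {other} has address {peers[other]}, expected {expected}")
    return findings

def check_bgp(cfg):
    """router_id must be the bgp interface address, local_as must equal the
    global AS, and every neighbor must sit on the bgp interface's subnet."""
    findings, me = [], cfg["name"]
    if "bgp" not in cfg:
        return findings
    bgp_if = interfaces(cfg).get("bgp", [])
    g = cfg["bgp"]["global"]
    if not any(str(i.ip) == g["router_id"] for i in bgp_if):
        findings.append(f"{me}: router_id {g['router_id']} is not the bgp interface address")
    for n in cfg["bgp"]["neighbors"]:
        nb = ipaddress.ip_address(n["neighbor_address"])
        if n["local_as"] != g["as"]:
            findings.append(f"{me}: neighbor {nb} local_as {n['local_as']} != global as {g['as']}")
        if not any(nb in i.network for i in bgp_if):
            findings.append(f"{me}: neighbor {nb} is not on the bgp interface subnet")
    return findings

def check_all(configs):
    findings = check_cluster(configs)
    for c in configs:
        findings += check_bgp(c)
    return sorted(findings)

if __name__ == "__main__":
    # Before the CORE appliances learn about the GATEs, every CORE reports two
    # missing cluster peers; the complete deployment reports nothing.
    for f in check_all(deployment(core_knows_gates=False)):
        print(f)
```

Run as-is, the script prints the four "missing cluster peer" findings that the incomplete CORE configuration produces; with the CORE peer lists completed, `check_all(deployment())` returns an empty list. The checks are deliberately structural (addresses, subnets, AS numbers), so they can run on the JSON before it is pushed to an appliance.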
SCION Tunneling Configuration¶
The SCION tunneling configuration enables the IP-in-SCION tunneling module of the appliance and can be used to configure IP tunnels towards customers of the GATE.
The full documentation on the IP-in-SCION tunneling configuration can be found in IP-in-SCION Tunneling.
In this example, we configure both GATE appliances for two customers, gate-customer-1 and gate-customer-2.
- gate-customer-1 owns the SCION AS with ISD-AS number 1-ff00:1:234. This SCION AS announces the IP prefix 192.0.2.0/28 to the GATE instances via the SCION Gateway Routing Protocol (SGRP).
- gate-customer-2 owns the SCION AS with ISD-AS number 1-ff00:2:5b. This SCION AS announces the IP prefix 203.0.113.0/24 to the GATE instances.
For both customers we create a domain configuration which contains:

- prefixes.accept_filter to filter the prefixes which the GATE receives from the customer,
- prefixes.announce_filter to filter the prefixes which the GATE announces to the customer,
- remote_isd_ases to list the SCION ISD-AS numbers of the customer,
- traffic_policies to influence what paths are chosen towards the customer. For simplicity, we configure a default traffic policy that allows the GATE to choose any SCION path to the remote destination for any kind of traffic. Refer to IP-in-SCION Tunneling for more details on how to configure traffic policies.

The accept_filter is the control that matters most here: it only accepts the prefix the customer actually owns, so a misconfigured or compromised customer AS cannot inject other prefixes (for example the other customer's range or the ISP's internal networks) into the ISP's BGP network through the GATE. The announce_filter of 0.0.0.0/0, in contrast, permits all prefixes the GATE learns from the ISP's BGP network to be announced to the customer.

Apart from the domains, each GATE configures its tunneling endpoint with the appliance's own lan address (10.0.0.101 on s02.chzrh1.isp1 and 10.0.0.201 on s02.chbrn1.isp1) and separate control, data and probe ports, and lists the customer ASes under remotes.
SCION Tunneling Configuration

s02.chzrh1.isp1

"scion_tunneling": {
  "endpoint": {
    "control_port": 40201,
    "data_port": 40200,
    "enabled": true,
    "ip": "10.0.0.101",
    "probe_port": 40202
  },
  "domains": [
    {
      "default": false,
      "local_isd_ases": ["1-ff00:0:1"],
      "name": "gate-customer-1",
      "prefixes": {
        "accept_filter": [
          { "action": "ACCEPT", "prefixes": ["192.0.2.0/28"], "sequence_id": 0 }
        ],
        "announce_filter": [
          { "action": "ACCEPT", "prefixes": ["0.0.0.0/0"], "sequence_id": 0 }
        ]
      },
      "remote_isd_ases": [
        { "action": "ACCEPT", "isd_as": "1-ff00:1:234", "sequence_id": 0 }
      ],
      "traffic_policies": [
        {
          "sequence_id": 0,
          "traffic_matcher": "default",
          "failover_sequence": [
            { "path_filter": "default", "sequence_id": 0 }
          ]
        }
      ]
    },
    {
      "default": false,
      "local_isd_ases": ["1-ff00:0:1"],
      "name": "gate-customer-2",
      "prefixes": {
        "accept_filter": [
          { "action": "ACCEPT", "prefixes": ["203.0.113.0/24"], "sequence_id": 0 }
        ],
        "announce_filter": [
          { "action": "ACCEPT", "prefixes": ["0.0.0.0/0"], "sequence_id": 0 }
        ]
      },
      "remote_isd_ases": [
        { "action": "ACCEPT", "isd_as": "1-ff00:2:5b", "sequence_id": 0 }
      ],
      "traffic_policies": [
        {
          "sequence_id": 0,
          "traffic_matcher": "default",
          "failover_sequence": [
            { "path_filter": "default", "sequence_id": 0 }
          ]
        }
      ]
    }
  ],
  "path_filters": [
    { "acl": ["+"], "name": "default" }
  ],
  "remotes": [
    { "isd_as": "1-ff00:1:234" },
    { "isd_as": "1-ff00:2:5b" }
  ],
  "traffic_matchers": [
    { "condition": "BOOL=true", "name": "default" }
  ]
},

s02.chbrn1.isp1

The configuration is identical except for the endpoint IP, which is the lan address of this appliance (10.0.0.201, not 10.0.0.101).

"scion_tunneling": {
  "endpoint": {
    "control_port": 40201,
    "data_port": 40200,
    "enabled": true,
    "ip": "10.0.0.201",
    "probe_port": 40202
  },
  "domains": [
    {
      "default": false,
      "local_isd_ases": ["1-ff00:0:1"],
      "name": "gate-customer-1",
      "prefixes": {
        "accept_filter": [
          { "action": "ACCEPT", "prefixes": ["192.0.2.0/28"], "sequence_id": 0 }
        ],
        "announce_filter": [
          { "action": "ACCEPT", "prefixes": ["0.0.0.0/0"], "sequence_id": 0 }
        ]
      },
      "remote_isd_ases": [
        { "action": "ACCEPT", "isd_as": "1-ff00:1:234", "sequence_id": 0 }
      ],
      "traffic_policies": [
        {
          "sequence_id": 0,
          "traffic_matcher": "default",
          "failover_sequence": [
            { "path_filter": "default", "sequence_id": 0 }
          ]
        }
      ]
    },
    {
      "default": false,
      "local_isd_ases": ["1-ff00:0:1"],
      "name": "gate-customer-2",
      "prefixes": {
        "accept_filter": [
          { "action": "ACCEPT", "prefixes": ["203.0.113.0/24"], "sequence_id": 0 }
        ],
        "announce_filter": [
          { "action": "ACCEPT", "prefixes": ["0.0.0.0/0"], "sequence_id": 0 }
        ]
      },
      "remote_isd_ases": [
        { "action": "ACCEPT", "isd_as": "1-ff00:2:5b", "sequence_id": 0 }
      ],
      "traffic_policies": [
        {
          "sequence_id": 0,
          "traffic_matcher": "default",
          "failover_sequence": [
            { "path_filter": "default", "sequence_id": 0 }
          ]
        }
      ]
    }
  ],
  "path_filters": [
    { "acl": ["+"], "name": "default" }
  ],
  "remotes": [
    { "isd_as": "1-ff00:1:234" },
    { "isd_as": "1-ff00:2:5b" }
  ],
  "traffic_matchers": [
    { "condition": "BOOL=true", "name": "default" }
  ]
},