Simulating the Internet Using Unprivileged LXC Container
Stéphane Graber
Software engineer for Canonical Ltd. Upstream maintainer of LXC. Infrastructure/network guy for NorthSec.
LinuxCon North America 2014, Chicago
Introduction
The biggest on-site capture the flag security contest in North America!
Organized over a weekend in Montreal with participants coming from Canada and the US.
26 teams for a total of over 200 participants, organized by a staff of 20 and some help from volunteers.
https://www.nsec.io
NorthSec 2014
NorthSec 2014: The map of our Internet
Internet in a bottle
Why?
➔ Very recent Linux kernel: 3.13 for basic functionality, 3.16 for advanced networking.
➔ Reasonably recent LXC: LXC 1.0 is required for unprivileged containers. LXC 1.0.1 (also known as the NorthSec edition) or higher is recommended.
➔ Reasonably recent distro: Ubuntu 14.04 LTS for example. Needs a very recent version of shadow (newuidmap, newgidmap). Good cgroup setup support (such as using cgmanager).
➔ Our Internet generator
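A preflight check for the kernel and shadow requirements listed above, as an added example that is not part of the original slides or of the NorthSec tooling. It assumes the standard shadow files /etc/subuid and /etc/subgid (format name:start:count); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a host against the kernel and shadow requirements above.

# kernel_ge RELEASE MAJOR MINOR: true if RELEASE (as printed by uname -r)
# is at least MAJOR.MINOR. "3.13.0-24-generic" is reduced to "3.13.0" first.
kernel_ge() {
    rel=${1%%[!0-9.]*}
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "${minor:-0}" -ge "$3" ]; }
}

# subid_count FILE USER: print how many subordinate ids FILE delegates to USER.
# Only entries keyed by user name are counted; a missing file counts as 0.
subid_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }' "$1"
}

# preflight: print one line per requirement, return the number not met.
preflight() {
    missing=0
    krel=$(uname -r)
    if kernel_ge "$krel" 3 13; then echo "ok   kernel $krel"
    else echo "FAIL kernel $krel is older than 3.13"; missing=$((missing + 1)); fi
    if ! kernel_ge "$krel" 3 16; then
        echo "note kernel older than 3.16: no advanced networking"
    fi
    for tool in newuidmap newgidmap; do
        if command -v "$tool" >/dev/null 2>&1; then echo "ok   $tool found"
        else echo "FAIL $tool not found (shadow too old?)"; missing=$((missing + 1)); fi
    done
    user=$(id -un)
    for f in /etc/subuid /etc/subgid; do
        n=$(subid_count "$f" "$user")
        if [ "$n" -gt 0 ]; then echo "ok   $f delegates $n ids to $user"
        else echo "FAIL $f has no range for $user"; missing=$((missing + 1)); fi
    done
    return "$missing"
}

preflight || echo "$? requirement(s) not met"
```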
How?
Sure!
Let’s create some Internetz!
Can we see it?
Beware of the bugs!
It can’t always go smoothly
➔ Javascript… We really need to fix that map...
➔ Partial distributed Internets: You never have enough routers!
➔ Monitoring: Bandwidth usage per link, per AS, per IX, BGP session monitoring, ...
➔ Making it more authentic: More carriers, more routers, more exchanges, whois services, looking glass, domain registrars, maybe some way to import data from the real thing? … Simulate BGP hijacking, countries going dark, fibers getting cut, links and datacenters being tapped, ...
What’s next?
git clone git://github.com/nsec/the-internet
How do I get my own?
Stéphane Graber: https://www.stgraber.org
LXC: https://www.linuxcontainers.org https://github.com/lxc
NorthSec: https://www.nsec.io https://github.com/nsec
Questions anyone?