ERE-019-122-701 Opensync Requirement: Network Management

OpenSync™ Network Management Requirements

Date: May 27, 2020
Document ID: ERE-019-122-701

Table of Contents

Introduction
Prerequisites and requirements
Prerequisites
Prerequisite: OpenSync 1.2 or more
Requirements
Requirement: IPv4
Requirement: DNS
Requirement: DHCPv4 Client
Requirement: DHCPv4 Server
Requirement: IPv4 Routing
Requirement: IPv4 Firewall
Requirement: UPnP
Requirement: IPv6
Requirement: IPv6 Router Advertisement
Requirement: DHCPv6 Client
Requirement: DHCPv6 Server
IPv6 firewall [SOON OBSOLETE]

References

[1] ERE-020-011-301 OpenSync requirement: General.pdf
[2] https://www.opensync.io/s/OpenSync_12-fpht.pdf
[3] EUB-020-013-001 OpenSync Overview.pdf

Introduction

The OpenSync Network Manager (NM2) is responsible for managing and reporting the network configuration and for creating interfaces. NM2 is one of the core OpenSync services: it manages device operation and guides the onboarding process.

Prerequisites

OpenSync versions

OpenSync 1.2 [2] is required for IPv4 support. Support for IPv6 and WAN management requires OpenSync 1.4 [3].

Prerequisite: OpenSync 1.2 [2] for IPv4 support.
Prerequisite: OpenSync 1.4 [3] for IPv6 and WAN management.

Requirements

OpenSync network management requires the APIs listed below. The default backend is in the core repository and targets generic Linux systems, with a focus on OpenWrt-like distributions. This implementation requires various external tools and utilities, which are typically present on OpenWrt-based Linux distributions.

Component                         OpenSync API   Default backends and external dependencies
--------------------------------  -------------  ------------------------------------------
IPv4                              osn_inet.h     Iproute2 utilities: ip addr / ip route; NETLINK sockets
DNS                               osn_inet.h     Libc that uses /etc/resolv.conf
DHCPv4 client                     osn_dhcp.h     udhcpc
DHCPv4 server                     osn_dhcp.h     dnsmasq
IPv4 route                        osn_inet.h     Iproute2 utilities: ip route; NETLINK sockets
IPv4 firewall                                    iptables
UPnP                              osn_upnp.h     miniupnpd
IPv6                              osn_inet6.h    Iproute2 utilities: ip -6 addr / ip -6 route; NETLINK sockets
IPv6 router advertisement         osn_inet6.h    dnsmasq
DHCPv6 client with SLAAC support  osn_dhcp6.h    odhcp6c
DHCPv6 server                     osn_dhcp6.h    dnsmasq
IPv6 firewall [SOON OBSOLETE]     /              Iptables -6 to configure NAT

Table 1: OpenSync network tools and utilities

IPv4

NM2 configures IPv4 parameters:
● Static IPv4 address and netmask
● Default gateway

The API required for the IPv4 parameter configuration is in the osn_inet.h header file. The core repository's default implementation uses the Iproute2 utilities, currently the de facto standard on the majority of modern Linux distributions.

Requirement: IPv4:
- working osn_inet.h API

DNS

OpenSync configures the DNS server settings currently used by devices. The required API for this task is in the osn_inet.h header file. By default, NM2 writes the values of the DNS servers to /etc/resolv.conf. This requires a libc implementation that can detect dynamic changes to /etc/resolv.conf and reload the configuration (e.g., uClibc).

Requirement: DNS:
- working osn_inet.h API

DHCPv4 client

OpenSync uses the DHCP protocol for IPv4 auto-configuration. The DHCPv4 client ensures “leaf pod” connectivity and general onboarding. By default, NM2 uses the udhcpc client.

Requirement: DHCPv4 client:
- working osn_dhcp.h API

DHCPv4 server

OpenSync uses the DHCP protocol for IPv4 auto-configuration of the LAN network. The DHCPv4 server also ensures “leaf pod” connectivity. By default, NM2 uses the dnsmasq server.

Requirement: DHCPv4 server:
- working osn_dhcp.h API

IPv4 routing

OpenSync configures the default routes and reports the current route table status. By default, Iproute2 configures the routes and reports their status, while NETLINK sockets detect route table changes.

Requirement: IPv4 routing:
- working osn_inet.h API

IPv4 firewall

OpenSync configures NAT, port forwarding, and firewall rules. By default, the firewall on the device should be closed for all interfaces. NM2 uses the iptables utility for firewall configuration. Most iptables commands are executed through the /usr/plume/bin/iptables_cmd.sh script.

Requirement: IPv4 firewall:
- working /usr/plume/bin/iptables_cmd.sh script

UPnP

OpenSync supports UPnP on compatible platforms. By default, OpenSync uses the miniupnpd daemon.

Requirement: UPnP:
- working osn_upnp.h

IPv6

OpenSync configures the following IPv6 parameters:
● Static IPv6 address and prefixes
● Router advertisement

The API required for IPv6 parameter configuration is in the osn_inet6.h header file. The core repository's default implementation uses the Iproute2 suite of utilities, and NETLINK sockets for detecting changes in the configuration.

Requirement: IPv6:
- working osn_inet6.h API

IPv6 router advertisement

OpenSync configures and enables the router advertisement services to ensure proper IPv6 provisioning on LAN interfaces. By default, the dnsmasq daemon serves this purpose and provides stateful and stateless IPv6 modes.

Requirement: IPv6:
- working osn_inet6.h API

DHCPv6 client

OpenSync acquires IPv6 addresses on the WAN link. To acquire the IP addresses, you need either SLAAC, stateless, or stateful DHCPv6. To support all 3 options, OpenSync requires a DHCPv6 client that also supports SLAAC. Additionally, the DHCPv6 client should report the assigned delegated prefix back to NM2. By default, OpenSync uses odhcp6c for the DHCPv6 client and SLAAC.
All DHCP options, including the delegated prefix, are written to a file after link negotiation. NM2 reads this file and transfers these options to the OVSDB.

Requirement: IPv6:
- working osn_dhcp6.h API

DHCPv6 server

OpenSync runs a stateless and stateful DHCPv6 server. By default, dnsmasq is used in the core repository. NM2 spawns a separate instance of the dnsmasq daemon exclusively for IPv6 handling. Therefore, you can expect two dnsmasq processes if both the IPv6 and IPv4 stacks are active. However, all IPv6 interfaces share a common dnsmasq instance.

Requirement: IPv6:
- working osn_dhcp6.h API

IPv6 firewall [SOON OBSOLETE]

OpenSync executes port forwarding and firewall rules. By default, the device firewall should be closed for all interfaces. By default, NM2 uses the iptables utility for firewall configuration, and most commands are executed through the /usr/plume/bin/iptables_cmd.sh script.

Note: The Netfilter Manager (NFM), which is capable of configuring NAT, is going to replace the IPv6 firewall.
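
The IPv4 and IPv6 firewall sections both state that the device firewall should be closed for all interfaces by default. The shell function below is an added example, not part of the OpenSync document or code base, that audits a saved ruleset for that property. It assumes "closed" means policy DROP on the filter table's INPUT and FORWARD chains with no unconditional ACCEPT rule; the rulesets and interface names in it are constructed samples.

```sh
#!/bin/sh
# Added example, not OpenSync code. Assumption: "closed" means policy DROP on
# the filter table's INPUT and FORWARD chains and no unconditional ACCEPT rule.

# Reads iptables-save / ip6tables-save text on stdin, prints one finding per
# line, and returns 0 when there are no findings, 1 otherwise.
audit_default_closed() {
    awk '
    /^\*/ { table = substr($1, 2); next }          # "*filter", "*nat", ...
    table != "filter" { next }
    /^:/ {                                          # ":INPUT DROP [0:0]"
        chain = substr($1, 2)
        if (chain == "INPUT" || chain == "FORWARD") {
            seen[chain] = 1
            if ($2 != "DROP") {
                printf "POLICY %s is %s, expected DROP\n", chain, $2
                bad = 1
            }
        }
        next
    }
    $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
        target = ""; scoped = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            # Any interface, address, protocol or match option narrows the rule.
            if ($i ~ /^-[iosdpm]$/) scoped = 1
        }
        if (target == "ACCEPT" && !scoped) { print "OPEN " $0; bad = 1 }
        next
    }
    END {
        if (!("INPUT" in seen))   { print "MISSING filter chain INPUT";   bad = 1 }
        if (!("FORWARD" in seen)) { print "MISSING filter chain FORWARD"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: default-closed ruleset with only scoped ACCEPT rules.
sample_closed() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-home -o eth0 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: open INPUT policy and a catch-all FORWARD ACCEPT.
sample_open() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ACCEPT
COMMIT
EOF
}

# Demonstration on the constructed open ruleset; prints two findings.
sample_open | audit_default_closed || true
```

On a device, the same function can read live rules with `iptables-save | audit_default_closed` and `ip6tables-save | audit_default_closed`.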