Need help on connecting endhost.

Nygneu

Dec 4, 2018, 3:44:22 PM
to SCION community
Hello everybody,

I'm very interested in SCION architecture and would like to do some experiment on it but I'm a newbie and kinda need some help.

Currently, I've successfully set up a SCION VM running SCION AS on my computer (https://netsec-ethz.github.io/scion-tutorials/virtual_machine_setup/dynamic_ip/). I've also finished running SCION on a local topology and connecting to the SCION network via VPN (https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/vpn_setup/) . Please see the picture below.

picture1.png


However, I'm kinda stuck at the host-endhost connection step (https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/setup_endhost/). Say I already have 3 VMs with static public IP addresses (my endhosts) and I want to set up a simple topology like the below picture on SCION architecture.

picture2.png


There are two things I'm confused about:

1. There is only one network interface on the host VM, that means I can only connect one endhost to it. Thus, every time I want to connect an endhost, there must be an available SCION host for it, is that correct?

2. SCION must also be installed on endhosts, that means I have to create extra ASes on SCIONLab Coordination Service for each endhost if the endhosts have static public IP addresses like in my case. To me this doesn't make much sense.

My questions might be naive because I haven't had full understanding about SCION architecture. My ultimate goal is to create a topology like in the second picture on SCION. Please help me with that.

Thank you very much for your time and help!

Juan A. Garcia Pardo

Dec 4, 2018, 4:04:28 PM
to SCION community
Hi Nygneu,


On Tuesday, December 4, 2018 at 9:44:22 PM UTC+1, Nygneu wrote:
Hello everybody,

I'm very interested in SCION architecture and would like to do some experiment on it but I'm a newbie and kinda need some help.

Currently, I've successfully set up a SCION VM running SCION AS on my computer (https://netsec-ethz.github.io/scion-tutorials/virtual_machine_setup/dynamic_ip/). I've also finished running SCION on a local topology and connecting to the SCION network via VPN (https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/vpn_setup/) . Please see the picture below.

picture1.png


From this screenshot it seems that your VM is not yet fully connected to SCIONLab. There is an error with the border router, probably because of the VPN connection. We have a troubleshooting guide at https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/troubleshooting/ that might be of help.
 
However, I'm kinda stuck at the host-endhost connection step (https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/setup_endhost/). Say I already have 3 VMs with static public IP addresses (my endhosts) and I want to set up a simple topology like the below picture on SCION architecture.

picture2.png


There are two things I'm confused about:

1. There is only one network interface on the host VM, that means I can only connect one endhost to it. Thus, every time I want to connect an endhost, there must be an available SCION host for it, is that correct?
The machine named server will run all SCION services (path server, certificate server, beacon server) plus the border router from your AS to its attachment point.
The other machines, called user1 and user2, will have installed only the SCION endhost (only a small daemon to communicate with SCION services), meaning that they will "talk" to the machine called server to route traffic out of your AS. All three machines will be part of your AS.
 
 
2. SCION must also be installed on endhosts, that means I have to create extra ASes on SCIONLab Coordination Service for each endhost if the endhosts have static public IP addresses like in my case. To me this doesn't make much sense.
Indeed all three machines have a SCION endhost. We call the `sciond` process the SCION endhost; it is responsible for asking the path server for paths, caching answers, packing your `send` and unpacking your `receive` calls, etc.
Your AS, ffaa:1:22a, is a full network. You don't need to configure more ASes, as this AS can contain a huge number of machines. In your case, those three machines would be part of your ffaa:1:22a AS.
 

My questions might be naive because I haven't had full understanding about SCION architecture. My ultimate goal is to create a topology like in the second picture on SCION. Please help me with that.
They are not naive. I think the confusion arises from the concept of AS, SCION services and endhost. AS is your network. You run all necessary SCION services in one machine (called server). You have three endhosts (the three machines in your picture).
 

Thank you very much for your time and help!


If you have further problems and can't solve them with the tutorials or guide, write again and we will guide you step by step to configure services and endhosts. It is, though, a good exercise to try it yourself first with the help of our tutorials, but if you get stuck, tell us and we'll jump in.
Thanks and best regards,

Juan A.

Nygneu

Dec 4, 2018, 10:06:17 PM
to SCION community
Hello Juan,

Thank you so much for your reply! Now I understand it a little bit more.

1. As far as I understand, the SCION VM that I set up in the first picture plays a role as the gateway to the SCION architecture (it is called 'host' in the tutorial: https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/setup_endhost/). Running the script './scion.sh run' is to establish connections to SCION, then other machines (endhosts) can join SCION by connecting via this SCION VM. Please correct me if I'm wrong here.

So, I'm a little bit confused when you said: "AS is your network. You run all necessary SCION services in one machine (called server). You have three endhosts (the three machines in your picture)."  In this case, is the 'server' you mentioned the SCION VM I'm talking about?

2. I've just realized that I was kinda vague about my questions before. The topology I posted (my second picture) is in pure traditional network, nothing related to SCION. I'd like to create a simple topology with a server (most likely a web server) and 2 clients connected to it to do some network experiment on SCION. If my thought above is correct, then I have a question regarding technical setup.

Below are steps I've done so far:

2.1. Create an AS (ffaa:1:22a in my case), download the configuration file and use it to set up a SCION VM on my laptop (https://netsec-ethz.github.io/scion-tutorials/virtual_machine_setup/dynamic_ip/) and then run the script './scion.sh run'.

2.2. As I mentioned, currently I have 3 VMs with static public IP addresses in my lab. I would like to hook up these 3 VMs to the SCION topology (which is as I guessed above, has to be thru the SCION VM). These VMs are running Ubuntu 16.04 so I can install SCION native on them following this tutorial: https://netsec-ethz.github.io/scion-tutorials/native_setup/ubuntu_x86_build/ using the same AS ffaa:1:22a configuration file I used on the SCION VM above.

2.3. Now, I guess I cannot use the public IP addresses here because AS ffaa:1:22a configuration only allows OpenVPN (please see the picture below for my AS ffaa:1:22a configuration). But I guess this is resolvable by using OpenVPN setup instead of public IP setup on these 3 VMs using this tutorial: https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/vpn_setup/.

2.4. However, there's another problem, these VMs are running SCION native, but the AS configuration is only for 'Install inside a virtual machine'. I totally have no idea about what I should do next here. 

To be honest, I think the installation instruction is quite vague for newbie like me (no offense), so I don't even know if I'm following the right steps or not, they are pretty much just my guess. Therefore, I'd really appreciate it if you could tell if I'm doing it right or not and also help me with my question.

AS-ffaa122a.PNG



I'm very sorry for keeping bugging you with long question.
Once again, thank you for your time and help!

Best,

- N

Juan A. Garcia Pardo

Dec 5, 2018, 12:01:10 PM
to SCION community
Hi Nygneu,

On Wednesday, December 5, 2018 at 4:06:17 AM UTC+1, Nygneu wrote:
Hello Juan,

Thank you so much for your reply! Now I understand it a little bit more.

1. As far as I understand, the SCION VM that I set up in the first picture plays a role as the gateway to the SCION architecture (it is called 'host' in the tutorial: https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/setup_endhost/). Running the script './scion.sh run' is to establish connections to SCION, then other machines (endhosts) can join SCION by connecting via this SCION VM. Please correct me if I'm wrong here.
I think you are now correct.
When you run `scion.sh run` the SCION services start in this machine (beacon server, path server, certificate server and border router). It connects your AS to the rest of the SCIONLab network.
The rest of machines (endhosts) can use these services to reach other computers in other ASes in the SCIONLab network.



So, I'm a little bit confused when you said: "AS is your network. You run all necessary SCION services in one machine (called server). You have three endhosts (the three machines in your picture)."  In this case, is the 'server' you mentioned the SCION VM I'm talking about?
I labeled it "server" because of your picture. In your architecture picture I assumed that machine you labeled "server" was the one hosting the SCION services. The other machines, that you labeled "endhost", don't need SCION services, and only run the endhost, using the services running in "server". Using the names from the picture, and my assumption that you only deploy one AS (more than enough).
 

2. I've just realized that I was kinda vague about my questions before. The topology I posted (my second picture) is in pure traditional network, nothing related to SCION. I'd like to create a simple topology with a server (most likely a web server) and 2 clients connected to it to do some network experiment on SCION. If my thought above is correct, then I have a question regarding technical setup.
SCION is an inter-network communications architecture. Inside an AS the protocol we use is IP. So, if your three machines are located inside the same AS, there will be no SCION traffic.
 

Below are steps I've done so far:

2.1. Create an AS (ffaa:1:22a in my case), download the configuration file and use it to set up a SCION VM on my laptop (https://netsec-ethz.github.io/scion-tutorials/virtual_machine_setup/dynamic_ip/) and then run the script './scion.sh run'.
Sounds fine.
 

2.2. As I mentioned, currently I have 3 VMs with static public IP addresses in my lab. I would like to hook up these 3 VMs to the SCION topology (which is as I guessed above, has to be thru the SCION VM). These VMs are running Ubuntu 16.04 so I can install SCION native on them following this tutorial: https://netsec-ethz.github.io/scion-tutorials/native_setup/ubuntu_x86_build/ using the same AS ffaa:1:22a configuration file I used on the SCION VM above.
Wait, there is a misunderstanding here. That configuration you downloaded is meant to be deployed in only one machine. The configuration essentially says the following: there is an AS, with ID ffaa:1:22a, inside ISD 18, with a certificate server reachable via IP in IP_of_your_machine, a border router that will talk to another border router located in ISD 18, AS ffaa:0:1202, interface some_interface. And some other descriptions of the other two services. This configuration is useful for your AS (your network) because you are specifying where those services are. Think of these services as essential services of your network, like in IP we have DHCP. In SCION we _need_ these 4 services.
Knowing this, if you re-deploy the configuration on another machine, two things will happen: you will duplicate services, and thus, for high availability, you will have to enumerate all of them (to synchronize their DBs, etc). The other thing is a critical error you will have in your border routers, as all of them will try to connect to the same point on the other side. Think of the border router as a physical cable connection to another IP router. In that cable, one end is nicely ending in one interface, but the other end is actually a bunch of them. That setting will not work and will cause several problems (we can go into details of this deployment if you are interested, but sure it won't work).


2.3. Now, I guess I cannot use the public IP addresses here because AS ffaa:1:22a configuration only allows OpenVPN (please see the picture below for my AS ffaa:1:22a configuration). But I guess this is resolvable by using OpenVPN setup instead of public IP setup on these 3 VMs using this tutorial: https://netsec-ethz.github.io/scion-tutorials/general_scion_configuration/vpn_setup/.

2.4. However, there's another problem, these VMs are running SCION native, but the AS configuration is only for 'Install inside a virtual machine'. I totally have no idea about what I should do next here. 

To be honest, I think the installation instruction is quite vague for newbie like me (no offense), so I don't even know if I'm following the right steps or not, they are pretty much just my guess. Therefore, I'd really appreciate it if you could tell if I'm doing it right or not and also help me with my question.

AS-ffaa122a.PNG

 
No offense taken. Some concepts that we use are a bit difficult in essence. Anyways, you can of course deploy SCION services natively, not only in a VM. There is an option for dedicated machines, and we also have tutorials for them.
I believe your setting should be done configuring your ffaa:1:22a to be deployed in a dedicated machine with public IP, then tested. After it works, you can deploy the other two endpoints to allow them to also talk to the SCIONLab network using your services.


I'm very sorry for keeping bugging you with long question.
Once again, thank you for your time and help!

Please send me a PM at juan.garcia @ inf.ethz.ch and we can arrange a Skype session or Google Hangouts if you find it more convenient. We will, in the near future, add screencasts of many typical deployments, but we don't have them yet.
I hope all this sheds some light. Please update us with your progress.
Best regards,

Juan A.

Nygneu

Dec 5, 2018, 11:13:20 PM
to SCION community
Hello Juan, I've sent you an email. Thank you very much!


Minh

Dec 10, 2018, 2:16:37 PM
to SCION community
Hi Juan,

Thanks to your help, I've successfully deployed 2 SCION hosts that attach to 2 ASes, one is 17-ffaa:1:bc3 (let's call it 'host17') and the other one is 18-ffaa:1:22a ('host18'). I've also pingpong-ed 'host17' to 'host18' and vice versa and it showed the connection between them, please see the picture below.

Screenshot from 2018-12-10 14-00-38.png


Next, I've also successfully connected 2 endhosts to these hosts, let's call them 'endhost17' (connect to 'host17') and 'endhost18' (connect to 'host18') respectively. Please see the pictures below.

Screenshot from 2018-12-10 14-09-43.png

Screenshot from 2018-12-10 14-09-56.png


I have some questions:

1. How can I test the connection between 'endhost17' and 'endhost18'? I've tried 'pingpong' but it didn't work, or maybe I used it the wrong way.

2. If I deploy an apache web server on 'endhost17', how could I access to that website thru SCION traffic from 'endhost18' via web browsers or lynx?

Once again, thank you very much for your time and help!
Best regards,

- M

Juan A. Garcia Pardo

Dec 11, 2018, 4:10:29 AM
to SCION community
Hi Minh,
Nice that you have them working.
One way to do it would be with SCMP (analogous protocol to ICMP but in SCION). You would run something like `scmp echo -local 18-ffaa:1:bc3,[ip_of_endhost18] -remote 18-ffaa:0:1202,[128.105.21.208]`
You can replace "18-ffaa:0:1202,[128.105.21.208]" with any SCION address of a running system (look for some of them in our tutorials as well). SCMP uses only the control plane.
For the data plane, you can of course deploy a `pingpong` server in every machine you want. The pingpong example application uses QUIC, and it's also a nice starting point for development. For instance, according to our tutorial on
we run four pingpong servers for convenience. The one in 18-ffaa:0:1202 runs like this: `./bin/pingpong -mode server -local 18-ffaa:0:1202,[128.105.21.208]:40002`
Just run your own servers modifying the parameters accordingly. You could run one per AS (then 2 in total), or per machine (then 4 in total), or even many per machine.
Another possibility in the data plane is to run `bwtestclient`, or even to deploy your own `bwtestserver` as well:  https://netsec-ethz.github.io/scion-tutorials/sample_projects/bwtester/
And of course, you could write your own. If that tickles you, I'd start from https://github.com/netsec-ethz/scion-apps/tree/master/helloworld
In that repository we also have a recent HTTP client/server library and client app, and other goodies.
Thanks and best regards,

Juan A.
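
An added example, not part of the original thread: a small checker for the `ISD-AS,[IP]:port` strings passed as `-local` and `-remote` above. It handles only the hex AS notation seen in this thread; the function names are hypothetical and the sample inputs are constructed.

```python
import ipaddress
import re

# "ISD-AS,[IP]" with an optional ":port", the shape of the -local/-remote values above.
ADDR_RE = re.compile(r"^(\d+)-([0-9a-fA-F:]+),\[([^\]]*)\](?::(\d+))?$")


def parse_scion_addr(text):
    """Return (isd, as_id, ip, port); raise ValueError if the string is malformed."""
    m = ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"expected ISD-AS,[IP][:port], got {text!r}")
    isd = int(m.group(1))
    if not 1 <= isd <= 0xFFFF:
        raise ValueError(f"ISD {isd} is outside 1..65535")
    groups = m.group(2).split(":")
    # Hex AS notation as in ffaa:1:22a: three groups of one to four hex digits.
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"AS {m.group(2)!r} is not three hex groups")
    as_id = ":".join(format(int(g, 16), "x") for g in groups)
    try:
        ip = ipaddress.ip_address(m.group(3))
    except ValueError:
        raise ValueError(
            f"{m.group(3)!r} is not an IP address (placeholder left in?)"
        ) from None
    port = int(m.group(4)) if m.group(4) else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1..65535")
    return isd, as_id, ip, port


def check_local(local, own_isd_as):
    """List the problems with a -local value used on a machine inside own_isd_as."""
    try:
        isd, as_id, _ip, _port = parse_scion_addr(local)
    except ValueError as exc:
        return [str(exc)]
    if f"{isd}-{as_id}" != own_isd_as.lower():
        return [f"-local names {isd}-{as_id}, but this machine is in {own_isd_as}"]
    return []


if __name__ == "__main__":
    own = "18-ffaa:1:22a"  # AS of host18/endhost18 as stated in the thread
    samples = [  # constructed inputs; 192.0.2.18 is a documentation address
        "18-ffaa:1:22a,[192.0.2.18]",
        "18-ffaa:1:22a,[ip_of_endhost18]",
        "17-ffaa:1:22a,[192.0.2.18]",
    ]
    for s in samples:
        print(s, "->", check_local(s, own) or "ok")
```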

Minh

Dec 14, 2018, 1:43:22 PM
to SCION community
I'm sorry for the late reply. The last couple of days have been so hectic to me 'cause I was neck deep in some finals and stuff. Anyway, thank you for your help but I still have some questions. And hopefully, this would be the last time I have to bug you.

Here's the big picture of my setup:

Screenshot from 2018-12-14 13-21-16.png

Now, from 'host-18', I can pingpong to 'host-17' and vice versa.

Screenshot from 2018-12-14 12-53-14.png


Also, from 'endhost-17' and 'endhost-18', I can scmp to 'host-17' and 'host-18' respectively (below picture).

Screenshot from 2018-12-14 13-06-11.png


Question 1: However, I cannot scmp as you instructed. I was wondering if there is anything wrong in the command?

Screenshot from 2018-12-14 13-17-41.png


Question 2: Plus, I'd like to know if there is a way to pingpong or scmp from 'endhost-17' to 'endhost-18'. I've been trying every possible way but nothing came out correctly.

Once again, I'm very sorry for bugging you the last two weeks and thank you very much for your time and help!
Best Regards and Happy Holidays!

- M

FR4NK

Dec 21, 2018, 1:14:58 PM
to SCION community
Dear Nygneu

Can you re-upload your screenshots or copy-paste the relevant logs?
We only see the filenames of the screenshots in your last post.

For 1. Make sure you are using the right endhost address.

For 2. Did you try to run the applications in interactive mode with the `-i` flag?
Do you get paths in return?

Merry Christmas to you

Minh

Dec 21, 2018, 2:29:54 PM
to SCION community
Hello Frank,

So here's the big picture of my setup:

Screenshot from 2018-12-14 13-21-16.png

Picture 1.


From 'host-18', I can pingpong to 'host-17' and vice versa.

host-to-host.png

Picture 2.


Also, from 'endhost-17' and 'endhost-18', I can scmp to 'host-17' and 'host-18' respectively.

host-to-endhost.png

Picture 3.


I have 2 questions:

Question 1: I could not 'scmp' as Juan had instructed me. So I was wondering if there is anything wrong in the command below (Picture 4 below)? I'm pretty sure I was using the right endhost address since I could 'scmp' from endhost to host (please see Picture 3 above).

Screenshot from 2018-12-14 13-17-41.png

Picture 4.


Question 2: I'd like to know if there is a way to pingpong or scmp or any way to check the connection from 'endhost-17' to 'endhost-18'. I haven't set the mode '-i', can you please show me how to do that?

Thank you very much,
Happy Holidays,

- M

Juan A. Garcia Pardo

Jan 7, 2019, 8:16:06 AM
to SCION community
Hi Minh,
We will independently fix the configuration for the ISD 17 (you have two machines there) and then ISD 18 (two more machines).
From your tests, it seems the problem is in the "Endhost-*" computers. Since we know --also from your tests-- that your "Host-*" computers work okay, let's debug the configuration for "Endhost-17". What I suggest is that you send us your gen folder compressed (please remove the contents of every keys/ folder) OR the topology file `topology.json` and the output of `tree $SC/gen`
From that we will be able to find out if the configuration looks okay or not, and should be fairly quick to check.
Thanks and best regards,

Juan A.
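
An added example, not part of the original thread: one way to compress a gen folder for sharing while leaving out the contents of every `keys/` directory, as requested above, and to confirm the archive holds no key material before it is sent. The function names are hypothetical, and the sample directory and file names are constructed stand-ins for a real `$SC/gen`.

```python
import os
import tarfile
import tempfile


def under_keys(name):
    """True for an archive path that lies below a directory named 'keys'."""
    return "keys" in name.split("/")[:-1]


def pack_gen_without_keys(gen_dir, out_path):
    """Archive gen_dir as .tar.gz without the contents of any keys/ directory.

    Returns the archive paths that were left out, so the sender can review them.
    """
    skipped = []

    def drop_key_material(info):
        if under_keys(info.name):
            skipped.append(info.name)
            return None  # tarfile omits the entry (and, for a directory, its subtree)
        return info

    root = os.path.basename(os.path.normpath(gen_dir))
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(gen_dir, arcname=root, filter=drop_key_material)
    return sorted(skipped)


def archive_names(path):
    """Names stored in the archive, for a final check before sending it."""
    with tarfile.open(path, "r:gz") as tar:
        return sorted(tar.getnames())


def build_sample_gen(base):
    """Constructed stand-in for $SC/gen; directory and file names are assumptions."""
    files = {
        "gen/ISD18/ASffaa_1_22a/endhost/topology.json": "{}",
        "gen/ISD18/ASffaa_1_22a/endhost/keys/as-sig.seed": "constructed-secret",
        "gen/ISD18/ASffaa_1_22a/br-1/topology.json": "{}",
        "gen/ISD18/ASffaa_1_22a/br-1/keys/master0.key": "constructed-secret",
    }
    for rel, text in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    return os.path.join(base, "gen")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "gen-share.tar.gz")
        print("left out:", pack_gen_without_keys(build_sample_gen(tmp), out))
        names = archive_names(out)
        assert not any(under_keys(n) for n in names), "key material in archive"
        print("\n".join(names))
```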

Minh

Jan 19, 2019, 7:21:08 AM
to SCION community
Hello Juan,

I got it.

Once again, thank you very much for your time and help!

Best Regards,

- M