Partially-implements: #111
mkowalski committed Oct 30, 2019
1 parent 30b367c commit f73af66
Showing 6 changed files with 105 additions and 51 deletions.
49 changes: 28 additions & 21 deletions content/faq/join_infrastructure.md
Expand Up @@ -3,40 +3,47 @@
If you are part of an organization and/or you are committed to do research with SCION, and using user ASes is not enough for your plans, then you could join SCIONLab with a dedicated host. We have compiled a short guide to document the requirements.
You can join the SCIONLab network as an infrastructure AS with one or more machines, or you can start as small as dedicating only a simple commodity PC.

!!! Danger "Attention needed"

This page is supposed to give you a general overview over joining as a part of the infrastructure. In any case, if you are interested in joining, please [contact us directly](../index.md#contact).

## Procedure

- Get in contact with us. Send us an email to <[email protected]> telling us you want to join the infrastructure.
- Once the node(s) are ready, create a user with the name `scionlab` and permission to run `sudo`. Grant the SCIONLab admins `ssh` access to the machine via a key for that `scionlab` user.
- The SCIONLab admins will perform some measurements to find the appropriate neighbors to your AS. We will notify you of the result.
- Once the neighboring ASes have been decided, the administrators will install the necessary services of SCION and monitoring. This is typically done by us using `Ansible`. We deploy the configuration of the node(s) in the AS at the same time.
- [Get in contact with us](../index.md#contact) telling you want to join the infrastructure.
- Once the node(s) are ready on your side, create a `scionlab` user with full `sudo` rights and access for the SCIONLab team.
- The SCIONLab admins will perform measurements to find the most appropriate neighbors to your AS. We will notify you of the result.
- Once the neighboring ASes have been decided, the administrators will install SCION services and configure monitoring for the node(s).
- Your AS is now connected to the infrastructure of SCIONLab and hosts within your network now have direct access to SCIONLab.

Once the node(s) are part of the SCIONLab infrastructure, their configuration will be centrally managed via Ansible in order to keep the whole infrastructure in the best shape. You will not be required to take any action as long as the machine remains accessible for us.

## Requirements

There are a few requirements for you or your organization to join SCIONLab as an infrastructure node:

- Infrastructure ASes and nodes are required to be active 24 hours a day, 7 days a week. The SCIONLab administrators can typically handle all SCION related problems, but sometimes they will contact you if they cannot perform certain tasks. An example would be to change a drive if it failed, etc.
- The machine should have a minimum of 4 GB of RAM. A VM can suffice, given sufficient resources.
- Currently the SCION code works with Ubuntu 16.04.
- The border router node(s) must have a public static IP.
- The following ports need to be accessible:
- For each configured SCION inter-domain connection one UDP port for SCION inter-domain traffic, preferrably in the 50000~50010 range.<br>
Preferrably, these ports should be open for any source IP, as this simplifies changing the SCIONLab topology. However, we can provide the specific allowed source IP for each port if necessary.<br>
As the SCION border routers send a continuous trickle of keep-alive messages, it may be enough if a firewall allows return traffic to the same port.
- SSH access for management of the node by the SCIONLab-team:<br>
TCP 22: source 192.33.96.0/20, 192.33.88.0/21, 192.33.87.0/24, 54.176.0.0/12

As an alternative, we can also operate the connections over a tunnel, e.g. OpenVPN, Wireguard or SSH tunnels.
- The machine should have a minimum of 4 CPUs, 8 GB of RAM and 40 GB of disk space. In most of the cases a VM can suffice.
- OS for the SCION infrastructure node must be Ubuntu 18.04.
- The border router node(s) must have a public static IP. Any other SCION services can run with private static IP.
- Firewall has to be configured according to the connectivity matrix below.

## Connectivity requirements

| Protocol | Port | Source | Comment |
| :------------- | :----------: | :-----------: | -----------: |
| UDP | 50000--50010 | 0.0.0.0/0 | SCION inter-AS connectivity |
| UDP | 30000 - 35000 | machines in the same SCION AS | SCION intra-AS connectivity |
| TCP | 22 | 82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24 | Administrative SSH access for configuration management |

!!! note
Inter-AS connectivity is required only with the neighbouring ASes. In order to allow dynamic topology adjustments we recommend firewall opening for 0.0.0.0/0. In most cases, after determining the best neighbours for your AS, we can provide a narrowed-down list of networks.

!!! note
As an alternative we can also operate connections over a tunnel, e.g. OpenVPN or Wireguard. However please note this will be done only in a special scenarios, e.g. installing a node in a country with strict network policy regarding connectivity abroad. In that case UDP connectivity can be stricter, but inbound SSH connectivity from networks listed above must work.

### Recommendations

The following are not requirements, but recommendations:

- The border router should be near (latency wise) the IP border of your AS or organization.
- Co-locating the node or nodes in your datacenter is usually a good idea in terms of network latency.
- To join the SCION network, we have a specific hardware recommendation: [HP Proliant DL20 gen9](https://www.hpe.com/us/en/product-catalog/servers/proliant-servers/pip.specifications.hpe-proliant-dl20-gen9-server.1008556817.html).
We further customize the machine with additional 8G ECC Ram and SSD, but a regular HDD also works.
- Instead of a blade type server machine, a regular PC with a similar spec works as well.

- The border router should be near (latency-wise) the IP border of your AS or organization.
- Co-locating the nodes in your datacenter is usually a good idea as it reduces network latency.
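
Review bot: The rewritten second Procedure bullet ("create a `scionlab` user with full `sudo` rights and access for the SCIONLab team") no longer says how that access is granted, whereas the bullet it replaces required `ssh` access via a key for the `scionlab` user. Since this account has full sudo and TCP 22 is opened to the listed networks, state explicitly that access is by SSH public key. In the connectivity table, the UDP 50000--50010 row gives 0.0.0.0/0 as the source while the note below it calls that a recommendation that can be narrowed to the neighbouring ASes; say so in that row's Comment so the table is not read as requiring an open source range. Minor: `192.33.92.0/24` and `192.33.93.0/24` can be written as `192.33.92.0/23`, and there are wording slips in "telling you want to join" and "in a special scenarios".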
7 changes: 4 additions & 3 deletions content/index.md
Expand Up @@ -84,6 +84,7 @@ In order to simplify the management of ASes and lower the entry-barrier for part

## Contact

* For questions on running your SCIONLab AS and general discussion about SCION-related topics, visit our [SCION community mailing list](https://lists.inf.ethz.ch/mailman/listinfo/scion)
* For bug reports, please post them on the [scionlab GitHub site](https://github.com/netsec-ethz/scionlab)
* For suggestion on these pages, please post them on the [scion-tutorials GitHub site](https://github.com/netsec-ethz/scion-tutorials)
* For questions on running your SCIONLab AS and discussion about SCION-related topics, visit our [SCION community mailing list](https://lists.inf.ethz.ch/mailman/listinfo/scion)
* For suggestions or bugs on these pages, please post them on the [tutorial GitHub repo](https://github.com/netsec-ethz/scion-tutorials)
* For bug reports when running SCION, please post them on the [SCIONLab GitHub repo](https://github.com/netsec-ethz/scionlab)
* SCIONLab NOC is available via email <[email protected]>
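
Review bot: The new NOC bullet at the end of the Contact list does not say what the address is for, and join_infrastructure.md in this same commit now sends prospective infrastructure operators to this section ("Get in contact with us") instead of naming an address. Say in this bullet that infrastructure join requests go to the NOC address, otherwise readers have four channels to choose from. Minor: "For suggestions or bugs on these pages, please post them on" reads awkwardly; "Report suggestions or bugs for these pages on" is cleaner.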
91 changes: 68 additions & 23 deletions docs/faq/join_infrastructure/index.html
Expand Up @@ -589,6 +589,13 @@
Requirements
</a>

</li>

<li class="md-nav__item">
<a href="#connectivity-requirements" title="Connectivity requirements" class="md-nav__link">
Connectivity requirements
</a>

<nav class="md-nav">
<ul class="md-nav__list">

Expand Down Expand Up @@ -688,6 +695,13 @@
Requirements
</a>

</li>

<li class="md-nav__item">
<a href="#connectivity-requirements" title="Connectivity requirements" class="md-nav__link">
Connectivity requirements
</a>

<nav class="md-nav">
<ul class="md-nav__list">

Expand Down Expand Up @@ -723,41 +737,72 @@
<h1 id="joining-the-scionlab-infrastructure">Joining the SCIONLab infrastructure<a class="headerlink" href="#joining-the-scionlab-infrastructure" title="Permanent link">&para;</a></h1>
<p>If you are part of an organization and/or you are committed to do research with SCION, and using user ASes is not enough for your plans, then you could join SCIONLab with a dedicated host. We have compiled a short guide to document the requirements.
You can join the SCIONLab network as an infrastructure AS with one or more machines, or you can start as small as dedicating only a simple commodity PC.</p>
<div class="admonition danger">
<p class="admonition-title">Attention needed</p>
<p>This page is supposed to give you a general overview over joining as a part of the infrastructure. In any case, if you are interested in joining, please <a href="../..#contact">contact us directly</a>.</p>
</div>
<h2 id="procedure">Procedure<a class="headerlink" href="#procedure" title="Permanent link">&para;</a></h2>
<ul>
<li>Get in contact with us. Send us an email to <a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#99;&#105;&#111;&#110;&#108;&#97;&#98;&#45;&#97;&#100;&#109;&#105;&#110;&#115;&#64;&#115;&#121;&#109;&#112;&#97;&#46;&#101;&#116;&#104;&#122;&#46;&#99;&#104;">&#115;&#99;&#105;&#111;&#110;&#108;&#97;&#98;&#45;&#97;&#100;&#109;&#105;&#110;&#115;&#64;&#115;&#121;&#109;&#112;&#97;&#46;&#101;&#116;&#104;&#122;&#46;&#99;&#104;</a> telling us you want to join the infrastructure.</li>
<li>Once the node(s) are ready, create a user with the name <code>scionlab</code> and permission to run <code>sudo</code>. Grant the SCIONLab admins <code>ssh</code> access to the machine via a key for that <code>scionlab</code> user.</li>
<li>The SCIONLab admins will perform some measurements to find the appropriate neighbors to your AS. We will notify you of the result.</li>
<li>Once the neighboring ASes have been decided, the administrators will install the necessary services of SCION and monitoring. This is typically done by us using <code>Ansible</code>. We deploy the configuration of the node(s) in the AS at the same time.</li>
<li><a href="../..#contact">Get in contact with us</a> telling you want to join the infrastructure.</li>
<li>Once the node(s) are ready on your side, create a <code>scionlab</code> user with full <code>sudo</code> rights and access for the SCIONLab team.</li>
<li>The SCIONLab admins will perform measurements to find the most appropriate neighbors to your AS. We will notify you of the result.</li>
<li>Once the neighboring ASes have been decided, the administrators will install SCION services and configure monitoring for the node(s).</li>
<li>Your AS is now connected to the infrastructure of SCIONLab and hosts within your network now have direct access to SCIONLab.</li>
</ul>
<p>Once the node(s) are part of the SCIONLab infrastructure, their configuration will be centrally managed via Ansible in order to keep the whole infrastructure in the best shape. You will not be required to take any action as long as the machine remains accessible for us.</p>
<h2 id="requirements">Requirements<a class="headerlink" href="#requirements" title="Permanent link">&para;</a></h2>
<p>There are a few requirements for you or your organization to join SCIONLab as an infrastructure node:</p>
<ul>
<li>Infrastructure ASes and nodes are required to be active 24 hours a day, 7 days a week. The SCIONLab administrators can typically handle all SCION related problems, but sometimes they will contact you if they cannot perform certain tasks. An example would be to change a drive if it failed, etc.</li>
<li>The machine should have a minimum of 4 GB of RAM. A VM can suffice, given sufficient resources.</li>
<li>Currently the SCION code works with Ubuntu 16.04.</li>
<li>The border router node(s) must have a public static IP.</li>
<li>
<p>The following ports need to be accessible:</p>
<ul>
<li>For each configured SCION inter-domain connection one UDP port for SCION inter-domain traffic, preferrably in the 50000~50010 range.<br>
Preferrably, these ports should be open for any source IP, as this simplifies changing the SCIONLab topology. However, we can provide the specific allowed source IP for each port if necessary.<br>
As the SCION border routers send a continuous trickle of keep-alive messages, it may be enough if a firewall allows return traffic to the same port.</li>
<li>SSH access for management of the node by the SCIONLab-team:<br>
TCP 22: source 192.33.96.0/20, 192.33.88.0/21, 192.33.87.0/24, 54.176.0.0/12</li>
</ul>
<p>As an alternative, we can also operate the connections over a tunnel, e.g. OpenVPN, Wireguard or SSH tunnels.</p>
</li>
<li>The machine should have a minimum of 4 CPUs, 8 GB of RAM and 40 GB of disk space. In most of the cases a VM can suffice.</li>
<li>OS for the SCION infrastructure node must be Ubuntu 18.04.</li>
<li>The border router node(s) must have a public static IP. Any other SCION services can run with private static IP.</li>
<li>Firewall has to be configured according to the connectivity matrix below.</li>
</ul>
<h2 id="connectivity-requirements">Connectivity requirements<a class="headerlink" href="#connectivity-requirements" title="Permanent link">&para;</a></h2>
<table>
<thead>
<tr>
<th align="left">Protocol</th>
<th align="center">Port</th>
<th align="center">Source</th>
<th align="right">Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">UDP</td>
<td align="center">50000--50010</td>
<td align="center">0.0.0.0/0</td>
<td align="right">SCION inter-AS connectivity</td>
</tr>
<tr>
<td align="left">UDP</td>
<td align="center">30000 - 35000</td>
<td align="center">machines in the same SCION AS</td>
<td align="right">SCION intra-AS connectivity</td>
</tr>
<tr>
<td align="left">TCP</td>
<td align="center">22</td>
<td align="center">82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24</td>
<td align="right">Administrative SSH access for configuration management</td>
</tr>
</tbody>
</table>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Inter-AS connectivity is required only with the neighbouring ASes. In order to allow dynamic topology adjustments we recommend firewall opening for 0.0.0.0/0. In most cases, after determining the best neighbours for your AS, we can provide a narrowed-down list of networks.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>As an alternative we can also operate connections over a tunnel, e.g. OpenVPN or Wireguard. However please note this will be done only in a special scenarios, e.g. installing a node in a country with strict network policy regarding connectivity abroad. In that case UDP connectivity can be stricter, but inbound SSH connectivity from networks listed above must work.</p>
</div>
<h3 id="recommendations">Recommendations<a class="headerlink" href="#recommendations" title="Permanent link">&para;</a></h3>
<p>The following are not requirements, but recommendations:</p>
<ul>
<li>The border router should be near (latency wise) the IP border of your AS or organization.</li>
<li>Co-locating the node or nodes in your datacenter is usually a good idea in terms of network latency.</li>
<li>To join the SCION network, we have a specific hardware recommendation: <a href="https://www.hpe.com/us/en/product-catalog/servers/proliant-servers/pip.specifications.hpe-proliant-dl20-gen9-server.1008556817.html">HP Proliant DL20 gen9</a>.
We further customize the machine with additional 8G ECC Ram and SSD, but a regular HDD also works.</li>
<li>Instead of a blade type server machine, a regular PC with a similar spec works as well.</li>
<li>The border router should be near (latency-wise) the IP border of your AS or organization.</li>
<li>Co-locating the nodes in your datacenter is usually a good idea as it reduces network latency.</li>
</ul>
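
Review bot: The rendered table cell `<td align="center">50000--50010</td>` shows that the `--` in the Markdown source is emitted literally rather than as a dash, and the next row uses `30000 - 35000`; pick one range notation in content/faq/join_infrastructure.md and regenerate. This file mirrors that Markdown page line for line and appears to be its build output, so the wording issues (for example "telling you want to join" in the first Procedure item) should be fixed in the source and not hand-edited here.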


7 changes: 4 additions & 3 deletions docs/index.html
Expand Up @@ -905,9 +905,10 @@ <h4 id="what-is-the-relation-of-scionlab-and-scion">What is the relation of SCIO
</ul>
<h2 id="contact">Contact<a class="headerlink" href="#contact" title="Permanent link">&para;</a></h2>
<ul>
<li>For questions on running your SCIONLab AS and general discussion about SCION-related topics, visit our <a href="https://lists.inf.ethz.ch/mailman/listinfo/scion">SCION community mailing list</a></li>
<li>For bug reports, please post them on the <a href="https://github.com/netsec-ethz/scionlab">scionlab GitHub site</a></li>
<li>For suggestion on these pages, please post them on the <a href="https://github.com/netsec-ethz/scion-tutorials">scion-tutorials GitHub site</a></li>
<li>For questions on running your SCIONLab AS and discussion about SCION-related topics, visit our <a href="https://lists.inf.ethz.ch/mailman/listinfo/scion">SCION community mailing list</a></li>
<li>For suggestions or bugs on these pages, please post them on the <a href="https://github.com/netsec-ethz/scion-tutorials">tutorial GitHub repo</a></li>
<li>For bug reports when running SCION, please post them on the <a href="https://github.com/netsec-ethz/scionlab">SCIONLab GitHub repo</a></li>
<li>SCIONLab NOC is available via email <a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#99;&#105;&#111;&#110;&#108;&#97;&#98;&#45;&#97;&#100;&#109;&#105;&#110;&#115;&#64;&#115;&#121;&#109;&#112;&#97;&#46;&#101;&#116;&#104;&#122;&#46;&#99;&#104;">&#115;&#99;&#105;&#111;&#110;&#108;&#97;&#98;&#45;&#97;&#100;&#109;&#105;&#110;&#115;&#64;&#115;&#121;&#109;&#112;&#97;&#46;&#101;&#116;&#104;&#122;&#46;&#99;&#104;</a></li>
</ul>


2 changes: 1 addition & 1 deletion docs/search/search_index.json

Large diffs are not rendered by default.

Binary file modified docs/sitemap.xml.gz
Binary file not shown.
