Difference between revisions of "IKEv2 Interop testing with OpenBSD"

(Some changes)
Line 1: Line 1:
 
== Introduction ==
 
== Introduction ==
  
IPSec standards are produced and maintained by [https://ietf.org/ IEFT] which are implemented by many software including Libreswan. IKED is one such native implementation of IPSec v2 on OpenBSD. My project’s goal is to perform Interop tests where one end is Libreswan on Linux(Fedora) and the other is the native IKE daemon on OpenBSD.
+
IPSec standards are produced and maintained by [https://ietf.org/ IEFT] which are implemented by many software including Libreswan. IKED is one such native implementation of [https://tools.ietf.org/html/rfc7296 IKEv2] on OpenBSD. My project’s purpose is to enable Interop tests where one end is Libreswan on Linux and the other is the native IKE daemon on OpenBSD. This helps us test Linux kernel to BSD kernel and understand several issues with Linux when inter-operating with *nix like Operating Systems.
 
+
  
 
== Implementation ==
 
== Implementation ==
*Perform a Non-interactive OpenBSD installation
+
*Perform a Non-interactive OpenBSD Base installation
OpenBSD’s autoinstall allows unattended installation by automatically responding to installer questions with answers from a response file([https://man.openbsd.org/autoinstall.8 auto_install.conf]). But this introduces additional complexities into the testing system. So I have come with a Python’s pexpect script which adds install.conf file(which consists of answers to default questions) into the OpenBSD iso and perform’s the installation by taking the values from that file.  
+
OpenBSD’s autoinstall allows unattended installation by automatically responding to installer questions with answers through a response file([https://man.openbsd.org/autoinstall.8 auto_install.conf]). But this introduces additional complexities into the testing system. To solve this, I have written a pexpect script using python which adds install.conf
*Mounting directory over NFS
+
(which consists of answers to default questions) into the OpenBSD iso and perform’s the installation by taking the values from that file.  
With OpenBSD running as Virtual Machine, to mount the testing directory via QEMU we need to use the 9p File System. But, qemu's 9p is not the same as plan 9's 9p(only software that can be used to mount 9p FS on OpenBSD) since plan 9's 9p is 9p2000 which transports a subset of plan 9 system calls over the network while qemu's 9p is 9p2000.L transports a subset of Linux system calls over the network. So we have to serve files over NFS to mount the testing directory on OpenBSD.
+
 
*Cloning them as openbsde (OpenBSD East) and openbsdw (OpenBSD West)
+
*Mounting the testing directory over NFS:
 +
 
 +
The Libreswan’s testing system uses a 9P File System with Libvirt/Qemu to mount the testing directory. As 9P support is constrained in OpenBSD, I had to fall back to use the NFS mount. This required changes in the Libreswan testing infrastructure to provide support for NFS server.
 +
 
 +
*Cloning them as openbsde (OpenBSD East) and openbsdw (OpenBSD West) domains
 +
 
 
Initially, we create a base image called OpenBSD-base and then clone it as OpenBSD East(openbsde) and OpenBSD(openbsdw).
 
Initially, we create a base image called OpenBSD-base and then clone it as OpenBSD East(openbsde) and OpenBSD(openbsdw).
 +
 
*Adding additional tests
 
*Adding additional tests
 +
 
Writing of additional tests to perform interoperability tests between Libreswan on one end and OpenBSD’s IKED daemon on the other end.
 
Writing of additional tests to perform interoperability tests between Libreswan on one end and OpenBSD’s IKED daemon on the other end.
 
  
 
== Issues encountered ==
 
== Issues encountered ==
OpenBSD’s documentation is very incomprehensible on how to automatically perform non-interactive installation. Further, I wasn’t able to find any resources on how to mount a 9P File System on an OpenBSD VM, and there exists only one project called Plan9port which kinda supports 9PFS but not which is supported by QEMU.
+
*OpenBSD’s documentation is very incomprehensible on how to automatically perform the non-interactive installation.
  
== Further Work ==
+
*To mount the 9P File system on OpenBSD, we need to install a port called Plan9port which doesn't work with Qemu. This is because Qemu's 9p is not the same as Plan9port. Plan 9's 9p is 9p2000 which transports a subset of plan 9 system calls over the network while Qemu's 9p is 9p2000.L transports a subset of Linux system calls over the network. It took me a week to get this minute difference.
  
*Adding additional tests to the testing system which involve shared certificate and more complex operations.
+
*When the NFS server was up and running, I was not able to figure out why the NFS mount wasn’t working with OpenBSD. After a thorough analysis of Network packets using TCP Dump, I was able to infer that Fedora’s Firewall was blocking the Packets. I disabled the firewall to make the NFS mount work as intended. This was challenging as it was difficult to figure out whether the issue was with OpenBSD or Linux.
*Installing Libreswan on OpenBSD and performing tests between Libreswan on OpenBSD with Libreswan on Linux(Fedora).
+
*Adding a dedicated test network subnet to the test networks to exclusively serve NFS mount for OpenBSD systems (suggested).
+
  
 +
== Possible Future Work ==
 +
 +
*Including additional tests to the testing system which involve shared certificate and more complex operations.
 +
*Porting Libreswan to OpenBSD
 +
*Performing Interop tests between Libreswan on OpenBSD with Libreswan on Linux.
 +
*Adding a dedicated test network subnet to the test networks to exclusively serve NFS mount for OpenBSD systems (suggested).
  
 
== Source code ==
 
== Source code ==
Code Status: Development completed(to fix some minor issues) and to be released in the upcoming version.
+
Code Status: Development completed (yet to fix some minor issues) and to be released in the upcoming version.
  
Repository Link - [https://github.com/ravitejacms/libreswan https://github.com/ravitejacms/libreswan]
+
Commits:
  
This project work was sponsored by Google as part of the [https://summerofcode.withgoogle.com/ Google Summer of Code] 2020 Program. The implementation for this project is done by [https://github.com/RaviTejaCMS Ravi Teja](hello@rtcms.dev) under the guidance of Paul Wouters, Tuomo Soini, and Andrew Cagney.
+
Add required OpenBSD files to the test system - [https://github.com/RaviTejaCMS/libreswan/commit/fc146e39a53c1090c724d7361b9374d632822d65 https://github.com/RaviTejaCMS/libreswan/commit/fc146e39a53c1090c724d7361b9374d632822d65]
  
 +
OpenBSD installation using Make - [https://github.com/RaviTejaCMS/libreswan/commit/a7c39f2249915ba53e4f3d1e6ffa73821d3e3bb6 https://github.com/RaviTejaCMS/libreswan/commit/a7c39f2249915ba53e4f3d1e6ffa73821d3e3bb6]
  
 +
Interop Tests -
 +
[https://github.com/RaviTejaCMS/libreswan/commit/144636ab92a16a1aefecd3fdf9df3f8bd032eecf https://github.com/RaviTejaCMS/libreswan/commit/144636ab92a16a1aefecd3fdf9df3f8bd032eecf]
 +
 +
This project work was sponsored by Google as part of the [https://summerofcode.withgoogle.com/ Google Summer of Code] 2020 Program. The implementation for this project is done by [https://github.com/RaviTejaCMS Ravi Teja](hello@rtcms.dev) under the guidance of Paul Wouters, Tuomo Soini, and Andrew Cagney.
  
 
== License ==
 
== License ==
  
 
This project is Licensed under [https://github.com/libreswan/libreswan/blob/master/LICENSE GNU General Public License v2.0].
 
This project is Licensed under [https://github.com/libreswan/libreswan/blob/master/LICENSE GNU General Public License v2.0].
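Review bot: The new "Issues encountered" bullet on the NFS mount records that Fedora's firewall was disabled to get the mount working, but does not say whether test hosts are meant to stay that way. Since the revision also suggests a dedicated test subnet for NFS, consider stating that only the NFS-related services need to be allowed on that network. Two smaller points: the rewritten introduction still spells the standards body "IEFT" while linking to ietf.org, and replacing the "Repository Link" line with three commit links leaves no pointer to the repository itself.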

Revision as of 15:05, 28 August 2020

Introduction

IPsec standards are produced and maintained by the IETF and are implemented by many software packages, including Libreswan. IKED is one such native implementation of IKEv2 on OpenBSD. My project’s purpose is to enable interop tests where one end is Libreswan on Linux and the other is the native IKE daemon on OpenBSD. This helps us test the Linux kernel against the BSD kernel and understand several issues with Linux when interoperating with *nix-like operating systems.

Implementation

  • Perform a Non-interactive OpenBSD Base installation

OpenBSD’s autoinstall allows unattended installation by automatically answering the installer's questions from a response file (auto_install.conf). But this introduces additional complexities into the testing system. To solve this, I have written a pexpect script in Python which adds an install.conf file (which consists of answers to the default questions) to the OpenBSD ISO and performs the installation by taking the values from that file.
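Because the response file is baked into the ISO, any password it carries travels with the image. The following is an added example, not the project's pexpect script: a small parser and audit for an install.conf. The question texts, the sample answers and the assumption that the installer accepts a bcrypt string or thirteen asterisks in place of a plaintext password are mine, modelled on autoinstall(8).

```python
import re

# bcrypt string as produced by OpenBSD encrypt(1): $2b$<cost>$ + 53 characters.
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
NO_PASSWORD_LOGIN = "*" * 13  # assumed placeholder that disables password login

def parse_install_conf(text):
    """Parse 'question = answer' lines into a dict keyed by lower-cased question."""
    answers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        question, sep, answer = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'question = answer' line: {raw!r}")
        answers[question.strip().lower()] = answer.strip()
    return answers

def audit(answers):
    """Return one finding per answer that leaves a secret or weak login in the image."""
    findings = []
    for question, answer in answers.items():
        if question.startswith("password for"):
            if not BCRYPT.match(answer) and answer != NO_PASSWORD_LOGIN:
                findings.append(f"{question}: plaintext password in response file")
        elif question == "allow root ssh login" and answer.lower() == "yes":
            findings.append(f"{question}: root may log in over SSH with a password")
    return findings

# Constructed response file; question texts are assumptions modelled on autoinstall(8).
WEAK = """\
System hostname = openbsd-base
Password for root = swan-test
Allow root ssh login = yes
What timezone are you in = UTC
"""
# Same file with a constructed placeholder hash (not a real digest) and key-only root SSH.
HARDENED = (WEAK.replace("swan-test", "$2b$10$" + "A" * 53)
                .replace("login = yes", "login = prohibit-password"))

if __name__ == "__main__":
    print(audit(parse_install_conf(WEAK)))
    print(audit(parse_install_conf(HARDENED)))
```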

  • Mounting the testing directory over NFS:

Libreswan’s testing system uses a 9P file system with Libvirt/QEMU to mount the testing directory. As 9P support is constrained in OpenBSD, I had to fall back to using an NFS mount. This required changes in the Libreswan testing infrastructure to provide support for an NFS server.

  • Cloning them as openbsde (OpenBSD East) and openbsdw (OpenBSD West) domains

Initially, we create a base image called OpenBSD-base and then clone it as OpenBSD East (openbsde) and OpenBSD West (openbsdw).

  • Adding additional tests

Writing additional tests that exercise interoperability between Libreswan on one end and OpenBSD’s IKED daemon on the other end.

Issues encountered

  • OpenBSD’s documentation is very incomprehensible on how to automatically perform the non-interactive installation.
  • To mount the 9P file system on OpenBSD, we need to install a port called Plan9port, which doesn't work with QEMU. This is because QEMU's 9p is not the same as Plan9port's. Plan 9's 9p is 9p2000, which transports a subset of Plan 9 system calls over the network, while QEMU's 9p is 9p2000.L, which transports a subset of Linux system calls over the network. It took me a week to get this minute difference.
  • When the NFS server was up and running, I was not able to figure out why the NFS mount wasn’t working with OpenBSD. After a thorough analysis of network packets using tcpdump, I was able to infer that Fedora’s firewall was blocking the packets. I disabled the firewall to make the NFS mount work as intended. This was challenging as it was difficult to figure out whether the issue was with OpenBSD or Linux.
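The tcpdump triage described in the last bullet can be automated. This is an added example, not code from the project: it reads text-mode tcpdump lines and names the NFS-related services whose requests the server's firewall rejected. The addresses, the capture lines, the port-to-service table (Fedora's firewalld service names, mountd on 20048) and the reliance on ICMP "admin prohibited" replies are assumptions.

```python
import re

# Ports an NFSv3 mount touches on the server, with the firewalld service that
# opens each (assumed Fedora defaults; mountd on 20048 is an assumption).
NFS_PORTS = {111: "rpc-bind", 2049: "nfs", 20048: "mountd"}

ICMP_REJECT = re.compile(r"IP (\S+) > \S+: ICMP .*admin prohibited")
PACKET = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): ")

def rejected_nfs_services(capture, server):
    """Name the NFS services whose requests the server's firewall rejected.

    A port counts as rejected when the client sent to it, nothing ever came
    back from it, and the server emitted an ICMP admin-prohibited error.
    A closed but unfiltered port answers with a TCP RST instead, so it is
    not reported here.
    """
    requested, answered, reject_seen = set(), set(), False
    for line in capture.splitlines():
        icmp = ICMP_REJECT.search(line)
        if icmp:
            reject_seen = reject_seen or icmp.group(1) == server
            continue
        pkt = PACKET.search(line)
        if not pkt:
            continue
        src, sport, dst, dport = pkt.groups()
        if dst == server:
            requested.add(int(dport))
        elif src == server:
            answered.add(int(sport))
    if not reject_seen:
        return []
    return sorted(NFS_PORTS[p] for p in requested - answered if p in NFS_PORTS)

# Constructed capture: 192.0.2.45 is the OpenBSD guest, 192.0.2.254 the Fedora host.
CAPTURE = """\
10:15:01.100 IP 192.0.2.45.812 > 192.0.2.254.111: Flags [S], seq 1, win 16384, length 0
10:15:01.101 IP 192.0.2.254 > 192.0.2.45: ICMP host 192.0.2.254 unreachable - admin prohibited, length 72
10:15:03.400 IP 192.0.2.45.40112 > 192.0.2.254.22: Flags [S], seq 9, win 16384, length 0
10:15:03.401 IP 192.0.2.254.22 > 192.0.2.45.40112: Flags [S.], seq 5, ack 10, win 64240, length 0
"""

if __name__ == "__main__":
    print(rejected_nfs_services(CAPTURE, "192.0.2.254"))
```

The names it reports are the ones to allow with `firewall-cmd --add-service` on the zone carrying the test network, which keeps the rest of the firewall in place.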

Possible Future Work

  • Including additional tests in the testing system that involve shared certificates and more complex operations.
  • Porting Libreswan to OpenBSD
  • Performing interop tests between Libreswan on OpenBSD and Libreswan on Linux.
  • Adding a dedicated test network subnet to the test networks to exclusively serve NFS mount for OpenBSD systems (suggested).

Source code

Code Status: Development completed (yet to fix some minor issues) and to be released in the upcoming version.

Commits:

Add required OpenBSD files to the test system - https://github.com/RaviTejaCMS/libreswan/commit/fc146e39a53c1090c724d7361b9374d632822d65

OpenBSD installation using Make - https://github.com/RaviTejaCMS/libreswan/commit/a7c39f2249915ba53e4f3d1e6ffa73821d3e3bb6

Interop Tests - https://github.com/RaviTejaCMS/libreswan/commit/144636ab92a16a1aefecd3fdf9df3f8bd032eecf

This project work was sponsored by Google as part of the Google Summer of Code 2020 Program. The implementation for this project was done by Ravi Teja (hello@rtcms.dev) under the guidance of Paul Wouters, Tuomo Soini, and Andrew Cagney.

License

This project is licensed under GNU General Public License v2.0.