Tips for Using HIP with Some Applications

Using HIP Enabled Web Proxy

In the deployment phase, it is useful to set up a proxy server that translates TCP/IP traffic into HIP. For instance, this is convenient with http proxy servers: all http traffic between our host and the proxy server then benefits from the use of HIP.

First of all, you should have installed and properly configured your proxy server to employ HIP. This includes allowing HITs to connect to the server (settings in the httpd.conf file) and restarting httpd under HIP.

You have several options to enable the HIP proxy within Firefox. In the menu Edit/Preferences/Advanced/Connection Settings, you can choose one of the following:

Direct connection to the Internet: To disable the usage of any proxy.

Auto-detect proxy settings for this network: To enable the auto-detection feature, you should configure the wpad.dat file that is served by your proxy at the URL http://wpad.mynetwork.com/wpad.dat (or a similar one). The wpad.dat file should return the information about your HIP-enabled proxy server at the end of the function FindProxyForURL(url, host).

Manual proxy configuration: To enter the information about your HIP-enabled proxy server manually. You should also specify the port number.

Automatic proxy configuration URL: To use a wpad.dat file that is not located at the default URL http://wpad.mynetwork.com/wpad.dat. With this feature, you can store a wpad.dat file in some other location on your server and Firefox will fetch it from this URL.
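As an added example (not part of the HIPL manual), here is a minimal wpad.dat in PAC JavaScript that does what the options above describe. <HIT_OF_PROXY>, the port 3128 and the domain mynetwork.com are placeholders; the HIT test assumes the ORCHID prefix 2001:10::/28 of RFC 4843.

```javascript
// Added example, not from the HIPL manual: a minimal wpad.dat / PAC file that
// sends web traffic through a HIP-enabled proxy. <HIT_OF_PROXY> and the port
// 3128 are placeholders, to be replaced with the proxy's real HIT and port.
var HIP_PROXY = "PROXY [<HIT_OF_PROXY>]:3128";

// Own helpers with non-standard names, so the browser's built-in PAC
// functions (isPlainHostName, dnsDomainIs, ...) are not shadowed.
function hipIsPlainHost(host) {
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

function hipInDomain(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// True when host is an IPv6 literal inside the HIT (ORCHID) prefix
// 2001:10::/28 (RFC 4843, assumed here). Brackets, if present, are
// stripped; the second hextet must fall in 0x0010..0x001f.
function hipIsHit(host) {
  var h = host.replace(/^\[|\]$/g, "");
  var parts = h.split(":");
  if (parts.length < 3 || parts[0].toLowerCase() !== "2001") { return false; }
  var second = parseInt(parts[1], 16);
  return !isNaN(second) && second >= 0x10 && second <= 0x1f;
}

function FindProxyForURL(url, host) {
  // Hosts on our own network are reached directly.
  if (hipIsPlainHost(host) || hipInDomain(host, ".mynetwork.com")) {
    return "DIRECT";
  }
  // A destination that is already a HIT is a HIP connection by itself,
  // so the proxy is not needed.
  if (hipIsHit(host)) {
    return "DIRECT";
  }
  // Everything else goes through the HIP-enabled proxy. No "; DIRECT"
  // fallback is listed, so a proxy outage never silently downgrades the
  // traffic to a plain, non-HIP connection.
  return HIP_PROXY;
}
```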

Once you have the proxy server and Firefox ready, you can restart Firefox under HIP with the following command (please make sure that no other instances of Firefox are running at that time):

hipconf run normal|opp firefox

Sendmail and Spamassassin

Sendmail works fine with HIP after you enable IPv6 in sendmail. We did some experimentation with spamassassin to integrate it with HIP puzzle mechanisms. See spamass-sendmail-debian-v1.patch, README.SPAMASS.HIPL and spamass-milter-0.3.0-hipl-v1.patch for some examples of configuration changes and instructions.

Apache web server

Apache1 supports only IPv4, so it requires LSI support at the server side (included in the hipfw module). Later Apache versions also support IPv6 and can make use of HITs.

You may have to bind apache to the local HIT (or LSI). Alternatively, you can bind apache to :: (or 0.0.0.0) to allow both HIP and non-HIP based communications. You can set the binding using the Listen directive, but you probably also want to specify the local HITs (or LSIs) in the NameVirtualHost and VirtualHost directives.

Apache may try to resolve all of the local IP addresses in its configuration, including the HITs and LSIs, and complain about unresolvable ones. There are two ways to solve this. Firstly, you can run the DNS proxy (see the section called “DNS Proxy”) at the server. Alternatively, you can add the local LSIs and HITs to the /etc/hosts file manually.

VLC multimedia streamer

Video LAN Client (VLC) is a program that supports playing and network streaming of multimedia. VLC can be used with HIP by using LSIs or HITs. These instructions show how to stream a video clip over HIP using HITs. LSI-based connectivity works similarly, but you should replace the HITs with LSIs and omit the square brackets.

You need two computers with HIP support. First, start a vlc client on one computer that listens for incoming multimedia streams over RTP:

  client % vlc -vvv 'rtp://@[::]:50004'
  

Then start a VLC server that streams the video to the client over RTP:

  server % vlc -vvv somemovie.avi --sout '#rtp{mux=ts,dst=[HIT_OF_CLIENT]}'
  

The "HIT_OF_CLIENT" should not be taken literally. Replace it with the actual HIT of the client (run "hipconf get ha default" at the client host).

Note that you can also specify the HIT_OF_CLIENT at the client instead of the wildcard (denoted "::"). This also forces the client to accept only HIP-based connections.

The server streams data only to the client specified on the command line. It is possible to stream to multiple clients using the "group" option of vlc.

At the time of writing, VLC did not support IPv6 multicast (ff01::1 or ff02::1) at the server side. It is unclear how such multicast would work in combination with HIP. Contributions on the topic are welcome.

In case VLC seems insufficient for your purposes, we have also experimented successfully with music streaming using Icecast. Unfortunately, we don't have any documentation on this yet.

VNC applications

The Vino-server/Vinagre-client and tightvncserver/xtightvncviewer applications work just fine with the LSI support of HIPL. LSIs are used because the tested applications did not support IPv6; it seems that most VNC applications do not support IPv6.

vino / vinagre

Set up LSIs as the manual instructs, and remember to start the required daemons. Then do the following.

On the server side (Ubuntu was used when testing), open the settings GUI from Gnome System->Preferences->Remote Desktop and allow other users to view and/or control the desktop. You can also set a password for the desktop.

On the client side, run the following and everything should work.

        vinagre <LSI-of-Server>
      

tightvncserver / xtightvncviewer

Set up LSIs as the manual instructs, and remember to start the required daemons. Then do the following.

On the server side, install the package tightvncserver. To start the server, just type tightvncserver in a terminal and the server starts with default options. Refer to the official documentation or the tightvnc man pages for more information on the configuration.

On the client side, install the package xtightvncviewer. Then the following command should give you a successful connection.

        xtightvncviewer <LSI-of-server>:1
      

A longer how-to can be found at http://www.cs.helsinki.fi/u/sklvarjo/vnc.htm

OpenLDAP

Tested with the stable version openldap-2.3.38 and with release version 2.4.7; the ACL part was tested using 2.4.11. Using OpenLDAP with HIP is quite straightforward. The simplest way is to run hipd and the DNS proxy on both machines and use a command like:

  ldapsearch -x -H ldap://<fqdn> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'
  

The name can be anything found in /etc/hosts. A search can also be done directly with a HIT using the command

  ldapsearch -x -H ldap://[<HIT>] -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'
  

You can also search using the opportunistic mode with the command

  ldapsearch -x -H ldap://<fqdn> -b 'dc=<MY-DOMAIN>,dc=<COM>' '(objectclass=*)'
  

ldapadd can be used similarly with LDAPURI and HITs.

Perhaps the most interesting part is the ACL rules in OpenLDAP. Newer versions accept peername rules in IPv6 format, which is useful because HITs are IPv6-formatted addresses. Below is a basic example of a rule that grants write/read/search permissions to self, read/search permissions without authentication to all processes connecting from HIT_1, and no permissions to the rest of the world.

      access to *
            by self write
            by peername.ipv6=<HIT_1> anonymous read
            by * none
  

A longer how-to can be found at http://www.cs.helsinki.fi/u/sklvarjo/openldap.htm

Networking scripts and instructions for virtual machines and HIP

These pages contain some scripts for VMware, VirtualBox and UML users. For UML there is a more complete tutorial on how to compile HIP-enabled host and guest kernels: http://www.cs.helsinki.fi/u/sklvarjo/manuals.htm

HIP and OpenVPN

OpenVPN Compatibility

OpenVPN is an open-source virtual private network solution. To set up OpenVPN, you need to edit the configuration file so that it contains the addresses used for the VPN. VPN traffic must be routed through the tun0 interface and all other traffic through the default interface. No changes to iptables are needed.

A HIP tunnel and an OpenVPN tunnel, run separately, have roughly the same throughput. We have successfully tested HIP inside an OpenVPN tunnel by using the VPN addresses as locators for HIP. However, this seems to halve the throughput unless optimizations are applied (such as using NULL crypto with HIP).

OpenVPN over HIP

OpenVPN can be run over HIP. The main benefit of such layering is to create a mobile OpenVPN tunnel. The VPN also inherits some other features from HIP, such as transparent NAT traversal: both end-hosts can be located behind NAT devices.

The instructions here assume that you have two hosts with OpenVPN and HIP installed. Furthermore, you should have a working configuration of LSIs between the two hosts as instructed in the section called “Testing a HIP connection with an IPv4-only application”.

This experiment uses OpenVPN from the command line. For real deployment, you probably want to modify the OpenVPN configuration file. Start OpenVPN at both end-hosts as follows:

     openvpn --remote <REMOTE_LSI> --dev tun1 --ifconfig <LOCAL_VPN_IP> <REMOTE_VPN_IP> --verb 9
    

Then you can test the connection, e.g. with "ping <REMOTE_LSI>". Note that the capitalized identifiers should not be taken literally. Replace them with the local and remote LSIs and the virtual VPN addresses according to your configuration.

NFSv3 over HIP

This section describes how you can run NFSv3 over HIP. One benefit of running NFSv3 over HIP is that you can provide a stronger authentication using public-key based access control lists. A second benefit is that you can use NFSv3 to serve also mobile devices because the access control lists are based on location-independent public keys.

Linux has two NFSv3 server implementations, one operating in kernel space and the other in user space. These instructions were tested on Ubuntu with the userspace NFS server (unfs3). For generic NFSv3 instructions, please see e.g. http://nfs.sourceforge.net/nfs-howto/.

As NFSv3 supports only IPv4, you need to use LSIs. So, make sure that you are also running hipfw with LSI support (-l) on both sides; for example, you can start it with "hipfw -lAbk". It is also recommended to fix the HITs and LSIs in /etc/hip/hosts and the IP addresses in /etc/hosts on both sides. In this example, the NFS server has been configured to use LSI 1.0.0.1 and the client 1.0.0.2. Notice that the LSIs are valid only within the local host!

Configure the NFS server:

  1. Install unfs3 and portmap

  2. Make sure that your /etc/hosts.allow and /etc/hosts.deny contain nothing but comments. You can make these rules stricter after successful testing.

  3. Add "/home 1.0.0.2/255.0.0.0(rw)" to /etc/exports and restart unfs3.

Configure the NFS client:

  1. Install nfs-client and portmap

  2. mount -t nfs 1.0.0.1:/home /mnt/

Now you should have mounted the NFS share over HIP. As the LSIs are bound locally to HIs, the NFS traffic is authenticated with public keys and encrypted using IPsec. The public key authentication supports mobile NFS clients.

Iperf

Iperf is a network performance measurement tool. You can use it to measure IPsec performance with two locally connected machines as shown below:

    server % iperf -V -s
  
    client % iperf -V -c <hit-of-the-server>
  

Notice that <hit-of-the-server> should not be taken literally. Replace it with the HIT of the server (run "hipconf get hi default" at the server). If you want to use LSIs instead of HITs, you should not use the -V option and should use LSIs as instructed in the section called “IPv4 and IPv6 interoperability”.

TCP-over-IPsec performance was one fourth of UDP-over-IPsec performance in a gigabit network during the time of writing. It was unclear whether this was caused by a missing command line argument to iperf, a problem in iperf itself or a problem in IPsec performance.

Nagios Infrastructure monitoring tool

Nagios is a web-based, open-source infrastructure monitoring service. Here is an example of how to handle monitoring over HIP, based on the instructions in https://wiki.chpc.utah.edu/display/CHPC/Nagios+ping6+creation

Nagios supported "check_command check_http" over IPv6 using HITs without any changes. However, you will need the following tweaks to support HIT-based ICMPv6 (unless you are satisfied with LSIs):

    define command {
        command_name check_ping6
        command_line $USER1$/check_ping -6 -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
    }

    define command {
        command_name check-ipv6-alive
        command_line $USER1$/check_ping -6 -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 1
    }

    define service {
        use                     local-service
        host_name               crossroads.infrahip.net
        service_description     PING
        check_command           check_ping6
    }

    define host {
        use                     linux-server
        host_name               crossroads.infrahip.net
        alias                   crossroads
        address                 2001:1b:a9be:c6a6:34e5:8361:c07f:a990
    }
  

Vanilla Telnet

The vanilla telnet client can be used with HIP by giving it the "-6" flag to force IPv6 resolution. A connection to a HIT can then be made with the syntax shown below.

          telnet -6 <HIT-of-responder> <port>
      

Bittorrent over HIP

The following link shows how to run torrent over HIP: http://www.cs.helsinki.fi/u/sklvarjo/torrent.html