Wednesday, March 16, 2016

NetworkManager and multiple provisioning domains

The goal of this post is to list different options on how to introduce PvDs into NetworkManager, i.e. what should be changed in NetworkManager and how it should handle explicit and implicit PvDs. But first we'll start with the definition of Provisioning Domain and the objects that could potentially be used to store/represent Provisioning Domains. The implementation this post refers to can be found on GitHub.

The term Provisioning Domain (PvD) is defined and clarified in RFC 7556 as:
A consistent set of network configuration information. Classically, all of the configuration information available on a single interface is provided by a single source (such as a network administrator) and can therefore be treated as a single provisioning domain. In modern IPv6 networks, multihoming can result in more than one provisioning domain being present on a single link. In some scenarios, it is also possible for elements of the same PvD to be present on multiple links.
Basically, it is a set of configuration information that should be treated as a single unit. Here are some examples of such units of configuration data:
  1. Static IPv4 configuration provided by a user for a server or for a network without DHCP.
  2. Data handed over to a client by a DHCP server.
  3. Configuration data sent in RAs by the single router on an IPv6 enabled local network to the nodes attached to that network.
  4. Configuration data sent by a VPN gateway upon successful connection of a client.
In all these cases we have implicit PvDs, meaning that the sets of configuration data are implicitly bound together and there was no indication whatsoever that they should be treated as a single unit. This is in contrast to explicit PvDs, which are sets of configuration data bound together by some explicit mechanism and associated with some kind of PvD identifier sent to the client in some way. Explicit PvDs, as of the time this post was written, don't exist yet, and the IETF MIF working group is trying to define the necessary mechanisms to support them, as well as how exactly the IDs should look.

Note that apart from explicit PvDs and implicit PvDs we also differentiate between a PvD and a PvD instance. The difference is that a PvD consists of what a set of PvD instances have in common on some local network, while a PvD instance is valid for only a single host on a given local network. In other words, a PvD will include the network prefix and mask, while a PvD instance will include host addresses too. It is interesting to note that router advertisements communicate PvDs while DHCP communicates PvD instances.

How to implement PvDs in NetworkManager

As always, the same goal can be achieved in multiple ways, so here are the options on how PvDs can be implemented within NM. Basically, there are two main approaches: either existing objects can be enhanced so that they can represent PvDs, or a completely new object can be introduced.

Using NMSettingsConnection object to store PvD and PvD instance

Each network connection (which is not the same as a PvD or PvD instance) is stored in an NMSettingsConnection object. Those objects are generated from static files or dynamically during NetworkManager's execution. NMSettingsConnection objects are initialized from the following sources:
  1. Distribution configuration files. System dependent network configuration files (e.g. /etc/sysconfig/network-scripts for RHEL based systems) are read by NM via plugins and NMSettingsConnection objects are created as a result.
  2. NetworkManager specific configuration. NetworkManager has its own configuration files that are stored in /etc/NetworkManager/system-connections/.
  3. Dynamically created configurations. While running, NetworkManager allows new configurations to be created via the D-Bus interface.
Note that NetworkManager has a concept of profiles that are used in the case of wired networks. Basically, those are settings which are not bound to any specific network interface. Profiles can have 802.1x type credentials assigned to them.

So, the idea of integrating PvDs into NetworkManager is to create a new NMSettingsConnection object for each new PvD or PvD instance. NMSettingsConnection would be extended with a PvD ID parameter.

There are several potential problems with this approach:
  1. There is a difference between NMSettingsConnection on the one hand, and PvD and PvD instance on the other. For example, some NMSettingsConnection defines a network connection that should be configured using DHCP, and in that case the NMSettingsConnection is neither a PvD nor a PvD instance. On the other hand, an NMSettingsConnection can be the same as a PvD instance. This is the case with static IPv4 configurations when a user specifies concrete IP addresses. Finally, an NMSettingsConnection can be a PvD only in the case of IPv6 when the host part is generated from the MAC address.
  2. When PvDs and PvD instances are received they are valid only for the interface on which they are received. But a user can request any NMSettingsConnection object to be activated on any interface, which isn't possible.
  3. Also, this can create confusion. Take for example a preconfigured NMSettingsConnection which is now treated as a PvD with a specific PvD ID, and it is defined to use DHCP for the configuration. Obviously, this PvD ID is expected to be valid on a certain interface at a specific attachment point. But due to the way the interface is configured (DHCP) it can actually be activated on any interface on any network that supports DHCP. Thus, it might easily happen that a user by mistake activates this particular NMSettingsConnection on a "wrong" network, which makes the user believe the network is active while in reality it is not.

    Note that even NMSettingsConnection objects that contain credential information aren't guaranteed to retrieve the same PvD every time the connection is made. Namely, there are AAA servers and infrastructure that allow clients with the same credentials to connect to multiple networks, and thus to potentially receive multiple PvDs.

  4. Finally, the problem is that on a single network interface only one NMSettingsConnection might be activated, and so this prevents having multiple PvDs on a single interface.
Those problems are not unsolvable, i.e. they could be solved by modifying certain aspects of NetworkManager in general, and NMSettingsConnection in particular.

Treating NMActiveConnection object as PvD instance and PvD

Whenever a connection is made in NetworkManager an object is created. There are two classes for this object, both of which inherit from the NMActiveConnection base class. Which class is used depends on the type of the connection: the only distinction made is between VPN connections, which are represented by NMVPNConnection objects, and other connections, which are represented by NMActRequest objects. The main task of NMActiveConnection is to bind NMSettingsConnection with NMDevice objects.

The idea in this case is to treat NMActiveConnection as a PvD or a PvD instance, i.e. for each new PvD or PvD instance received a new NMActiveConnection is created.

But there are still some problems:
  1. Since NMActiveConnection objects are transient, there would be no history of PvDs used. This might or might not be a problem, depending on whether we need this history.

    The first case when the history would be necessary is if we cache some information for the next time we connect to the given PvD. The second case is if there are processes still using the PvD through the API, and thus the information about the PvD must live until the process dies. Note that this latter problem could be solved with delayed removal of NMActiveConnections or by some asynchronous mechanism informing applications that a specific NMActiveConnection isn't available any more.

  2. The second problem is the question of whether there could exist two NMActiveConnection objects that were created from the same NMSettingsConnection object, i.e. whether NMSettingsConnections can be shared.

  3. The third problem is that it will happen that two or more PvDs are received within a single NMActiveConnection, and this requires that NMActiveConnection is a factory for itself.

Using NMIP4Config and NMIP6Config objects for PvDs and PvD instances

NetworkManager has objects/classes for storing IPv4 (libnm-core/nm-setting-ip4-config.c) and IPv6 (libnm-core/nm-setting-ip6-config.c) settings. More precisely, those objects are used to expose the network settings of devices to the rest of NetworkManager. So, in some way they are PvDs, in the sense that each of them contains enough information to allow connection to the network.

The problem is that internally NetworkManager keeps a single IPv4/IPv6 configuration object per device, and in addition it merges all configuration data received on a single interface.

Specifically, in the case of configuration data received in RAs, everything is kept in the NMRdisc object defined in src/rdisc/nm-rdisc.h. There you'll find arrays of received configuration data. NetworkManager assumes that a single router sends all the configuration data. This assumption is not valid on a multihomed network, or on a network that can send multiple provisioning domains within each RA. What would be necessary is to change this structure so that configuration data is kept separate for each router and provisioning domain.

The problems in this case are:
  1. NMIPxConfig objects were not intended to keep information about available IPv4 and IPv6 addresses, but to make available the addresses configured on a device. So, it reverses the purpose of those objects, which isn't accepted so well.
  2. Again, those are transient objects and thus there is no history. It is possible to keep every object alive, but NM isn't designed to behave in such a way.
  3. It seems that in libnm there is no way to obtain a list of IPv4 and IPv6 config objects.

Having separate PvD structures

This is the final alternative and the most intrusive one. The idea is that settings, active connections and IPv4 and IPv6 objects/classes stay as they are, but instead, when each new connection is established, a new PvD data structure is created. The PvD is either inferred from the configuration settings, or NetworkManager received an explicit PvD.

This would solve the problem that some settings might be used to obtain different PvDs, which isn't known until the connection is established. For example, if we are using DHCP to configure the interface, then the PvD received depends on the PoA (point of attachment).

It would also solve the problem that the user might try to instantiate one PvD while some other is actually in use. This way, after the connection is established, the appropriate PvD is searched for, or a new one is created.

This is the most intrusive change, one that would require changes in the APIs and thus break compatibility with existing applications (or require a completely new API).

Current PvD Support Implementation

The first implementation of PvDs was done using NMIP6Config as a PvD container. Before describing the implementation we have to state that the only mechanism currently able to carry PvDs is RA messages. NMIP6Config objects are extended with a PvD ID field. At first, there was support for different types of PvD IDs, and the first implemented type was a UUID stored in ASCII format. Later in the development process PvD ID types were removed and the only possible type is UUID. It seems that this doesn't make the implementation less flexible and at the same time substantially reduces complexity.

When an RA is received, and after it is processed as usual, a new implicit PvD is created from the data in the RA. If there are two or more routers on the local network, each sending its own configuration data, then a separate PvD is created for each RA. Also, in case there is a PvD container option in the RA, it is parsed and an additional PvD is created from that data.

This information is then handed to the NMDevice object, which merges data from implicit PvDs (as it does in the unmodified version), but now there is also a hash table with the set of PvDs received on the given interface. This information is then exposed through the NMActiveConnection object.
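As an added illustration, and not code from the post's GitHub implementation, the following constructed C model shows the per-interface bookkeeping the last three paragraphs describe: one implicit PvD per advertising router, an additional explicit PvD when an RA carries a PvD container option with a UUID, and lookup of the table by PvD ID. The RA layout, the use of the router's link-local address as the key for an implicit PvD (the post says every PvD ID is a UUID, so this is a simplification), and the fixed-size table are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the per-interface PvD table described above (not
 * NetworkManager's code): one implicit PvD per RA source, plus an explicit
 * PvD for an RA that carries a PvD container option with a UUID. */
#define MAX_PVDS 8
#define MAX_PREFIXES 4
typedef struct {
    const char *router;     /* link-local address of the router sending the RA */
    const char *prefix;     /* prefix advertised directly in the RA */
    const char *pvd_uuid;   /* UUID from a PvD container option, or NULL */
    const char *pvd_prefix; /* prefix carried inside the container option */
} ra_t;
typedef struct {
    char id[64];            /* UUID; the router address stands in for implicit PvDs (assumption) */
    int explicit_pvd;       /* 1 if created from a container option */
    char prefixes[MAX_PREFIXES][48];
    int n_prefixes;
} pvd_t;
typedef struct { pvd_t pvds[MAX_PVDS]; int n; } pvd_table_t;

/* Find the PvD with this ID on the interface, creating it on first sight. */
static pvd_t *pvd_lookup_or_create(pvd_table_t *t, const char *id, int explicit_pvd)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->pvds[i].id, id) == 0)
            return &t->pvds[i];
    if (t->n == MAX_PVDS) return NULL;  /* table full: drop rather than overwrite */
    pvd_t *p = &t->pvds[t->n++];
    memset(p, 0, sizeof *p);
    snprintf(p->id, sizeof p->id, "%s", id);
    p->explicit_pvd = explicit_pvd;
    return p;
}

/* Merge a prefix into a PvD, ignoring repeats from periodic re-advertisement. */
static void pvd_add_prefix(pvd_t *p, const char *prefix)
{
    if (!p || !prefix || p->n_prefixes == MAX_PREFIXES) return;
    for (int i = 0; i < p->n_prefixes; i++)
        if (strcmp(p->prefixes[i], prefix) == 0)
            return;
    snprintf(p->prefixes[p->n_prefixes++], sizeof p->prefixes[0], "%s", prefix);
}

/* Process one RA: implicit PvD keyed by the sending router (two routers on one
 * link give two PvDs) plus an explicit PvD when a container option is present.
 * Returns the number of distinct PvDs now known on the interface. */
int pvd_table_process_ra(pvd_table_t *t, const ra_t *ra)
{
    pvd_add_prefix(pvd_lookup_or_create(t, ra->router, 0), ra->prefix);
    if (ra->pvd_uuid)
        pvd_add_prefix(pvd_lookup_or_create(t, ra->pvd_uuid, 1), ra->pvd_prefix);
    return t->n;
}
```

Feeding the same RA twice leaves the table unchanged, which is the behaviour wanted for periodic re-advertisements, while a second router's RA or a container option adds new entries.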