Rahu Network Access Server

Post on 03-Feb-2022

Neutron Soutmun <neutron@rahunas.org>

RahuNAS Core Team

September 27, 2009, Debian MiniDebConf 2009, Taiwan

Introduction

What is RahuNAS?

Word combination

Rahu: the daemon that swallows the sun or the moon
NAS: Network Access Server

Short description

RahuNAS is an extended ipset (an iptables/netfilter extension) together with a daemon and helper scripts, which provide a web-based network authentication system (a captive portal).

Where is RahuNAS in the network?

Software Goals

Fast: does not delay packet forwarding too much.

More stable: available whenever users request it.

Traffic control: able to control the users' bandwidth.

Scalable: able to handle multiple networks.

System Requirements

Debian GNU/Linux 5.0 (Lenny): server OS

iptables/netfilter with ipset + RahuNAS patch: included with the mainstream kernel

ipset with RahuNAS patch: special firewalls

FreeRADIUS: AAA (Authentication, Authorization, Accounting)

PostgreSQL: database to store user information

DHCP, DNS server

Existing captive portal software

chillispot: open source Linux daemon

CoovaChilli: open source software access controller, based on chillispot

captivator-gw: open source, Perl based, written by Dale W. Carder at the University of Wisconsin Board of Regents

etc.

Review of existing software: chillispot

Advantages

Well known, used worldwide.

Disadvantages

The daemon is not stable enough when running under high load.

The project seems to be abandoned.

It is not very scalable; it may or may not run multiple networks on a single server.

Some overhead over the tunneling interface (tunX, tapX); sometimes it is a bottleneck.

Review of existing software: CoovaChilli

Advantages

Project still alive.

More documentation and tools than chillispot.

Fewer problems when migrating from chillispot.

Disadvantages

The major disadvantages are the same as chillispot's.

Review of existing software: captivator-gw

Advantages

Simple.

Scalable, capable of handling multiple networks.

Disadvantages

Simple firewall technique: more users means more rules added (slowdown, in theory).

Why was RahuNAS born?

Problem

As mentioned before, none of the existing software actually matches our software goals.

Solution

A. Seek another software? or B. Construct it myself?

Answer

B. Construct it myself ← RahuNAS was born here

How to meet the software goals?

If our software meets the 4 major goals

Fast

More stable

Traffic control

Scalable

it is enough for our simple authentication system.

meet Fast

Most wanted: we need the special firewalls.

Special firewalls

High number of rules: fast matching algorithms.

Often changed rules: storage structures which can be changed fast.

Low RAM machines: memory optimized storage structures.

Reference: Jozsef Kadlecsik, 6th Netfilter Workshop, Paris, 29.09.2008

Special firewalls: iptables?

High number of rules: slow. Linear evaluation.

Often changed rules: slow. Rules are passed back and forth between kernel and userspace when adding/deleting a single rule; rules are stored in a blob.

Medium RAM requirements.

Special firewalls: nf-hipac?

nf-hipac: http://www.hipac.org/

High number of rules: fast. Complex matching algorithms.

Often changed rules: fast. Just the new or to-be-deleted rule is passed; hashes, trees.

Memory requirements?

Special firewalls: ipset?

ipset: http://ipset.netfilter.org/

High number of rules: fast. Simple algorithms.

Often changed rules: fast. Just the new or to-be-deleted rule is passed; arrays, hashes, trees.

Memory requirements can be low.

Choices

A. nf-hipac
B. ipset

Choosing

B. ipset ← a good choice, simpler than nf-hipac.

Then hack

hack: macipmap → rahunas
reason: authentication systems conventionally use the IP address and the MAC address together to identify users.
why: needs to keep each user's idle time for idle timeout checking.
todo: add the code to keep the users' idle time state.

Before

# ipset -nL
Name: rahunasnet
Type: macipmap
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE
Bindings:

After

# ipset -nL
Name: rahunasnet
Type: rahunas
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
Bindings:

How to keep the idle time?

Idle time reset condition

192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds

Authenticated user's packet → RahuNAS → Internet

Authenticated user's packet ← RahuNAS ← Internet

192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 0 seconds

Any packet in either direction that matches an authenticated user's IP+MAC entry resets that entry's idle time to 0; an entry that receives no packets keeps counting up until the idle timeout check removes it.
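The idle-time reset rule above, as an added example that is not part of the slides or of RahuNAS's own ipset code: a userspace C model of the rahunas set type, where a member is an IP+MAC pair with a last-seen timestamp, a packet matches only when both the IP and the MAC match (so a host that merely reuses an authenticated user's IP address does not match), any match resets the idle time, and an expiry sweep drops members whose idle time exceeds the timeout. The table size, the 300-second timeout and the function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <time.h>
/* Added example (not RahuNAS code): a userspace model of the "rahunas" set
 * type. A member is an IP+MAC pair (as in macipmap) plus a last-seen time;
 * a packet matches only if BOTH fields match, and any match in either
 * direction resets the idle time. Table size and timeout are assumptions. */
#define MAX_MEMBERS  8
#define IDLE_TIMEOUT 300  /* seconds */
struct member { uint32_t ip; uint8_t mac[6]; time_t last_seen; int in_use; };
static struct member set[MAX_MEMBERS];
static struct member *find(uint32_t ip, const uint8_t mac[6])
{
    for (int i = 0; i < MAX_MEMBERS; i++)
        if (set[i].in_use && set[i].ip == ip && !memcmp(set[i].mac, mac, 6)) return &set[i];
    return NULL;
}
/* Add an authenticated user: 0 on success, -1 if the table is full. */
int set_add(uint32_t ip, const uint8_t mac[6], time_t now)
{
    for (int i = 0; i < MAX_MEMBERS; i++)
        if (!set[i].in_use) {
            set[i].ip = ip; memcpy(set[i].mac, mac, 6);
            set[i].last_seen = now; set[i].in_use = 1;
            return 0;
        }
    return -1;
}
/* Packet seen for (ip, mac): 1 and idle reset if it is a member, else 0.
 * A host that borrows only the IP of an authenticated user does not match. */
int set_match(uint32_t ip, const uint8_t mac[6], time_t now)
{
    struct member *m = find(ip, mac);
    if (m) m->last_seen = now;
    return m != NULL;
}
/* Idle seconds as "ipset -nL" shows them (==> idle N seconds); -1 if absent. */
long set_idle(uint32_t ip, const uint8_t mac[6], time_t now)
{
    struct member *m = find(ip, mac);
    return m ? (long)(now - m->last_seen) : -1;
}
/* Idle-timeout check: drop members idle longer than IDLE_TIMEOUT, return count. */
int set_expire(time_t now)
{
    int n = 0;
    for (int i = 0; i < MAX_MEMBERS; i++)
        if (set[i].in_use && now - set[i].last_seen > IDLE_TIMEOUT) { set[i].in_use = 0; n++; }
    return n;
}
```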

meet more Stable

RahuNAS daemon

Keep it simple and stupid; it does not try to handle any complex tasks.

Provides an internal state database powered by sqlite3, so it can resume operation after accidents such as power loss or a daemon crash.

Written in C.

License GPL-2, 100% open source

GLib

libgnet (XML-RPC Server/Client)

RahuNAS daemon security

Listens on localhost (127.0.0.1) only; the web-based login page runs on the same host.

TODO: add encryption between the XML-RPC server and client; needed if we want to run RahuNAS and the web-based login page on different hosts.

Web-based login

iptables rules intercept unauthenticated connections and redirect them to the web-based login page.

Apache2 and PHP5 serve the users' login requests.

PHP PEAR for FreeRADIUS and XML-RPC communication.

meet Traffic control

RahuNAS daemon

To keep it simple, it does not handle traffic control itself but leaves it to iproute (tc).

BitTorrent blocking is optional (layer 7 filter extension needed).

meet Scalable

RahuNAS daemon

Provides the capability of multiple-network authentication.

VLANs, or two or more NICs, can be handled on a single server.

RahuNAS in action

Proof of concept code test

With every hack and some coding from scratch, we finally have the simple authentication system which meets the 4 major goals. Now we need to test it.

RahuNAS login page

RahuNAS performance

More than 2000 concurrent users

A whole week

Bandwidth status

Site reference: Khon Kaen University, Thailand

Additional tools in the RahuNAS project

RahuNAS Drupal module

RahuNAS Drupal theme (based on RootCandy)

RahuNAS Cacti plugin

RahuNAS Drupal module

Description

The RahuNAS Drupal module is a simple FreeRADIUS account manager. It is a Drupal 6 module and takes advantage of Drupal's good design. It also includes simple user access data reports and graphs.

Written by Suriya Soutmun (RahuNAS Core Team)

RahuNAS Drupal module and theme

RahuNAS Cacti plugin

Description

The RahuNAS Cacti plugin adds functions to Cacti such as RahuNAS client monitoring and configuration settings; the Cacti plugin architecture is needed (patch required). Cacti is a good RRDTool-based, web-based monitoring software.

Who is using (testing) RahuNAS?

Khon Kaen University, Thailand: now running 4 servers, serving more than 6000 concurrent users

MahaThai Sueksa, North Eastern School, Khon Kaen, Thailand: now running 1 server, serving at least 150 concurrent users

Siridhon School, Surin, Thailand: now running 1 server, serving at least 200 concurrent users

Streesiriket School, Sisaket, Thailand: now running 1 server, serving at least 120 concurrent users

Manchakiri Hospital, Khon Kaen; Samrongthap Hospital, Surin

Hopefully, if it is useful, there will be more in the future.

Debian Package

git-buildpackage

The RahuNAS and additional tools source code is in a git repository (http://git.rahunas.org), and the Debian package is maintained using the awesome tool git-buildpackage.

RahuNAS Debian package status

Local, experimental.

Uploaded to the local repository only.

deb line

deb ftp://ftp.rahunas.org/rahunas unstable main

Package list

rahunas - RahuNAS daemon and helper scripts

rahunas-weblogin - RahuNAS web-based login support files

netfilter-extensions - netfilter extensions with the ipset and RahuNAS patches included

rahunas-config-freeradius - autogenerated config files and database preparation for FreeRADIUS to support RahuNAS

linux-image-*+rahunas - the customized kernel build with the layer 7 filter and multi-path routing patches

drupal6-mod-rahunas - RahuNAS Drupal module

drupal6-theme-rahunas+rootcandy - RahuNAS Drupal theme based on RootCandy, written by Marek Sotak

Who is sponsoring RahuNAS?

Gold sponsor: Khon Kaen University, Thailand. Gives funding for RahuNAS research and development, and also the facilities for testing.

Gold sponsor: Plawan Central Log, Thailand. Gives funding for RahuNAS research and development. Now considering integrating RahuNAS into their software and distributing it in the free/open source software culture.

Special Thanks

Software Liberty Association of Taiwan: gave me a great opportunity to talk at Debian MiniDebConf 2009.

Follow RahuNAS

Official website: http://www.rahunas.org

Debian package: ftp://ftp.rahunas.org/rahunas

Git repository: http://git.rahunas.org