
Sep 11, 2021

Review: Intent based networking for dummies

I found the book "Intent-based networking for dummies" on LinkedIn, posted by Juniper:

The book contains 5 chapters on 44 pages.



Chapter one ("Expressing intent and seeing the basics of IBN") tries to give a motivation for intent-based networking. The story goes like this: "humans are slow, expensive, error prone, and inconsistent. [...] the systems are vulnerable to small mistakes that can have enormous costs to business."
In addition we have "inadequate automation", "data overload", and "stale documentation". (At this point I think we are generally doomed and should stop networking at all.)
BUT with IBN "you can manage what requires automation, make your system standardized and reliable, and ensure you’re free to move and adjust heading into the future." The promise of IBN is a change from node-to-node management to an autonomic system: "The system self-operates, self-adjusts, and self-corrects within the parameters of your expressed technical objectives."
So everything should work like this: you express your intent, this intent is translated, and then the orchestration rolls out the resulting configuration changes onto your network.
I think one good phrase for IBN is: "You say what, it says how."


The second chapter is named "Looking at the characteristics of IBN". This chapter does not give any helpful information at all. One nice concept is mentioned here, the "Simple Pane of Glass": "It’s an important concept and a valuable benefit of having a single source of truth: You can see your entire network from a single, consistent perspective." But I think this is not possible for networks. Depending on your perspective (Ethernet, VLANs, IPs, MPLS, ...) the view is completely different. Just think about hardware ports vs. virtual ports...
 

"Detailing the IBN architecture" is the title of chapter 3. With 9 pages this is the biggest chapter inside the booklet. In this chapter an example is drilled through: the intent "I want a VLAN connecting servers A, B, C, and D." is analyzed and the steps define, translate, verify, deploy and monitor are shown.
In addition there are some subsections where the reference design, abstractions and inventory are put into relation to each other. This is illustrated with very nice figures. Really a good chapter!
 

In chapter four the book moves on from fulfillment to assurance. "This chapter shows you why your IBN system (IBNS) requires sophisticated, deep analytics that can detect when a deployed service is drifting out of spec and either automatically make the adjustments to bring it back into compliance or alert you to the problem."
It starts with differentiating uncontrolled changes from controlled changes. This is nothing special to IBN; I think this is useful for any kind of operation in IT.
 

Chapter 5 is, as always in this "Dummies" series, a recap of the chapters before.


All in all a nice booklet which gives a good introduction to this new kind of network management system. But whether IBN can keep its promises, let's see...
 




May 10, 2019

Wireguard: Status information / using the wg command


After the installation of WireGuard on two servers I shut down the secondary server, and after 4 h I ran the wg command:
root@zerberus:~# wg
interface: wg0
  public key: XXX=
  private key: (hidden)
  listening port: 46932

peer: YYY=
  endpoint: 192.168.178.54:35891
  allowed ips: 10.0.0.2/32
  latest handshake: 4 hours, 19 minutes, 2 seconds ago
  transfer: 348 B received, 436 B sent
With the "ip addr" command there is nothing really interesting:
root@zerberus:~# ip addr show wg0
5: wg0:  mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
Just to get some information about the "wg" command:
root@zerberus:~# wg help
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.
and one more example:
root@zerberus:~# wg showconf wg0

[Interface]
ListenPort = 46932
PrivateKey = TTT=

[Peer]
PublicKey = XXX=
AllowedIPs = 10.0.0.2/32
Endpoint = 192.168.178.54:35891
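As an added example that is not part of the original post, here is a small Python parser for the human-readable wg output shown above: it turns "latest handshake: ... ago" into seconds and flags peers that have no live session. The sample output is constructed from the post with placeholder keys; the 180 s limit is WireGuard's reject-after time, and since WireGuard only handshakes when there is traffic, an idle peer also shows an old handshake, so this means "no current session", not necessarily "peer down".

```python
import re

# Constructed sample: the human-readable "wg" output shown in the post,
# with placeholder keys (XXX=/YYY= stand in for real base64 keys).
SAMPLE_WG_OUTPUT = """\
interface: wg0
  public key: XXX=
  private key: (hidden)
  listening port: 46932

peer: YYY=
  endpoint: 192.168.178.54:35891
  allowed ips: 10.0.0.2/32
  latest handshake: 4 hours, 19 minutes, 2 seconds ago
  transfer: 348 B received, 436 B sent
"""
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# WireGuard discards a session 180 s after its handshake (REJECT_AFTER_TIME),
# so an older handshake means no live session: the peer is down or just idle.
STALE_AFTER = 180

def handshake_age_seconds(text):
    """Convert e.g. '4 hours, 19 minutes, 2 seconds ago' into seconds."""
    total = 0
    for count, unit in re.findall(r"(\d+) (second|minute|hour|day)s?", text):
        total += int(count) * _UNIT_SECONDS[unit]
    return total

def parse_wg_show(output):
    """Parse `wg show` text into an interface dict and a list of peer dicts."""
    interface, peers, current = {}, [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("interface: "):
            interface = {"name": line.split(": ", 1)[1]}
            current = interface
        elif line.startswith("peer: "):
            # A peer that never completed a handshake has no "latest handshake" line.
            current = {"public_key": line.split(": ", 1)[1], "latest_handshake": None}
            peers.append(current)
        elif ": " in line and current is not None:
            key, value = line.strip().split(": ", 1)
            key = key.replace(" ", "_")
            if key == "latest_handshake":
                value = handshake_age_seconds(value)
            current[key] = value
    return interface, peers

def stale_peers(output, max_age=STALE_AFTER):
    """Return public keys of peers with no handshake in the last max_age seconds."""
    _, peers = parse_wg_show(output)
    return [p["public_key"] for p in peers
            if p["latest_handshake"] is None or p["latest_handshake"] > max_age]
```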


May 3, 2019

Wireguard: Installation & configuration

To install WireGuard I followed this instruction.
The first step is to add the repository to your machine:

root@zerberus:~# add-apt-repository ppa:wireguard/wireguard
 WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging for WireGuard. More info may be found at its website, listed below.

More info: https://www.wireguard.com/
Packages: wireguard wireguard-tools wireguard-dkms

Install with: $ apt install wireguard

For help, please contact 
Then the installation:

root@zerberus:~# apt install wireguard
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
  btrfs-tools geoip-database-extra libcryptui0a libjs-openlayers seahorse-daemon
Verwenden Sie »apt autoremove«, um sie zu entfernen.
Die folgenden zusätzlichen Pakete werden installiert:
  wireguard-dkms wireguard-tools
Die folgenden NEUEN Pakete werden installiert:
  wireguard wireguard-dkms wireguard-tools
0 aktualisiert, 3 neu installiert, 0 zu entfernen und 1 nicht aktualisiert.
Es müssen 640 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 4.814 kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] 
Holen:1 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 wireguard-dkms all 0.0.20190123-wg1~bionic [551 kB]
Holen:2 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 wireguard-tools amd64 0.0.20190123-wg1~bionic [85,2 kB]
Holen:3 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 wireguard all 0.0.20190123-wg1~bionic [4.136 B]
Es wurden 640 kB in 0 s geholt (1.307 kB/s).
Vormals nicht ausgewähltes Paket wireguard-dkms wird gewählt.
(Lese Datenbank ... 471444 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../wireguard-dkms_0.0.20190123-wg1~bionic_all.deb ...
Entpacken von wireguard-dkms (0.0.20190123-wg1~bionic) ...
Vormals nicht ausgewähltes Paket wireguard-tools wird gewählt.
Vorbereitung zum Entpacken von .../wireguard-tools_0.0.20190123-wg1~bionic_amd64.deb ...
Entpacken von wireguard-tools (0.0.20190123-wg1~bionic) ...
Vormals nicht ausgewähltes Paket wireguard wird gewählt.
Vorbereitung zum Entpacken von .../wireguard_0.0.20190123-wg1~bionic_all.deb ...
Entpacken von wireguard (0.0.20190123-wg1~bionic) ...
wireguard-dkms (0.0.20190123-wg1~bionic) wird eingerichtet ...
Loading new wireguard-0.0.20190123 DKMS files...
Building for 4.17.0-rc3
Building initial module for 4.17.0-rc3
Secure Boot not enabled on this system.
Done.

wireguard:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.17.0-rc3/updates/dkms/

depmod.....

DKMS: install completed.
wireguard-tools (0.0.20190123-wg1~bionic) wird eingerichtet ...
wireguard (0.0.20190123-wg1~bionic) wird eingerichtet ...
Trigger für man-db (2.8.3-2ubuntu0.1) werden verarbeitet ...
root@zerberus:~# 
And then the configuration:
(I extracted the steps from the video here)
root@zerberus:~# wg genkey > /root/private.wireguard
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.

root@zerberus:~# ls -l /root/
insgesamt 4
-rw-r--r-- 1 root root 45 Apr 27 18:55 private.wireguard

root@zerberus:~# cat /root/private.wireguard 
XXXYYYY....=
root@zerberus:~# wg pubkey  < /root/private.wireguard
ZZZAAAA...=

root@zerberus:~# ip link add wg0 type wireguard
root@zerberus:~# ip addr add 10.0.0.1/24 dev wg0
root@zerberus:~# wg set wg0 private-key /root/private.wireguard 
root@zerberus:~# ip link set wg0 up

root@zerberus:~# ifconfig
....
wg0: flags=209  mtu 1420
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
All the steps up to here have to be done on both servers.
My setup was:
  • server 1: "public IP" 192.168.178.39, VPN IP 10.0.0.1
    public WireGuard key XXX
    WireGuard port: 46932 (how to get this number: just read on)
  • server 2: "public IP" 192.168.178.54, VPN IP 10.0.0.2
    public WireGuard key YYY
    WireGuard port: 35891
To get the public key and the port number use this command:
root@zerberus:~# wg

interface: wg0
  public key: XXX
  private key: (hidden)
  listening port: 46932
Then use the IP, port and public key of the secondary server:
root@zerberus:~# wg set wg0 peer 23P8GMzwpnpaw38wEERXev1jJIQlkhB/lZB35wwXVD4= allowed-ips 10.0.0.2/32 endpoint 192.168.178.54:35891
Do the same on the secondary machine with the IP, port and public key of the primary server.

And after that you can check with:
root@zerberus:~# ping 10.0.0.2

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=47.0 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=63.8 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 47.018/55.442/63.866/8.424 ms
I think this was much easier than setting up IPSec or OpenVPN.
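As an added example that is not part of the post, the following Python builds the two wg setconf-style config files for the setup described above, checks that keys are base64 of exactly 32 bytes, pins AllowedIPs to the peer's single tunnel address, and creates the file with owner-only permissions so the private key is never world-readable (the warning wg genkey printed above). The keys are constructed placeholders (base64 of fixed bytes), not real WireGuard keys; a real deployment takes them from wg genkey / wg pubkey.

```python
import base64
import os
import tempfile

def constructed_key(seed):
    """Constructed placeholder: base64 of 32 fixed bytes (NOT a real WireGuard key)."""
    return base64.b64encode(bytes((seed + i) % 256 for i in range(32))).decode()

# The two-server setup from the post; the keys are placeholders.
SERVER1 = {"public_ip": "192.168.178.39", "vpn_ip": "10.0.0.1", "port": 46932,
           "private_key": constructed_key(1), "public_key": constructed_key(2)}
SERVER2 = {"public_ip": "192.168.178.54", "vpn_ip": "10.0.0.2", "port": 35891,
           "private_key": constructed_key(3), "public_key": constructed_key(4)}

def is_wg_key(key):
    """WireGuard keys (private, public, preshared) are base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False

def build_config(local, remote):
    """Render the [Interface]/[Peer] file that `wg setconf` expects on `local`."""
    if not (is_wg_key(local["private_key"]) and is_wg_key(remote["public_key"])):
        raise ValueError("keys must be base64-encoded 32-byte values")
    return "\n".join([
        "[Interface]",
        f"ListenPort = {local['port']}",
        f"PrivateKey = {local['private_key']}",
        "",
        "[Peer]",
        f"PublicKey = {remote['public_key']}",
        # /32: only the peer's own tunnel address is accepted from it and routed
        # to it (cryptokey routing); a wider range lets it spoof other addresses.
        f"AllowedIPs = {remote['vpn_ip']}/32",
        f"Endpoint = {remote['public_ip']}:{remote['port']}",
        "",
    ])

def write_config(path, text):
    """Create the file with mode 0600 from the start; return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also fixes a pre-existing file with wider permissions
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return os.stat(path).st_mode & 0o777

def write_both(directory=None):
    """Write server1.conf and server2.conf (to a temp dir by default); return their modes."""
    directory = directory or tempfile.mkdtemp()
    modes = {}
    for name, local, remote in (("server1", SERVER1, SERVER2), ("server2", SERVER2, SERVER1)):
        modes[name] = write_config(os.path.join(directory, name + ".conf"), build_config(local, remote))
    return modes
```

Each generated file can then be applied with `wg setconf wg0 <file>` on the respective server.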


Apr 27, 2019

Wireguard: An easy way to build VPNs

Last week I came across the following tool:

If you want to build up a VPN you can choose one of the following strategies:
  • based on IPSec
  • using TLS
(These two are the usual options to choose from; of course there are some others...)

The nice thing about WireGuard (from the Linux point of view) is that the WireGuard interfaces are handled like all other network interfaces on your device.

If you are really interested in this approach, you should read the whitepaper. Here are some excerpts:

... IPSec ... updating these data structures based on the results of a key exchange, generally done with IKEv2 [13], itself a complicated protocol with much choice and malleability. The complexity, as well as the sheer amount of code, of this solution is considerable. Administrators have a completely separate set of firewalling semantics and secure labeling for IPsec packets.
... based solution that uses TLS. By virtue of it being in user space, it has very poor performance—since packets must be copied multiple times between kernel space and user space—and a long-lived daemon is required; OpenVPN appears far from stateless to an administrator.
A WireGuard interface, wg0, can be added and configured to have a tunnel IP address of 10.192.122.3 in a /24 subnet with the standard ip(8) utilities...
One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated, WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided by not allowing unauthenticated packets to influence any state. And more generally, it is possible to implement WireGuard in a way that requires no dynamic memory allocation at all, even for authenticated packets, as explained in section 7.
So the next step is to install this VPN solution and see if the administration is really as easy as promised...

Jul 30, 2011

Linux VPN Client: disconnect every 600s (10min)

You are trying to connect to a Cisco PIX or Cisco ASA from a Linux PC and the connection drops after 10 minutes?
You tried
You found after googling around the following hints:
  • rekeying problem (not implemented for Linux)
  • missing open ports in your firewall (500 UDP, 4500 UDP, 10000 UDP)
  • write an automatic restart script
  • set MTU size on tun0 below 1300
  • disable dead peer detection (--dpd-idle 0)
    this is done via port 500
  • ...
None of these tips worked. And now?
Let's take a look at the debug messages from vpnc:
vpnc --no-detach --debug 2 profile0
after 10 minutes:
S7.2 QM_packet2 send_receive
S7.3 QM_packet2 validate type
vpnc: no response from target
Anything learned? The connection is dead again, with no response from the target...
Where are these response packets? Let's take a look at Wireshark:


Hmmm
Dst Port 500...
Let's try the following:
vpnc --no-detach --debug 2 --dh dh5 gip2
and voilà: no disconnects anymore...

Why?
Read this link:
The Diffie-Hellman Group 5 feature enables group 5
on all platforms that support crypto images. Group 5 specifies the
1536-bit Diffie-Hellman group, which is a method of establishing a
shared key over an insecure medium.

So my advice:
If your VPN disconnects after some minutes, try some of the CLI options of vpnc. Or ask your administrator which Diffie-Hellman group is configured...

Here are the CLI options (via vpnc --long-help):
Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]

Options:
--gateway <ip/hostname>
IP/name of your IPSec gateway
conf-variable: IPSec gateway <ip/hostname>

--id <ASCII string>
your group name
conf-variable: IPSec ID <ASCII string>

(configfile only option)
your group password (cleartext)
conf-variable: IPSec secret <ASCII string>

(configfile only option)
your group password (obfuscated)
conf-variable: IPSec obfuscated secret <hex string>

--username <ASCII string>
your username
conf-variable: Xauth username <ASCII string>

(configfile only option)
your password (cleartext)
conf-variable: Xauth password <ASCII string>

(configfile only option)
your password (obfuscated)
conf-variable: Xauth obfuscated password <hex string>

--domain <ASCII string>
(NT-) Domain name for authentication
conf-variable: Domain <ASCII string>

--xauth-inter
enable interactive extended authentication (for challenge response auth)

--dpd-idle
conf-variable: Xauth interactive

--vendor <cisco/netscreen>
vendor of your IPSec gateway
Default: cisco
conf-variable: Vendor <cisco/netscreen>

--natt-mode <natt/none/force-natt/cisco-udp>
Which NAT-Traversal Method to use:
* natt -- NAT-T as defined in RFC3947
* none -- disable use of any NAT-T method
* force-natt -- always use NAT-T encapsulation even
without presence of a NAT device
(useful if the OS captures all ESP traffic)
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
Note: cisco-tcp encapsulation is not yet supported
Default: natt
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

--script <command>
command is executed using system() to configure the interface,
routing and so on. Device name, IP, etc. are passed using enviroment
variables, see README. This script is executed right after ISAKMP is
done, but before tunneling is enabled. It is called when vpnc
terminates, too
Default: /etc/vpnc/vpnc-script
conf-variable: Script <command>

--dh <dh1/dh2/dh5>
name of the IKE DH Group
Default: dh2
conf-variable: IKE DH Group <dh1/dh2/dh5>

--pfs <nopfs/dh1/dh2/dh5/server>
Diffie-Hellman group to use for PFS
Default: server
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

--enable-1des
enables weak single DES encryption
conf-variable: Enable Single DES

--enable-no-encryption
enables using no encryption for data traffic (key exchanged must be encrypted)
conf-variable: Enable no encryption

--application-version <ASCII string>
Application Version to report. Note: Default string is generated at runtime.
Default: Cisco Systems VPN Client 0.5.3:Linux
conf-variable: Application version <ASCII string>

--ifname <ASCII string>
visible name of the TUN/TAP interface
conf-variable: Interface name <ASCII string>

--ifmode <tun/tap>
mode of TUN/TAP interface:
* tun: virtual point to point interface (default)
* tap: virtual ethernet interface
Default: tun
conf-variable: Interface mode <tun/tap>

--debug <0/1/2/3/99>
Show verbose debug messages
* 0: Do not print debug information.
* 1: Print minimal debug information.
* 2: Show statemachine and packet/payload type information.
* 3: Dump everything exluding authentication data.
* 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
conf-variable: Debug <0/1/2/3/99>

--no-detach
Don't detach from the console after login
conf-variable: No Detach

Report bugs to vpnc@unix-ag.uni-kl.de



Mar 24, 2011

Debian 6: IPSec-VPN?! -> Network-Manager

After changing to Debian 6 I had to recompile the Cisco IPSec kernel module (cisco_ipsec.ko). But I ended up with:
hades:/packages/vpnclient# ./vpn_install
Cisco Systems VPN Client Version 4.8.02 (0030) Linux Installer
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
....
Making module
make -C /lib/modules/2.6.37.3/build SUBDIRS=/packages/vpnclient modules
make[1]: Entering directory `/usr/src/linux-2.6.37.3'
CC [M] /packages/vpnclient/linuxcniapi.o
/packages/vpnclient/linuxcniapi.c:14:28: error: linux/autoconf.h: Datei oder Verzeichnis nicht gefunden
make[2]: *** [/packages/vpnclient/linuxcniapi.o] Fehler 1
make[1]: *** [_module_/packages/vpnclient] Fehler 2
make[1]: Leaving directory `/usr/src/linux-2.6.37.3'
make: *** [default] Fehler 2
Failed to make module "cisco_ipsec.ko".
OK... this does not work anymore.
But the Network Manager has one tab labelled VPN... What about using this one?

The first try was not successful, because the "add" button was disabled. After some googling around there was a hint to install the following package:
apt-get install network-manager-pptp-gnome
The button was enabled, but only Point-to-Point Tunneling Protocol could be chosen. A lookup on http://packages.debian.org showed the following additional packages:
apt-get install network-manager-openvpn-gnome
apt-get install network-manager-vpnc-gnome
After installing these packages the following VPN types were selectable:

And when choosing vpnc the following dialog was shown

and after filling in all parameters the VPN connection was established without any problem...