Network Tokens Support for upf-epc #75
Conversation
| -ALWAYS_LIBS := -lpcap -lgflags -lnuma -lbpf | ||
| +ALWAYS_LIBS := -lpcap -lgflags -lnuma -lbpf -lcjose -ljansson -lcrypto |
There was a problem hiding this comment.
can we try to see if having an extra-ntf.mk in your repo copied to core/ would work? we currently use extra-upf.mk
LIBS += -lcjose -ljansson -lcrypto
relevant upstream snippets
https://github.com/NetSys/bess/blob/c648ea8d39c00bb67df6cdd64bb3f92b48036175/core/Makefile#L160-L165
https://github.com/NetSys/bess/blob/c648ea8d39c00bb67df6cdd64bb3f92b48036175/core/Makefile#L185
There was a problem hiding this comment.
Yes - this is the reason the build is failing at the moment; I'm only building cjose if NTF is enabled.
On that note @krsna1729 do you think it makes sense to compile cjose conditinally, or should this always go in?
There was a problem hiding this comment.
if will be conditionally since your extra-ntf.mk will be copied in only under the if block
There was a problem hiding this comment.
unresolving till we know if we can use extra-ntf.mk to as a substitute for this patch
There was a problem hiding this comment.
extra-ntf.mk will be present in your repo/core/
There was a problem hiding this comment.
@krsna1729 The sample plugin repos don't have the core directory so this complicates things - however we now have extra-ntf.mk in the plugin directory to take care of this so I think this is good to resolve.
There was a problem hiding this comment.
@nevelis i meant repo/modules
There was a problem hiding this comment.
but i guess they are not looking at modules/mk
There was a problem hiding this comment.
really wish we can fix the plugin model build then we can use ntf that way. Also move our modules to plugin mechanism too.
#4
|
retest this please |
|
Can one of the admins verify this patch? |
2 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
@krsna1729 , question on the pipeline: NTF keeps (bidirectional) connection state. Right now we have two different modules for uplink and downlink, but this doesn't cover certain use cases. Can we have both uplink and downlink pipelines pass through the same module? Or is there another way to communicate (bidirectional) connection state? |
|
@yiannisy take a look at NAT module in BESS one worker
two worker i.e., one per pipeline
|
|
@krsna1729 do we have to do something ourselves for the container-based-verification and fossa-verification to complete? |
|
retest this please |
|
retest this please |
3 similar comments
|
retest this please |
|
retest this please |
|
retest this please |
Network tokens are an open and secure method for end users and application providers to coordinate with the network about how their traffic is treated (e.g., to access a 5G slice, a firewall whitelist, or a zero-rating service). They replace complex, insecure, and privacy-invasive DPI application signatures with a deterministic and unified mechanism to expose datapath services. Build the image with `--build-arg ENABLE_NTF=1` to enable NTF.
|
retest this please |
Co-authored-by: Saikrishna Edupuganti <krsna1729@users.noreply.github.com>
|
retest this please |
|
retest this please |
Network Tokens Support for upf-epc
This PR adds preliminary support for Network Tokens to upf-epc/bess and installs Network Token Function (NTF) modules in the uplink and downlink pipelines.
Background
Network tokens are an open and secure method for end users and application providers to coordinate with the network about how their traffic is treated ( e.g., to access a 5G slice, a firewall whitelist, or a zero-rating service ). They replace complex, insecure, and privacy-invasive DPI application signatures with a deterministic and unified mechanism to expose datapath services.
Network tokens are developed as an IETF I-D standard, and implementation takes place at https://github.com/network-tokens
Usage
To enable Network Token Functions, the build argument ENABLE_NTF should be non-empty. Add
--build-arg ENABLE_NTF=1to your docker build command.Known Issues/Limitations
The encryption key is hard-coded for testing purposes
Compiling without ENABLE_NTF set breaks because the patch that gets applied unconditionally adds
-lcjose -ljanssonto ALWAYS_LIBS. This should only get added if ENABLE_NTF is set.If NTF is enabled at build time it will be enabled all the time. This can be changed by overriding
conf/spgwu.jsonand building another image with"enable_ntf": falsein the configuration.We have built & verified the module shows in the pipeline correctly but since CIAB's UE doesn't work with upf-epc correctly, we haven't been able to test traffic flowing through the NTF module yet.
Feedback and Questions
The distributed version of cjose is too old to work with our token decryption so we are compiling from source. I'm doing this in the same way that DPDK does it. Is there a better way to do this for third party sources?
Is setting an argument at compile time the right way to enable NTF? Should this be compiled in all the time and enabled with an environment variable or some other configuration mechanism? Right now it is a flag in a config file that gets set at build time. We could use an environment variable that gets set by the container host, or load the configuration from somewhere
How does spgwu.conf get loaded/distributed? Is there some site-specific override for this or is a file with the right values compiled in as needed?