Rahu Network Access Server

Transcript of Rahu Network Access Server

Page 1: Rahu Network Access Server

Neutron Soutmun [email protected]

RahuNAS Core Team

September 27, 2009, Debian MiniDebConf 2009, Taiwan

Page 2: Rahu Network Access Server

Introduction

What is RahuNAS?

Word combination

Rahu: the daemon that swallows the sun or the moon. NAS: Network Access Server.

Short description

RahuNAS is an extended ipset (an iptables/netfilter extension) together with a daemon and helper scripts, which provides a web-based network authentication system, also known as a captive portal.

Page 4: Rahu Network Access Server

Introduction

Where is RahuNAS in the network?

Page 5: Rahu Network Access Server

Software Goals

Fast: does not add too much delay to packet forwarding.

More stable: available whenever users request it.

Traffic control: capable of controlling the users' bandwidth.

Scalable: capable of handling multiple networks.

Page 6: Rahu Network Access Server

System Requirements

Debian GNU/Linux 5.0 (Lenny): server OS.

iptables/netfilter (included with the mainstream kernel) with the ipset + RahuNAS patch.

ipset with the RahuNAS patch: the special firewall.

FreeRADIUS: AAA (Authentication, Authorization, Accounting).

PostgreSQL: database to store user information.

DHCP and DNS server.

Page 7: Rahu Network Access Server

Existing captive portal software

chillispot: open source Linux daemon.

CoovaChilli: open source software access controller, based on chillispot.

captivator-gw: open source, Perl-based, written by Dale W. Carder at the University of Wisconsin Board of Regents.

etc.

Page 8: Rahu Network Access Server

Existing captive portal software

Review of existing software: chillispot

Advantages

Well known, used worldwide.

Disadvantages

The daemon is not stable enough under high load.

The project seems to be abandoned.

It does not scale well; it may or may not run multiple networks on a single server.

Some overhead over the tunneling interface (tunX, tapX); sometimes it is a bottleneck.

Page 9: Rahu Network Access Server

Existing captive portal software

Review of existing software: CoovaChilli

Advantages

Project still alive.

More documentation and tools than chillispot.

Fewer problems when migrating from chillispot.

Disadvantages

The major disadvantages are the same as chillispot's.

Page 10: Rahu Network Access Server

Existing captive portal software

Review of existing software: captivator-gw

Advantages

Simple.

Scalable, capable of handling multiple networks.

Disadvantages

Simple firewall technique: every additional user adds another rule, so rule evaluation grows with the number of users (a slowdown, at least in theory).

Page 11: Rahu Network Access Server

Why was RahuNAS born?

Problem

As mentioned before, none of the existing software actually matches our software goals.

Solution

A. Seek yet another piece of software? or B. Construct it myself?

Answer

B. Construct it myself ← RahuNAS was born here.

Page 14: Rahu Network Access Server

How to meet the software goals?

If our software meets the 4 major goals

meet Fast

meet more Stable

meet Traffic control

meet Scalable

it is enough for our simple authentication system.

Page 20: Rahu Network Access Server

How to meet the software goals?

meet Fast

Most wanted

We need a special firewall.

Special firewalls

High number of rules: fast matching algorithms.

Often-changed rules: storage structures which can be changed fast.

Low-RAM machines: memory-optimized storage structures.

Reference: Jozsef Kadlecsik - 6th Netfilter workshop, Paris, 29.09.2008

Page 21: Rahu Network Access Server

How to meet the software goals?

meet Fast

Special firewalls: iptables?

High number of rules: slow. Linear evaluation.

Often-changed rules: slow. The whole ruleset (stored as one blob) is passed back and forth between kernel and userspace to add or delete a single rule.

Medium RAM requirements.

Reference: Jozsef Kadlecsik - 6th Netfilter workshop, Paris, 29.09.2008

Page 22: Rahu Network Access Server

How to meet the software goals?

meet Fast

Special firewalls: nf-hipac?

nf-hipac: http://www.hipac.org/

High number of rules: fast. Complex matching algorithms.

Often-changed rules: fast. Only the new or to-be-deleted rule is passed; hashes, trees.

Memory requirements: ?

Reference: Jozsef Kadlecsik - 6th Netfilter workshop, Paris, 29.09.2008

Page 23: Rahu Network Access Server

How to meet the software goals?

meet Fast

Special firewalls: ipset?

ipset: http://ipset.netfilter.org/

High number of rules: fast. Simple algorithms.

Often-changed rules: fast. Only the new or to-be-deleted entry is passed; arrays, hashes, trees.

Memory requirements can be low.

Reference: Jozsef Kadlecsik - 6th Netfilter workshop, Paris, 29.09.2008

Page 24: Rahu Network Access Server

How to meet the software goals?

meet Fast

Reference: Jozsef Kadlecsik - 6th Netfilter workshop, Paris, 29.09.2008

Page 25: Rahu Network Access Server

How to meet the software goals?

meet Fast

Choices

A. nf-hipac or B. ipset

Choosing

B. ipset ← a good choice, simpler than nf-hipac.

Then hack

hack: macipmap → rahunas

reason: it is conventional for an authentication system to identify a user by IP address and MAC address together, which is exactly what the macipmap set type stores.

why: we need to keep each user's idle time for idle-timeout checking, and macipmap has no such counter.

todo: add the code that tracks each user's idle time in the set.

Page 26: Rahu Network Access Server

How to meet the software goals?

meet Fast

Before

# ipset -nL
Name: rahunasnet
Type: macipmap
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE
Bindings:

Page 27: Rahu Network Access Server

How to meet the software goals?

meet Fast

After

# ipset -nL
Name: rahunasnet
Type: rahunas
References: 4
Default binding:
Header: from: 192.168.1.0 to: 192.168.1.255
Members:
192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds
Bindings:

Page 28: Rahu Network Access Server

How to meet the software goals?

meet Fast

How to state the idle time?

Idle-time reset condition

192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 81 seconds

Authenticated user's packet → RahuNAS → Internet

Authenticated user's packet ← RahuNAS ← Internet

192.168.1.13:00:AA:BB:CC:DD:EE ==> idle 0 seconds

A forwarded packet belonging to an authenticated user, in either direction, resets that user's idle counter to 0; the counter only grows while no packet is seen, and the idle-timeout check compares it against the configured limit.

Page 31: Rahu Network Access Server

How to meet the software goals?

meet more Stable

RahuNAS daemon

Keep it simple and stupid; it does not try to handle any complex tasks.

Provides an internal state database powered by sqlite3, so that it resumes operation after accidents such as power loss or a daemon crash.
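The idle counter introduced by the macipmap → rahunas hack (Page 25), the reset rule from Page 28 and the sqlite3 state database described just above, modelled together in Python as an added example. This is not RahuNAS's own code: the real daemon is written in C and the counter lives in the patched kernel set type, whereas here it is kept in user space. The table layout, the function names, the 300/600-second timeouts and the two sample clients are assumptions made for this example.

```python
"""Added illustration (not RahuNAS's own code) of a per-(IP, MAC) idle
counter that any forwarded packet resets, plus an sqlite3-backed state
table from which a restarted daemon resumes.  Table layout, names,
timeouts and sample clients are assumptions made for the example."""
import sqlite3

IDLE_TIMEOUT = 600  # seconds; assumed default for the example


def open_state(path=":memory:"):
    """Open (or create) the daemon's state database.  A real daemon passes
    a file path so the table survives a crash; ":memory:" keeps the
    example self-contained."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS session ("
        "  ip TEXT NOT NULL, mac TEXT NOT NULL, username TEXT NOT NULL,"
        "  last_seen INTEGER NOT NULL, PRIMARY KEY (ip, mac))")
    db.commit()
    return db


class SessionTable:
    """Authenticated clients keyed by (ip, mac), like the rahunas set."""

    def __init__(self, db, idle_timeout=IDLE_TIMEOUT):
        self.db = db
        self.idle_timeout = idle_timeout
        # Resume: reload whatever the previous daemon instance committed.
        self.active = {(ip, mac): seen for ip, mac, seen in
                       db.execute("SELECT ip, mac, last_seen FROM session")}

    @staticmethod
    def key(ip, mac):
        return (ip, mac.lower())

    def login(self, ip, mac, username, now):
        k = self.key(ip, mac)
        self.db.execute("INSERT OR REPLACE INTO session VALUES (?, ?, ?, ?)",
                        (k[0], k[1], username, int(now)))
        self.db.commit()
        self.active[k] = int(now)

    def logout(self, ip, mac):
        k = self.key(ip, mac)
        self.db.execute("DELETE FROM session WHERE ip = ? AND mac = ?", k)
        self.db.commit()
        self.active.pop(k, None)

    def is_authenticated(self, ip, mac):
        # One hash lookup per packet whatever the user count: the reason
        # for a set type rather than one iptables rule per user.
        return self.key(ip, mac) in self.active

    def touch(self, ip, mac, now):
        """Forwarded packet seen in either direction (user -> Internet or
        Internet -> user): reset that user's idle counter.  Unknown pairs
        are ignored, just as the set match would not match them."""
        k = self.key(ip, mac)
        if k not in self.active:
            return False
        self.active[k] = int(now)
        return True

    def idle_seconds(self, ip, mac, now):
        return int(now) - self.active[self.key(ip, mac)]

    def listing(self, now):
        """Members in the style of the patched 'ipset -nL' output."""
        return ["%s:%s ==> idle %d seconds" % (ip, mac.upper(), int(now) - seen)
                for (ip, mac), seen in sorted(self.active.items())]

    def expire(self, now):
        """Idle-timeout sweep: log out and return every session idle for
        longer than idle_timeout.  The removal is committed so a restart
        does not resurrect an expired session."""
        gone = [k for k, seen in self.active.items()
                if int(now) - seen > self.idle_timeout]
        for ip, mac in gone:
            self.logout(ip, mac)
        return gone

    def checkpoint(self):
        """Flush idle timestamps to sqlite3 periodically rather than per
        packet; after a crash a session can look at most one checkpoint
        interval fresher than it really was."""
        self.db.executemany(
            "UPDATE session SET last_seen = ? WHERE ip = ? AND mac = ?",
            [(seen, ip, mac) for (ip, mac), seen in self.active.items()])
        self.db.commit()


def demo(now=1_000_000):
    """Constructed scenario: two logins, one keeps talking, the other goes
    idle past the timeout, then the daemon 'crashes' and resumes."""
    db = open_state()
    t = SessionTable(db, idle_timeout=300)
    t.login("192.168.1.13", "00:AA:BB:CC:DD:EE", "alice", now)
    t.login("192.168.1.20", "00:11:22:33:44:55", "bob", now)
    t.touch("192.168.1.13", "00:aa:bb:cc:dd:ee", now + 200)  # reply packet
    expired = t.expire(now + 400)  # bob: 400 s idle > 300 s
    t.checkpoint()
    resumed = SessionTable(db, idle_timeout=300)  # new daemon instance
    return {"expired": expired,
            "alice_idle": resumed.idle_seconds("192.168.1.13", "00:AA:BB:CC:DD:EE", now + 400),
            "bob_still_in": resumed.is_authenticated("192.168.1.20", "00:11:22:33:44:55"),
            "listing": resumed.listing(now + 400)}


if __name__ == "__main__":
    for line in demo()["listing"]:
        print(line)
```

The design choice worth noticing is that the per-packet path (touch, is_authenticated) never touches the database; only login, logout, expire and the periodic checkpoint do, which is what keeps the "fast" goal and the "more stable" goal compatible.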

Page 32: Rahu Network Access Server

How to meet the software goals?

meet more Stable

RahuNAS daemon

Written in C.

License: GPL-2, 100% open source.

GLib

libgnet (XML-RPC server/client)

Page 33: Rahu Network Access Server

How to meet the software goals?

meet more Stable

RahuNAS daemon security

Listens on localhost (127.0.0.1) only; the web-based login page runs on the same host.

TODO: add encryption between the XML-RPC server and client. This is needed if we want to run RahuNAS and the web-based login page on different hosts.
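How the login page and the daemon talk, as an added Python example that is not RahuNAS's own code (the real daemon uses libgnet's XML-RPC in C and the web side uses PHP PEAR). It shows the point of the slide above: until the encryption TODO is done the XML-RPC channel is plaintext and unauthenticated, so anything that can reach it can authorise an arbitrary IP/MAC pair; binding the daemon to 127.0.0.1, and re-checking the peer address on every connection, is what keeps it off-host. The method names startsession/stopsession/getsessions, the OS-chosen port and the sample client are assumptions made for this example.

```python
"""Added illustration (not RahuNAS's own code) of a loopback-only XML-RPC
control channel between the web login page and the daemon.  Method
names and the sample client are assumptions made for the example."""
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer


class LoopbackOnlyXMLRPCServer(SimpleXMLRPCServer):
    """The transport is plaintext and unauthenticated, so reachability is
    the only access control: bind to 127.0.0.1 and, as defence in depth,
    refuse any connection whose peer is not the loopback address."""

    def verify_request(self, request, client_address):
        return client_address[0] == "127.0.0.1"


class SessionControl:
    """Daemon side.  In RahuNAS these calls end up as add/delete on the
    rahunas set; here they update a dict."""

    def __init__(self):
        self.sessions = {}

    def startsession(self, ip, mac, username):
        self.sessions[(ip, mac.lower())] = username
        return True

    def stopsession(self, ip, mac):
        return self.sessions.pop((ip, mac.lower()), None) is not None

    def getsessions(self):
        return ["%s,%s,%s" % (ip, mac, user)
                for (ip, mac), user in sorted(self.sessions.items())]


def start_daemon(port=0):
    """Serve XML-RPC on the loopback interface in a background thread and
    return (server, control, bound_port).  port=0 lets the OS pick a free
    port so the example runs anywhere."""
    control = SessionControl()
    server = LoopbackOnlyXMLRPCServer(("127.0.0.1", port), logRequests=False)
    server.register_instance(control)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, control, server.server_address[1]


def weblogin_authorise(port, ip, mac, username):
    """What the login page does once FreeRADIUS has accepted the user's
    credentials: ask the daemon on localhost to open the session."""
    proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d/" % port)
    return proxy.startsession(ip, mac, username)


def demo():
    """Constructed exchange: authorise one client, list, then log it out."""
    server, control, port = start_daemon()
    try:
        ok = weblogin_authorise(port, "192.168.1.13", "00:AA:BB:CC:DD:EE", "alice")
        proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d/" % port)
        listed = proxy.getsessions()
        stopped = proxy.stopsession("192.168.1.13", "00:aa:bb:cc:dd:ee")
        return {"ok": ok, "listed": listed, "stopped": stopped,
                "bound_to": server.server_address[0],
                "after": control.getsessions()}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Note that the loopback bind protects only against other hosts: any local user who can open a TCP connection to the port can still call startsession, so the host running the login page must itself be trusted.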

Page 34: Rahu Network Access Server

How to meet the software goals?

meet more Stable

Web-based login

iptables rules intercept connections from unauthenticated clients and redirect them to the web-based login page.

Apache2 and PHP5 serve the users' login requests.

PHP PEAR is used for the FreeRADIUS and XML-RPC communication.

Page 35: Rahu Network Access Server

How to meet the software goals?

meet Traffic control

RahuNAS daemon

To keep it simple, the daemon does not handle traffic control itself but leaves it to iproute2 (tc).

BitTorrent blocking is optional (the layer 7 filter extension is needed).

Page 36: Rahu Network Access Server

How to meet the software goals?

meet Scalable

RahuNAS daemon

Provides the capability of authenticating multiple networks.

VLANs, or two or more NICs, can be handled by a single server.

Page 37: Rahu Network Access Server

RahuNAS in action

Proof-of-concept code test

After all the hacks and some coding from scratch, we finally have a simple authentication system which meets the 4 major goals. Now it needs testing.

Page 38: Rahu Network Access Server

RahuNAS in action

RahuNAS login page

Page 39: Rahu Network Access Server

RahuNAS performance

More than 2000 concurrent users

Site reference

Khon Kaen University, Thailand

Page 40: Rahu Network Access Server

RahuNAS performance

A whole week

Site reference

Khon Kaen University, Thailand

Page 41: Rahu Network Access Server

RahuNAS performance

Bandwidth status

Site reference

Khon Kaen University, Thailand

Page 42: Rahu Network Access Server

Additional tools in RahuNAS project

Additional tools

RahuNAS Drupal module

RahuNAS Drupal theme (based on RootCandy)

RahuNAS Cacti plugin

Page 43: Rahu Network Access Server

Additional tools in RahuNAS project

RahuNAS Drupal module

Description

The RahuNAS Drupal module is a simple FreeRADIUS account manager. It is a Drupal 6 module and takes advantage of Drupal's good design. It also includes simple user access data reports and graphs.

Written by Suriya Soutmun (RahuNAS Core Team)

Page 44: Rahu Network Access Server

Additional tools in RahuNAS project

RahuNAS Drupal module and theme

Page 45: Rahu Network Access Server

Additional tools in RahuNAS project

RahuNAS Cacti plugin

Description

The RahuNAS Cacti plugin adds functions to Cacti such as RahuNAS client monitoring and configuration settings. The Cacti plugin architecture is required (Cacti needs a patch). Cacti is a good RRDtool-based web monitoring software.

Page 46: Rahu Network Access Server

Additional tools in RahuNAS project

RahuNAS Cacti plugin

Page 47: Rahu Network Access Server

Who is using (testing) RahuNAS?

Khon Kaen University, Thailand: now running 4 servers, serving more than 6000 concurrent users.

MahaThai Sueksa, North Eastern School, Khon Kaen, Thailand: now running 1 server, serving at least 150 concurrent users.

Siridhon School, Surin, Thailand: now running 1 server, serving at least 200 concurrent users.

Streesiriket School, Sisaket, Thailand: now running 1 server, serving at least 120 concurrent users.

Manchakiri Hospital, Khon Kaen; Samrongthap Hospital, Surin.

Hopefully, if it proves useful, there will be more in the future.

Page 48: Rahu Network Access Server

Debian Package

git-buildpackage

The RahuNAS and additional tools source code is in a git repository (http://git.rahunas.org), and the awesome tool git-buildpackage is used to maintain the Debian package.

RahuNAS Debian package status

Local, experimental.

Uploaded to the local repository only.

Page 49: Rahu Network Access Server

Debian Package

deb

deb ftp://ftp.rahunas.org/rahunas unstable main

Package list

rahunas - RahuNAS daemon and helper scripts

rahunas-weblogin - RahuNAS web-based login support files

netfilter-extensions - netfilter extensions, including ipset with the RahuNAS patch

rahunas-config-freeradius - autogenerated config files and database preparation for FreeRADIUS to support RahuNAS

linux-image-*+rahunas - the customized kernel build, patched with the layer 7 filter and multi-path routing

drupal6-mod-rahunas - RahuNAS Drupal module

drupal6-theme-rahunas+rootcandy - RahuNAS Drupal theme based on RootCandy, written by Marek Sotak

Page 50: Rahu Network Access Server

Who is sponsoring RahuNAS?

Gold sponsor: Khon Kaen University, Thailand. Provides funding for RahuNAS research and development, as well as the facilities for testing.

Page 51: Rahu Network Access Server

Who is sponsoring RahuNAS?

Gold sponsor: Plawan Central Log, Thailand. Provides funding for RahuNAS research and development. Now considering integrating RahuNAS into their software and distributing it in the free/open source software culture.

Page 52: Rahu Network Access Server

Special Thanks

Special thanks: Software Liberty Association of Taiwan, for giving me the great opportunity to talk at Debian MiniDebConf 2009.

Page 53: Rahu Network Access Server

Follow RahuNAS

Official website: http://www.rahunas.org

Debian package: ftp://ftp.rahunas.org/rahunas

Git repository: http://git.rahunas.org