
Commit 693b46a

faq/join_infra: Firewall configuration update (#131)
* faq/join_infra: split FW config to its own page and update it

  Questions:
  1. Is this split better? (I think it makes sense, because this way we can send the direct link to just that info to network operators when prodding them to fix the firewall.)
  2. What did I forget in outgoing connections?

* faq/join_infra: cosmetic changes

* change title and add an intro sentence
1 parent e41938a commit 693b46a

2 files changed

+52
-39
lines changed


content/faq/as_connectivity.md

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
---
2+
title: SCIONLab AS connectivity requirements
3+
parent: Frequently Asked Questions
4+
nav_order: 11
5+
---
6+
7+
This page lists the connectivity requirements for running a SCIONLab AS. Any firewalls or other network equipment must be configured to allow these.
8+
9+
# Incoming connectivity requirements
10+
11+
| Protocol | Port | Source | Comment |
12+
| :------------- | :----------: | :-----------: | -----------: |
13+
| ALL | | ESTABLISHED | |
14+
| ICMP, ICMP6 | | 0.0.0.0/0 | Heartbeats |
15+
| UDP | 50000--50010 | 0.0.0.0/0 | SCION inter-AS connectivity |
16+
| UDP | 30000 - 35000 | machines in the same SCION AS | SCION intra-AS connectivity |
17+
| TCP | 22 | 82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24 | Administrative SSH access for configuration management |
18+
| TCP | 443 | 82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24 | Administrative ILO/MGMT access (for physical machines) |
19+
20+
{% include alert type="note" content="
21+
Inter-AS connectivity is required only with the neighbouring ASes. In order to allow dynamic topology adjustments we recommend firewall opening for 0.0.0.0/0. In most cases, after determining the best neighbours for your AS, we can provide a narrowed-down list of networks.
22+
" %}
23+
24+
{% include alert type="note" content="
25+
As an alternative we can also operate connections over a tunnel, e.g. OpenVPN or Wireguard. However please note this will be done only in a special scenarios, e.g. installing a node in a country with strict network policy regarding connectivity abroad. In that case UDP connectivity can be stricter, but inbound SSH connectivity from networks listed above must work.
26+
" %}
27+
28+
{% include alert type="note" content="
29+
The ICMP connectivity is required for diagnosing the state of the network in case of any issues with the node. In case it is not provided, the node will be considered down as soon as it's not reachable via SSH without further investigations.
30+
" %}
31+
32+
# Outgoing connectivity requirements
33+
34+
| Protocol | Port | Destination | Comment |
35+
| :------------- | :----------: | :-----------: | ---------------: |
36+
| ALL | | ESTABLISHED | |
37+
| ICMP, ICMP6 | | 0.0.0.0/0 | Heartbeats |
38+
| UDP | 50000--50010 | 0.0.0.0/0 | SCION inter-AS connectivity |
39+
| UDP | 30000--35000 | machines in the same SCION AS | SCION intra-AS connectivity |
40+
| TCP | 80, 443 | 0.0.0.0/0 | Software updates, monitoring |
41+
| UDP | 51820 | 82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24 | Administrative access for monitoring |
42+
43+
Additionally, reliable DNS and NTP services must be accessible (but may be provided by the local network).
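Review bot: The ICMP6 rows in both tables (`| ICMP, ICMP6 | | 0.0.0.0/0 | Heartbeats |`) give an IPv4-only source/destination; `0.0.0.0/0` matches no IPv6 traffic, so an operator who copies the matrix literally will still drop ICMPv6, and per the note under the incoming table the node will then be treated as down as soon as SSH is unreachable. Add `::/0` next to `0.0.0.0/0` on those rows, and decide whether the UDP 50000--50010 inter-AS row needs `::/0` too if any neighbour links run over IPv6. Two smaller points, the first of which answers the commit message's question about what is missing from outgoing connections: the closing sentence requires DNS and NTP, but the outgoing table has no rows for them, so a network operator who reads only the table will omit UDP/TCP 53 and UDP 123; add explicit rows (or name the local resolvers and time servers the node will use) so the table stands on its own. Also, the comment on the outgoing `UDP 51820` row, "Administrative access for monitoring", should say that this is the WireGuard tunnel (51820 is WireGuard's default port) so it can be matched with the tunnel note above; the port-range notation is mixed (`50000--50010` versus `30000 - 35000` in the incoming table), and "in a special scenarios" should read "in special scenarios".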

content/faq/join_infrastructure.md

Lines changed: 9 additions & 39 deletions
@@ -15,13 +15,13 @@ This page is supposed to give you a general overview over joining as a part of t
1515

1616
## Procedure
1717

18-
- [Get in contact with us](../../#contact) telling you want to join the infrastructure.
19-
- Once the node(s) are ready on your side, create a `scionlab` user with full `sudo` rights and access for the SCIONLab team.
20-
- The SCIONLab admins will perform measurements to find the most appropriate neighbors to your AS. We will notify you of the result.
21-
- Once the neighboring ASes have been decided, the administrators will install SCION services and configure monitoring for the node(s).
22-
- Your AS is now connected to the infrastructure of SCIONLab and hosts within your network now have direct access to SCIONLab.
18+
1. [Get in contact with us](../../#contact) telling you want to join the infrastructure.
19+
2. Once the node(s) are ready on your side, create a `scionlab` user with full `sudo` rights and access for the SCIONLab team.
20+
3. The SCIONLab admins will perform measurements to find the most appropriate neighbors to your AS. We will notify you of the result.
21+
4. Once the neighboring ASes have been decided, the administrators will install SCION services and configure monitoring for the node(s).
22+
5. Your AS is now connected to the infrastructure of SCIONLab and hosts within your network now have direct access to SCIONLab.
2323

24-
Once the node(s) are part of the SCIONLab infrastructure, their configuration will be centrally managed via Ansible in order to keep the whole infrastructure in the best shape. You will not be required to take any action as long as the machine remains accessible for us.
24+
Once the node(s) are part of the SCIONLab infrastructure, their configuration will be centrally managed via Ansible in order to keep the whole infrastructure in the best shape. You will not be required to take any action as long as the machine remains accessible to us.
2525

2626
## Requirements
2727

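Review bot: Step 2 of the renumbered procedure (`2. Once the node(s) are ready on your side, create a `scionlab` user with full `sudo` rights and access for the SCIONLab team.`) leaves "access" undefined: it does not say that the access is SSH, which public keys to place in that account's `authorized_keys`, or that inbound TCP 22 from the administrative networks on the connectivity page must already be open at this point. Since this account is the foothold for the Ansible-managed configuration described in the paragraph below, spell out the mechanism (key-based SSH login, where the team's keys come from, and whether password login for the account should be disabled) and point to the connectivity page here so the firewall is opened before the measurements in step 3 start.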
@@ -30,40 +30,10 @@ There are a few requirements for you or your organization to join SCIONLab as an
3030
- Infrastructure ASes and nodes are required to be active 24 hours a day, 7 days a week. The SCIONLab administrators can typically handle all SCION related problems, but sometimes they will contact you if they cannot perform certain tasks. An example would be to change a drive if it failed, etc.
3131
- The machine should have a minimum of 4 CPUs, 8 GB of RAM and 40 GB of disk space. In most of the cases a VM can suffice.
3232
- OS for the SCION infrastructure node must be Ubuntu 18.04.
33-
- The border router node(s) must have a public static IP. Any other SCION services can run with private static IP.
34-
- Firewall has to be configured according to the connectivity matrix below.
33+
- The border router node(s) must have a public static IP address. Any other SCION services can run with private static IP addresses.
34+
- Any firewalls affecting the node must be configured according to the [SCION AS connectivity matrix](./as_connectivity.html).
3535

36-
### Incoming connectivity requirements
37-
38-
| Protocol | Port | Source | Comment |
39-
| :------------- | :----------: | :-----------: | -----------: |
40-
| ALL | | ESTABLISHED | |
41-
| ICMP | | 0.0.0.0/0 | Heartbeats |
42-
| UDP | 50000--50010 | 0.0.0.0/0 | SCION inter-AS connectivity |
43-
| UDP | 30000 - 35000 | machines in the same SCION AS | SCION intra-AS connectivity |
44-
| TCP | 22 | 82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24 | Administrative SSH access for configuration management |
45-
| TCP | 443 | 82.130.64.0/18<br> 129.132.0.0/16<br> 195.176.96.0/19<br> 192.33.87.0/24<br> 192.33.88.0/23<br> 192.33.91.0/24<br> 192.33.92.0/24<br> 192.33.93.0/24<br> 192.33.94.0/23<br> 192.33.96.0/21<br> 192.33.104.0/22<br> 192.33.108.0/23<br> 192.33.110.0/24 | Administrative ILO/MGMT access (for physical machines) |
46-
47-
{% include alert type="note" content="
48-
Inter-AS connectivity is required only with the neighbouring ASes. In order to allow dynamic topology adjustments we recommend firewall opening for 0.0.0.0/0. In most cases, after determining the best neighbours for your AS, we can provide a narrowed-down list of networks.
49-
" %}
50-
51-
{% include alert type="note" content="
52-
As an alternative we can also operate connections over a tunnel, e.g. OpenVPN or Wireguard. However please note this will be done only in a special scenarios, e.g. installing a node in a country with strict network policy regarding connectivity abroad. In that case UDP connectivity can be stricter, but inbound SSH connectivity from networks listed above must work.
53-
" %}
54-
55-
{% include alert type="note" content="
56-
The ICMP connectivity is required for diagnosing the state of the network in case of any issues with the node. In case it is not provided, the node will be considered down as soon as it's not reachable via SSH without further investigations.
57-
" %}
58-
59-
### Outgoing connectivity requirements
60-
61-
| Protocol | Port | Destination | Comment |
62-
| :------------- | :----------: | :-----------: | -----------: |
63-
| ICMP | | 0.0.0.0/0 | Heartbeats |
64-
| IP | ALL | 0.0.0.0/0 | Outside world |
65-
66-
### Recommendations
36+
## Recommendations
6737

6838
The following are not requirements, but recommendations:
6939

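Review bot: Replacing the inline matrix with the link to `./as_connectivity.html` also changes the outgoing policy, and the commit message does not say so: the removed table allowed `| IP | ALL | 0.0.0.0/0 | Outside world |`, whereas the new page limits outbound traffic to ESTABLISHED, ICMP/ICMP6, UDP 50000--50010, UDP 30000--35000 (intra-AS), TCP 80/443 and UDP 51820 to the administrative networks, plus DNS and NTP in prose. That is a tightening that operators of already-connected nodes may need to act on; call it out in the commit message or on the page, and state whether existing nodes are expected to re-configure. Minor: the link text "SCION AS connectivity matrix" does not match the linked page's title "SCIONLab AS connectivity requirements", and the link hard-codes an `.html` suffix while the other link on this page is written as `../../#contact`; check that the suffix matches how the site generates URLs.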