2012年8月14日 星期二

ACCEL-PPP


Overview
--------
The ACCEL-PPP v1.0 is completly new implementation of PPTP/PPPoE/L2TP which was written from scratch.
Userspace daemon has its own PPP implementation, so it does not uses pppd and one process (multi-threaded) manages all connections.
ACCEL-PPP uses only kernel-mode implementations of pptp/l2tp/pppoe.


Features
--------
1.  Modular architecture
2.  High-performance multi-threaded I/O core
3.  Supported PPTP
4.  Supported PPPoE (including TR-101 extension)
5.  Supported L2TPv2 (without IPsec)
5.  Radius authentication/accounting
6.  Radius DM/CoA extention
7.  Supported authentication types: PAP, CHAP (md5), Microsoft CHAP Extentions (including version 2), not supported - EAP
8.  Supported MPPE
9.  Compression is not supported
10. Extensible logging engine with per session logging support, implemented log to file, log to remote host and log to PostgreSQL targets
11. Extensible user/password database, implemented Radius, pppd compatible chap-secrets sources
12. Extensible IP pool, implemented Radius, chap-secrets and static pools
13. Supported pppd compatible ip-up/ip-down scripts
14. Builtin tbf/htb shaper manager
15. Command line interface via telnet
16. SNMP support (master or subagent via AgentX)


Requirment
----------
1. modern linux distribution
2. kernel-2.6.25 or later
4. cmake-2.6 or later
5. libnl-2.0 or probably later (required for builtin shaper)
6. libcrypto-0.9.8 or probably later (openssl-0.9.8)
7. libpcre
8. net-snmp-5.x 


Compilation and instalation
-----------
Make sure you have configured kernel headers in /usr/src/linux,
or specify other location via KDIR.
1. cd /path/to/accel-ppp-1.3.5
2. mkdir build
3. cd build
4. cmake [-DBUILD_DRIVER=FALSE] [-DKDIR=/usr/src/linux] [-DCMAKE_INSTALL_PREFIX=/usr/local] [-DCMAKE_BUILD_TYPE=Release] [-DLOG_PGSQL=FALSE] [-DSHAPER=FALSE] [-DRADIUS=TRUE] [-DNETSNMP=FALSE] ..
   Please note that the double dot record in the end of the command is essential. You'll probably get error or misconfigured sources if you miss it.
   BUILD_DRIVER, KDIR, CMAKE_INSTALL_PREFIX, CMAKE_BUILD_TYPE, LOG_PGSQL, SHAPER, RADIUS  are optional,
   But while pptp is not present in mainline kernel you probably need BUILD_DRIVER.
   For example:
   cmake -DBUILD_DRIVER=TRUE ..
   will configure sources to build pptp driver, search kernel headers at /usr/src/linux, install to /usr/local,
   build with no debug, pgsql and shaper support, build with radius support.
5. If you want to use chap-secrets for authentication purpose then you need to disable radius support, configure as following:
   cmake -DBUILD_DRIVER=TRUE -DRADIUS=FALSE ..
   of course you can include additional options if needed.
6. make
7. make install


Configuration
-------------
read man accel-ppp.conf


Built-in shaper
--------------
accel-ppp supports tbf and htb based shaper manager.
To enable it uncomment shaper in [modules] section.
It accepts radius attributes in various formats: rate, down-rate/up-rate and cisco-like. Values have to be in kilobits except cisco-like.
For example:
Filter-Id=1000 (means 1000Kbit both up-stream and down-stream rate)
Filter-Id=2000/3000 (means 2000Kbit down-stream rate and 3000Kbit up-stream rate)
To change radius attribute which containes rate information use 'attr' option, for example:
[shaper]
attr=My-Custom-Rate-Attribute
of course this attribute have to be in radius dictionary.
To specify different attributes for down-stream and up-stream rates use 'attr-down' and 'attr-up' options, for example:
[shaper]
attr-down=PPPD-Downstream-Speed
attr-up=PPPD-Upstream-Speed

If you want to use cisco-like format configure accel-ppp as following:
[shaper]
vendor=Cisco
attr=Cisco-AVPair
and send two attributes:
Cisco-AVPair=lcp:interface-config#1=rate-limit input 2000000 8000 8000 conform-action transmit exceed-action drop (which means 2000Kbit up-stream rate and 8Kb burst)
Cisco-AVPair=lcp:interface-config#1=rate-limit output 2000000 8000 8000 conform-action transmit exceed-action drop (which means 2000Kbit down-stream rate and 8Kb burst)


Advanced shaper using
---------------------
1. Burst configuration.
If you not using cisco-like format then burst calculates from rate and specified burst factors.
To specify burst factors use 'down-burst-factor' and 'up-burst-factor' options, for example:
[shaper]
down-burst-factor=1.0
up-burst-factor=10.0
which means that burst for tbf/htb qdisc will be calculated as down-stream rate multiply to 1.0 and burst for policer/htb will be calculated as up-stream rate multiply to 10.0.

2. Time ranges.
You can specify time ranges to authomatic rate reconfiguration.
To specify time ranges use following sample configuration:
[shaper]
time-range=1,1:00-3:00
time-range=2,3:00-5:00
time-range=3,5:00-7:00
first number is time range identifier.
To specify time range specific rates use following format of radius attributes: range-id,rate, range-id,down-rate/up-rate or cisco-like, for example:
Filter-Id=1000
Filter-Id=1,2000
Filter-Id=2,3000
Filter-Id=3,4000
which means: set 1000Kbit by default, set 2000Kbit in time range 1, set 3000Kbit in time range 2, set 4000Kbit in time range 3.
You have to pass multiple Filter-Id attributes to utilize this functionality.
Or cisco-like:
Cisco-AVPair=lcp:interface-config#1=rate-limit output access-group 1 1000000 8000 8000 conform-action transmit exceed-action drop
Cisco-AVPair=lcp:interface-config#1=rate-limit input access-group 1 1000000 8000 8000 conform-action transmit exceed-action drop
and so on...

3. chap-secrets.
If you use chap-secrets instead of radius then there is way to utilize built-in shaper too.
The optional fifth column in chap-secrets file is used to pass rate information to shaper.
Its format is same as for radius attributes, except you cann't utilize time ranges functionality.


SNMP
----
SNMP is implemented using net-snmp libraries. By default accel-ppp starts in subagent mode,
so make sure that net-snmp configured with subagent control turned on (read net-snmp's README.agentx for more details).
Also you can start accel-ppp as master agent using following configuration:
[snmp]
master=1

Usage:
Place accel-pppd/extra/net-snmp/ACCEL-PPP-MIB.txt to your mibs directory.
Also you can find used numerical oids in this file.
1. Requesting statistics:
snmpwalk -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::accelPPPStat
2. Requesting sessions:
snmptable -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::sessionsTable
3. Terminate session by session identifier (Acct-Session-ID):
snmpset -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::termBySID.0 = 0000000000000001
4. Terminate session by interface name:
snmpset -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::termByIfName.0 = ppp2
5. Terminaten session by IP address (Framed-IP-Address):
snmpset -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::termByIP.0 = 192.168.10.10
6. Terminate session by username:
snmpset -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::termByUsername.0 = user1
7. Execute cli command:
snmpset -m +ACCEL-PPP-MIB -v 2c -c local 127.0.0.1 ACCEL-PPP-MIB::cli.0 = "shaper change all 1024 temp"



Warning !!!
-----------
1. The pptp driver conflicts with ip_gre driver (in kernel), so make sure that ip_gre is not built-in or loaded at run time
   (don't matter if you have 2.6.37 or later kernel).
2. Don't mix connections of accel-ppp and poptop's pptpd, before starting accel-ppp make sure that no connections
   of pptpd exists.


Contacts
--------
http://accel-ppp.sourceforge.net/
mail: xeb@mail.ru
ICQ: 337258064
Jabber: xeb@xeb.homelinux.net

Using pppoe kernel-mode, HOW-TO

Ref:http://norean.freecontrib.org/nakooki/SVN/snapshot/nakooki/0.3/docs/pppoe-HOW-TO.html

2012年8月7日 星期二

Linux 無線網路 WEP/WPA 手動設定(iwpriv


個人用的無線網路的加密大概可分以下幾種:
OPEN/NONE 完全無加密,人人皆可用
OPEN/WEP 使用WEP靜態加密,防君子不防小人
SHARE/WEP 使用WEP靜態加密,防君子不防小人
WPA/TKIP, AES, or TKIP/AES 使用WPA加密,算是比較安全的方式
WPA2/TKIP, AES, or TKIP/AES WPA的升級版
WPAWPA2/TKIP, AES, or TKIP/AES 混合WPA/WPA2的相容模式

以下按設定的分為三種:無加密,WEP靜態加密跟WPA動態加密
無加密(OPEN/NONE)
ifconfig ra0 up
iwpriv ra0 set NetworkType=Infra
iwpriv ra0 set AuthMode=OPEN
iwpriv ra0 set EncrypType=NONE
iwpriv ra0 set SSID="dht"
dhclient ra0

WEP靜態加密
OPEN/WEP
ifconfig ra0 up
iwconfig ra0 essid "dht"
iwconfig ra0 key open
iwconfig ra0 key aabbccddee *注1
iwconfig ra0 mode managed 

SHARE/WEP
killall wpa_supplicant
ifconfig ra0 up
iwconfig ra0 essid "dht"
iwconfig ra0 key restricted
iwconfig ra0 key aabbccddee *注1
iwconfig ra0 mode managed 

*注:加密金鑰的寫法可以是
十六進位表示法(10或者26個十六進位數字):31323334353637383930
ASCII字元表示法(5或13個英文字母):s:1234567890

WPA/WPA2
killall wpa_supplicant
ifconfig ra0 up
wpa_passphrase dht 123456789 > /tmp/wpa.conf *註2
wpa_supplicant -BDwext -ira0 -c/tmp/wpa.conf
dhclient ra0

*註2:WPA的共享金鑰長度是8~32bytes

應用上述幾種方法,大概就可以解決所有個人無線網路設定的問題

延伸閱讀:
Ubuntu Linux 設定 Wirelss(WiFi) WPA
How To: Manual Network Configuration without the need for Network Manager.

DNSSEC安全技術簡介 作者:游子興 / 臺灣大學計算機及資訊網路中心網路組約聘幹事 DNS 是一套已經廣泛使用的Internet 服務,但因先天的技術限制導致容易成為駭客攻擊的目標。本文主要在介紹DNSSEC 之緣起與技術背景,及其使用的加解密技術如何確保資料的完整...