root / doc / source / index.rst @ f8938aca

1 51ce199a Leonidas Poulopoulos
.. fod documentation master file, created by
   sphinx-quickstart on Wed Oct 16 17:20:20 2013.
   You can adapt this file completely to your liking, but it should at least
   contain the root `toctree` directive.

******************
Firewall on Demand
******************

Description
===========
Firewall on Demand applies flow rules to a network device via NETCONF. These rules are then propagated via eBGP to peering routers. Each user is authenticated against Shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network address range that the user originates from.
FoD is meant to operate over this architecture::

          +-----------+          +------------+        +------------+
          |   FoD     | NETCONF  | flowspec   | ebgp   |   router   |
          | web app   +----------> device     +-------->            |
          +-----------+          +------+-----+        +------------+
                                        | ebgp
                                        |
                                 +------v-----+
                                 |   router   |
                                 |            |
                                 +------------+

NETCONF is chosen as the management protocol to apply rules to a single flowspec-capable device. Rules are then propagated via iBGP to all flowspec-capable routers. Of course, FoD could apply rules directly (always via NETCONF) to a router, and then iBGP would do the rest.
In GRNET's case the flowspec-capable device is an EX4200.

.. attention::
   Make sure your FoD server has SSH access to your flowspec device.

.. attention::
   Installation instructions assume a clean Debian Wheezy with Django 1.4.

Contact
=======
You can find more about FoD or raise your issues at `GRNET FoD repository <https://code.grnet.gr/projects/flowspy>`_.

You can contact us directly at leopoul{at}noc[dot]grnet(.)gr

Install
=======

.. toctree::
   :maxdepth: 2

   install