Initial commit

.gitignore

@@ -0,0 +1,8 @@
+*.pyc
+*.log
+*.swp
+*.pyc
+.DS_Store
+.fuse_*
+*.pid
+*.*~

PSC/Config.py

@@ -0,0 +1,65 @@
+import ConfigParser
+import os
+import copy
+
+
+class Configuration(object):
+
+    _instance = None
+    #(fmignini) Not too meaningful use this var, I should change his name with something else like inizialized = False 
+    _AUTH_SERVER = None
+
+    def __new__(cls, *args, **kwargs):
+
+        if not cls._instance:
+            cls._instance = super(Configuration, cls).__new__(
+                                cls, *args, **kwargs)
+        return cls._instance 
+
+    def __init__(self):
+        #print 'Configuration - PATH : '+os.getcwd()
+        path = copy.copy(os.getcwd())
+        path_dirs = path.split("/")
+        for path_dir in path_dirs:
+            if path_dir == 'tests':
+                self.test = True
+            else:
+                self.test = False
+        #print self.test
+        if self._AUTH_SERVER is None:
+            self.inizialize()
+
+    def inizialize(self): 
+        config = ConfigParser.RawConfigParser()
+        config.read('psc.conf')
+        self._LOG_FILE = 'PSC.log'
+        self._VERBOSE = 'true'
+        self._DEBUG = 'true'
+        self._ORCHESTRATOR_ADDRESS = config.get('configuration', 'orchestrator_address')
+        self._PSA_CONFIG_PATH = config.get('configuration', 'psa_config_path')
+        self._PSC_VERSION = config.get('configuration', 'psc_version')
+        self._PSA_API_VERSION = config.get('configuration', 'psa_api_version')
+
+    @property
+    def LOG_FILE(self):
+        return self._LOG_FILE
+
+    @property
+    def VERBOSE(self):
+        return self._VERBOSE
+
+    @property
+    def ORCHESTRATOR_ADDRESS(self):
+        return self._ORCHESTRATOR_ADDRESS
+
+    @property
+    def PSA_API_VERSION(self):
+        return self._PSA_API_VERSION
+
+    @property
+    def PSC_VERSION(self):
+        return self._PSC_VERSION
+
+    @property
+    def PSA_CONFIG_PATH(self):
+        return self._PSA_CONFIG_PATH

PSC/README.md

@@ -0,0 +1,143 @@
+# Software for the PSC execution environment
+
+These files or functionality need to be part of the PSC execution environment and always running
+
+# Notes about mobility Configuration
+This document describes the necessary steps to configure the mobile environment. We assume the NED is running and properly configured, but we will update the IPSec tunnel configuration though.
+
+The aim of the experiment is to make handover by building a tunnel between the Mobile client and the NED using a wireless link, at a given point in time, the mobile node will move to a different location, thus forcing the handover to another secured access point. Once in associated to the other access point, belonging to a different IP subnetwork, the enduser will not experience any connection disruptions.
+
+For this to work, the mobile node will periodically check the wireless signal power of secured compliant access points. Handover will be enforced when the PSC deems it appropriate, pointing out the best alternative among all the present options. Currently the criteria is solely  based on the signal level.
+
+Then the tasks performed by the Mobile Node are:
+
+1. Tear down the IPSec tunnel
+2. Start the handover process
+3. Establish the new tunnel
+4. Continue the signal power reporting
+
+For testing purposes, we added a REST method in the PSC by which we are able to force the handover. Particularly, it can be invoked by sending a GET request to:
+```
+http://10.2.2.251:8080/forceHandOver
+```
+
+## Scenario
+It is necessary to have two access points with DHCP and a mobile node using NetworManager. We assume that the Access Points are located in different subnetworks, but both have connection visibility to the NED. Particularly, both access points need to be connected to the NED NAT interface.
+
+### Configuration of strongswan in the NED
+We assume that you followed the installation process is specified in [README.md](/secured/app/blob/master/README.md) in strongswan’s directory of NED repository.
+
+In NED add the following lines in ```/etc/strongswan/ipsec.conf``` 
+```
+conn secured
+     left=172.18.0.10 #IP of the NED
+     leftid="C=CH, O=strongSwan, CN=ned-1" #the DN that you use to generate the certificate
+     leftsubnet=0.0.0.0/0
+     leftfirewall=yes
+     leftauth=pubkey
+     leftcert=peerCert.der #the name of the generated certificate on the ipsec.d/certs dir
+     right=%any
+     rightsourceip=10.2.2.2/24
+     rightdns=8.8.8.8
+     rightauth=eap-md5
+     rightsendcert=never
+     auto=add
+```
+
+In client add the following lines in ```/etc/strongswan/ipsec.conf```
+```
+conn secured1 #connection of AP1 
+        ikelifetime=1200s
+        margintime=1100s
+        left=192.168.150.10  # IP of the client, be careful because DHCP assigned dynamic IP
+        leftid=user1         # user to use on the eap authentication (the one configured on both ipsec.secrets files)
+        leftfirewall=yes
+        leftfirewall=yes
+        leftauth=eap-md5
+        leftsourceip=10.2.2.2
+        right=172.18.0.10  #IP of the NED
+        rightid="C=CH, O=strongSwan, CN=ned-1"#the DN that you use to generate the certificate 
+        rightauth=pubkey
+        rightsubnet=0.0.0.0/0
+        auto=add
+
+conn secured2 #connection of AP2
+        ikelifetime=1200s
+        margintime=1100s
+        left=192.168.200.10  #IP of the client, be careful because DHCP assigned dynamic IP
+        leftid=user1  #the one configured on both ipsec.secrets files
+        leftfirewall=yes
+        leftauth=eap-md5
+        leftsourceip=10.2.2.2
+        right=172.18.0.10  #IP of the NED
+        rightid="C=CH, O=strongSwan, CN=ned-1"#the DN that you use to generate the certificate 
+        rightauth=pubkey
+        rightsubnet=0.0.0.0/0
+        auto=add
+```
+
+```/etc/strongswan/ipsec.secrets``` has to be modified in both NED and mobile client
+```
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA peerKey.der "172.18.0.10"
+
+user1 : EAP "abcd1234"
+```
+
+Only the NED needs to generates the certificate. You need to put the
+certificate of the NED inside the ```ipsec.d/certs``` directory, the private
+key on the ipsec.d/private directory and the ca certificate on the ```ipsec.d/cacerts```.
+
+And then we need to execute
+```bash
+/usr/libexec/strongswan/pki  --gen > caKey.der
+/usr/libexec/strongswan/pki  --self --in caKey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca --outform pem > caCert.crt
+/usr/libexec/strongswan/pki  --gen > peerKey.der
+/usr/libexec/strongswan/pki --pub --in peerKey.der | /usr/libexec/strongswan/pki --issue --cacert caCert.crt --cakey caKey.der \
+   --dn "C=CH, O=strongSwan, CN=ned-1" --san 172.18.0.10 > peerCert.der
+cp caCert.crt  /etc/strongswan/ipsec.d/cacerts
+cp peerCert.der /etc/strongswan/ipsec.d/certs/
+cp peerKey.der /etc/strongswan/ipsec.d/private/
+```
+
+On the client side you need only to put the ca certificate on the directory ```ipsec.d/cacerts```.
+
+When the client starts the connection with IPSEC will get the IP ```10.2.12.2```.
+For the NED you should configure on interface with the IP ```10.2.2.1``` and
+configuring the proper route to forward the packets through that network.
+
+## Updating the legacy PSC VM
+
+First we need to clone the mobility branch of the NED repository where are the
+python scripts that have to be integrated to PSC, we execute the following
+command-lines:
+
+```bash
+git clone  –b  mobility  [email protected]:secured/ned.git
+```
+When this is done, python files which are in PSC directory will have to be
+copied into debianPSC.img.
+
+```bash
+virt-copy-in -a /var/lib/libvirt/images/debianPSC.img * /home/nedpsc/pythonScript/  
+```
+
+## Setting up the Mobile Client
+In the client we need to clone the master branch of the mobilityclient repository:
+
+```bash
+git clone [email protected]:secured/mobilityclient.git
+```
+
+Installing the dependencies to run the Client node
+```bash
+apt-get install python-networkmanager python-gi python-dbus
+```
+
+Finally, before starting the experiment we have to run the application by executing:
+```bash
+# ./list_signals.py
+```
+Don't forget to run this as ```root```. For more information regarding
+MobileClient please refer to its [README.md](/secured/mobilityclient/blob/master/README.md)

PSC/boot_script_psc

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Place this in /etc/network/if-up.d/
+# For some reason the control for $IFACE as eth1 placed before starting gunicorn 
+# makes gunicorn not to start even when eth1 is the interface being processed. 
+# On the other side making the gunicorn invocation for each interface that comes up (as it happens without the control)
+# does not affect the correct behavior (the new invocation to bind gunicorn to the ip-port fails).
+
+# A quick solution to check that we have both our interfaces up
+check_needed_interfaces (){
+    	local retval=0
+	local test=$(ifconfig | grep -o eth0)$(ifconfig | grep -o eth1)
+	if [ "$test" = "eth0eth1" ]
+	then
+		retval=1
+	fi
+	echo "$retval"
+}
+
+#commented below line
+#[ "$IFACE" = 'eth1' ] || [ "$IFACE" = 'eth2' ] || exit 0
+
+# For both eth0 and eth1 check if gunicorn can be started
+# eth1 is the interface where PSC serves requests to the user's PSAs
+# being VLAN isolated a reduced MTU is used to send packets 
+if [ "$IFACE" = "eth0" ] || [ "$IFACE" = 'eth1' ]
+	then
+	result=$(check_needed_interfaces)
+	if [ "$result" = 1 ]
+		then
+		cd /home/nedpsc/pythonScript
+		gunicorn -b 192.168.2.1:8080 --access-logfile - psc:app &
+		ifconfig eth1 mtu 1496
+		killall -s SIGKILL dnsmasq 
+		/usr/sbin/dnsmasq --conf-file=dhcp_psc.conf
+	fi
+fi
+
+if [ "$IFACE" = "eth2" ] || [ "$IFACE" = 'eth2' ]
+	then
+	ifconfig eth2 mtu 1496
+	cd /home/nedpsc/pythonScript/manager
+	gunicorn -b 10.2.2.251:8080 --log-file /home/nedpsc/GUNICORN2.log --log-level debug psc_user_monitor:app &
+fi

PSC/dhcp_psc.conf

@@ -0,0 +1,12 @@
+no-hosts
+no-resolv
+strict-order
+domain-needed
+pid-file=/var/lib/dnsmasq/pscDHCP.pid
+except-interface=lo
+interface=eth1
+dhcp-range=192.168.2.100,192.168.2.150,static,255.255.255.0
+dhcp-lease-max=253
+dhcp-hostsfile=/var/lib/dnsmasq/pscDHCP.host
+bind-interfaces
+leasefile-ro