7lab

From Tmplab

= Intro =

Testing with:

* Dynagen & Dynamips (GNS3 not yet working on my Mac)

Future:

* Asterisk with chan-ss7
* Intel SS7 stack
* OpenSS7 new release
* Kannel

= Network =

== Addressing ==

=== tmp (France) ===

* 10.42.0-9.x

* R1 dynamips Cisco ITP
** 10.0.0.150
** 10.42.1.1
** PC: 4.2.1
** x25: x25routerR1 250
* R2 dynamips Cisco ITP
** 10.0.0.160
** 10.42.2.1
** PC: 4.2.2
** x25: x25routerR2 150

* NET Intel SS7: 10.42.5.x
** tee1 - Debian 5.02
*** 10.0.0.51
*** 10.42.5.1
*** IP router, add the route:
<PRE>
route add -net 10.42.5.0 10.0.0.51 255.255.0.0
</PRE>
** tee2 - Debian 5.02
*** 10.0.0.52
*** 10.42.5.2

* NET Clients VPNSSL: 10.42.8.x
** tee1 - Debian 5.02
*** 10.42.8.1

=== bkk (Bangkok, Thailand) ===

* 10.42.32.x
* kin 10.211.55.7, 10.42.32.102
* mac (parallels 10.211.55.3) 10.42.32.2  VM: kin
* kiwi 10.42.32.1  VM: 10.42.32.101

=== tw (Taiwan) ===

* 10.42.50-59.x

== Source Configuration ==

=== GIT ===

* There is a GIT repository
** ssh://sevenbone@hera.dreamhost.com/~/git/7bone.git
** See http://www.tmplab.org/wiki/index.php/GIT_Cheat_Sheet#Creating_an_empty_project_on_a_remote_machine

=== Commands ===

* Get your copy
<pre>
git clone ssh://sevenbone@penguins.dreamhost.com/~/git/7bone.git 7bone
</pre>
* Make some modifications and compare
<pre>
git diff
</pre>
* Update your local copy with the master repository changes
<pre>
git pull
</pre>
* Add some files to your GIT repository
<pre>
git add File14
git add Dir32
</pre>
* Commit these changes and new files to your local GIT repository
<pre>
git commit -m "Comment message here"
</pre>
* Push your changes to the master repository
<pre>
git push origin master
</pre>

= Installation =

== OpenSS7 ==

On Ubuntu 8.04 (only this version; the build is highly kernel-version dependent):
<pre>
apt-get install groff-base info bison flex
apt-get install linux-libc-dev libc6-dev libperl-dev
./configure --without-snmp
make
make install
</pre>

=== M3UA ===

* Check /home/user/openss7-0.9.2.G/sigtran-0.9.2.4/src/modules/m3ua_as.c

== SCTPlib ==

* http://sctp.de/sctp-download.html
* On MacOS X there is an NKE to be loaded (http://sctp.fh-muenster.de/sctp-nke.html):
<pre>
kextload /System/Library/Extensions/SCTP.kext
</pre>
* In order to compile the example programs (echo_tool etc.) with SCTPlib:
<pre>
gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \
  -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
  -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
  -I/opt/local/include  -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
  -D_THREAD_SAFE  -o echo_server echo_server.c sctp_wrapper.c  -lsctplib

gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \
  -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
  -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
  -I/opt/local/include  -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
  -D_THREAD_SAFE  -o echo_tool echo_tool.c sctp_wrapper.c  -lsctplib
</pre>
* The NKE and SCTPlib are mutually exclusive.

== Intel / Dialogic SS7 stack ==

* Commercial stack
* 10h license-free runtime
* http://resource.dialogic.com/telecom/support/ss7/cd/hostprotocolsoftware/index.htm
* http://www.dialogic.com/support/helpweb/signaling/

=== Configuration differences between two peers ===

* Useful bits
** For logging:
<pre>
FORK_PROCESS    ./s7_log -fms7.log -o0xff1f -pms7.pcap
</pre>
* Between the two configs (MTR on the left, MTU on the right):
<pre>
# diff upd/RUN/MTR/M2PA_CONFIG/config.txt upd/RUN/MTU/M2PA_CONFIG/config.txt
6c6,8
< CNSYS:IPADDR=192.168.0.2,PER=0;
---
> CNSYS:IPADDR=192.168.0.1,PER=0;
> *
> SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
8,9d9
< SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
< *
16,17c16,17
< * <ssf>
< MTP_LINKSET  0  1  1  0x0000 2 0x08
---
> *            <ssf>
> MTP_LINKSET  0  2  1  0x0000 1 0x08
26c26
< MTP_ROUTE  1  0  0x0008
---
> MTP_ROUTE  2  0  0x0008
31c31
< SCCP_CONFIG 2 0x8 0x0102
---
> SCCP_CONFIG 1 0x8 0x0102
39c39
< SCCP_SSR 1 RSP 1 0 0x0000
---
> SCCP_SSR 1 RSP 2 0 0x0000
47c47
< SCCP_SSR 3 RSS 1 0x08 0
---
> SCCP_SSR 3 RSS 2 0x08 0
</pre>

=== Commands for MTU/MTR ===

* Link activation
<pre>
./mtpsl ACT 0 0
</pre>
* SS7 MSU play
<pre>
./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
</pre>
* Combined
<pre>
(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7

(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ;\
sleep 5; /mnt/remote/Documents/7bone/intel-stacks/upd/BIN/BACKUP_LNX/mtu -m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"

./gctload -x; sleep 3; (./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5;\
./s7_play -fintel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ; sleep 5; ./intel-dev-upd/BIN/BACKUP_LNX/mtu\
-m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"
</pre>

= Configurations =

== Hamachi ==

* http://files.hamachi.cc/linux/hamachi-0.9.9.9-20-lnx.tar.gz
* http://files.hamachi.cc/linux/README

Quick Start

# Run 'make install' and then 'tuncfg' from under the root account.
# Run 'hamachi-init -c /etc/hamachi' to generate the crypto identity (any account).
# Run 'hamachi start' to launch the Hamachi daemon.
# Run 'hamachi login' to put the daemon online and to create an account.
# Run 'hamachi join <network>' to join the network.
# Run 'hamachi go-online <network>' to go online in the network.
# Run 'hamachi list' to list network members and their status.

== OpenVPN ==

=== Introduction ===

Good tutorials can be found here:

* http://www.nemako.net/dc2/?post/openvpn
* http://openvpn.net/index.php/open-source/documentation/howto.html

We will use TCP port 9443 for the OpenVPN VPNSSL configuration, so your firewall should allow this port out.

=== OpenVPN Certificates ===

On the OpenVPN server, see /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/

=== OpenVPN Client configs ===

<pre>
client
dev tun
proto tcp
remote lab.tstf.net 1337
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key
</pre>

=== OpenVPN Server configs ===

See http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

# Configure your server keys with the help of /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
# Edit vars
# ./build-dh
# ./pkitool --initca
# Create the server keys: ./pkitool --server myserver
# Copy them to /etc/openvpn:
#* cp keys/ca.* /etc/openvpn/
#* cp keys/server1.* /etc/openvpn/
#* cp keys/dh1024.pem /etc/openvpn/
# Copy the sample configuration to /etc/openvpn: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
# Edit /etc/openvpn/server.conf

==== Example Configuration ====

<pre>
local [EXTERNALIP]
port 8443
proto tcp
dev tap0
# we'll add a section on how to manage certs later
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# this lets clients get the same IP address back after a reconnect
ifconfig-pool-persist /etc/openvpn/ipp.txt

keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
log-append  /var/log/openvpn.log
verb 6
</pre>

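The client and server configs above keep several settings that a current OpenVPN deployment would not: ns-cert-type (superseded by remote-cert-tls), comp-lzo (compression), no tls-auth/tls-crypt on the control channel, no pinned cipher, and dh1024.pem in the key-copy steps. The following added example, which is not code from this wiki page, audits an abridged copy of the client config for those settings and emits a hardened copy; the replacement directives assume OpenVPN 2.4 or newer, and ta.key is a placeholder file name.

```python
"""Added example (not from the 7lab wiki): audit the OpenVPN directives shown
above for weak settings and emit a hardened copy of the (abridged) client config."""
PAGE_CLIENT_CONF = """\
client
dev tun
proto tcp
remote lab.tstf.net 1337
comp-lzo
ns-cert-type server
ca ca.crt
cert client.crt
key client.key
"""
# Weak directive present -> (problem, replacement line, or None to drop the line)
WEAK = {
    "ns-cert-type": ("Netscape cert-type check, deprecated in 2.4 and removed in 2.5",
                     "remote-cert-tls server"),
    "comp-lzo": ("compression leaks plaintext length (VORACLE-style attacks)", None),
}
# Directive family missing -> (problem, line to add); ta.key is a placeholder name
MISSING = {
    ("tls-auth", "tls-crypt"): ("control channel accepts packets from anyone", "tls-crypt ta.key"),
    ("cipher", "data-ciphers"): ("no cipher pinned; the pre-2.4 default BF-CBC is SWEET32-weak",
                                 "cipher AES-256-GCM"),
}

def parse_conf(text):
    """Map directive -> argument list; '#' comments and blank lines are dropped."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            conf[words[0]] = words[1:]
    return conf

def audit(text):
    """Return [(directive, problem)] for one OpenVPN config."""
    conf = parse_conf(text)
    found = [(d, why) for d, (why, _) in WEAK.items() if d in conf]
    found += [(names[0], why) for names, (why, _) in MISSING.items()
              if not any(n in conf for n in names)]
    if "1024" in " ".join(conf.get("dh", [])):  # the page copies keys/dh1024.pem
        found.append(("dh", "1024-bit DH parameters are too weak; generate 2048-bit or larger"))
    return found

def harden(text):
    """Apply the WEAK replacements/deletions and append the MISSING directives."""
    conf, out = parse_conf(text), []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] not in WEAK:
            out.append(line)                   # untouched directive
        elif WEAK[words[0]][1] is not None:
            out.append(WEAK[words[0]][1])      # swapped for the hardened directive
    out += [add for names, (_, add) in MISSING.items() if not any(n in conf for n in names)]
    return "\n".join(out) + "\n"
```

Running `audit(PAGE_CLIENT_CONF)` lists the four findings for the page's client config and `harden(PAGE_CLIENT_CONF)` prints the corrected file; the same checks apply unchanged to the server config above.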
== Networking ==

/etc/init.d/net-addroute:
<PRE>
#!/bin/sh
### BEGIN INIT INFO
# Provides:          net-addroute
# Required-Start:    $all
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Adds 7Bone default routes at boot time
# Description:       Adds the 10.42.0.0/16 route via tee1 (10.0.0.51) at boot.
### END INIT INFO
#route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51

case "$1" in
start)
        route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

stop)
        route del -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

force-reload|restart)
        echo "No reload possibility for this script"
        ;;

*)
        echo "Usage: /etc/init.d/net-addroute {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
</PRE>

== Cisco ITP ==

* cs7 variant itu
* cs7 point-code 1.2.3
* Maybe: cs7 capability-pc 1.2.3

= Diagnostics =

== SIGTRAN sniffing ==

* wireshark
* Remove the HEARTBEAT and HEARTBEAT_ACK chunks with the display filter:
<pre>
sctp.chunk_type != 4 and sctp.chunk_type != 5
</pre>
* Check INITs:
<pre>
sctp.chunk_type == 1
</pre>

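To show what the two display filters above actually select, here is an added example (not code from this page) that decodes the SCTP common header and chunk list of a packet and applies the same two tests to a constructed set of packets; the packets, the M2PA port and the verification tag are made up, and the CRC32c is not checked.

```python
"""Added example (not from the 7lab wiki): decode the chunks of an SCTP packet and
apply the two Wireshark display filters from the SIGTRAN sniffing section."""
import struct

# Chunk types the page's filters refer to (RFC 4960, section 3.2)
DATA, INIT, HEARTBEAT, HEARTBEAT_ACK = 0, 1, 4, 5
COMMON_HEADER = struct.Struct("!HHII")  # src port, dst port, vtag, CRC32c
CHUNK_HEADER = struct.Struct("!BBH")    # type, flags, length (before padding)

def parse_sctp(packet):
    """Return (src_port, dst_port, vtag, [chunk types]) for one SCTP packet."""
    if len(packet) < COMMON_HEADER.size:
        raise ValueError("truncated SCTP common header")
    src, dst, vtag, _crc = COMMON_HEADER.unpack_from(packet)
    chunks, off = [], COMMON_HEADER.size
    while off + CHUNK_HEADER.size <= len(packet):
        ctype, _flags, clen = CHUNK_HEADER.unpack_from(packet, off)
        if clen < CHUNK_HEADER.size or off + clen > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (clen, off))
        chunks.append(ctype)
        off += (clen + 3) & ~3  # every chunk is padded to a 4-byte boundary
    return src, dst, vtag, chunks

def not_heartbeat(chunks):
    """Intent of 'sctp.chunk_type != 4 and sctp.chunk_type != 5': drop packets
    carrying a HEARTBEAT or HEARTBEAT_ACK (Wireshark >= 3.6 reads '!=' this way)."""
    return all(c not in (HEARTBEAT, HEARTBEAT_ACK) for c in chunks)

def has_init(chunks):
    """'sctp.chunk_type == 1': the packet carries an INIT chunk."""
    return INIT in chunks

def chunk(ctype, value=b"", flags=0):
    """Build one chunk; the length field excludes padding, the wire form has it."""
    raw = CHUNK_HEADER.pack(ctype, flags, CHUNK_HEADER.size + len(value)) + value
    return raw + b"\x00" * (-len(raw) % 4)

def packet(*chunks, src=3565, dst=3565, vtag=0x7B0E7B0E):
    # Constructed packet; CRC32c is left zero because nothing here validates it.
    return COMMON_HEADER.pack(src, dst, vtag, 0) + b"".join(chunks)

# Constructed sample "capture" on the M2PA port (3565) from the page's SNSLI line
HB_VALUE = b"\x00\x01\x00\x06\xab\xcd"  # Heartbeat Info parameter, 2 bytes of data
SAMPLES = {
    "init": packet(chunk(INIT, b"\x00" * 16)),
    "heartbeat": packet(chunk(HEARTBEAT, HB_VALUE)),
    "data": packet(chunk(DATA, b"\x00" * 13)),  # 17-byte chunk, padded to 20
    "bundled": packet(chunk(DATA, b"\x00" * 8), chunk(HEARTBEAT_ACK, HB_VALUE)),
}

def apply_filters(samples=SAMPLES):
    """Names of the sample packets that survive each of the two display filters."""
    types = {name: parse_sctp(pkt)[3] for name, pkt in samples.items()}
    return {"no_heartbeats": sorted(n for n, c in types.items() if not_heartbeat(c)),
            "inits": sorted(n for n, c in types.items() if has_init(c))}
```

The "bundled" sample matters: a DATA chunk bundled with a HEARTBEAT_ACK is hidden by the first filter, so use the INIT filter or a per-chunk view when you need every DATA chunk of the association.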
= Testing =

== Security ==

* http://www.irmplc.com/downloads
* [[Media:MPLS_Security_Overview.pdf]]
* http://www.irmplc.com/researchlab/whitepapers

== XOT ==

* http://www.fyonne.net/

= Links =

* http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=site%3Ahttp%3A%2F%2Fwww.eurescom.eu%2F~pub-deliverables%2F+security+ss7&aq=f&oq=&aqi=

Latest revision as of 23:26, 10 November 2009
