Latest revision as of 23:26, 10 November 2009

Intro

Testing with:

Dynagen & Dynamips (GNS3 not yet working on my Mac)

Future:

Asterisk with chan-ss7
Intel SS7 stack
OpenSS7 new release
Kannel

Network

Addressing

tmp (France)

10.42.0-9.x

R1 dynamips Cisco ITP
- 10.0.0.150
- 10.42.1.1
- PC: 4.2.1
- x25: x25routerR1 250
R2 dynamips Cisco ITP
- 10.0.0.160
- 10.42.2.1
- PC: 4.2.2
- x25: x25routerR2 150

NET Intel SS7: 10.42.5.x
- tee1 - Debian 5.02
  - 10.0.0.51
  - 10.42.5.1
  - IP Router, add it:

route add -net 10.42.5.0 10.0.0.51 255.255.0.0

- tee2 - Debian 5.02
  - 10.0.0.52
  - 10.42.5.2

NET Clients VPNSSL: 10.42.8.x
- tee1 - Debian 5.02
  - 10.42.8.1

bkk (Bangkok, Thailand)

10.42.32.x
kin 10.211.55.7, 10.42.32.102
mac (parallels 10.211.55.3) 10.42.32.2 VM: kin
kiwi 10.42.32.1 VM: 10.42.32.101

tw (Taiwan)

10.42.50-59.x

Source Configuration

GIT

There is a GIT repository
- ssh://sevenbone@hera.dreamhost.com/~/git/7bone.git
- See http://www.tmplab.org/wiki/index.php/GIT_Cheat_Sheet#Creating_an_empty_project_on_a_remote_machine

Commands

Get your copy

git clone ssh://sevenbone@penguins.dreamhost.com/~/git/7bone.git 7bone

Make some modification and compare

git diff

Update your local copy with the master repository changes

git pull

Add some files to your GIT repository

git add File14 
git add Dir32

Commit these changes and new files to your local GIT repository

git commit -m "Comment message here"

Push your changes to the master repository

git push origin master

Installation

OpenSS7

On Ubuntu 8.04 (only this version, highly kernel version dependent)

apt-get install groff-base info bison flex
apt-get install linux-libc-dev libc6-dev libperl-dev
./configure --without-snmp
make
make install

M3UA

Check /home/user/openss7-0.9.2.G/sigtran-0.9.2.4/src/modules/m3ua_as.c

SCTPlib

http://sctp.de/sctp-download.html
On MacOS X there are some NKE to be loaded (http://sctp.fh-muenster.de/sctp-nke.html)

kextload /System/Library/Extensions/SCTP.kext

In order to compile the examples programs (echo_tool etc...) with SCTPlib:

gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \ 
 -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \ 
 -I/opt/local/include   -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
 -D_THREAD_SAFE  -o echo_server echo_server.c sctp_wrapper.c  -lsctplib

gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp  -I/opt/local/include/glib-2.0 \
 -I/opt/local/lib/glib-2.0/include -I/opt/local/include    -g -O2 \
 -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
 -I/opt/local/include   -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
 -D_THREAD_SAFE  -o echo_tool echo_tool.c sctp_wrapper.c  -lsctplib

NKE and SCTPlib are mutually exclusive.

Intel / Dialogic SS7 stack

Commercial stack
10h license free runtime
http://resource.dialogic.com/telecom/support/ss7/cd/hostprotocolsoftware/index.htm
http://www.dialogic.com/support/helpweb/signaling/

Configuration differences between two peers

Useful bits
- For logging

FORK_PROCESS    ./s7_log -fms7.log -o0xff1f -pms7.pcap

Between two different configs

# diff upd/RUN/MTR/M2PA_CONFIG/config.txt upd/RUN/MTU/M2PA_CONFIG/config.txt
6c6,8
< CNSYS:IPADDR=192.168.0.2,PER=0;
---
> CNSYS:IPADDR=192.168.0.1,PER=0;
> *
> SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
8,9d9
< SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
< *
16,17c16,17
< * <ssf>
< MTP_LINKSET  0  1  1  0x0000 2 0x08
---
> *             <ssf>
> MTP_LINKSET  0  2  1  0x0000 1 0x08
26c26
< MTP_ROUTE  1  0  0x0008
---
> MTP_ROUTE  2  0  0x0008
31c31
< SCCP_CONFIG 2 0x8 0x0102
---
> SCCP_CONFIG 1 0x8 0x0102
39c39
< SCCP_SSR 1 RSP 1 0 0x0000
---
> SCCP_SSR 1 RSP 2 0 0x0000
47c47
< SCCP_SSR 3 RSS 1 0x08 0
---
> SCCP_SSR 3 RSS 2 0x08 0

Commands for MTU/MTR

Link activation

./mtpsl ACT 0 0

SS7 MSU Play

./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7

Combined

(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7

(./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ;\
sleep 5; /mnt/remote/Documents/7bone/intel-stacks/upd/BIN/BACKUP_LNX/mtu -m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"

./gctload -x; sleep 3; (./gctload -csystem.txt  -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5;\
./s7_play -fintel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ; sleep 5; ./intel-dev-upd/BIN/BACKUP_LNX/mtu\
-m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"

Configurations

Hamachi

Quick Start

Run 'make install' and then 'tuncfg' from under the root account
Run 'hamachi-init -c /etc/hamachi' to generate crypto identity (any account).
Run 'hamachi start' to launch Hamachi daemon.
Run 'hamachi login' to put the daemon online and to create an account.
Run 'hamachi join <network>' to join the network.
Run 'hamachi go-online <network>' to go online in the network.
Run 'hamachi list' to list network members and their status.

OpenVPN

Introduction

Good tutorials can be found here:

we will use tcp port 9443 for openvpn VPNSSL configuration. So your firewall should allow this port out.

OpenVPN Certificates

On OpenVPN server, see /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/

OpenVPN Client configs

client
dev tun
proto tcp
remote lab.tstf.net 1337
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key

OpenVPN Server configs

See http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

Configure your server keys thanks to /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
edit vars
./build-dh
./pkitool --initca
Create server keys: ./pkitool --server myserver
Copy them to /etc/openvpn:
cp keys/ca.* /etc/openvpn/
cp keys/server1.* /etc/openvpn/
cp keys/dh1024.pem /etc/openvpn/
Copy sample configuration to /etc/openvpn: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
edit /etc/openvpn/server.conf

Example Configuration

local [EXTERNALIP] port 8443 proto tcp dev tap0

we'll add section how to manage certs later

ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem

this will allow for people to get the same IP address after a reconnect

ifconfig-pool-persist /etc/openvpn/ipp.txt

keepalive 10 120 comp-lzo max-clients 10 user nobody group nobody persist-key persist-tun status /tmp/openvpn-status.log log-append /var/log/openvpn.log verb 6

Networking

/etc/init.d/net-addroute

#!/bin/sh
### BEGIN INIT INFO
# Provides:          net-addroute   
# Required-Start:    $all
# Required-Stop:     
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Adds 7Bone default routes at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
#route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51

case "$1" in
start)
        route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

stop)
        route del -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
        ;;

force-reload|restart)
        echo "No reload possibility for this script"
        ;;

*)
        echo "Usage: /etc/init.d/net-addroute {start|stop|restart|force-reload}"
        exit 1
        ;;
esac

exit 0

Cisco ITP

cs7 variant itu
cs7 point-code 1.2.3
Maybe: cs7 capability-pc 1.2.3

Diagnostics

SIGTRAN sniffing

wireshark
Remove the HEARTBEAT and HEARTBEAT_ACKs with display filter:

sctp.chunk_type != 4 and sctp.chunk_type != 5

Check inits

sctp.chunk_type == 1

Testing

Security

XOT

http://www.fyonne.net/

Links

http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=site%3Ahttp%3A%2F%2Fwww.eurescom.eu%2F~pub-deliverables%2F+security+ss7&aq=f&oq=&aqi=

Difference between revisions of "7lab"