
Documentation

Installation
Configuration
Testing
Problems and bugs


Installation

1. Requirements

2. Compiling

Untar the latest distribution and compile:
make depend
make


Configuration

A startup script must be created for starting the PLA. Existing scripts like 'sp_amd' from the 'pla' directory can be used as a base for the new startup script.

Configuration is carried out by editing the startup script.

1. Enabling and disabling the encryption

In the startup script, the line containing 'eccrypto' determines whether the encryption is used or not. For example:
nice -n -20 ./eccrypto -n &
means that the encryption is not used (-n flag for eccrypto), and:
nice -n -20 ./eccrypto &
means that the encryption is used. Note: at this point only software encryption is supported, so enabling encryption will significantly slow things down.

2. Specifying the address of the trusted third party (TTP)

The address of the trusted third party is specified on the line beginning with './placonf -c'. The IPv4 address of the host acting as a trusted third party should be given here. For example:
./placonf -c 192.168.0.1

3. Iptables configuration

The rest of the startup script contains iptables configuration. The configuration depends on whether or not the PLA is used on all network interfaces.

3.1. PLA host contains only one network interface or the PLA is used on all interfaces

In this case, all packets are processed by the PLA. Only the following ip6tables-related lines must be present in the startup script:
ip6tables --table mangle -A OUTPUT -p all -j QUEUE
ip6tables --table mangle -A INPUT -p all -j QUEUE
ip6tables --table mangle -A FORWARD -p all -j QUEUE

3.2. There are two or more network interfaces and the PLA is not used on all of them

This is a slightly more complicated situation. Interfaces that are NOT using the PLA must be specified. Here is an example of the configuration where the PLA is not used on the eth0 interface:
ip6tables --table mangle -A OUTPUT -p all -o eth0 -j ACCEPT
ip6tables --table mangle -A OUTPUT -p all -j QUEUE

ip6tables --table mangle -A INPUT -p all -i eth0 -j ACCEPT
ip6tables --table mangle -A INPUT -p all -j QUEUE

ip6tables --table mangle -A FORWARD -p all -j QUEUE
This means that packets coming from and going to eth0 are not touched, but all other packets are processed by the PLA. Similarly, if there are three or more interfaces, the following lines must be added for each interface that is not using the PLA:
ip6tables --table mangle -A OUTPUT -p all -o interface_name -j ACCEPT
ip6tables --table mangle -A INPUT -p all -i interface_name -j ACCEPT
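
The rule layout from sections 3.1 and 3.2, as an added example (not part of the PLA distribution): pla_rules prints the ip6tables lines for a list of interfaces that do not use the PLA, and pla_audit checks a startup script for an exemption placed after the catch-all QUEUE rule of its chain, where it would never match. The function names and the interface-name character check are assumptions.

```shell
#!/bin/sh
# Added example, not from the PLA distribution. Function names are hypothetical.

# pla_rules IFACE... : print the mangle-table rules for a host where the listed
# interfaces do NOT use the PLA. With no arguments this is the section 3.1 case.
pla_rules() {
    for ifc in "$@"; do
        # Assumption: allow only plain interface names, so nothing else can
        # end up in a startup script that runs as root.
        case "$ifc" in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $ifc" >&2; return 1 ;;
        esac
    done
    # Exemptions are appended first: rules are evaluated in order and both
    # ACCEPT and QUEUE end traversal of the chain.
    for ifc in "$@"; do
        echo "ip6tables --table mangle -A OUTPUT -p all -o $ifc -j ACCEPT"
    done
    echo "ip6tables --table mangle -A OUTPUT -p all -j QUEUE"
    for ifc in "$@"; do
        echo "ip6tables --table mangle -A INPUT -p all -i $ifc -j ACCEPT"
    done
    echo "ip6tables --table mangle -A INPUT -p all -j QUEUE"
    echo "ip6tables --table mangle -A FORWARD -p all -j QUEUE"
}

# pla_audit : read startup-script lines on stdin. Exit non-zero if an ACCEPT
# exemption follows the catch-all QUEUE of its chain, or if OUTPUT, INPUT or
# FORWARD has no catch-all QUEUE rule. Findings are printed on stdout.
pla_audit() {
    awk '
        $1 != "ip6tables" { next }
        { chain = ""; target = ""; iface = ""
          for (i = 2; i < NF; i++) {
              if ($i == "-A") chain = $(i+1)
              if ($i == "-j") target = $(i+1)
              if ($i == "-i" || $i == "-o") iface = $(i+1)
          } }
        target == "QUEUE" && iface == "" { queued[chain] = 1; next }
        target == "ACCEPT" && queued[chain] {
            print "unreachable exemption for " iface " in " chain; bad = 1 }
        END {
            n = split("OUTPUT INPUT FORWARD", c, " ")
            for (k = 1; k <= n; k++) if (!queued[c[k]]) {
                print "no catch-all QUEUE in " c[k]; bad = 1 }
            exit bad + 0
        }'
}
```

For example, `pla_rules eth0 | pla_audit` passes silently, and `pla_audit < sp_amd` checks an existing startup script.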


Testing

1. TTP (trusted third party)

Go to the directory where the PLA software is compiled and execute:
./placonf -d
Note: a host running the PLA cannot act as a TTP at this point. Thus a separate host is needed for the TTP functionality.

2. PLA hosts

Execute the correct startup script on both PLA hosts, for example:
./sp_amd
The startup script should output something like this:
Address is: 192.168.0.1
Creating hash ID
Sending request
Received response of 122 bytes
2967578620614803107047807377454441249846156428911Length of cert: 25
If the startup scripts exit without an error and the IPv6 connection can be made between the PLA hosts (ping6 can be used for testing), then the PLA is working.

3. Stopping the PLA

1. Run the stoppla script on the PLA hosts:
./stoppla
2. Stop or kill the 'placonf' process on the host acting as a TTP.

Problems and bugs

Startup script hangs after printing: 'Sending request'

The connection to the TTP cannot be established. Check that 'placonf -d' is running on the host acting as a TTP, and check that the startup script contains the correct IPv4 address of the TTP host ('./placonf -c IPv4_address').


Last modified: 20.6.2006