Documentation
Installation
Configuration
Testing
Problems and bugs
Installation
1. Requirements
- Three computers: two running the PLA and a third one acting
as the TTP (trusted third party).
- Working network supporting IPv4 and IPv6.
- Linux kernel 2.6.15 or newer.
- Kernel needs to have IPv6 and IPv6 packet filtering configured.
- Kernel needs user space packet queueing for IPv6:
- Go to: Device Drivers -> Networking Support -> Networking
Options -> Network Packet Filtering -> IPv6: Netfilter Configuration
- Select all boxes in the menu as modules.
- OpenSSL libraries and headers.
- GNU MP Bignum library, version 4.20 or newer.
- User space tools for IPv6 netfilter configuration, especially ip6tables.
- Synchronized clocks on the nodes. By default, a clock difference of
more than 3 seconds between nodes in the network will result in dropped
packets. Using NTP to synchronize the clocks is recommended.
2. Compiling
Untar the latest distribution and compile:
make depend
make
A startup script must be created for starting the PLA. An existing script
such as 'sp_amd' in the 'pla' directory can be used as a base for the
new startup script.
Configuration
Configuration is carried out by editing the startup script.
1. Enabling and disabling the encryption
In the startup script, the line containing 'eccrypto' determines whether
encryption is used. For example:
nice -n -20 ./eccrypto -n &
means that encryption is not used (the -n flag of eccrypto), and:
nice -n -20 ./eccrypto &
means that encryption is used. Note: at this point only software
encryption is supported, so enabling encryption will significantly
slow things down.
2. Specifying the address of the trusted third party (TTP)
The address of the trusted third party is specified on the line beginning
with './placonf -c'. It must be the IPv4 address of the host acting as
the trusted third party. For example:
./placonf -c 192.168.0.1
3. Iptables configuration
The rest of the startup script contains the ip6tables configuration. The
configuration depends on whether or not the PLA is used on all network
interfaces.
3.1. PLA host contains only one network interface or the PLA is used
on all interfaces
In this case, all IPv6 packets are handed to the PLA, and only the following
ip6tables lines must be present in the startup script. Note that the QUEUE
target passes packets to user space and the kernel drops queued packets when
no user-space program is attached to the queue, so leaving these rules in
place while the PLA is not running stops all IPv6 traffic on the host:
ip6tables --table mangle -A OUTPUT -p all -j QUEUE
ip6tables --table mangle -A INPUT -p all -j QUEUE
ip6tables --table mangle -A FORWARD -p all -j QUEUE
3.2. There are two or more network interfaces and the PLA is not used on
all of them
This is a slightly more complicated situation: the interfaces that are NOT
using the PLA must be listed explicitly. Here is an example of a configuration
where the PLA is not used on the eth0 interface:
ip6tables --table mangle -A OUTPUT -p all -o eth0 -j ACCEPT
ip6tables --table mangle -A OUTPUT -p all -j QUEUE
ip6tables --table mangle -A INPUT -p all -i eth0 -j ACCEPT
ip6tables --table mangle -A INPUT -p all -j QUEUE
ip6tables --table mangle -A FORWARD -p all -j QUEUE
This means that packets coming from and going to eth0 are not touched, while
all other packets are processed by the PLA. The ACCEPT rules must come before
the QUEUE rule of the same chain, because ip6tables evaluates rules in order
and the first matching rule decides. Similarly, if there are three or more
interfaces, the following lines must be added for each interface that is
not using the PLA:
ip6tables --table mangle -A OUTPUT -p all -o interface_name -j ACCEPT
ip6tables --table mangle -A INPUT -p all -i interface_name -j ACCEPT
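As an added example that is not part of the PLA distribution, the following startup script combines the three configuration items above (the eccrypto line, the TTP address and the ip6tables rules) into one parameterised script built only from the commands documented on this page. The variable names TTP_ADDR, ENCRYPT and PLA_EXCLUDE and the function names are this example's own, not PLA identifiers; like sp_amd, it assumes it is run from the directory where the PLA was compiled.

```shell
#!/bin/sh
# Added example (not part of the PLA distribution): a parameterised startup
# script built only from the commands documented above. Run it from the
# directory where the PLA was compiled, like sp_amd. The variable and
# function names are this example's own.

TTP_ADDR=${TTP_ADDR:-192.168.0.1}  # IPv4 address of the host running 'placonf -d'
ENCRYPT=${ENCRYPT:-no}             # "yes" enables the (software-only, slow) encryption
PLA_EXCLUDE=${PLA_EXCLUDE:-}       # interfaces NOT using the PLA, e.g. "eth0 eth2"

# The eccrypto flag for the chosen mode: "-n" disables encryption,
# no flag at all enables it.
eccrypto_flag() {
    [ "$1" = yes ] || printf '%s' -n
}

# Print the ip6tables rules for the given list of excluded interfaces.
# Per-interface ACCEPT rules are emitted before the catch-all QUEUE rule
# of the same chain, because ip6tables evaluates rules in order.
# With no arguments this yields exactly the three rules of section 3.1.
pla_rules() {
    for ifc in "$@"; do
        printf 'ip6tables --table mangle -A OUTPUT -p all -o %s -j ACCEPT\n' "$ifc"
        printf 'ip6tables --table mangle -A INPUT -p all -i %s -j ACCEPT\n' "$ifc"
    done
    printf 'ip6tables --table mangle -A OUTPUT -p all -j QUEUE\n'
    printf 'ip6tables --table mangle -A INPUT -p all -j QUEUE\n'
    printf 'ip6tables --table mangle -A FORWARD -p all -j QUEUE\n'
}

# Print the commands that empty the three mangle chains, so that re-running
# the script does not append a second copy of every rule. Caveat: this also
# removes any non-PLA rules that happen to be in those chains.
pla_flush() {
    for chain in OUTPUT INPUT FORWARD; do
        printf 'ip6tables --table mangle -F %s\n' "$chain"
    done
}

pla_start() {
    # Background eccrypto as in sp_amd; the flag substitution is left
    # unquoted so that an empty result adds no argument.
    nice -n -20 ./eccrypto $(eccrypto_flag "$ENCRYPT") &
    # Contact the TTP.
    ./placonf -c "$TTP_ADDR"
    # Load the packet filter rules; $PLA_EXCLUDE is unquoted to split it
    # into one interface name per word.
    pla_flush | sh
    pla_rules $PLA_EXCLUDE | sh
}

case "${1:-}" in
    start) pla_start ;;
    rules) pla_rules $PLA_EXCLUDE ;;   # dry run: only print the rules
esac
```

Saved next to eccrypto and placonf under a name of your choice, `PLA_EXCLUDE=eth0 sh <script> rules` prints the rule set of section 3.2 without touching the kernel, and `PLA_EXCLUDE=eth0 sh <script> start` runs the same sequence as sp_amd.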
Testing
1. TTP (trusted third party)
Go to the directory where the PLA software is compiled and execute:
./placonf -d
Note: a host running the PLA cannot act as a TTP at this point, so a separate
host is needed for the TTP functionality.
2. PLA hosts
Execute the correct startup script on both PLA hosts, for example:
./sp_amd
The startup script should output something like this:
Address is: 192.168.0.1
Creating hash ID
Sending request
Received response of 122 bytes
2967578620614803107047807377454441249846156428911Length of cert: 25
If the startup scripts exit without an error and an IPv6 connection
can be made between the PLA hosts (ping6 can be used for
testing), the PLA is working.
3. Stopping the PLA
1. Run the stoppla script on the PLA hosts:
./stoppla
2. Stop or kill the 'placonf' process on the host acting as the TTP.
Problems and bugs
Startup script hangs after printing 'Sending request'
The connection to the TTP cannot be established. Check that
'placonf -d' is running on the host acting as the TTP, and check that the
startup script contains the correct IPv4 address of the TTP host
('./placonf -c IPv4_address').
Last modified: 20.6.2006