Project Mayhem
First of all, a little brush-up about myself:
Well, as you have guessed, I am Allan Eising, demigod of computers to some (very few, but the cult is growing), geek to most and NOC Operator to my boss.
I am currently employed as a NOC (Network Operating Center) Operator at a relatively young telecommunications company that delivers WiMAX, FWA and other sorts of connections, primarily to other ISPs. I really love this job. I used to be tech support for a much larger ISP, but tech support is murder, and luckily I got this job. Of course it’s only part time, as I also study Chinese at Copenhagen University (explains the post about enabling Chinese input in Ubuntu, doesn’t it?).
So what is Project Mayhem? We’ll come to this later. I need to brag a bit more.
I feel I am right now getting a lot of experience in the networking field that would otherwise have been impossible. For instance, right now I can say that I know about managing, implementing and diagnosing WiMAX, miscellaneous Ericsson radio-link connections including Fixed Wireless Access (FWA), ATM networking and Ethernet networking, and it won’t be long before I can write SDH/SONET on that list. I also know a great deal about Linux and Unix, both as a server environment and as a workstation, because I use most of my spare time to administrate the network at this 400+ user student housing.
Now this leads me directly to Project Mayhem, which is a project I have been thinking about for some time now, because this network was built by one of my predecessors here and is really poorly documented. It’s not very efficient anymore either, because it was built at a time when 256 kbit/s was called high-speed. Today we have different problems, such as peer-to-peer networking and its impact on a shared network like this one.
The main gateway box is a Linux machine that runs a program called PL. PL was written by one of my predecessors and does per-MAC-address opening from our walled garden to the internet, based on user policies. It also does per-user bandwidth quota management, and has the capability of closing the user’s access to the internet should he or she have exceeded the quota.
This was previously sufficient for limiting traffic. The network administrators believed that by limiting the amount of data one user could transfer per day, one assured equal access to the internet for all users. Today this argument is a bit vague. By only limiting the amount of data allowed to be transferred, one could easily fill up the network, e.g. by opening a lot of TCP connections. To counter this, one could implement a series of traffic shaping measures; for instance, I know that Linux is able to prioritize traffic by recognizing some peer-to-peer headers at packet level. Also, one could set up some really advanced shaping script that differentiated on the basis of packet type, e.g. always letting HTTP traffic go at a higher priority than, say, binary file transfers. But my main argument against this is: the last thing we need is more systems. Right now we have PL for opening and closing access to the internet, vc to test for viruses, a PostgreSQL user database and a lot of strange other tools, and the last thing we need is another tool, which might not even be a tool but more an undocumented shell script.
So here’s Project Mayhem:
- The gateway box will be an OpenBSD box, utilizing PF with all its options. It must have a database backend that configures all user data, and the PF script must be able to do everything we used to need a lot of programs for. For instance, PF does what we currently use three programs or more for: it normalizes packets with scrub, thereby doing spoof protection. It can tag packets, which we currently use iproute2 for. It also does QoS very well, which is also essential. Also, one thing that I really like is authpf. Using authpf to authenticate users instead of PL is a great way of making sure it works. I also really like authpf’s ACL capabilities. (Just after writing this sentence, I got so fond of the idea that I instantly fired up an OpenBSD virtual machine, and now, five hours later, I’m resuming this post.)
- The network must be IPv6 ready.
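To make the list above concrete, here is a pf.conf sketch that covers the same ground in one ruleset: scrub for normalization, antispoof for the LAN interface, ALTQ queues for QoS, packet tags in place of iproute2 marks, and an authpf anchor in place of PL. This is an added example, not configuration from the post or from the housing network; the interface names, the 10.0.0.0/24 LAN, the 10 Mb uplink figure and the USER_OK tag name are assumptions, and the syntax is the ALTQ-era pf.conf of OpenBSD 4.x.

```pf
# /etc/pf.conf -- constructed example. Interface names, addresses and the
# uplink bandwidth are assumptions, not values from the post.
ext_if  = "em0"          # uplink towards the ISP
int_if  = "em1"          # student housing LAN
lan_net = "10.0.0.0/24"

set skip on lo

# Normalization: reassemble fragments, drop malformed packets
scrub in all

# Spoof protection: drop packets arriving on the LAN interface whose source
# address does not belong to that interface's network
antispoof quick for $int_if

# QoS: three CBQ queues on the uplink. Interactive traffic gets the highest
# priority, web traffic the default queue, and everything else (bulk and
# peer-to-peer transfers) the lowest priority; all three may borrow idle bandwidth.
altq on $ext_if cbq bandwidth 10Mb queue { q_pri, q_web, q_bulk }
queue q_pri  bandwidth 20% priority 7 cbq(borrow)
queue q_web  bandwidth 50% priority 4 cbq(default borrow)
queue q_bulk bandwidth 30% priority 1 cbq(borrow)

# Walled garden: LAN clients leave through the uplink only once tagged below
nat on $ext_if from $lan_net to any -> ($ext_if)

block all

# Every LAN client may reach the gateway's ssh port, because authpf runs as
# the user's login shell and that login is how a user opens the garden
pass in quick on $int_if proto tcp from $lan_net to ($int_if) port ssh keep state

# authpf(8) loads each authenticated user's rules into this anchor while the
# user's ssh session is open and removes them when it closes
anchor "authpf/*"

# Outbound rules match the tag carried by packets of authenticated users and
# sort them into queues by service. No "from $lan_net" here: NAT has already
# rewritten the source address before outbound filtering runs.
pass out on $ext_if proto { tcp, udp } from any to any port { ssh, domain } \
    tagged USER_OK keep state queue q_pri
pass out on $ext_if proto tcp from any to any port { www, https } \
    tagged USER_OK keep state queue q_web
pass out on $ext_if from any to any tagged USER_OK keep state queue q_bulk

# /etc/authpf/authpf.rules -- template applied to every authenticated user
# (a per-user override can live in /etc/authpf/users/$USER/authpf.rules).
# authpf replaces $user_ip with the address of the client that logged in.
#
# pass in quick on em1 from $user_ip to any tag USER_OK keep state
```

Two things worth checking before this goes near a real gateway: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -a "authpf/*" -sr` lists the rules authpf has actually installed for logged-in users. Per-user bandwidth limits, which PL enforced as daily quotas, are not covered by this sketch; with ALTQ they would need a queue per user (or per user class) that the per-user authpf rule assigns with `queue`.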
So, right now, I’ve fired up OpenBSD in a virtual machine team, configured a basic PF and fired up a small Debian virtual machine for client testing. It seems to work, at least for the simple setup. Now all I need to do is figure out how I can do connection tracking and QoS on a per-user basis, and then I need to rewrite authpf to allow users to be logged on without ssh’ing to the box. Might be quite tough, actually.
About this entry
You’re currently reading “Project Mayhem,” an entry on Blog noir
- Published:
- October 24, 2006 / 7:32 pm
- Category:
- Personal, UNIX/Linux