ng_ayiya - a SixXS IPv6 tunnel broker AYIYA Netgraph node
=========================================================

Student: Peter Pentchev (roam@)
Mentor: Bjoern A. Zeeb (bz+soc@)

Project description
-------------------

Implement a netgraph node that connects to a netgraph kernel socket node and
a netgraph interface node and understands enough of the AYIYA protocol to
pass packets back and forth.  Use a control connection to user space to
handle all other signalling.  Adjust the sixxs-aiccu implementation and add
the netgraph implementation as an option for the FreeBSD port.

The goal of this project is to create a Netgraph node that acts as a link
between a socket (TCP, UDP, SCTP, ...) connection to an AYIYA server
(for a start, the SixXS POPs) and a local network interface (for a start,
one that can route IPv6 traffic).  The operation of the node should be
controlled via a Netgraph socket (the usual way of letting a kernel Netgraph
node communicate with a userland program) by higher-level tunnel negotiation
software like SixXS's AICCU.  The scope of the project also includes
the necessary changes to SixXS's AICCU software to use the Netgraph
framework instead of tunneling the packets by itself, as it does in its
standard mode of operation.

The initial design of the Netgraph node is as follows:
- a "ayiya" hook to a ng_ksocket node for the "uplink" connection to the
  AYIYA POP of the tunnel broker
- an "inet6" hook to a ng_iface node
- a "control" hook to a ng_socket node for configuration from userland
- a "secrethash" control message to set the pre-hashed shared secret for
  the AYIYA protocol, so that the node need not know the actual secret
- possibly more control messages to set the node's mode of operation in
  additional ways (possibly reconnect to the AYIYA POP by itself, etc.)
- possibly two-way data communication with the userland utility through
  the control hook for e.g. responding to AYIYA queries, passing on
  the POP's message of the day, etc.

The hook names should either be the exact strings "ayiya", "control" and
"secret" or strings that start with those tags followed by a slash ("/") and
additional data that the node will ignore.  This allows the administrator or
the userland utility to keep more information for clarity, documentation and
so on, without interfering with the operation of the node.


Building ng_ayiya from source
-----------------------------

Building the AYIYA Netgraph node should be straightforward: obtain a copy of
the source tree, change into the ng_ayiya/ subdirectory (the one containing
the ng_ayiya.c file) and run the following commands:

  make cleandir && make cleandir
  make depend
  make

If you'd like to install it into the system's kernel modules directory, run:

  make install
  

Building ng_ayiya, aiccu and Net-SixXS from the ports
-----------------------------------------------------

This project includes FreeBSD ports for the AYIYA Netgraph node, the modified
verison of the SixXS AICCU tool, and some additional testing tools.
To use them, follow this procedure:

1. Obtain a copy of the source tree.

2. Change to the ports/ subdirectory.

3. Run the update.pl tool to modify your existing ports collection (residing
   in /usr/ports/), adding symlinks to the new ports and rsync'ing the aiccu
   one for the changes.

4. Build the Net-SixXS helper tools:

   cd /usr/ports/net/p5-Net-SixXS && sudo make && sudo make install

5. Build the ng_ayiya tool:

   cd /usr/ports/net/ng_ayiya && sudo make && sudo make install

6. Build the SixXS AICCU tool with Netgraph support:

   cd /usr/ports/net/sixxs-aiccu
   sudo make config   # enable the NETGRAPH option
   sudo make && sudo make install


Using ng_ayiya by itself
------------------------

Bringing up an IPv6 tunnel using the AYIYA Netgraph node involves
the following steps:

1. Use the sixxs-aiccu utility to make sure that your SixXS tunnel is active
   and there are no network connectivity issues in running AYIYA.

2. Make sure the p5-Net-SixXS toolset is installed (see the previous section).

3. Use the sixxs-tic-tunnels tool from Net-SixXS to obtain information about
   your configured SixXS tunnels in a format usable by ng_ayiya's testing
   infrastructure:

   sixxs-tic-tunnels -s tic.sixxs.net -f /usr/local/etc/aiccu.conf > tic-tunnels.txt

4. Copy the tic-tunnels.txt file to the ng_ayiya source directory.

5. Change into the ng_ayiya source directory (the one containing ng_ayiya.c)

6. Build ng_ayiya:

   make cleandir && make cleandir

   # Do not run "make obj"; the testing scaffold does not really understand
   # object directories just yet

   make depend
   make

7. Load the kernel module and create an AYIYA node:

   make down     # or make teardown
   make up       # or make setup

8. Check to see that the AYIYA node is loaded properly; these commands
   should report that it has not been configured yet and it has no hooks:

   sudo ngctl list
   sudo ngctl status sc_ayiya:
   sudo ngctl config sc_ayiya:
 
9. Use the testing scaffold to create a simple graph and connect to your
   SixXS tunnel; replace "T22928" with the name of your tunnel as listed
   in the tic-tunnels.txt file:

   make tic TIC_TUNNEL=T22928

10. Check that your tunnel is up and running:

   sudo ngctl status sc_ayiya:
   sudo ngctl config sc_ayiya:

   ifconfig ng0

   ping6 -c1 your-tunnel's-peer-IPv6-address (usually one less than
   the local IPv6 address configured on the ng0 interface, but check
   tic-tunnels.txt for the exact value)

   sudo route -6 add default your-tunnel's-peer-IPv6-address

   curl -6s http://www.kame.net/ | fgrep -e 'Dancing kame'


Using SixXS aiccu with Netgraph support
---------------------------------------

To use the SixXS aiccu tool with Netgraph support to bring up a SixXS
tunnel, build it from its port as per the "Building from ports" section
above, then start it.  It should connect to the SixXS TIC server normally,
obtain information about your tunnels, then configure an ng_ayiya node
and its requisite ng_ksocket and ng_iface nodes, and set them up for
traffic to flow.


Using SixXS aiccu for a local testing tunnel against ng_ayiya
-------------------------------------------------------------

The top-level Makefile in this source distribution contains a target
allowing you to use the included ayiya_listen and ayiya_resp tools to
set up an AYIYA server for aiccu to connect to.  To do that, follow these
steps:

1. On the client, update the aiccu.conf file to point to the local host
   as the TIC server ("server 127.0.0.1").

1. On the client, set up a tic-tunnels.txt file with the server's IPv4
   address in the 'IPv4 POP' field, and the client's and the server's IPv6
   addresses respectively in the 'IPv6 Endpoint' and 'IPv6 POP' fields.

2. On the client, start Net-SixXS's TIC server emulation:

   sixxs-tic-server -f /usr/local/etc/aiccu.conf -t tic-tunnels.txt -v

3. On the server, set up a tic-tunnels.txt file with the 'Endpoint' and
   'POP' fields swapped for IPv6; the IPv4 fields do not matter.

4. On the server, start the AYIYA server simulation by issuing this
   command in the project's top-level directory:

   make ayiya-server TUNNELSFILE=tic-tunnels.txt LISTENADDR=n.n.n.n

   ...where n.n.n.n is the server's IPv4 address, the one specified in
   the client's 'IPv4 endpoint' field.

5. On the client, start aiccu with the modified config file, so that it
   will query the local TIC server and the latter would supply data about
   the local testing tunnel:

   sudo sixxs-aiccu start /usr/local/etc/aiccu.conf

Now there should be diagnostic messages on the server side saying that
a tunnel has been established and a heartbeat message has been received.