
Arctic Networking Properties


Presentation Transcript


  1. Arctic Networking Properties Jari Lahti, CTO

  2. Wireless Solutions Industry General networking properties Network menu

  3. WiFi BLUETOOTH Summary CDMA EDGE UMTS WiMax GPRS

  4. Summary
  • Shows the status of all active network interfaces
    • loopback, Ethernet, SSH-VPN, L2TP-Tunnel, Dial-In
  • Shows the routing table
  • Shows the ARP cache

  5. WiFi BLUETOOTH Ethernet CDMA EDGE UMTS WiMax GPRS

  6. Ethernet
  • 10 Base-T or 100 Base-T
  • supports auto negotiation
  • supports half duplex and full duplex
  • Shielded Ethernet connection, shield connected to power supply ground
    • when using shielded cable consider the possible potential differences

  7. Ethernet settings
  • Override Ethernet configuration by DHCP?: Enable if Arctic should fetch the Ethernet configuration from a DHCP server on the LAN. Make sure the default gateway is not enabled by the DHCP server if another interface (Tunnel, GPRS) should be used as the default route
  • Host name: The host name of Arctic. Identifies Arctic on SSH-VPN and L2TP tunnels; each Arctic must have a different hostname in tunneling configurations
  • Ethernet IP address: The IP address of the Arctic Ethernet interface (LAN)
  • Network mask: The network mask of the Ethernet network
  • Default gateway: The IP address of the default gateway on the LAN. Use only when Ethernet should be used as the default route; disable by entering 0
  • DNS servers: Addresses of DNS servers
  • MAC address: Shows Arctic's MAC/HW address
  NOTE: Arctic must have only one default route (Ethernet, GPRS, Tunnel) enabled simultaneously!

  8. WiFi BLUETOOTH GPRS CDMA EDGE UMTS WiMax GPRS

  9. GPRS
  • General Packet Radio Service
  • Wireless packet data channel
  • Based on GSM technology and networks
  • Designed for TCP/IP traffic
  • Dynamic radio channel allocation
  • Faster data transfer compared to GSM data
  • Pricing based on amount of data
    • Different pricing models, subscription and operator dependent
    • X EUR / MB (typically 0,5 - 2 EUR/MB)
    • X EUR / 100 MB (typically 5 - 15 EUR / 100 MB)
    • X EUR / Unlimited communication (typically 10 - 20 EUR)
  • Public network, Global - low initial investments

  10. GPRS throughput
  Coding schemes: CS1 => 9.05 kbps, CS2 => 13.4 kbps, CS3 => 15.6 kbps, CS4 => 21.4 kbps
  • Class 10 (4 downlink channels, 2 uplink channels)
  • Typically CS1 and CS2 supported by GPRS networks
  • Table above indicates maximum throughput
    • practical throughput ~ 70-80% of maximum
    • ~5 kB/sec download
  • Round-trip times 350 ms - 2 sec
    • first packets typically have longer delays
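
The throughput figures on this slide follow from the coding-scheme rate and the number of timeslots in the multislot class. The following is an added worked example, not code from the presentation or from Arctic; the 70-80% practical factor, the Class 10 slot counts and the coding-scheme rates are the slide's numbers, the `efficiency` parameter, the `transfer_time_s` model and kB = 1000 bytes are assumptions of the example.

```python
# Added example, not from the presentation: estimate GPRS throughput from the
# coding scheme rates and the multislot class given on the slide.
from dataclasses import dataclass

# Per-timeslot rates in kbit/s for the coding schemes listed on the slide.
CODING_SCHEME_KBPS = {"CS1": 9.05, "CS2": 13.4, "CS3": 15.6, "CS4": 21.4}

# Multislot class -> (downlink timeslots, uplink timeslots).
# Only class 10 is listed because that is the one the slide gives.
MULTISLOT_CLASS = {10: (4, 2)}


@dataclass(frozen=True)
class Throughput:
    max_down_kbps: float
    max_up_kbps: float
    practical_down_kbytes_s: float   # kB = 1000 bytes (assumption)
    practical_up_kbytes_s: float


def estimate(coding_scheme: str, multislot_class: int = 10,
             efficiency: float = 0.75) -> Throughput:
    """Maximum throughput is the per-timeslot rate times the number of
    timeslots; practical throughput applies the slide's 70-80 % figure
    (efficiency, default 0.75) and converts kbit/s to kB/s."""
    if not 0.0 < efficiency <= 1.0:
        raise ValueError("efficiency must be in (0, 1]")
    per_slot = CODING_SCHEME_KBPS[coding_scheme]
    down_slots, up_slots = MULTISLOT_CLASS[multislot_class]
    max_down = per_slot * down_slots
    max_up = per_slot * up_slots
    return Throughput(max_down, max_up,
                      max_down * efficiency / 8.0,
                      max_up * efficiency / 8.0)


def transfer_time_s(size_bytes: int, rate_kbytes_s: float,
                    rtt_s: float = 0.35) -> float:
    """Rough one-way transfer time for size_bytes: one round trip (the
    slide's 350 ms lower bound by default) plus the payload time.
    Assumed model, not a figure from the slide."""
    return rtt_s + size_bytes / (rate_kbytes_s * 1000.0)


if __name__ == "__main__":
    for cs in ("CS1", "CS2"):   # the schemes networks typically support
        t = estimate(cs)
        print(f"{cs}: max {t.max_down_kbps:.1f}/{t.max_up_kbps:.1f} kbps, "
              f"practical {t.practical_down_kbytes_s:.2f}/"
              f"{t.practical_up_kbytes_s:.2f} kB/s")
    # A 100 kB poll response at the CS2 practical rate:
    secs = transfer_time_s(100_000, estimate("CS2").practical_down_kbytes_s)
    print(f"100 kB at CS2: {secs:.1f} s")
```

With CS2 and Class 10 the maximum downlink is 4 × 13.4 = 53.6 kbit/s, and 75% of that is about 5.0 kB/s, which is the "~5 kB/sec download" on the slide; the uplink half of the class is correspondingly slower, which matters when sizing uploads from the device.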

  11. GPRS settings
  • Maximum MTU value: Maximum size of a sent GPRS packet in bytes
  • Default route: Enable if GPRS is used as the default route to external networks (typically when plain GPRS is used). Disable if another connection (Tunnel, Ethernet) is used as the default route to external networks
  NOTE: Arctic must have only one default route (Ethernet, GPRS, Tunnel) enabled simultaneously!
  • GPRS enabled: Set Yes to allow GPRS communication
  • Access point name: Mandatory parameter. A public APN is usually "INTERNET"; a private APN (e.g. viola.fi) requires an operator contract
  • PIN code: The PIN code of the GPRS SIM card (e.g. 1234). A non-numeric value causes Arctic not to try the PIN code. The SIM card must have at least 2 tries left
  • Led indication: Data only - the GPRS LED blinks when data is transmitted; Informative - the GPRS LED indicates data and GPRS registration status
  • GPRS username & password: Username and password required by the APN. Use "dummy" values, e.g. user and pass, even when not required by the APN
  • PPP idle timeout: If the GPRS connection is idle for more than the defined number of seconds, Arctic re-establishes the GPRS connection. The ICMP Echo sending interval of the monitor should be smaller than the PPP idle timeout in order to have an uninterrupted connection

  12. GPRS LED
  • In "Data only" mode the GPRS LED blinks when Arctic transmits GPRS data
  • In "Informative" mode the GPRS LED behaves the following way
    • OFF: GPRS modem turned off
    • 600 ms ON / 600 ms OFF: No SIM card inserted or no PIN entered, or network search in progress
    • 75 ms ON / 3 s OFF: Logged in to network
    • 75 ms ON / 75 ms OFF / 75 ms ON / 3 s OFF: GPRS activated
    • Flashing slow: Indicates GPRS data transfer
    • ON: GSM data call in progress

  13. WiFi BLUETOOTH Dial-in (GSM Data) CDMA EDGE UMTS WiMax GPRS

  14. Dial-in
  • It is possible to dial in to Arctic with a GSM data call
    • To configure Arctic in situations where a GPRS connection is not possible
      • Public APN, firewall blocks, D-NAT forwards TCP ports 22 (SSH), 23 (Telnet) or 80 (HTTP), tunnel problems
      • Installed but unconfigured device
  • The SIM card must allow incoming data calls
  • Dial-in is enabled in Arctic by default
    • change the default username and password for Dial-in
  • When dial-in is active the GPRS data is suspended
  • Dial-in uses the PPP protocol, not plain data

  15. Dial-in settings
  NOTE: SMS Config is also available for remote configuration in situations where GSM data is not possible
  • Dial-in enabled: Set Yes to allow incoming data calls
  • Require authentication (PAP): Set Yes to require username/password authentication for the PPP connection
  • Required username & password: The required username/password combination
  • Idle timeout: If the dial-in connection is idle for more than the defined timeout in seconds, Arctic closes the connection
  • Local IP address: The IP address Arctic allocates to itself in the PPP connection. After the connection is established, Arctic can be reached using this IP address
  • Peer's IP address: The IP address Arctic allocates to the peer (e.g. a laptop computer) in the PPP connection

  16. Configuring Dial-In on Windows
  • A modem needs to be installed on the PC (conventional PSTN or GSM modem)
  • Go to Control Panel > Network connections
  • Select "Create new Connection"
  • Network connection type is "Connect to the Internet"
  • Select "Set up my connection manually"
  • Select "Connect using a dial-up modem"
  • Select a suitable modem
  • ISP name can be e.g. Arctic or the hostname of Arctic
  • Type the Arctic SIM card number as the number to dial
    • Arctic SIM must support incoming GSM data calls
  • Type the username and password for Arctic Dial-in
    • "user" and "pass" by default
  • Uncheck "Make this the default internet connection"
  • Press Finish - the Dial-in connection is configured
  • To dial in to Arctic, double-click the created connection icon in Control Panel > Network connections

  17. WiFi BLUETOOTH SSH-VPN Tunneling CDMA EDGE UMTS WiMax GPRS

  18. SSH-VPN
  • Secure and authenticated VPN tunnel
    • uses the SSH protocol
    • authentication with 1024 bit RSA keys
    • communicating parties must know each other's public keys in order to be able to authenticate
  • Extra GPRS data caused by SSH-VPN ~ 50-60 bytes/packet
  • Tunnel establishment takes more time and data than with L2TP tunneling
    • Operators usually drop GPRS connections after X hours
  • When the SSH-VPN tunnel is successfully formed the "Status" LED of Arctic lights up
  • SSH uses the TCP protocol
    • TCP is a connection-oriented protocol - possible NAT devices between Arctic and the M2M GW maintain the NAT binding without keepalive data
    • Each packet must be acknowledged by the receiver with an ACK packet
    • If the "tunneled" data also uses TCP this leads to a situation where multiple ACK packets are sent. This increases the amount of data transmitted and decreases performance in interactive applications
  [Figure: USER TCP DATA OVER SSH -> SSH ACK; USER TCP ACK OVER SSH -> SSH ACK (usually combined into a single packet)]

  19. SSH-VPN settings
  • Use SSH-VPN: Set Yes to allow SSH-VPN operation
  • Interface: Define the interface (GPRS or Ethernet) used to form the SSH-VPN tunnel
  • Default route: Enable if the SSH-VPN tunnel is the primary communication channel. Usually this should be enabled. If enabled, all other default gateways (Ethernet, GPRS) must be disabled
  • Tunnel server IP: The public IP address of the M2M Gateway
  • Tunnel server port: The TCP port the M2M Gateway listens on for incoming SSH connections
  • Tunnel server GW: If Ethernet is used and the M2M Gateway is not in the same LAN as Arctic, this field must contain the IP address of the LAN's default gateway
  • Routing mode: "None" is used if the SSH-VPN is already the default route and Arctic is not required to advertise any specific network to Ethernet with Proxy-ARP. "Tunnel the following network" is used to tell Arctic which network is reachable behind the tunnel. This must be used when the remote network is a subnet of the network on the Ethernet interface or when the SSH-VPN is not the default route of Arctic
  • Remote network IP & mask: Defines the remote network behind the tunnel

  20. SSH-VPN key management
  • Local SSH public key: The public SSH key of Arctic. This must be copied to the M2M Gateway. Use SHIFT-END to select the whole key and copy with CTRL-C; paste into the M2M GW with CTRL-V
  • Server SSH key: Shows the public key of the M2M GW if the key is known by Arctic
  • Retrieve SSH server key: Uses HTTP (TCP port 80) to fetch the public key from the M2M GW
  • Insert SSH server key: Paste the public key of the M2M GW here manually if the "retrieve" method does not work

  21. Common SSH-VPN problems
  • Most of the problems are routing-related
    • Multiple default routes defined on Arctic; there must be only one default route/default gateway defined
    • "Remote network IP" and "Remote network mask" are incompatible on Arctic. Check the routes in Network > Summary when the tunnel is active
    • "Remote network IP" and "Remote network mask" are incompatible on the M2M GW. Check with the "route" command on the M2M GW when the tunnel is active
  • SSH-VPN can not be established
    • Check the SSH-VPN interface (GPRS or Ethernet)
    • Check the public keys. M2M GW and Arctic must know each other's public keys
    • Check that the firewall on the M2M GW side allows TCP port 22
  • SSH-VPN works only for a certain time if the operator closes PDP contexts
    • Check that the Arctic monitor pings the other end of the tunnel, not the public IP address
  • SSH-VPN drops after several hours
    • Check how often the operator drops GPRS connections
  • SSH-VPN is slow or has high variance in response times
    • "TCP over TCP" decreases performance; consider an L2TP tunnel

  22. WiFi BLUETOOTH L2TP TUNNEL CDMA EDGE UMTS WiMax GPRS

  23. L2TP TUNNEL
  • Plain tunneling without strong authentication or encryption
    • The M2M Gateway authenticates Arctic only by a user/password combination
    • Data is not encrypted
  • Very fast data transfer and small delays when compared to other tunnels
  • Very fast tunnel establishment
  • Suitable for bringing full routing to private-APN systems
  • Suitable for applications not requiring strong security
  • Extra GPRS data caused by L2TP tunnel ~ 30-40 bytes/packet
  • L2TP uses UDP
    • UDP is a connectionless protocol - possible NAT devices (APN, firewall) between Arctic and the M2M GW may maintain the NAT binding for only 30-60 seconds
    • In order to keep the NAT binding valid, additional keepalive data may be required
    • Ask the operator for the NAT binding timeout!
  • When the L2TP tunnel is successfully formed the "Status" LED of Arctic lights up

  24. L2TP-TUNNEL settings
  • Use L2TP-VPN: Set Yes to allow L2TP tunneling
  • Interface: Define the interface (GPRS or Ethernet) used to form the L2TP tunnel
  • Default route: Enable if the L2TP tunnel is the primary communication channel. Usually this should be enabled. If enabled, all other default gateways (Ethernet, GPRS) must be disabled
  • L2TP server IP: The public IP address of the L2TP server
  • L2TP server port: The UDP port the L2TP server listens on for incoming connections
  • L2TP server gateway: If Ethernet is used and the L2TP server is not in the same LAN as Arctic, this field must contain the IP address of the LAN's default gateway
  • L2TP username & password: If the L2TP server requires PAP authentication, these settings define the username/password combination
  • Hello interval: Interval for sending L2TP "Hello" messages in order to keep the NAT binding active
  • Routing mode: "None" is used if the L2TP tunnel is already the default route and Arctic is not required to advertise any specific network to Ethernet with Proxy-ARP. "Tunnel the following network" is used to tell Arctic which network is reachable behind the tunnel. This must be used when the remote network is a subnet of the network on the Ethernet interface or when the L2TP tunnel is not the default route of Arctic
  • Remote network IP & mask: Defines the remote network behind the tunnel

  25. Common L2TP problems
  • Most of the problems are routing-related
    • Multiple default routes defined on Arctic; there must be only one default route/default gateway defined
    • "Remote network IP" and "Remote network mask" are incompatible on Arctic. Check the routes in Network > Summary when the tunnel is active
    • "Remote network IP" and "Remote network mask" are incompatible on the M2M GW. Check with the "route" command on the M2M GW when the tunnel is active
  • L2TP tunnel can not be established
    • Check the L2TP interface (GPRS or Ethernet)
    • Check that the firewall on the M2M GW side allows UDP port 1701
  • L2TP works only for a certain time
    • Check that the Arctic monitor pings the other end of the tunnel, not the public IP address
  • L2TP works only for a certain time (minutes)
    • Check how long the operator's NAT (or another NAT device between Arctic and the L2TP server) maintains the NAT binding for UDP and adjust the L2TP Hello interval to be smaller than the timeout
    • Extra data caused by keepalive ~30 bytes / packet

  26. WiFi BLUETOOTH Monitor CDMA EDGE UMTS WiMax GPRS

  27. Monitor
  • The monitor application performs runtime supervision of Arctic by inspecting various resources like
    • Status of filesystem and memory
    • GPRS modem and SIM card
    • Status of applications
  • The monitor should be used to verify the "end-to-end" operation of the GPRS or tunnel connection. This is achieved by periodically pinging the defined IP address.
    • In tunnel mode, pinging the private tunnel IP of the M2M GW
    • In plain GPRS mode, pinging a suitable public IP address
  • If the ping fails the monitor restarts the GPRS connection and the tunnel
  • If the system inspection fails or the ping fails many times the monitor reboots Arctic
  • The monitor itself is protected by a HW watchdog. If the monitor application hangs, Arctic will reboot.

  28. Monitor settings
  NOTE: each ping sent consumes ~50 bytes of data in plain GPRS mode and ~100 bytes in tunnel mode; the reply consumes the same amount. The interval defines the minimum time to detect a closed GPRS or tunnel connection; adjust this parameter according to the criticality of the connection. The interval must be smaller than the GPRS idle timeout (typically 2/3 of the GPRS idle timeout) in order to have uninterrupted communication
  • ICMP Echo sending: Set enabled in order to allow end-to-end testing of the GPRS or tunnel connection
  • Interval: The interval in seconds between sent ICMP Echo requests (pings)
  • Reply timeout: The timeout in seconds to wait for a reply to a sent ICMP Echo request
  • Retries: Number of retries sent before the connection is detected to be closed
  • Target IP address: The IP address where ICMP Echo requests are sent. In tunnel mode this should be the other end of the tunnel (M2M GW)
  • Secondary target IP address: The secondary IP address where ICMP Echo requests are sent if the primary IP address does not respond. Use this option only in plain GPRS mode
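
The monitor slides describe a set of parameters that have to agree with each other (interval against PPP idle timeout, secondary target only in plain GPRS mode) and a recovery ladder (restart GPRS and tunnel, then reboot). The following is an added example, not code from the presentation or from Arctic, that models both so the settings can be sanity-checked and the data cost of monitoring estimated. The per-ping byte counts and the 2/3 rule are the slide's; the worst-case detection model, the `reboot_after_failures` threshold and the action names are assumptions.

```python
# Added example, not from the presentation: a model of the Monitor settings
# and the recovery ladder (restart GPRS/tunnel, then reboot) on the slides.
from dataclasses import dataclass
from typing import List, Optional

SECONDS_PER_MONTH = 30 * 24 * 3600
# Bytes per ICMP Echo request from the slide; the reply costs the same.
BYTES_PER_PING = {"gprs": 50, "tunnel": 100}


@dataclass
class MonitorConfig:
    interval_s: int            # Interval between ICMP Echo requests
    reply_timeout_s: int       # Reply timeout
    retries: int               # Retries before the connection is considered closed
    target_ip: str             # Target IP address (tunnel end in tunnel mode)
    mode: str = "gprs"         # "gprs" (plain GPRS) or "tunnel"
    secondary_target_ip: Optional[str] = None   # plain GPRS mode only

    def problems(self, ppp_idle_timeout_s: int) -> List[str]:
        """Consistency checks drawn from the notes on the slides."""
        found = []
        if self.interval_s >= ppp_idle_timeout_s:
            found.append("interval must be smaller than the GPRS PPP idle timeout")
        elif self.interval_s > ppp_idle_timeout_s * 2 / 3:
            found.append("interval above 2/3 of the PPP idle timeout; "
                         "GPRS may be re-established between pings")
        if self.mode == "tunnel" and self.secondary_target_ip:
            found.append("secondary target IP is meant for plain GPRS mode only")
        if self.interval_s <= 0 or self.reply_timeout_s <= 0 or self.retries < 0:
            found.append("interval and reply timeout must be positive, retries non-negative")
        return found

    def worst_case_detection_s(self) -> int:
        """Assumed model: the link can die right after a successful ping, so
        detection takes one interval plus the first echo and every retry,
        each waiting the full reply timeout."""
        return self.interval_s + (1 + self.retries) * self.reply_timeout_s

    def monitor_bytes_per_month(self) -> int:
        """Data the monitor itself costs per 30-day month (request + reply)."""
        pings = SECONDS_PER_MONTH // self.interval_s
        return pings * BYTES_PER_PING[self.mode] * 2


class Monitor:
    """Recovery ladder: when an echo and all its retries are lost, the first
    reaction is to restart GPRS and the tunnel; if that keeps happening the
    device is rebooted. The reboot threshold is an assumed parameter."""

    def __init__(self, cfg: MonitorConfig, reboot_after_failures: int = 3):
        self.cfg = cfg
        self.reboot_after = reboot_after_failures
        self.misses = 0      # lost echoes in the current attempt
        self.failures = 0    # consecutive exhausted attempts

    def on_echo_result(self, reply_received: bool) -> str:
        if reply_received:
            self.misses = 0
            self.failures = 0
            return "ok"
        self.misses += 1
        if self.misses <= self.cfg.retries:
            return "retry"                 # retries still available
        self.misses = 0
        self.failures += 1
        if self.failures >= self.reboot_after:
            self.failures = 0
            return "reboot"
        return "restart_gprs_and_tunnel"


if __name__ == "__main__":
    cfg = MonitorConfig(60, 5, 2, "10.8.0.1", mode="tunnel")
    print("problems:", cfg.problems(ppp_idle_timeout_s=120))
    print("worst-case detection:", cfg.worst_case_detection_s(), "s")
    print("monitor data per month:", cfg.monitor_bytes_per_month(), "bytes")
    m = Monitor(cfg)
    print([m.on_echo_result(False) for _ in range(9)])
```

A 60-second interval in tunnel mode costs about 8.6 MB a month before any application data, which is worth comparing with the per-MB pricing on the GPRS slide when choosing the interval.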

  29. WiFi BLUETOOTH Routing CDMA EDGE UMTS WiMax GPRS

  30. Routing settings
  • Act as a router?: Enable in order to allow Arctic to route traffic between Ethernet, GPRS and Tunnel. Enabled by default
  • Use Proxy ARP?: Enable in order to allow Arctic to "cheat" devices on the Ethernet. Usually used with subnetting, when the network behind the tunnel is a subnet of the network behind the Ethernet interface. Proxy-ARP makes it possible to access devices in the subnet without using Arctic as the default gateway for Ethernet devices. Disabled by default
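
The routing rules spread across the Ethernet, GPRS, tunnel and routing slides (one default route at a time, "Routing mode" and Proxy ARP depending on whether the remote network is a subnet of the Ethernet network, remote network IP and mask that have to agree) can be checked mechanically. The following is an added example, not code from the presentation or from Arctic; the function names and the dictionary shapes are assumptions, the rules themselves are the slides'.

```python
# Added example, not from the presentation: checks for the routing-related
# settings on the slides (single default route, routing mode, Proxy ARP,
# remote network IP/mask compatibility).
import ipaddress
from typing import Dict, List, Optional, Tuple


def default_route_problems(default_route_enabled: Dict[str, bool]) -> List[str]:
    """Arctic must have only one default route (Ethernet, GPRS, Tunnel)
    enabled at a time; none at all is flagged as well."""
    on = sorted(name for name, enabled in default_route_enabled.items() if enabled)
    if len(on) > 1:
        return [f"more than one default route enabled: {', '.join(on)}"]
    if not on:
        return ["no default route enabled"]
    return []


def remote_network_or_error(ip: str, mask: str) -> Tuple[Optional[ipaddress.IPv4Network], Optional[str]]:
    """'Remote network IP' and 'Remote network mask' must describe a network.
    Host bits set in the IP are the incompatibility the troubleshooting
    slides mention; strict=True makes ipaddress reject exactly that."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=True), None
    except ValueError as exc:
        return None, f"incompatible remote network IP/mask: {exc}"


def tunnel_routing(eth_ip_with_mask: str, remote_network: str,
                   tunnel_is_default_route: bool) -> dict:
    """Pick 'Routing mode' and 'Use Proxy ARP?' for a tunnel (SSH-VPN or
    L2TP) from the rules on the slides:
      - 'None' only when the tunnel is already the default route and the
        remote network does not need to be advertised on Ethernet;
      - 'Tunnel the following network' when the remote network is a subnet
        of the Ethernet network, or when the tunnel is not the default route;
      - Proxy ARP for the subnetting case, so Ethernet devices reach the
        remote subnet without using Arctic as their default gateway."""
    eth = ipaddress.ip_network(eth_ip_with_mask, strict=False)   # "10.10.10.1/24" -> 10.10.10.0/24
    remote = ipaddress.ip_network(remote_network, strict=True)
    if eth.subnet_of(remote) and eth != remote:
        raise ValueError("remote network contains the whole Ethernet network")
    if remote.subnet_of(eth):
        return {"routing_mode": "Tunnel the following network",
                "remote_network": str(remote), "proxy_arp": True}
    if not tunnel_is_default_route:
        return {"routing_mode": "Tunnel the following network",
                "remote_network": str(remote), "proxy_arp": False}
    return {"routing_mode": "None", "remote_network": None, "proxy_arp": False}


if __name__ == "__main__":
    print(default_route_problems({"ethernet": True, "gprs": False, "tunnel": True}))
    print(remote_network_or_error("192.168.5.7", "255.255.255.0")[1])
    print(tunnel_routing("10.10.10.1/24", "10.10.10.128/25", tunnel_is_default_route=True))
    print(tunnel_routing("10.10.10.1/24", "192.168.5.0/24", tunnel_is_default_route=True))
```

The subnetting case is the one where the checks interact: the tunnel carries 10.10.10.128/25 while the LAN is 10.10.10.0/24, so "Tunnel the following network" is mandatory and Proxy ARP lets LAN hosts reach the far side without a default gateway change.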

  31. WiFi BLUETOOTH NAT (Network Address Translation) CDMA EDGE UMTS WiMax GPRS

  32. S-NAT (Source NAT)
  • Replaces the source address of the IP packet with the GPRS IP address
  • This is usually required (the network does not know how to route private IP addresses)
    • access the internet from a laptop PC through Arctic
  • S-NAT can be turned completely off on Arctic
  • It's also possible to define only certain source addresses to be S-NAT processed
  [Figure: Arctic with Ethernet IP 10.10.10.1 and GPRS IP 11.22.33.44; (1) data from 10.10.10.2 arrives on Ethernet, (2) data leaves on GPRS with source 11.22.33.44]

  33. S-NAT settings
  • Enable S-NAT
    • set Yes to enable S-NAT operation
  • Use
    • Yes - The defined source address is S-NAT processed
    • No - The defined source address is not S-NAT processed
  • From IP
    • Defines the IP address or IP address range to be S-NAT processed
  • IP address syntax
    • single IP address format (1.2.3.4)
    • net/bits on net (1.2.3.0/24)
    • any IP (0/0 or empty)
  • S-NAT is enabled by default

  34. D-NAT (Destination NAT)
  • Requires a fixed GPRS IP address (private APN)
  • Arctic forwards defined (protocol, port) connections from GPRS to Ethernet by replacing the destination IP address of the packet
  • The reply contains Arctic's GPRS IP as source address
  • Makes it possible to access Ethernet devices behind GPRS without tunneling
  • The Ethernet devices use Arctic as default gateway
  • Arctic uses the GPRS connection as default route
  [Figure: Arctic with Ethernet IP 10.10.10.1 and GPRS IP 11.22.33.44; (1) connect to 11.22.33.44 port 888 on GPRS, (2) forwarded to 10.10.10.4 port 80 on Ethernet, (3) reply from 10.10.10.4 port 80, (4) reply from 11.22.33.44 port 888]

  35. D-NAT settings
  • Enable D-NAT: set Yes to enable D-NAT operation
  • Use: Yes - The defined rule is processed; No - The defined rule is not processed
  • Protocol: ANY - Checks the IP address only; TCP - Protocol must be TCP; UDP - Protocol must be UDP; ICMP - Protocol must be ICMP
  • Source IP: The source address of the packet
  • Destination port: The destination port (TCP, UDP) or ICMP type of the packet
  • Redirect to IP: The new destination IP address where the packet is redirected
  • Redir. port: The new destination port (TCP, UDP) or ICMP type where the packet is redirected
  • Source IP address syntax: single IP address format (1.2.3.4); net/bits on net (1.2.3.0/24); any IP (0/0 or empty). "Redirect to IP" accepts only the single IP address format

  36. Common NAT problems
  • Redirecting (D-NAT) TCP port 22 (SSH), Telnet (23) or 80 (HTTP) and therefore making it impossible to access the Arctic configuration from GPRS
    • Solution: SMS config or Dial-in still provides access
  • Setting the D-NAT protocol to ANY and therefore making it impossible to access the Arctic configuration from GPRS
    • Solution: SMS config or Dial-in still provides access
  • Running an FTP server in passive mode behind D-NAT does not work; FTP must use active mode
  • Some VPN programs (IPsec in tunnel mode) require NAT traversal in order to work over S-NAT
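
The D-NAT slides describe a rule table (Use, Protocol, Source IP, Destination port, Redirect to IP, Redir. port), the address rewriting in the figure (11.22.33.44:888 in, 10.10.10.4:80 out, and the reply rewritten back), and two rule shapes that lock the operator out. The following is an added example, not code from the presentation or from Arctic, that models all three; the class and field names, the first-match behaviour and the connection-state table are assumptions, the addresses and ports are the slides'.

```python
# Added example, not from the presentation: a model of the D-NAT rule table,
# the address rewriting in the slide's figure, and the lockout check for the
# "common NAT problems" slide.
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ARCTIC_GPRS_IP = "11.22.33.44"            # figures from the slide
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP"}


def ip_matches(spec: str, ip: str) -> bool:
    """Arctic IP syntax: single address, net/bits, or any ('0/0' or empty)."""
    spec = spec.strip()
    if spec in ("", "0/0"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class DnatRule:
    use: bool                       # Use: Yes/No
    protocol: str                   # ANY, TCP, UDP or ICMP
    source_ip: str                  # Source IP (Arctic syntax)
    dest_port: Optional[int]        # Destination port / ICMP type; ignored for ANY
    redirect_ip: str                # Redirect to IP (single address only)
    redirect_port: Optional[int]    # Redir. port; None keeps the original port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int


class Dnat:
    def __init__(self, rules: List[DnatRule], gprs_ip: str = ARCTIC_GPRS_IP):
        self.rules = rules
        self.gprs_ip = gprs_ip
        # (client ip, client port) -> (original dst, original dport), so the
        # reply can be rewritten back to Arctic's GPRS address and port.
        self.state: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving from GPRS: the first matching rule rewrites the destination."""
        if pkt.dst != self.gprs_ip:
            return pkt
        for r in self.rules:
            if not r.use or not ip_matches(r.source_ip, pkt.src):
                continue
            if r.protocol != "ANY" and (
                    r.protocol != pkt.protocol
                    or (r.dest_port is not None and r.dest_port != pkt.dport)):
                continue
            new_port = r.redirect_port if r.redirect_port is not None else pkt.dport
            self.state[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=r.redirect_ip, dport=new_port)
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Reply from the LAN device: the source is rewritten so the client
        sees Arctic's GPRS IP and the port it originally connected to."""
        orig = self.state.get((pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return replace(pkt, src=orig[0], sport=orig[1])


def lockout_risks(rules: List[DnatRule]) -> List[str]:
    """The two 'common NAT problems': forwarding a management port, or a
    protocol ANY rule, which swallows the configuration ports too."""
    risks = []
    for r in rules:
        if not r.use:
            continue
        if r.protocol == "ANY":
            risks.append(f"protocol ANY rule from '{r.source_ip or 'any'}' forwards "
                         "all traffic, including SSH/Telnet/HTTP meant for Arctic")
        elif r.protocol == "TCP" and r.dest_port in MANAGEMENT_PORTS:
            risks.append(f"TCP port {r.dest_port} ({MANAGEMENT_PORTS[r.dest_port]}) is "
                         "forwarded; Arctic configuration unreachable from GPRS")
    return risks


if __name__ == "__main__":
    d = Dnat([DnatRule(True, "TCP", "0/0", 888, "10.10.10.4", 80)])
    print(d.inbound(Packet("TCP", "62.1.2.3", 40000, ARCTIC_GPRS_IP, 888)))
    print(d.reply(Packet("TCP", "10.10.10.4", 80, "62.1.2.3", 40000)))
    print(lockout_risks([DnatRule(True, "ANY", "0/0", None, "10.10.10.4", None)]))
```

Running `lockout_risks` over the rule table before committing it is the cheap way to avoid the "SMS config or Dial-in still provides access" recovery path.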

  37. WiFi BLUETOOTH DNS Update CDMA EDGE UMTS WiMax GPRS

  38. USER DNS Update
  • Requires a public (but not static) GPRS IP address
  • Requires the GPRS operator to allow incoming GPRS connections
    • Operator and subscription dependent policy
  • The idea is that Arctic informs a remote Domain Name Server which IP address Arctic got from GPRS
    • Then Arctic can be addressed with a domain name instead of an IP address
  • Makes it easier to access the GPRS device, especially in automatic data collection applications
  [Figure: Arctic with GPRS IP 62.22.33.11 behind the APN tells the DNS server "I have IP 62.22.33.11"; a client asks the DNS server "Which IP is arctic.exampledomain.com?", gets "62.22.33.11" and connects to 62.22.33.11]

  39. DNS Update settings
  • Enable
    • set Yes to enable DNS update
  • Record TTL
    • Informs the DNS server how long the IP address is valid
  • Record refresh interval
    • How often Arctic refreshes the DNS server about its IP address (should be smaller than Record TTL)
  • Zone
    • The zone (domain) where Arctic belongs
  • Authoritative name server address
    • The IP address of the DNS server which is responsible for maintaining the zone's name-IP address bindings
  • Our domain name
    • The domain name Arctic is given
  • Use Transaction Signatures
    • Set Yes to enable DNS update authentication (usually required)
  • Tsig key name and Tsig key
    • Like username and password for authentication
    • The key must be Base64 encoded
  • NOTE
    • DNS update works with common DNS servers like DNS-BIND
    • DNS update does not work with DynDNS.org and other similar services using non-standard protocols

  40. WiFi BLUETOOTH SMS Config CDMA EDGE UMTS WiMax GPRS

  41. SMS Config
  • Enables Arctic to be monitored and controlled with SMS messages
    • "Emergency" situations when Arctic in the field is not reachable with GPRS or Dial-in
  • Two versions
    • Version 1.1
      • Simple command set
    • Versions 1.2 and newer
      • Advanced command set
      • Advanced permission configuration
  • SMS Config is enabled by default
  • NOTE
    • SMS Config will delete all messages from the SIM card
    • SMS Config will send an "unknown command" reply if it does not recognise the command
    • => Make sure the SIM card message storage is empty!

  42. SMS Config 1.1
  • Password
    • If a password is defined for Arctic it must be given in the SMS before the command, separated from it by a comma (,)
  • Command set (all commands must be lower case)
    • echo <string> - echoes back the string (e.g. echo test)
    • reboot - reboots Arctic
    • restart gprs - restarts GPRS
    • get hostname - returns the Arctic host name
    • get gprs enabled - returns whether GPRS is enabled
    • get gprs pin - returns the GPRS PIN code
    • get gprs apn - returns the GPRS APN name
    • get gprs user - returns the GPRS user name
    • get gprs passwd - returns the GPRS password
    • get gprs defaultroute - returns whether the GPRS default route is enabled
    • get gprs status - returns whether GPRS is enabled and active, the interface name and the enable status of the default route
  • Example with password: pass,restart gprs
  • Example without password: restart GPRS
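
The message format on this slide is small enough to implement end to end: an optional password, a comma, then a lower-case command, with "unknown command" as the reply for anything unrecognised. The following is an added example, not code from the presentation or from Arctic; the `SmsConfig11` class, the state dictionary keys, the reply texts for `reboot` and `restart gprs`, and the decision to answer a wrong password with "unknown command" are assumptions. The commands that would return the PIN or GPRS password over SMS are deliberately not implemented here.

```python
# Added example, not from the presentation: a hypothetical handler for the
# SMS Config 1.1 message format on the slide (password, comma, lower-case
# command). Reply texts for reboot/restart gprs are assumed.
import hmac
from typing import Dict, Optional, Tuple

UNKNOWN = "unknown command"


def _yes_no(value: object) -> str:
    return "yes" if value else "no"


class SmsConfig11:
    def __init__(self, password: Optional[str], state: Dict[str, object]):
        self.password = password
        # Expected keys: hostname, gprs_enabled, gprs_apn, gprs_active,
        # gprs_interface, gprs_defaultroute (assumed names).
        self.state = state

    def handle(self, sms_text: str) -> Tuple[str, Optional[str]]:
        """Returns (reply text, action); action is 'reboot' or 'restart gprs'
        for the commands that change the device, otherwise None."""
        body = sms_text.strip()
        if self.password is not None:
            given, sep, body = body.partition(",")
            # A missing or wrong password is answered like any unrecognised
            # message (assumption; the slide does not say what is replied).
            if not sep or not hmac.compare_digest(given.strip().encode(),
                                                  self.password.encode()):
                return UNKNOWN, None
            body = body.strip()
        if body != body.lower():          # all commands must be lower case
            return UNKNOWN, None
        if body.startswith("echo "):
            return body[len("echo "):], None
        if body == "reboot":
            return "rebooting", "reboot"
        if body == "restart gprs":
            return "restarting gprs", "restart gprs"
        if body == "get hostname":
            return str(self.state["hostname"]), None
        if body == "get gprs enabled":
            return _yes_no(self.state["gprs_enabled"]), None
        if body == "get gprs apn":
            return str(self.state["gprs_apn"]), None
        if body == "get gprs defaultroute":
            return _yes_no(self.state["gprs_defaultroute"]), None
        if body == "get gprs status":
            s = self.state
            return (f"enabled={_yes_no(s['gprs_enabled'])} "
                    f"active={_yes_no(s['gprs_active'])} "
                    f"interface={s['gprs_interface']} "
                    f"defaultroute={_yes_no(s['gprs_defaultroute'])}"), None
        return UNKNOWN, None


if __name__ == "__main__":
    # Constructed device state for the demo.
    demo_state = {"hostname": "arctic-01", "gprs_enabled": True, "gprs_apn": "INTERNET",
                  "gprs_active": True, "gprs_interface": "ppp0", "gprs_defaultroute": False}
    h = SmsConfig11("pass", demo_state)
    for msg in ("pass,restart gprs", "restart gprs", "pass,Restart GPRS", "pass,get gprs status"):
        print(repr(msg), "->", h.handle(msg))
```

Note how a device with no password accepts `restart gprs` from any sender: the slide's "change the default username and password" advice for Dial-in applies with equal force to setting an SMS Config password.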

  43. Wireless Solutions Industry Firewall Firewall menu

  44. Firewall
  • The Arctic firewall limits the IP communication between the following networks
    • From GPRS to Arctic (incoming)
    • From GPRS to LAN (forwarding)
    • From LAN to GPRS (outgoing)
  • Each firewall section can be turned on/off separately
  • The firewall can be turned completely on/off
  • Turning off a section or the firewall means there is no traffic limitation
  • The tunnel connections are not affected by the firewall
  • The dial-in connections are not affected by the firewall

  45. Stateful inspection
  • The Arctic firewall remembers the state of connections
    • Not necessary to define separate rules for the incoming and outgoing data of a connection
  • S-NAT and D-NAT rules are processed before firewall rules
    • E.g. D-NAT is used to forward GPRS TCP port 888 to LAN IP 10.10.10.2 port 80
    • The GPRS to LAN firewall needs to be configured to accept the TCP connection to 10.10.10.2 port 80
  [Figure: Arctic with Ethernet IP 10.10.10.1 and GPRS IP 11.22.33.44; (1) connect to 11.22.33.44 port 888 on GPRS, (2) forwarded to 10.10.10.2 port 80 on Ethernet, (3) reply from 10.10.10.2 port 80, (4) reply from 11.22.33.44 port 888]

  46. Order of rule processing
  • The rules are processed from top to bottom
  • It's not possible to enable communication if it's disabled by a rule before
  • It's not possible to disable communication if it's enabled by a rule before
  • Examples of misleading configurations
  [Figure: two example rule tables; the first setup accepts all data, the second setup drops all data to 10.10.10.4]

  47. GPRS to Arctic
  Defines the rules for how to treat traffic coming from GPRS targeted at Arctic
  • Action: NO RULE - rule is disabled; ACCEPT - data is accepted; DROP - data is discarded
  • Protocol: ANY - Checks the IP address only; TCP - Protocol must be TCP; UDP - Protocol must be UDP; ICMP - Protocol must be ICMP
  • From IP: The source address of the packet
  • Destination port: The destination port (TCP, UDP) or ICMP type of the packet
  • IP address syntax: single IP address format (1.2.3.4); net/bits on net (1.2.3.0/24); any IP (0/0)

  48. GPRS to LAN
  Defines the rules for how to treat traffic coming from GPRS targeted at the LAN
  • Action: NO RULE - rule is disabled; ACCEPT - data is accepted; DROP - data is discarded
  • Protocol: ANY - Checks the IP address only; TCP - Protocol must be TCP; UDP - Protocol must be UDP; ICMP - Protocol must be ICMP
  • From IP: The source address of the packet
  • Destination IP: The destination address of the packet
  • Destination port: The destination port (TCP, UDP) or ICMP type of the packet
  • IP address syntax: single IP address format (1.2.3.4); net/bits on net (1.2.3.0/24); any IP (0/0 or empty)

  49. LAN to GPRS
  Defines the rules for how to treat traffic coming from the LAN targeted at GPRS. This firewall section is useful for accepting only wanted data to enter the GPRS network
  • Action: NO RULE - rule is disabled; ACCEPT - data is accepted; DROP - data is discarded
  • Protocol: ANY - Checks the IP address only; TCP - Protocol must be TCP; UDP - Protocol must be UDP; ICMP - Protocol must be ICMP
  • From IP: The source address of the packet
  • Destination IP: The destination address of the packet
  • Destination port: The destination port (TCP, UDP) or ICMP type of the packet
  • IP address syntax: single IP address format (1.2.3.4); net/bits on net (1.2.3.0/24); any IP (0/0 or empty)

  50. Common firewall problems
  • The GPRS to Arctic firewall disables TCP port 22 (SSH), Telnet (23) or 80 (HTTP) and therefore makes it impossible to access the Arctic configuration from GPRS
    • Solution: SMS config or Dial-in still provides access
  • Violating the "from top to bottom" rule processing principle causes different operation than required
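
The firewall slides together define a first-match rule language (Action, Protocol, From IP, Destination IP, Destination port, the IP syntax) plus three things that go wrong: rule order, rules written against the pre-NAT address even though NAT runs first, and locking the operator out of the management ports. The following is an added example, not code from the presentation or from Arctic, that evaluates a section the way the slides describe and checks for those three problems. The rule bodies behind the two "misleading configurations" are assumed (the slide shows only their captions), as is the default for traffic no rule matches; the addresses and ports are the slides'.

```python
# Added example, not from the presentation: first-match evaluation of an
# Arctic-style firewall section, the two "misleading configurations" from
# the rule-order slide, and the management-port lockout check.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP"}
ARCTIC_GPRS_IP = "11.22.33.44"          # from the slides' figures


def ip_matches(spec: str, ip: str) -> bool:
    """Arctic IP syntax: single address, net/bits, or any ('0/0' or empty)."""
    spec = spec.strip()
    if spec in ("", "0/0"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                      # NO RULE, ACCEPT or DROP
    protocol: str = "ANY"            # ANY, TCP, UDP, ICMP
    from_ip: str = "0/0"
    dest_ip: str = "0/0"             # absent in the GPRS-to-Arctic section
    dest_port: Optional[int] = None  # port or ICMP type; ignored for ANY


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.action == "NO RULE":
        return False
    if not ip_matches(rule.from_ip, pkt.src) or not ip_matches(rule.dest_ip, pkt.dst):
        return False
    if rule.protocol == "ANY":          # ANY checks the IP addresses only
        return True
    if rule.protocol != pkt.protocol:
        return False
    return rule.dest_port is None or rule.dest_port == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """Rules are processed from top to bottom; the first match decides and
    a later rule cannot reverse it. The 'default' for unmatched traffic is
    an assumption of this model; the slides do not state it."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def management_lockout(gprs_to_arctic: List[Rule], sources: List[str]) -> List[str]:
    """Common firewall problem: the GPRS-to-Arctic section not accepting SSH,
    Telnet or HTTP from the addresses the device is managed from."""
    findings = []
    for src in sources:
        for port, name in MANAGEMENT_PORTS.items():
            pkt = Packet("TCP", src, ARCTIC_GPRS_IP, port)
            if evaluate(gprs_to_arctic, pkt) != "ACCEPT":
                findings.append(f"{name} (TCP {port}) from {src} is not accepted")
    return findings


# The two misleading configurations from the slide, with assumed rule bodies.
ACCEPTS_EVERYTHING = [Rule("ACCEPT"),                        # matches all traffic first...
                      Rule("DROP", dest_ip="10.10.10.4")]   # ...so this never runs
DROPS_HOST = [Rule("DROP", dest_ip="10.10.10.4"),           # first match wins for the host
              Rule("ACCEPT")]

if __name__ == "__main__":
    to_host = Packet("TCP", "62.1.2.3", "10.10.10.4", 80)
    print("accepts-everything table:", evaluate(ACCEPTS_EVERYTHING, to_host))
    print("drops-host table:", evaluate(DROPS_HOST, to_host))
    # NAT runs before the firewall: the GPRS-to-LAN rule must name the
    # translated address 10.10.10.2:80, not Arctic's 11.22.33.44:888.
    translated = Packet("TCP", "62.1.2.3", "10.10.10.2", 80)
    print("rule on pre-NAT address:", evaluate([Rule("ACCEPT", "TCP", "0/0", ARCTIC_GPRS_IP, 888)], translated))
    print("rule on post-NAT address:", evaluate([Rule("ACCEPT", "TCP", "0/0", "10.10.10.2", 80)], translated))
    print(management_lockout([Rule("ACCEPT", "TCP", "62.1.2.0/24", dest_port=22), Rule("DROP")], ["62.1.2.3"]))
```

The last check is the one to run before saving a GPRS-to-Arctic table: a section that only accepts SSH from the management network has silently closed Telnet and HTTP, which may be intended, but the tool makes the consequence explicit instead of leaving it to be discovered from the field.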
