Child pages
  • Laboratory Manual
Skip to end of metadata
Go to start of metadata

If you have reached this point it is because you are interested in using our lab to develop your own P4 applications and therefore this section is where you are supposed to be.

First of all, you need to request access to the lab through rare@lists.geant.org explaining what are you willing to use the lab for. After committee aproval, you will be granted the access to the lab.

Assuming you already have the permission to use the lab, the following instructions are intended to make you understand how the lab is used, what can you expect from it and what do we expect you to do (and not to do).

Access the RARE@NMaaS Domain

In order to provide access to the lab and provide also with some services that are needed to support it, the RARE@NMaaS provides among others with VPN access, a reservation service based on schedule (Booked) and a bastion from which the resources are accessible. The picture below is a simplistic representation on your access to the lab.

  1. You will basically connect through a VPN network to get access to the RARE@NMaaS domain.
  2. You will provide with an ssh public key that will be installed on the lab to allow you ssh access.
  3. You will connect to the Booked service to make your reservation
  4. Your ssh public key will be automatically installed and removed at the precise timeslot on the "Researchers bastion" and the reserved devices.
  5. You should now be able to ssh to the "Researchers bastion" and from there jump to the reserved resource.
  6. You can happily code, compile and test your p4 code on top of a powerful Tofino device.


Following subsections explain more in detail  and technically the actions needed from your side to get access to the resources.

VPN Access

So once you are granted administratively access to the lab, a vpn configuration file is provided to you. The vpn is based on openvpn and any Operating service can be used to connect to it. In particular if you are working from a linux system you can use the following command to connect to it and you should get some output similar to the one you can see below


$ sudo openvpn --verb 3 --config user.ovpn            
[sudo] password for user: 
Mon Jun  1 15:38:44 2020 OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Mon Jun  1 15:38:44 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Mon Jun  1 15:38:44 2020 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun  1 15:38:44 2020 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun  1 15:38:44 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]150.254.160.131:1194
Mon Jun  1 15:38:44 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Jun  1 15:38:44 2020 UDP link local (bound): [AF_INET][undef]:1194
Mon Jun  1 15:38:44 2020 UDP link remote: [AF_INET]150.254.160.131:1194
Mon Jun  1 15:38:44 2020 TLS: Initial packet from [AF_INET]150.254.160.131:1194, sid=b5d0dcc3 12d2a696
Mon Jun  1 15:38:44 2020 VERIFY OK: depth=1, CN=sts-ca, C=PL, ST=Poznan, L=Poznan, O=PSNC, OU=PLLAB
Mon Jun  1 15:38:44 2020 VERIFY KU OK
Mon Jun  1 15:38:44 2020 Validating certificate extended key usage
Mon Jun  1 15:38:44 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jun  1 15:38:44 2020 VERIFY EKU OK
Mon Jun  1 15:38:44 2020 VERIFY X509NAME OK: CN=sts-vpn.nmaas.eu, C=PL, ST=Poznan, L=Poznan, O=PSNC, OU=PLLAB
Mon Jun  1 15:38:44 2020 VERIFY OK: depth=0, CN=sts-vpn.nmaas.eu, C=PL, ST=Poznan, L=Poznan, O=PSNC, OU=PLLAB
Mon Jun  1 15:38:44 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Mon Jun  1 15:38:44 2020 [sts-vpn.nmaas.eu] Peer Connection Initiated with [AF_INET]150.254.160.131:1194
Mon Jun  1 15:38:45 2020 SENT CONTROL [sts-vpn.nmaas.eu]: 'PUSH_REQUEST' (status=1)
Mon Jun  1 15:38:45 2020 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.99.1,topology subnet,ping 10,ping-restart 60,route 192.168.113.0 255.255.255.0 192.168.99.1,ifconfig 192.168.99.22 255.255.255.0,peer-id 9,cipher AES-128-GCM'
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: route options modified
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: route-related options modified
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: peer-id set
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Jun  1 15:38:45 2020 OPTIONS IMPORT: data channel crypto options modified
Mon Jun  1 15:38:45 2020 Data Channel: using negotiated cipher 'AES-128-GCM'
Mon Jun  1 15:38:45 2020 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Jun  1 15:38:45 2020 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Jun  1 15:38:45 2020 ROUTE_GATEWAY 192.168.18.1/255.255.255.0 IFACE=wlan0 HWADDR=64:80:99:97:d6:d2
Mon Jun  1 15:38:45 2020 TUN/TAP device tun0 opened
Mon Jun  1 15:38:45 2020 TUN/TAP TX queue length set to 100
Mon Jun  1 15:38:45 2020 /usr/bin/ip link set dev tun0 up mtu 1500
Mon Jun  1 15:38:45 2020 /usr/bin/ip addr add dev tun0 192.168.99.22/24 broadcast 192.168.99.255
Mon Jun  1 15:38:46 2020 /usr/bin/ip route add 192.168.113.0/24 via 192.168.99.1
Mon Jun  1 15:38:46 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun  1 15:38:46 2020 Initialization Sequence Completed



At this point you shall be able to reach the services provided by the RARE@NMaaS , in particular, our booking service at https://p4-bkd-srv.rare.nmaas.eu

Providing your public SSH Key

Access to the bastion and also to the devices capable of building and running p4 programs is available through ssh connectivity employing asymmetric keys.

In order to get access to the resources you need to provide your public key to rare@lists.geant.org

That key will be installed in our provisioning system to be installed automatically on reservation. If your key has been compromised or you just want to change it, please send us your new public key.

Generating your keys

This section is intended to help if you ever used ssh keys for ssh access.

You can easily generate a pair via ssh-keygen command, other clients like putty (Windows) also provide ways to generate key pairs (https://www.ssh.com/ssh/putty/windows/puttygen)

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/lab_user_key      
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/lab_user_key
Your public key has been saved in /home/user/.ssh/lab_user_key.pub
The key fingerprint is:
SHA256:sZQEzn20FTRxyOiKm1x2dHALHncIdhW3+uHsm756koI user@myhost
The key's randomart image is:
+---[RSA 3072]----+
|      ... +=B*+..|
|     o o +=+*o...|
|      o =oo* o . |
|       . ++ o .  |
|       .So . . . |
|      . + .   + .|
|     . = ..   .+ |
|      +  E . o...|
|            ..=*o|
+----[SHA256]-----+


The process will generate two files. One is your private key that identifies you unequivocally and the .pub file that holds the public key allowing anyone (and in particular the lab) to know that it is you and only you accessing it.

So you need to provide us the public key sending it via email to rare@lists.geant.org

In case you used putty  there is the option to export your key as openssh format, if possible that's the format desired.

Scheduling system

The lab will enforce user access thanks to the automation of ssh public key installation into the bastion and the switches. The reservations will be checked everyday at 00:00 am so will not be possible to make a reservation for current day but it is possible to make a reservationfor multiple days timespan. The reservation system is based on booked and is accessible here: https://p4-bkd-srv.rare.nmaas.eu Your credentials will be provided to you alongside with the openvpn configuration.

After logging in, the following screen where the resources available are presented and links to reservation page are shown where the switches are available. In the figure only 3 devices are shown because the 4th is under maintenance.

Once reservation button is clicked, reservation page is shown where starting date (Begin) and ending date (End) can be set. You can set there a title for this precise reservation and a description, please, use proper titles because these may be used for giving you some support if problems appear. At that point pressing the "Change" button you can add more resources to your reservation. 

By pressing "Create" your reservation is created and can be changed at any moment later until the day before the reservation starts. Remember that making reservations for the current day is not possible in the present reservation mechanism.

The reservation is done and it appears in your list.


Alternatively there is a drag and drop reservation mechanism accessible via Schedule → Bookings . This approach simplifies the search of available devices when no particular device is required but rather simply any device.


Accessing a precise resource

Once the time of your reservation arrives, your cryptographic material will be set in the places where it must be automatically. At that point you will be able to access the device with the following steps

  1. Start the VPN access as said above
  2. ssh the resource jumping via the p4-tbd-srv.rare.nmaas.eu
    1. There is an option to make a 1 step jump to the resources via command
      $ ssh -i ~/.ssh/gn4_4096_rsa -J netops@p4lab p4@172.16.26.103
      Linux FRA0001 4.14.151-OpenNetworkLinux #1 SMP Tue May 26 16:08:08 UTC 2020 x86_64
      Last login: Wed Jun  3 22:39:51 2020 from 172.16.11.11
      p4@FRA0001:~$
      For this to work you will need to may want to configure your .ssh/config file with the following piece of configuration
      Host p4lab
           Hostname 192.168.113.104
           User netops
           IdentityFile ~/.ssh/gn4_4096_rsa
    2. If you want to do a two step jump, you will need to deploy your rsa key to the p4-tbd-srv and take care to remove it when you finish and before access is removed


Thank you and happy hacking!

  • No labels