Provisioning arrangements for secnet - consultation
ijackson at chiark.greenend.org.uk
Wed Aug 24 14:55:46 BST 2016
Ian Jackson writes ("Provisioning arrangements for secnet - consultation"):
> I am starting by collecting requirements `user stories' . I will
> reply to this message with a couple of my own. Please do likewise,
> posting to sgo-software-discuss.
User story: New site
Jennifer has a home network. Jennifer is using a randomly-generated
IPv4 /24 registered in the CAM-GRIN. The main router on her network,
called `router', is running a Debian derivative.
Jennifer wants her network to join the SGO VPN.
Jennifer finds the SGO VPN documentation on how to do this, which is
short and easy to follow.
Following the instructions, Jennifer installs the secnet package on
her router. She types something like this, from her own account:
secnet-join-vpn asks Jennifer some basic questions, automatically
guessing good default answers.
It presents Jennifer with the policy document provided by the SGO VPN
administrator and asks for her agreement, providing a text editor for
her to type any comments, questions or clarifications.
One of the questions asks for Jennifer's permission to route any or
all of 172.16/12 and 192.168/16, apart from her own network, to the
secnet-join-vpn configures everything on her router. It communicates
with the provisioning service on chiark, providing all the details
necessary. It sets up secnet right away, expecting that things will
start working when the other end is done. (It is idempotent.)
If authentication to chiark is done with ssh, secnet-join-vpn uses
Jennifer's own chiark account and sets up the group on chiark, ssh
keys with restricted commands, and so on. When secnet-join-vpn needs
root, it uses sudo (or it can be run as root).
The provisioning service on chiark sees that this is a new request,
stores it, and emails vpn-coordinator@ details of the request
(including any comments provided by Jennifer).
vpn-coordinator reviews the request and checks the CAM-GRIN.
vpn-coordinator approves the request by running a simple command line
rune on chiark. This sends a confirmation email to Jennifer.
The details of Jennifer's network are incorporated into chiark's
secnet configuration and chiark's secnet is made to use them.
Communication between chiark's secnet and Jennifer's house starts
When the link comes up, the provisioning system emails Jennifer and
vpn-coordinator to let them know that the provisioning was
successful. (vpn-coordinator does not have to email Jennifer.)
Also, the information about Jennifer's house is automatically
distributed to all the other nodes on the VPN. Those other nodes
which are running secnet automatically pick up this information.
Jennifer's house has connectivity to other SGO VPN sites within a
matter of minutes.
Other nodes which are running things other than secnet are provided
with an API they can use to discover that Jennifer's house is now
part of the VPN and to add her address range to the ranges that ought
to be routed via chiark.
Ian Jackson <ijackson at chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
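A toy model of the provisioning flow this user story describes, as an added illustration and not secnet's own code or anything that runs on chiark: the service class, its in-memory storage, the `submit`/`approve`/`link_up`/`routes` operations and the config fragment shape are all hypothetical stand-ins, and the site names, address ranges and contact addresses are constructed sample values. It shows the properties the story asks for: a join request that is idempotent (re-running it is a no-op), a check that the offered range lies inside the 172.16/12 and 192.168/16 space and does not overlap another site, a coordinator approval step that emits configuration and a confirmation, notification of both parties when the link comes up, and a route feed that non-secnet nodes can poll.

```python
"""Model of the secnet provisioning flow from the user story.

Added example; not secnet's code. Every name below is hypothetical and
the sample sites and addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field

# Address space the story says Jennifer may be asked to route via the VPN.
PRIVATE_SPACE = [ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class JoinRequest:
    site: str        # short site name, e.g. "jennifer-house" (constructed)
    network: str     # the site's registered range, e.g. a CAM-GRIN /24
    contact: str     # address that receives confirmations
    comments: str = ""   # free-text comments typed into the editor


@dataclass
class ProvisioningService:
    pending: dict = field(default_factory=dict)   # site -> JoinRequest
    approved: dict = field(default_factory=dict)  # site -> JoinRequest
    outbox: list = field(default_factory=list)    # (recipient, subject) pairs

    def _check_range(self, req):
        """Reject ranges outside the VPN's private space or overlapping a known site."""
        net = ipaddress.ip_network(req.network, strict=True)
        if not any(net.subnet_of(p) for p in PRIVATE_SPACE):
            raise ValueError(f"{net} is outside the space the VPN routes")
        for other in list(self.pending.values()) + list(self.approved.values()):
            if other.site != req.site and net.overlaps(ipaddress.ip_network(other.network)):
                raise ValueError(f"{net} overlaps {other.site}'s {other.network}")
        return net

    def submit(self, req):
        """What secnet-join-vpn sends. Idempotent: an identical re-submission
        changes nothing, so the tool can safely be re-run on the router."""
        self._check_range(req)
        if self.pending.get(req.site) == req or self.approved.get(req.site) == req:
            return "unchanged"
        self.pending[req.site] = req          # a changed request needs fresh review
        self.outbox.append(("vpn-coordinator",
                            f"new request: {req.site} {req.network} [{req.comments}]"))
        return "stored"

    def approve(self, site):
        """The coordinator's command-line step: accept the pending request,
        confirm to the requester, return the fragment chiark's secnet consumes."""
        req = self.pending.pop(site)
        self.approved[site] = req
        self.outbox.append((req.contact, f"request for {site} approved"))
        return self.site_config(req)

    @staticmethod
    def site_config(req):
        # Hypothetical shape; secnet's real configuration syntax is not modelled here.
        return f"site {req.site} {{ networks {req.network}; contact {req.contact}; }}"

    def link_up(self, site):
        """Called once the tunnel to the site is established; tells both parties."""
        req = self.approved[site]
        for recipient in (req.contact, "vpn-coordinator"):
            self.outbox.append((recipient, f"link to {site} is up"))

    def routes(self):
        """Feed for nodes not running secnet: approved ranges to route via chiark."""
        return sorted(r.network for r in self.approved.values())


def demo():
    """Run the story end to end with a constructed site and return the mailbox."""
    svc = ProvisioningService()
    jennifer = JoinRequest("jennifer-house", "172.29.183.0/24",
                           "jennifer@example.org", "please route my /24")
    svc.submit(jennifer)
    svc.submit(jennifer)                      # secnet-join-vpn re-run: no-op
    svc.approve("jennifer-house")
    svc.link_up("jennifer-house")
    return svc.outbox
```

`submit` deliberately treats a changed request for an already-approved site as a new pending item rather than silently replacing the approved one, so a later change to a site's range always passes through the coordinator's review again.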