Skip to content

deepspaceip/dipt-netconf-over-quic-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
certificates
certificates
 
 
images
images
 
 
src
src
 
 
ssh_keys
ssh_keys
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE-APACHE
LICENSE-APACHE
 
 
LICENSE-MIT
LICENSE-MIT
 
 
readme.md
readme.md
 
 

Repository files navigation

NETCONF over Quinn

A command-line application to test NETCONF over QUIC. The name Quinn refers to Rust's community implementation of the QUIC protocol, which we use in our code.

Note: this is meant as a PoC only, do not use it in production.

Architecture

Instead of implementing a NETCONF client and server from scratch, we have created a bidirectional proxy (see image below). This readme explains how to use the proxy together with netopeer2.

Architecture

Setting up netopeer2

Unfortunately, netopeer2 is cumbersome to compile and no binary releases are provided in the official repository. We discovered Fedora offers netopeer2 through its package manager (dnf install netopeer2), so we set up a Fedora VM and used it for testing. Using Docker should work too, so if you prefer that route do try it out (and submit a patch so we can replace this manual setup).

After installing the netopeer2 package, we need to configure authorized clients. By default, the netopeer2 server allows connections from clients with authorized keys in .ssh/authorized_keys. Our NETCONF over Quinn proxy uses ssh_keys/client_rsa when connecting to the netopeer2 server, so you'll need to add its public key counterpart (e.g. ssh-keygen -y -f ssh_keys/client_rsa) to the relevant .ssh/authorized_keys file in the Fedora VM. With that in place, you can start the server: systemctl start netopeer2-server.

To test that everything is working properly, copy the SSH key from ssh_keys/client_rsa to a directory inside the Fedora VM (e.g. to ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub) and attempt to connect through the netopeer2 client. The following excerpt of a command-line session shows a successful connection:

$ netopeer2-cli
> status
Client is not connected to any NETCONF server.
> auth keys add .ssh/id_rsa.pub .ssh/id_rsa
> connect
> status
Current NETCONF session:
  ID          : 3
  Host        : 127.0.0.1
  Port        : 830
  Transport   : SSH
  Capabilities:
        urn:ietf:params:netconf:base:1.0
        urn:ietf:params:netconf:base:1.1
        <snip>

Connecting through the QUIC proxy

Assuming that the netopeer2 server is running on port 830, you can start the client and server sides of the NETCONF over QUIC proxy:

  • cargo run --release -- client
  • cargo run --release -- server

Now, instead of directly connecting to the netopeer2 server, you can use netopeer2-cli to connect to the proxy client (which listens at localhost:8081):

$ netopeer2-cli
> connect --port 8081
> status
Current NETCONF session:
  ID          : 3
  Host        : 127.0.0.1
  Port        : 830
  Transport   : SSH
  Capabilities:
        urn:ietf:params:netconf:base:1.0
        urn:ietf:params:netconf:base:1.1
        <snip>

Note that our proxy accepts unauthenticated connections, which may pose a security risk, so make sure the proxy is not accessible from the internet. We do this to simplify testing: as mentioned above, the server end of the proxy authenticates with its own credentials (ssh_keys/client_rsa) to the netopeer2-server.

Acknowledgements

With special thanks to Marc Blanchet (Viagénie inc.) for funding this work.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages