├── .gitigonre
├── docs
    ├── sfc-testbed.png
    └── chaining-of-sr-aware-and-sr-unaware-sf.pdf
├── config
    ├── config_r4.sh
    ├── config_r2.sh
    ├── config_r6.sh
    ├── config_r1.sh
    ├── config_r5.sh
    ├── config_r3.sh
    ├── deploy-vnf.sh
    └── deploy-term.sh
├── Vagrantfile
└── README.md


/.gitigonre:
--------------------------------------------------------------------------------
1 | .vagrant/
2 | 


--------------------------------------------------------------------------------
/docs/sfc-testbed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SRouting/SR-sfc-demo/HEAD/docs/sfc-testbed.png


--------------------------------------------------------------------------------
/docs/chaining-of-sr-aware-and-sr-unaware-sf.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SRouting/SR-sfc-demo/HEAD/docs/chaining-of-sr-aware-and-sr-unaware-sf.pdf


--------------------------------------------------------------------------------
/config/config_r4.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install required softwares
 4 | export DEBIAN_FRONTEND=noninteractive
 5 | apt-get -y update
 6 | apt-get -y upgrade
 7 | apt-get -y install build-essential libpcap-dev git
 8 | 
 9 | # Interfaces configuration
10 | ifconfig eth1 up
11 | ip -6 addr add fc00:14::4/64 dev eth1
12 | 
13 | ifconfig eth2 up
14 | ip -6 addr add fc00:45::4/64 dev eth2
15 | 
16 | # Enable forwarding
17 | sysctl -w net.ipv6.conf.all.forwarding=1
18 | 
19 | # Install SR-tcpdump
20 | cd ~/
21 | git clone https://github.com/srouting/sr-tcpdump
22 | cd sr-tcpdump
23 | ./configure && make && make install
24 | 
25 | # Configure Routing
26 | ip -6 route add fc00:5::/64 via fc00:45::5
27 | ip -6 route add fc00:1::/64 via fc00:14::1
28 | 


--------------------------------------------------------------------------------
/config/config_r2.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Configure Interfaces
 4 | ifconfig eth1 up
 5 | ip -6 addr add fc00:12::2/64 dev eth1
 6 | 
 7 | ifconfig eth2 up
 8 | ip -6 addr add fc00:23::2/64 dev eth2
 9 | 
10 | # Enable forwarding
11 | sysctl -w net.ipv6.conf.all.forwarding=1
12 | 
13 | # Accept SRv6 traffic
14 | sysctl -w net.ipv6.conf.all.seg6_enabled=1
15 | sysctl -w net.ipv6.conf.lo.seg6_enabled=1
16 | sysctl -w net.ipv6.conf.eth1.seg6_enabled=1
17 | sysctl -w net.ipv6.conf.eth2.seg6_enabled=1
18 | 
19 | # Configure VNFs
20 | cd ~/
21 | rm -rf sr-sfc-demo
22 | git clone https://github.com/SRouting/sr-sfc-demo
23 | cd sr-sfc-demo/config/
24 | sh deploy-vnf.sh add f1 veth0 veth1 fd00:2:0::f1:1/64 fd00:2:1::f1:1/64 fd00:2:0::f1:2/64 fd00:2:1::f1:2/64
25 | ip netns exec f1 sysctl -w net.ipv6.conf.all.seg6_enabled=1
26 | ip netns exec f1 sysctl -w net.ipv6.conf.lo.seg6_enabled=1
27 | ip netns exec f1 sysctl -w net.ipv6.conf.veth0-f1.seg6_enabled=1
28 | ip netns exec f1 sysctl -w net.ipv6.conf.veth1-f1.seg6_enabled=1
29 | ip netns exec f1 sysctl -w net.ipv6.ip6t_seg6=1
30 | ip netns exec f1 ifconfig lo up
31 | ip netns exec f1 ip -6 route add local fc00:2::f1:0/112 dev lo
32 | 
33 | # Configure Routing
34 | ip -6 route add fc00:3::/64 via fc00:23::3
35 | ip -6 route add fc00:1::/64 via fc00:12::1
36 | ip -6 route add fc00:2::f1:0/112 via fd00:2:0::f1:2
37 | 
38 | 


--------------------------------------------------------------------------------
/config/config_r6.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | #interfaces configuration
 4 | ifconfig eth1 up
 5 | ip -6 addr add fc00:36::6/64 dev eth1
 6 | 
 7 | ifconfig eth2 up
 8 | ip -6 addr add fc00:56::6/64 dev eth2
 9 | 
10 | # Enable forwarding
11 | sysctl -w net.ipv6.conf.all.forwarding=1
12 | 
13 | # Accept SRv6 traffic
14 | sysctl -w net.ipv6.conf.all.seg6_enabled=1
15 | sysctl -w net.ipv6.conf.lo.seg6_enabled=1
16 | sysctl -w net.ipv6.conf.eth1.seg6_enabled=1
17 | sysctl -w net.ipv6.conf.eth2.seg6_enabled=1
18 | 
19 | # Configure External network (ext)
20 | cd ~/
21 | rm -rf sr-sfc-demo
22 | git clone https://github.com/SRouting/sr-sfc-demo
23 | cd sr-sfc-demo/config/
24 | sh deploy-term.sh add ext veth1 inet6 fd00:e::1/64 fd00:e::2/64
25 | ip netns exec ext ifconfig lo up
26 | ip netns exec ext ip -6 route add local fc00:e::/64 dev lo
27 | 
28 | # Configure Routing
29 | ip -6 route add fc00:e::/64 via fd00:e::2
30 | ip -6 route add fc00:3::/64 via fc00:36::3
31 | ip -6 route add fc00:5::/64 via fc00:56::5
32 | 
33 | # Configure SRv6 End.D6 behaviour for traffic going to Ext
34 | ip -6 route add local fc00:6::d6/128 dev lo
35 | 
36 | # Configure SR SFC policies for reverse traffic
37 | echo "201 localsid" >> /etc/iproute2/rt_tables
38 | ip -6 rule add from fc00:e::/64 lookup localsid
39 | ip -6 route add fc00:b1::/64 encap seg6 mode encap segs fc00:3::f2:AD61,fc00:2::f1:0,fc00:1::D6 dev eth1 table localsid
40 | ip -6 route add fc00:b2::/64 encap seg6 mode encap segs fc00:5::f3:0,fc00:1::D6 dev eth2 table localsid
41 | 


--------------------------------------------------------------------------------
/config/config_r1.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Configure Interfaces
 4 | ifconfig eth1 up
 5 | ip -6 addr add fc00:12::1/64 dev eth1
 6 | 
 7 | ifconfig eth2 up
 8 | ip -6 addr add fc00:14::1/64 dev eth2
 9 | 
10 | # Enable forwarding
11 | sysctl -w net.ipv6.conf.all.forwarding=1
12 | 
13 | # Accept SRv6 traffic
14 | sysctl -w net.ipv6.conf.all.seg6_enabled=1
15 | sysctl -w net.ipv6.conf.lo.seg6_enabled=1
16 | sysctl -w net.ipv6.conf.eth1.seg6_enabled=1
17 | sysctl -w net.ipv6.conf.eth2.seg6_enabled=1
18 | 
19 | # Configure Branches (BR1 and BR2)
20 | cd ~/
21 | rm -rf sr-sfc-demo
22 | git clone https://github.com/SRouting/sr-sfc-demo
23 | cd sr-sfc-demo/config/
24 | sh deploy-term.sh add br1 veth1 inet6 fc00:b1::1/64 fc00:b1::2/64
25 | sh deploy-term.sh add br2 veth2 inet6 fc00:b2::1/64 fc00:b2::2/64
26 | 
27 | # Configure Policy Based Routing (PBR)
28 | echo "201 br1" >> /etc/iproute2/rt_tables
29 | ip -6 rule add from fc00:b1::/64 lookup br1
30 | 
31 | echo "202 br2" >> /etc/iproute2/rt_tables
32 | ip -6 rule add from fc00:b2::/64 lookup br2
33 | 
34 | # Configure SR SFC policies
35 | ip -6 route add fc00:e::/64 encap seg6 mode encap segs fc00:2::f1:0,fc00:3::f2:AD60,fc00:6::D6 dev eth1 table br1
36 | ip -6 route add fc00:e::/64 encap seg6 mode encap segs fc00:5::f3:0,fc00:6::D6 dev eth2 table br2
37 | 
38 | # Configure Routing
39 | ip -6 route add fc00:2::/64 via fc00:12::2
40 | ip -6 route add fc00:5::/64 via fc00:14::4
41 | 
42 | # Configure SRv6 End.D6 behaviour for traffic going to BR1 and BR2
43 | ip -6 route add local fc00:1::d6/128 dev lo
44 | 


--------------------------------------------------------------------------------
/config/config_r5.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | #interfaces configuration
 4 | ifconfig eth1 up
 5 | ip -6 addr add fc00:45::5/64 dev eth1
 6 | 
 7 | ifconfig eth2 up
 8 | ip -6 addr add fc00:56::5/64 dev eth2
 9 | 
10 | # Enable forwarding
11 | sysctl -w net.ipv6.conf.all.forwarding=1
12 | 
13 | # Accept SRv6 traffic
14 | sysctl -w net.ipv6.conf.all.seg6_enabled=1
15 | sysctl -w net.ipv6.conf.lo.seg6_enabled=1
16 | sysctl -w net.ipv6.conf.eth1.seg6_enabled=1
17 | sysctl -w net.ipv6.conf.eth2.seg6_enabled=1
18 | 
19 | 
20 | # Configure VNFs
21 | cd ~/
22 | rm -rf sr-sfc-demo/
23 | git clone https://github.com/SRouting/sr-sfc-demo
24 | cd sr-sfc-demo/config/
25 | sh deploy-vnf.sh add f3 veth0 veth1 fd00:5:0::f3:1/64 fd00:5:1::f3:1/64 fd00:5:0::f3:2/64 fd00:5:1::f3:2/64
26 | ip netns exec f3 sysctl -w net.ipv6.conf.all.seg6_enabled=1
27 | ip netns exec f3 sysctl -w net.ipv6.conf.lo.seg6_enabled=1
28 | ip netns exec f3 sysctl -w net.ipv6.conf.veth0-f3.seg6_enabled=1
29 | ip netns exec f3 sysctl -w net.ipv6.conf.veth1-f3.seg6_enabled=1
30 | ip netns exec f3 ifconfig lo up
31 | ip netns exec f3 ip -6 route add local fc00:5::f3:0/112 dev lo
32 | 
33 | # Configure Routing
34 | ip -6 route add fc00:6::/64 via fc00:56::6
35 | ip -6 route add fc00:1::/64 via fc00:45::4
36 | ip -6 route add fc00:5::f3:0/112 via fd00:5:0::f3:2
37 | 
38 | # configure snort rules
39 | sudo mkdir -p /etc/snort/ /etc/snort/rules/ /var/log/snort
40 | touch /etc/snort/snort.conf /etc/snort/rules/local.rule
41 | echo 'var RULE_PATH rules' >> /etc/snort/snort.conf
42 | echo 'include $RULE_PATH/local.rule' >> /etc/snort/snort.conf
43 | echo 'alert icmp any any -> any any (msg:"ICMP detected"; sid:1000)' >> /etc/snort/rules/local.rule
44 | 


--------------------------------------------------------------------------------
/config/config_r3.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install required softwares
 4 | export DEBIAN_FRONTEND=noninteractive
 5 | apt-get -y update
 6 | apt-get -y upgrade
 7 | apt-get -y install build-essential libpcap-dev git wget libdumbnet-dev zlib1g-dev liblzma-dev openssl libssl-dev libnghttp2-dev libpcre3 \
 8 | libpcre3-dev flex bison libdnet-dev libghc-zlib-dev dh-autoreconf libnet-dev gcc automake autoconf make libyaml-dev g++ binutils autotools-dev libtool pkg-config \
 9 | libcunit1-dev libxml2-dev libev-dev libjansson-dev libc-ares-dev libjemalloc-dev libsystemd-dev cython python3-dev python-setuptools
10 | 
11 | # Install nghttp2
12 | cd ~/
13 | git clone https://github.com/nghttp2/nghttp2
14 | cd nghttp2/
15 | git submodule update --init && autoreconf -i && automake && autoconf && ./configure && make && make install
16 | 
17 | # Install SR-tcpdump
18 | cd ~/
19 | git clone https://github.com/srouting/sr-tcpdump
20 | cd sr-tcpdump
21 | ./configure && make && make install
22 | 
23 | # Configure Interfaces
24 | ifconfig eth1 up
25 | ip -6 addr add fc00:23::3/64 dev eth1
26 | 
27 | ifconfig eth2 up
28 | ip -6 addr add fc00:36::3/64 dev eth2
29 | 
30 | # Enable forwarding
31 | sysctl -w net.ipv6.conf.all.forwarding=1
32 | 
33 | # Accept SRv6 traffic
34 | sysctl -w net.ipv6.conf.all.seg6_enabled=1
35 | sysctl -w net.ipv6.conf.lo.seg6_enabled=1
36 | sysctl -w net.ipv6.conf.eth1.seg6_enabled=1
37 | sysctl -w net.ipv6.conf.eth2.seg6_enabled=1
38 | 
39 | # Configure VNFs
40 | cd ~/
41 | rm -rf sr-sfc-demo/
42 | git clone https://github.com/SRouting/sr-sfc-demo
43 | cd sr-sfc-demo/config/
44 | sh deploy-vnf.sh add f2 veth0 veth1 fd00:3:0::f2:1/64 fd00:3:1::f2:1/64 fd00:3:0::f2:2/64 fd00:3:1::f2:2/64
45 | 
46 | # Install and configure srext (SR proxy)
47 | cd ~/
48 | git clone https://github.com/SRouting/SRv6-net-prog
49 | cd SRv6-net-prog/srext/
50 | make && make install && depmod -a && modprobe srext
51 | srconf localsid add fc00:3::f2:AD60 end.ad6 ip fd00:3:0::f2:2 veth0 veth1
52 | srconf localsid add fc00:3::f2:AD61 end.ad6 ip fd00:3:1::f2:2 veth1 veth0
53 | 
54 | # Configure Routing
55 | ip -6 route add fc00:6::/64 via fc00:36::6
56 | ip -6 route add fc00:2::/64 via fc00:23::2
57 | 
58 | # Install Snort
59 | cd ~/
60 | wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz
61 | wget https://snort.org/downloads/snort/snort-2.9.11.1.tar.gz
62 | 
63 | tar xvzf daq-2.0.6.tar.gz
64 | cd daq-2.0.6
65 | ./configure && make && sudo make install
66 | 
67 | cd ~/
68 | tar xvzf snort-2.9.11.1.tar.gz
69 | cd snort-2.9.11.1
70 | ./configure --enable-sourcefire && make && sudo make install
71 | 
72 | # Update shared libraries (mandatory according to Snort documentation)
73 | sudo ldconfig
74 | 
75 | # configure snort rules
76 | sudo mkdir -p /etc/snort/ /etc/snort/rules/ /var/log/snort
77 | 
78 | touch /etc/snort/snort.conf /etc/snort/rules/local.rule
79 | echo 'var RULE_PATH rules' >> /etc/snort/snort.conf
80 | echo 'include $RULE_PATH/local.rule' >> /etc/snort/snort.conf
81 | echo 'alert icmp any any -> any any (msg:"ICMP detected"; sid:1000)' >> /etc/snort/rules/local.rule
82 | 


--------------------------------------------------------------------------------
/config/deploy-vnf.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | usage () {
  4 | echo ""
  5 | echo "+-----------------------------------------------------------------------+"
  6 | echo "+---------------------+ VNF deploy script +-----------------------------+"
  7 | echo "+-----------------------------------------------------------------------+"
  8 | echo "+-- This script Adds/cleans network namespace (VNF)                   --+"
  9 | echo "+-- Usage:                                                            --+"
 10 | echo "+-- $ ./deploy-vnf.sh help                                            --+"
 11 | echo "+-- $ ./deploy-vnf.sh add VNF_NAME NFV_IFACE1 NFV_IFACE2 NFV_IFACE1\  --+"
 12 | echo "+--     NFV_IFACE1_IP NFV_IFACE2_IP VNF_IFACE1_IP VNF_IFACE2_IP       --+"
 13 | echo "+-- $ ./deploy-vnf.sh del VNF_NAME NFV_IFACE1 NFV_IFACE2              --+"
 14 | echo "+-- N.B:                                                              --+"
 15 | echo "+-- IP Addresses should be in the form ADDR/MASK 'A::2/64'            --+"
 16 | echo "+-- Clean the VNF before re-trying to add (in case of error)          --+"
 17 | echo "+-- $./deploy-vnf.sh del VNF_NAME NFV_IFACE1 NFV_IFACE2               --+"
 18 | echo "+-----------------------------------------------------------------------+"
 19 | echo ""
 20 | exit
 21 | }
 22 | 
 23 | if [ $# -eq 0 ]
 24 | 	then
 25 | 	echo "ERROR: No command specified. please try \"$0 help\" "
 26 | 	exit
 27 | fi
 28 | 
 29 | if [ $1 = "help" ]
 30 | 	then
 31 | 	usage
 32 | fi
 33 | 
 34 | if [ $1 != "add" ] && [ $1 != "del" ]
 35 | 	then
 36 | 	echo "ERROR: unrecognized coomand. please try \"$0 help\" "
 37 | 	exit
 38 | fi
 39 | 
 40 | if [ $# -lt 4 ]
 41 | 	then
 42 | 	echo "ERROR: too few parameters. please try \"$0 help\" "
 43 | 	exit
 44 | fi
 45 | 
 46 | COMMAND=$1
 47 | VNF_NAME=$2
 48 | NFV_IFACE1=$3
 49 | NFV_IFACE2=$4
 50 | 
 51 | if [ $COMMAND = "del" ]
 52 | 	then
 53 | 	echo "DELETING \"${VNF_NAME}\"........."
 54 | 	ip link delete dev ${NFV_IFACE1}
 55 |         ip link delete dev ${NFV_IFACE2}
 56 | 	ip netns del $VNF_NAME
 57 | 	exit
 58 | fi
 59 | 
 60 | if [ $# -lt 8 ]
 61 | 	then
 62 |         echo "ERROR: too few parameters. please try \"$0 help\" "
 63 |         exit
 64 | fi
 65 | 
 66 | VNF_IFACE1="veth0-${VNF_NAME}"
 67 | VNF_IFACE2="veth1-${VNF_NAME}"
 68 | 
 69 | NFV_IP1=$5
 70 | NFV_IP2=$6
 71 | VNF_IP1=$7
 72 | VNF_IP2=$8
 73 | 
 74 | NH1=`echo ${NFV_IP1} | cut -d'/' -f1`
 75 | NH2=`echo ${NFV_IP2} | cut -d'/' -f1`
 76 | 
 77 | # create VNF
 78 | ip netns add $VNF_NAME
 79 | 
 80 | # Create links between NFV and VNF
 81 | ip link add ${NFV_IFACE1} type veth peer name ${VNF_IFACE1}
 82 | ip link add ${NFV_IFACE2} type veth peer name ${VNF_IFACE2}
 83 | 
 84 | # Assign virtual interfaces to VNF
 85 | ip link set ${VNF_IFACE1} netns ${VNF_NAME}
 86 | ip link set ${VNF_IFACE2} netns ${VNF_NAME}
 87 | 
 88 | ifconfig ${NFV_IFACE1} up
 89 | ifconfig ${NFV_IFACE2} up
 90 | 
 91 | ip netns exec ${VNF_NAME} ifconfig lo up
 92 | ip netns exec ${VNF_NAME} ifconfig ${VNF_IFACE1} up
 93 | ip netns exec ${VNF_NAME} ifconfig ${VNF_IFACE2} up
 94 | 
 95 | ip netns exec ${VNF_NAME} sysctl -w net.ipv6.conf.all.forwarding=1
 96 | 
 97 | ip -6 addr add ${NFV_IP1} dev ${NFV_IFACE1}
 98 | ip -6 addr add ${NFV_IP2} dev ${NFV_IFACE2}
 99 | 
100 | ip netns exec ${VNF_NAME} ip -6 addr add ${VNF_IP1} dev ${VNF_IFACE1}
101 | ip netns exec ${VNF_NAME} ip -6 addr add ${VNF_IP2} dev ${VNF_IFACE2}
102 | 
103 | # Configure Policy Based Routing in the VNF
104 | ip netns exec ${VNF_NAME} bash -c "echo '201 forward' >> /etc/iproute2/rt_tables"
105 | ip netns exec ${VNF_NAME} bash -c "ip -6 rule add iif '${VNF_IFACE1}' lookup forward"
106 | ip netns exec ${VNF_NAME} bash -c "ip -6 route add default via '${NH2}' table forward"
107 | ip netns exec ${VNF_NAME} bash -c "echo '202 reverse' >> /etc/iproute2/rt_tables"
108 | ip netns exec ${VNF_NAME} bash -c "ip -6 rule add iif '${VNF_IFACE2}' lookup reverse"
109 | ip netns exec ${VNF_NAME} bash -c "ip -6 route add default via '${NH1}' table reverse"
110 | 
111 | 
112 | echo ""
113 | echo "+----------------------------------+"
114 | echo "+---- VNF successfully created ----+"
115 | echo "+----------------------------------+"
116 | echo "+-- NAME             : " $VNF_NAME
117 | echo "+-- HOST Iface1      : " $NFV_IFACE1
118 | echo "+-- HOST Iface2      : " $NFV_IFACE2
119 | echo "+-- HOST Iface1 addr : " $NFV_IP1
120 | echo "+-- HOST Iface2 addr : " $NFV_IP2
121 | echo "+-- VNF  Iface1      : " $VNF_IFACE1
122 | echo "+-- VNF  Iface2      : " $VNF_IFACE2
123 | echo "+-- VNF  Iface1 addr : " $VNF_IP1
124 | echo "+-- VNF  Iface2 addr : " $VNF_IP2
125 | echo "+----------------------------------+"
126 | echo ""
127 | exit
128 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
  1 | # -*- mode: ruby -*-
  2 | # vi: set ft=ruby :
  3 | 
  4 | Vagrant.configure("2") do |config|
  5 | 	# Node R1 configuration
  6 | 	config.vm.define "r1" do |r1|
  7 | 		r1.vm.box = "srouting/srv6-net-prog"
  8 | 		r1.vm.box_version = "0.4.14"
  9 | 		r1.vm.synced_folder(".", nil, :disabled => true, :id => "vagrant-root")
 10 | 		r1.vm.network "private_network", ip: "fc00:12::1", virtualbox__intnet: "net12"
 11 | 		r1.vm.network "private_network", ip: "fc00:14::1", virtualbox__intnet: "net14"
 12 | 		r1.vm.provider "virtualbox" do |virtualbox|
 13 | 			virtualbox.memory = "512"
 14 | 			virtualbox.customize ['modifyvm', :id, '--cableconnected1', 'on']
 15 | 			virtualbox.customize ['modifyvm', :id, '--cableconnected2', 'on']
 16 | 			virtualbox.customize ['modifyvm', :id, '--cableconnected3', 'on']
 17 | 		end
 18 | 		r1.vm.provision "shell", path: "config/config_r1.sh"
 19 | 	end
 20 | 
 21 | 	# Node R2 configuration
 22 | 	config.vm.define "r2" do |r2|
 23 | 		r2.vm.box = "srouting/sera"
 24 | 		r2.vm.box_version = "0.4.15"
 25 |                 r2.vm.synced_folder(".", nil, :disabled => true, :id => "vagrant-root")
 26 | 		r2.vm.network "private_network", ip: "fc00:12::2", virtualbox__intnet: "net12"
 27 | 		r2.vm.network "private_network", ip: "fc00:23::2", virtualbox__intnet: "net23"
 28 | 		r2.vm.provider "virtualbox" do |virtualbox|
 29 | 			virtualbox.memory = "512"
 30 | 			virtualbox.cpus = "1"
 31 | 			virtualbox.customize ['modifyvm', :id, '--cableconnected1', 'on']
 32 | 			virtualbox.customize ['modifyvm', :id, '--cableconnected2', 'on']
 33 | 			virtualbox.customize ['modifyvm', :id, '--cableconnected3', 'on']
 34 | 		end
 35 | 		r2.vm.provision "shell", path: "config/config_r2.sh"
 36 | 	end
 37 | 
 38 |         # Node R3 configuration
 39 |         config.vm.define "r3" do |r3|
 40 | 		r3.ssh.username = "sr6"
 41 | 		r3.ssh.password = "sr6"
 42 |                 r3.vm.box = "srouting/srv6-net-prog"
 43 |                 r3.vm.box_version = "0.4.10"
 44 |                 r3.vm.synced_folder(".", nil, :disabled => true, :id => "vagrant-root")
 45 |                 r3.vm.network "private_network", ip: "fc00:23::3", virtualbox__intnet: "net23"
 46 |                 r3.vm.network "private_network", ip: "fc00:36::3", virtualbox__intnet: "net36"
 47 |                 r3.vm.provider "virtualbox" do |virtualbox|
 48 |                         virtualbox.memory = "512"
 49 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected1', 'on']
 50 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected2', 'on']
 51 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected3', 'on']
 52 |                 end
 53 | 	        r3.vm.provision "shell", path: "config/config_r3.sh"
 54 |         end
 55 | 
 56 |         # Node R4 configuration
 57 |         config.vm.define "r4" do |r4|
 58 |                 r4.vm.box = "debian/contrib-jessie64"
 59 |                 r4.vm.synced_folder(".", nil, :disabled => true, :id => "vagrant-root")
 60 |                 r4.vm.network "private_network", ip: "fc00:14::4", virtualbox__intnet: "net14"
 61 |                 r4.vm.network "private_network", ip: "fc00:45::4", virtualbox__intnet: "net45"
 62 |                 r4.vm.provider "virtualbox" do |virtualbox|
 63 |                         virtualbox.memory = "512"
 64 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected1', 'on']
 65 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected2', 'on']
 66 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected3', 'on']
 67 |                 end
 68 | 	        r4.vm.provision "shell", path: "config/config_r4.sh"
 69 |         end
 70 | 
 71 |         # Node R5 configuration
 72 |         config.vm.define "r5" do |r5|
 73 |                 r5.vm.box = "srouting/srv6-net-prog"
 74 |                 r5.vm.box_version = "0.4.14"
 75 |                 r5.vm.synced_folder(".", nil, :disabled => true, :id => "vagrant-root")
 76 |                 r5.vm.network "private_network", ip: "fc00:45::5", virtualbox__intnet: "net45"
 77 |                 r5.vm.network "private_network", ip: "fc00:56::5", virtualbox__intnet: "net56"
 78 |                 r5.vm.provider "virtualbox" do |virtualbox|
 79 |                         virtualbox.memory = "512"
 80 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected1', 'on']
 81 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected2', 'on']
 82 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected3', 'on']
 83 |                 end
 84 | 		r5.vm.provision "shell", path: "config/config_r5.sh"
 85 |         end
 86 | 
 87 |         # Node R6 configuration
 88 |         config.vm.define "r6" do |r6|
 89 |                 r6.vm.box = "srouting/srv6-net-prog"
 90 |                 r6.vm.box_version = "0.4.14"
 91 |                 r6.vm.synced_folder(".", nil, :disabled => true, :id => "vagrant-root")
 92 |                 r6.vm.network "private_network", ip: "fc00:36::6", virtualbox__intnet: "net36"
 93 |                 r6.vm.network "private_network", ip: "fc00:56::6", virtualbox__intnet: "net56"
 94 |                 r6.vm.provider "virtualbox" do |virtualbox|
 95 |                         virtualbox.memory = "512"
 96 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected1', 'on']
 97 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected2', 'on']
 98 |                         virtualbox.customize ['modifyvm', :id, '--cableconnected3', 'on']
 99 |                 end
100 | 	        r6.vm.provision "shell", path: "config/config_r6.sh"
101 |         end
102 | end
103 | 


--------------------------------------------------------------------------------
/config/deploy-term.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | usage () {
  4 | echo ""
  5 | echo "+------------------------------------------------------------------------+"
  6 | echo "+-------------------+ Terminal deploy script +---------------------------+"
  7 | echo "+------------------------------------------------------------------------+"
  8 | echo "+-- A script to add/clean a network namespace to be used as a terminal --+"
  9 | echo "+-- The terminal can be IPv4, IPv6, or dual network stack.             --+"
 10 | echo "+-- Usage:                                                             --+"
 11 | echo "+-- $ ./deploy-term.sh help                                            --+"
 12 | echo "+-- $ ./deploy-term.sh add TERM_NAME NFV_IFACE MODE                    --+"
 13 | echo "+-- MODE := inet   NFV_ADDR4  TERM_ADDR4                               --+"
 14 | echo "+--         inet6  NFV_ADDR6  TERM_ADDR6                               --+"
 15 | echo "+--         dual   NFV_ADDR4  TERM_ADDR4 NFV_ADDR6 TERM_ADDR6          --+"
 16 | echo "+-- $ ./deploy-term.sh del TERM_NAME NFV_IFACE                          --+"
 17 | echo "+-- N.B:                                                              --+"
 18 | echo "+-- IP Addresses should be in the form ADDR/MASK 'A::2/64'            --+"
 19 | echo "+-- Clean the TERM before re-trying to add (in case of error)          --+"
 20 | echo "+-- $./deploy-term.sh del TERM_NAME NFV_IFACE                           --+"
 21 | echo "+-----------------------------------------------------------------------+"
 22 | echo ""
 23 | exit
 24 | }
 25 | 
 26 | if [ $# -eq 0 ]
 27 | 	then
 28 | 	echo "ERROR: No command specified. please try \"$0 help\" "
 29 | 	exit
 30 | fi
 31 | 
 32 | if [ $1 = "help" ]
 33 | 	then
 34 | 	usage
 35 | fi
 36 | 
 37 | if [ $1 != "add" ] && [ $1 != "del" ]
 38 | 	then
 39 | 	echo "ERROR: unrecognized coomand. please try \"$0 help\" "
 40 | 	exit
 41 | fi
 42 | 
 43 | if [ $# -lt 3 ]
 44 | 	then
 45 | 	echo "ERROR: too few parameters. please try \"$0 help\" "
 46 | 	exit
 47 | fi
 48 | 
 49 | COMMAND=$1
 50 | TERM_NAME=$2
 51 | NFV_IFACE=$3
 52 | 
 53 | if [ $COMMAND = "del" ]
 54 | 	then
 55 | 	echo "DELETING \"${TERM_NAME}\"........."
 56 | 	ip link delete dev ${NFV_IFACE}
 57 | 	ip netns del $TERM_NAME
 58 | 	exit
 59 | fi
 60 | 
 61 | 
 62 | if [ $# -ge 4 ]
 63 | 	then
 64 | 	MODE=$4
 65 | 	if [ $MODE != "inet" ] &&  [ $MODE != "inet6" ]  && [ $MODE != "dual" ]
 66 | 		then
 67 | 		echo " ERROR: Mode ${MODE} is not a valid inet mode  many. please try \"$0 help\" "
 68 | 		exit
 69 | 	fi
 70 | fi
 71 | 
 72 | if [ $# -lt 6 ]
 73 | 	then
 74 | 	echo "ERROR: too few parameters for add command. please try \"$0 help\" "
 75 | 	exit
 76 | fi
 77 | 
 78 | TERM_IFACE="veth0-${TERM_NAME}"
 79 | 
 80 | if [ $MODE = "inet" ] || [ $MODE = "inet6" ]
 81 | 	then
 82 | 	if [ $# -gt 8 ]
 83 | 		then
 84 | 		echo "ERROR: too many parameters for inet or inet6 mode. please try \"$0 help\" "
 85 | 		exit
 86 | 	fi
 87 | 
 88 | 	NFV_IP=$5
 89 | 	TERM_IP=$6
 90 | 	NH=`echo ${NFV_IP} | cut -d'/' -f1`
 91 | 
 92 | 	# create TERM
 93 | 	ip netns add $TERM_NAME
 94 | 	#create link between NFV and TERM
 95 | 	ip link add ${NFV_IFACE} type veth peer name ${TERM_IFACE}
 96 | 	#assign virtual interface to TERM
 97 | 	ip link set ${TERM_IFACE} netns ${TERM_NAME}
 98 | 	ifconfig ${NFV_IFACE} up
 99 | 	ip netns exec ${TERM_NAME} ifconfig ${TERM_IFACE} up
100 | 
101 | 	if [ $MODE = "inet" ]
102 | 		then
103 | 			#configure NFV Interface
104 | 			ip addr add ${NFV_IP} dev ${NFV_IFACE}
105 | 			#configure TERM interfcae
106 | 			ip netns exec ${TERM_NAME} ip addr add ${TERM_IP} dev ${TERM_IFACE}
107 | 			#enable forwarding in TERM
108 | 			ip netns exec ${TERM_NAME} sysctl -w net.ipv4.conf.all.forwarding=1 >/dev/null
109 | 			ip netns exec ${TERM_NAME} ip route add default via ${NH}
110 | 
111 | 	else
112 | 		ip netns exec ${TERM_NAME} sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null
113 | 		ip -6 addr add ${NFV_IP} dev ${NFV_IFACE}
114 | 		ip netns exec ${TERM_NAME} ip -6 addr add ${TERM_IP} dev ${TERM_IFACE}
115 | 		ip netns exec ${TERM_NAME} ip -6 route add default via ${NH}
116 | 	fi
117 | 
118 | else
119 | 	if [ $# -lt 8 ]
120 | 		then
121 | 		echo "ERROR: too few parameters for dual mode. please try \"$0 help\" "
122 | 		exit
123 | 	fi
124 | 
125 | 	if [ $# -gt 10 ]
126 | 		then
127 | 		echo "ERROR: too many parameters for dual mode. please try \"$0 help\" "
128 | 		exit
129 | 	fi
130 | 
131 | 	NFV_IPv4=$5
132 | 	TERM_IPv4=$6
133 | 	NFV_IPv6=$7
134 | 	TERM_IPv6=$8
135 | 
136 | 	# create TERM
137 | 	ip netns add $TERM_NAME
138 | 	#create link between NFV and TERM
139 | 	ip link add ${NFV_IFACE} type veth peer name ${TERM_IFACE}
140 | 	#assign virtual interface to TERM
141 | 	ip link set ${TERM_IFACE} netns ${TERM_NAME}
142 | 	ifconfig ${NFV_IFACE} up
143 | 	ip netns exec ${TERM_NAME} ifconfig ${TERM_IFACE} up
144 | 
145 | 	#configure NFV Interface
146 | 	ip addr add ${NFV_IPv4} dev ${NFV_IFACE}
147 | 	ip -6 addr add ${NFV_IPv6} dev ${NFV_IFACE}
148 | 
149 | 	#configure TERM interfcae
150 | 	ip netns exec ${TERM_NAME} ip addr add ${TERM_IPv4} dev ${TERM_IFACE}
151 | 	ip netns exec ${TERM_NAME} ip -6 addr add ${TERM_IPv6} dev ${TERM_IFACE}
152 | 
153 | 	#enable forwarding in TERM
154 | 	ip netns exec ${TERM_NAME} sysctl -w net.ipv4.conf.all.forwarding=1 >/dev/null
155 | 	ip netns exec ${TERM_NAME} sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null
156 | 	NH4=`echo ${NFV_IPv4} | cut -d'/' -f1`
157 | 	NH6=`echo ${NFV_IPv6} | cut -d'/' -f1`
158 | 
159 | 	ip netns exec ${TERM_NAME} ip route add default via ${NH4}
160 | 	ip netns exec ${TERM_NAME} ip -6 route add default via ${NH6}
161 | 
162 | fi
163 | 
164 | echo ""
165 | echo "+---------------------------------------+"
166 | echo "+---- Terminal successfully created ----+"
167 | echo "+---------------------------------------+"
168 | echo "+-- NAME            : " $TERM_NAME
169 | echo "+-- HOST Iface      : " $NFV_IFACE
170 | echo "+-- HOST Iface addr : " $NFV_IP
171 | echo "+-- TERM Iface      : " $TERM_IFACE
172 | echo "+-- TERM Iface addr : " $TERM_IP
173 | echo "+----------------------------------+"
174 | echo ""
175 | exit
176 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Chaining of SR-aware and SR-unaware Service Functions
  2 | 
  3 | ## Abstract   
  4 | Segment Routing (SR) is a source routing paradigm that can benefit from both MPLS and IPv6 data planes to steer traffic through a set of nodes. It provides a simple and scalable way to support Service Function Chaining (SFC). In this demo, we propose an NFV architecture based on SR and implemented in Linux environment. It allows chaining of both SR-aware and SR-unaware Service Functions (SFs). In order to include SR-unaware SFs into SR SFC, we use our SR proxy implementation: [srext](https://github.com/SRouting/SRv6-net-prog), a Linux kernel module that handles the processing of SR information in behalf of the SR-unaware SFs. As SR-aware SFs, we use two of our implementation; [SERA](https://github.com/SRouting/SERA) and [SR-aware snort](https://github.com/SRouting/SR-snort). SERA is a SEgment Routing Aware Firewall, which extends the Linux iptables firewall, and capable of applying the iptables rules to the inner packet of SR encapsulated traffic. SR-aware snort is an extended version of snort that can apply snort rules directly to inner packet of SR encapsulated traffic. We show the interoperability between SR-aware and SR-unaware SFs by including both of them within the same SFC.
  5 | 
  6 | ## Description  
  7 | A full description of the demo is available [here](https://github.com/SRouting/SR-sfc-demo/blob/master/docs/chaining-of-sr-aware-and-sr-unaware-sf.pdf). 
  8 | 
  9 | ## Topology 
 10 | The topology used for the demo is as shown below:
 11 | 
 12 | ![](./docs/sfc-testbed.png)
 13 | 
 14 | ## Setup 
 15 | Before starting, please make sure that you have [vagrant](https://www.vagrantup.com/downloads.html) and 
 16 | [virtualbox](https://www.virtualbox.org/wiki/Downloads) installed on your machine.
 17 | 
 18 | Clone the git repository in your machine: 
 19 | 
 20 | ```
 21 | $ git clone https://github.com/SRouting/SR-sfc-demo
 22 | ```
 23 | 
 24 | Start the testbed:
 25 | 
 26 | ```
 27 | $ cd SR-sfc-demo/
 28 | $ vagrant up 
 29 | ```
 30 | 
 31 | It takes a bit of time, please be patient .......
 32 | 
 33 | Now we have the testbed running with all required configuration. 
 34 | 
 35 | ## Testing 
 36 | The testbed supports two different path, with different bandwidth and security guarantees, towards *Ext*. 
 37 | 
 38 | * Path p1 (R1 → R4 → R5 → R6) provides high bandwidth. 
 39 | * Path p2 (R1 → R2 → R3 → R6) has lower bandwidth, but more security guarantees. 
 40 | 
 41 | > Going through p1 implies crossing F1 and F2. Likewise, going through p2 implies crossing F3. 
 42 | 
 43 | BR1 and BR2 have different traffic requirements; BR2 traffic is very delay-sensitive, while BR1 traffic is highly confidential, but less delay sensitive. 
 44 | 
 45 | We exploit p1 and p2 to satisfy those traffic requirements. BR1 traffic is steered through p1, and BR2 traffic is steered through p2. 
 46 | 
 47 | At the ingress node (R1), we configured two different SR SFC policies (CP1 and CP2) that steer traffic through p1 and p1. Policy Based Routing (PBR) is used to classify traffic coming from BR1 and BR2, which respectively go through CP1 and CP2.
 48 | 
 49 | ### BR1 traffic 
 50 | 
 51 | BR1 traffic should follow the path BR1 → R1 → R2 → F1 → R3 → F2 → R6 → *Ext*.
 52 | 
 53 | In the next steps, we show configuration of all nodes along the path of BR1 traffic. 
 54 | 
 55 | **BR1**
 56 | 
 57 | BR1 and BR2 are deployed as Linux network namespaces inside R1. 
 58 | ```
 59 | $ vagrant ssh r1 
 60 | $ ip netns
 61 | br2 (id: 1)
 62 | br1 (id: 0)
 63 | ```
 64 | 
 65 | BR1 is used to generate traffic towards *Ext*, which will be classified at R1 and accordingly steered through the configured SRv6 SFC policy. 
 66 | ```
 67 | $ vagrant ssh r1 
 68 | $ ip netns exec br1 bash
 69 | $ ping6 fc00:e::
 70 | PING fc00:e::(fc00:e::) 56 data bytes
 71 | 64 bytes from fc00:e::: icmp_seq=1 ttl=61 time=2.34 ms
 72 | 64 bytes from fc00:e::: icmp_seq=2 ttl=61 time=2.98 ms
 73 | ```
 74 | 
 75 | **R1**
 76 | 
 77 | R1 serves as the ingress node of our SRv6 based SFC scenario. 
 78 | 
 79 | It is configured with Policy Based Routing (PBR) and SFC policies that force BR1 and BR2 traffic to respectively follow paths P1 and P2.
 80 | ```
 81 | $ vagrant ssh r1 
 82 | 
 83 | $ ip -6 rule
 84 | .....
 85 | 32764:	from fc00:b2::/64 lookup br2
 86 | 32765:	from fc00:b1::/64 lookup br1
 87 | .....
 88 | 
 89 | $ ip -6 route show table br1
 90 | fc00:e::/64 encap seg6 mode encap segs 3 [ fc00:2::f1:0 fc00:3::f2:ad60 fc00:6::d6 ] dev eth1
 91 | 
 92 | $ ip -6 route show table br2
 93 | fc00:e::/64 encap seg6 mode encap segs 2 [ fc00:5::f3:0 fc00:6::d6 ] dev eth2
 94 | 
 95 | $ tcpdump -i eth1
 96 | .....
 97 | IP6 fc00:b1::1 > fc00:2::f1:0: srcrt (len=6, type=4, segleft=2, last-entry=2, tag=0, [0]fc00:6::d6,
 98 | [1]fc00:3::f2:ad60, [2]fc00:2::f1:0) IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 1, length 64
 99 | .....
100 | 
101 | $ tcpdump -i eth2
102 | .....
103 | IP6 fc00:b2::1 > fc00:5::f3:0: srcrt (len=4, type=4, segleft=1, last-entry=1, tag=0, [0]fc00:6::d6,
104 | [1]fc00:5::f3:0) IP6 fc00:b2::2 > fc00:e::: ICMP6, echo request, seq 9, length 64
105 | .....
106 | ```
107 | 
108 | **R2**
109 | 
110 | R2 is an NFV node, which has F1 (SERA) deployed as Linux network namespace. 
111 | 
112 | ```
113 | $ vagrant ssh r2
114 | $ ip netns
115 | f1 (id: 0)
116 | ```
117 | 
118 | **F1**
119 | 
120 | F1 is running SERA (SEgment Routing Aware Firewall), which extends the Linux iptables firewall, and capable of applying the iptables rules to the inner packet of SR encapsulated traffic. 
121 | 
122 | SERA supports a per namespace sysctl, named *ip6t_seg6*, that enables/disables the SR capabilities. 
123 | 
124 | Traffic going through F2 is SR encapsulated, but you still can write default iptables rules, and SERA will apply them directly to inner packets. 
125 | 
126 | >The ip6t_seg6 has to be set to 1 
127 | 
128 | ```
129 | $ vagrant ssh r2
130 | $ ip netns exec f1 bash 
131 | 
132 | $ tcpdump -i veth0-f1
133 | .....
134 | IP6 fc00:b1::1 > fc00:2::f1:0: srcrt (len=6, type=4, segleft=2, last-entry=2, tag=0, [0]fc00:6::d6,
135 | [1]fc00:3::f2:ad60, [2]fc00:2::f1:0) IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 1386, length 64
136 | .....
137 | 
138 | $ sysctl -w net.ipv6.ip6t_seg6=1
139 | net.ipv6.ip6t_seg6 = 1
140 | 
141 | $ ip6tables -I INPUT --source fc00:b1::/64 --destination fc00:e::/64 --protocol icmpv6 -j DROP
142 | 
143 | $ ip6tables -L -nvx
144 | Chain INPUT (policy ACCEPT 3 packets, 208 bytes)
145 |     pkts    bytes   target     prot    opt in     out       source            destination
146 |      28      2912    DROP      icmpv6       *      *      fc00:b1::/64        fc00:e::/64
147 | ```
148 | 
149 | Don't forget to remove the rule to let the traffic pass through
150 | ```
151 | $ ip6tables -F
152 | ```
153 | 
154 | 
155 | **R3**
156 | 
157 | R3 is another NFV node that host F2 (SR-unware snort) deployed as Linux network namespace. 
158 | 
159 | We use srext (SR proxy) to remove SR encapsulation from packets before being handed to F2. The removed SR encapsulation is re-added again to packets after being processed. 
160 | 
161 | ```
162 | $ vagrant ssh r3
163 | $ ip netns
164 | f2 (id: 0)
165 | 
166 | $ srconf localsid show
167 | SRv6 - MY LOCALSID TABLE:
168 | ==================================================
169 | 	 SID     :        fc00:3::f2:ad60
170 | 	 Behavior:        end.ad6
171 | 	 Next hop:        fd00:3::f2:2
172 | 	 OIF     :        veth0
173 | 	 IIF     :        veth1
174 | 	 Good traffic:    [13048 packets : 1354928  bytes]
175 | 	 Bad traffic:     [18 packets : 3168  bytes]
176 | ------------------------------------------------------
177 | 
178 | $ tcpdump -i eth1
179 | .....
180 | IP6 fc00:b1::1 > fc00:3::f2:ad60: srcrt (len=6, type=4, segleft=1, last-entry=2, tag=0, [0]fc00:6::d6,
181 | [1]fc00:3::f2:ad60, [2]fc00:2::f1:0) IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 3090, length 64
182 | .....
183 | 
184 | $ tcpdump -i veth0
185 | .....
186 | IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 3037, length 64
187 | .....
188 | 
189 | $ tcpdump -i veth1
190 | .....
191 | IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 3037, length 64
192 | .....
193 | 
194 | $ tcpdump -i eth2
195 | .....
196 | IP6 fc00:b1::1 > fc00:6::d6: srcrt (len=6, type=4, segleft=0, last-entry=2, tag=0, [0]fc00:6::d6,
197 | [1]fc00:3::f2:ad60, [2]fc00:2::f1:0) IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 3152, length 64
198 | .....
199 | ```
200 | 
201 | **F2**
202 | F1 is running SR-unaware snort. It receives packets without SR encapsulation and apply the snort rules to them. 
203 | 
204 | We configured snort with a rule that alert on ICMP packets 
205 | 
206 | ```
207 | $ vagrant ssh r3
208 | $ ip netns exec f2 bash 
209 | 
210 | $ cat /etc/snort/rules/local.rule
211 | alert icmp any any -> any any (msg:"ICMP detected"; sid:1000)
212 | 
213 | $ snort -c /etc/snort/snort.conf -A console
214 | .....
215 | [**] [1:1000:0] ICMP detected [**] [Priority: 0] {IPV6-ICMP} fc00:b1::2 -> fc00:e::
216 | .....
217 | ```
218 | 
219 | **R6**
220 | R6 serves as the egress node, where SR encapsulation is removed from packets before leaving the SR domain. 
221 | 
222 | It is also configured with Policy Based Routing (PBR) and SFC policies to make sure that BR1 and BR2 traffic follows the exact path in both upstream and downstream. 
223 | This guarantees that SFs get the traffic in both directions.
224 | 
225 | It implements the external network (*Ext*) as a Linux network namespace. 
226 | 
227 | ```
228 | $ vagrant ssh r6
229 | 
230 | $ ip netns
231 | ext (id: 0)
232 | 
233 | $ tcpdump -i eth1
234 | .....
235 | IP6 fc00:b1::1 > fc00:6::d6: srcrt (len=6, type=4, segleft=0, last-entry=2, tag=0, [0]fc00:6::d6,
236 | [1]fc00:3::f2:ad60, [2]fc00:2::f1:0) IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 6733, length 64
237 | .....
238 | 
239 | $ tcpdump -i veth1
240 | .....
241 | IP6 fc00:b1::2 > fc00:e::: ICMP6, echo request, seq 19, length 64
242 | .....
243 | 
244 | $ ip -6 rule
245 | .....
246 | 32765:	from fc00:e::/64 lookup localsid
247 | .....
248 | 
249 | $ ip -6 route show table localsid
250 | fc00:b1::/64  encap seg6 mode encap segs 3 [ fc00:3::f2:ad61 fc00:2::f1:0 fc00:1::d6 ] dev eth1 
251 | fc00:b2::/64  encap seg6 mode encap segs 2 [ fc00:5::f3:0 fc00:1::d6 ] dev eth2
252 | ```
253 | 
254 | **Ext**
255 | 
256 | The *Ext* network here serves as a traffic sink. 
257 | 
258 | ### BR2 traffic 
259 | 
260 | BR2 traffic should follow the path BR2 → R1 → R4 → R5 → F3 → R6 → *Ext*.
261 | 
262 | Likewise, we can show configuration of all nodes along the path of BR2 traffic. However, you focus only on F3 since the rest are similar to what we have shown for BR1. 
263 | 
264 | **F3**
265 | 
266 | F3 is running an SR-aware snort, which is an extended version of snort that can apply snort rules directly to inner packet of SR encapsulated traffic.
267 | 
268 | SR-aware snort receives SR encapsulated packets, but still able apply the configured snort rules to inner packets. 
269 | 
270 | ```
271 | $ vagrant ssh r5
272 | $ ip netns
273 | f3 (id: 0)
274 | 
275 | $ ip netns exec f3 bash 
276 | 
277 | $ tcpdump -i veth0-f3
278 | .....
279 | IP6 fc00:b2::1 > fc00:5::f3:0: srcrt (len=4, type=4, segleft=1, last-entry=1, tag=0, [0]fc00:6::d6,
280 | [1]fc00:5::f3:0) IP6 fc00:b2::2 > fc00:e::: ICMP6, echo request, seq 72, length 64
281 | 
282 | $ cat /etc/snort/rules/local.rule
283 | alert icmp any any -> any any (msg:"ICMP detected"; sid:1000)
284 | 
285 | $ snort -c /etc/snort/snort.conf -A console
286 | .....
287 | [**] [1:1000:0] ICMP detected [**] [Priority: 0] {IPV6-ICMP} fc00:b2::2 -> fc00:e::
288 | .....
289 | ```
290 | 
291 | ### Useful links
292 | 
293 | * [SRext](https://github.com/SRouting/SRv6-net-prog) - a Linux kernel module that implements different SR proxy behaviours. 
294 | * [SERA](https://github.com/SRouting/SERA)  - a SEgment Routing Aware Firewall.
295 | * [SR-iptables](https://github.com/SRouting/SR-iptables) - an extended version of iptables userspace utility that allows adding SR-aware iptables rules.
296 | * [SR-snort](https://github.com/SRouting/SR-snort) - an SR-aware version of snort. 
297 | * [SR-tcpdump](https://github.com/SRouting/SR-tcpdump) - an SR-extended version of tcpdump able to parse SRH information. 
298 | 


--------------------------------------------------------------------------------