You may have heard about the bonding interface in Linux, which lets you bind multiple network interfaces together into a single channel. Channel bonding enables two or more network interfaces to act as one, increasing bandwidth and providing redundancy at the same time. So if you are connecting your IDS sensor to a network tap, a bonding interface is what you need, since most of the expensive taps split the stream into two, transmit and receive. You can find how to configure a bond interface on RHEL/CentOS in the InstantNSM documentation, or if your OS preference is FreeBSD, you can find the guide on the taosecurity site.
How about OpenBSD? OpenBSD introduced the trunk interface in the 3.8 release, and if you always stay on Current (or like living on the edge), you will notice they have since added failover capability to the trunk interface. What is a trunk interface anyway?
Trunk allows aggregation of multiple network interfaces into one virtual interface. A trunk configured over several network interfaces receives the traffic from all attached ports. Isn't that similar to a bond interface? I downloaded the latest OpenBSD and tried to configure a trunk interface; it works, and this is a quick look at the trunk interface. Serving as an IDS sensor interface, we don't need to assign an IP address to the trunk interface, which is only used to sniff traffic in promiscuous mode. It is not mentioned in the trunk man page, but you can configure a trunk interface without assigning an IP address. Thanks to Richard for asking me to try it out.
I have two network interfaces, pcn0 and pcn1. To create trunk0, this is what I do:
shell>ifconfig trunk0 trunkport pcn0 up
shell>ifconfig trunk0 trunkport pcn1 up
shell>ifconfig trunk0 trunkproto failover up
Here's the output. You may notice that pcn0, pcn1 and trunk0 now share the same MAC address; the lladdr line shows the MAC address has been changed. You can still find each card's original MAC address in the inet6 field (the link-local address is derived from it). The default proto of the trunk interface is roundrobin, and even if you configure proto failover, it won't fail over unless one of the interfaces goes down. Proto here doesn't mean IP or TCP protocol but the mechanism used to trunk.
You can see clearly here that the streams are load balanced between pcn0 and pcn1 while trunk0 receives everything - link aggregation :]
If I run ifconfig trunk0 -trunkport pcn0, then pcn1 is still alive and receiving everything. The failover seems to be working well.
That's what we need for the OpenBSD IDS sensor box - a trunk interface corresponding to the Linux bond interface.
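The three ifconfig commands above, wrapped into a small POSIX sh script as an added example (this is not code from the original post): it builds the IP-less trunk for the sensor and then verifies, by parsing ifconfig(8) output, that the trunk really has the proto you asked for and that every card you named is a member. The interface names pcn0/pcn1 and trunk0 come from the post; the sample ifconfig text, its layout and the MAC in it are constructed for this example and only approximate what OpenBSD prints. The proto is a parameter because the comments below report that with a tap's two one-way streams only the broadcast proto shows both directions, while failover shows only the active master.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a trunk interface for an
# IDS sensor (no IP address, sniffing only) and checks the result by parsing
# ifconfig(8) output. Interface names and the sample output are assumptions.

# Print the trunkproto of a trunk, reading ifconfig output on stdin.
trunk_proto() {
    awk '$1 == "trunk:" && $2 == "trunkproto" { print $3; exit }'
}

# Print the member port names, one per line, reading ifconfig output on stdin.
trunk_ports() {
    awk '$1 == "trunkport" { print $2 }'
}

# check_trunk WANT_PROTO PORT... : reads ifconfig output on stdin and returns 0
# only if the trunk uses WANT_PROTO and every named PORT is a member.
check_trunk() {
    want=$1; shift
    out=$(cat)
    got=$(printf '%s\n' "$out" | trunk_proto)
    if [ "$got" != "$want" ]; then
        echo "trunkproto is '$got', expected '$want'" >&2
        return 1
    fi
    members=$(printf '%s\n' "$out" | trunk_ports)
    for p in "$@"; do
        if ! printf '%s\n' "$members" | grep -qx "$p"; then
            echo "port $p is not a member of the trunk" >&2
            return 1
        fi
    done
    return 0
}

# setup_trunk TRUNK PROTO PORT... : the commands from the post as a function.
# No address is assigned; the trunk only exists to be sniffed in promisc mode.
setup_trunk() {
    trunk=$1; proto=$2; shift 2
    for p in "$@"; do
        ifconfig "$trunk" trunkport "$p" up
    done
    ifconfig "$trunk" trunkproto "$proto" up
    ifconfig "$trunk" | check_trunk "$proto" "$@"
}

# Constructed sample of ifconfig trunk0 after the three commands in the post.
# The layout is approximated from OpenBSD's trunk output; the MAC is made up.
SAMPLE_IFCONFIG='trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:aa:bb:cc
        trunk: trunkproto failover
                trunkport pcn1
                trunkport pcn0 master,active
        groups: trunk
        media: Ethernet autoselect
        status: active'

# Only touch real interfaces on OpenBSD when asked; elsewhere just exercise
# the checker on the constructed sample.
if [ "$(uname -s)" = "OpenBSD" ] && [ "${1:-}" = "setup" ]; then
    setup_trunk trunk0 failover pcn0 pcn1
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | check_trunk failover pcn0 pcn1 && echo "trunk0 ok"
fi
```

Run it as `sh trunk.sh setup` on the sensor (assumed file name) to create the trunk; without the argument it only runs the checker against the sample. Swap `failover` for `broadcast` in the setup call if, as the comments describe, you need both halves of a tap's split stream to reach the trunk.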
4 comments:
I just tried this with OpenBSD 3.9 and a Shomiti tap. I usually bridge the two interfaces and this works fine. The trunk did not work. It only saw one side of the tcp/ip conversation. any ideas?
Great blog BTW! :)
I am finding the exact same thing. I am only getting the RX, not the TX with the very same tap on OpenBSD 3.9.
It seems, only the active master is seeing traffic.
Time to search the OpenBSD mailing list :-)
Check the man page for trunk. It says right in it that you can set it to roundrobin, failover, loadbalance, broadcast or none. If you are doing loadbalance it will only use the 2nd NIC when the 1st one fails. You would want to use the broadcast option to enable both sides of the network stream.
http://www.openbsd.org/cgi-bin/man.cgi?query=trunk
In this post, I saw the full details of the bond interface.... Really, I am so happy to leave my comments here... keep posting interesting matters here...
lse