Terragraph links support WPA-PSK and IEEE 802.1X for security. Refer to Link-Layer Security for more details.
Terragraph provides CPE interface security using the IEEE 802.1X standard.
Security can be enabled on each CPE interface independently by setting
wiredSecurityEnable in the node configuration, as well as
When enabled, the CPE interface will only allow EAPoL frames to pass, and will
drop all other packets until successful authentication. This EAPoL-only
forwarding is only supported in VPP mode, and is implemented in the
plugin via the "wired security" interface configuration option.
802.1X authentication involves three parties: an authentication server, an authenticator, and a supplicant.
IEEE 802.1X requires an authentication server that can tell the authenticator if a connection is to be allowed. Terragraph expects an authentication server that supports the RADIUS and EAP protocols. The authentication server must be reachable by the authenticator (CN or DN with CPE interface enabled).
When wired security is enabled on a CPE interface, the CPE interface takes the
role of the authenticator. The Terragraph node is responsible for managing one
Linux authenticator process (
hostapd) for each CPE interface with wired
security enabled, which is configured and launched by the
start_cpe_security.sh script. Logs for these processes are written to
/tmp/hostapd_<iface>. The authenticator will be restarted upon CPE interface
state changes. So, if a CPE device is removed or replaced, it is strongly
recommended to shut down CPE interface before adding the new device (currently,
Terragraph isn't able to automatically detect connection change and
re-authenticate the same CPE interface).
The supplicant refers to the CPE device connecting over the Terragraph CPE
interface and sending traffic through the Terragraph network. It is expected
that each CPE device has pre-provisioned certificates and runs a Linux
supplicant process (
wpa_supplicant) on the interface that connects to the
Terragraph nodes are able to apply
ip6tables firewall rules via node
configuration and the
/usr/bin/update_firewall script. This does not support
filtering of throughput traffic, but can protect traffic destined to Linux
itself. More specifically:
- The rules only modify the
FORWARDtable is always left to
OUTPUTtable is always left to
ip6tables implementation allows the following options
firewallConfig node configuration structure:
allowEstalished: Allow already-established connections (recommended).
allowICMPv6: Allow all ICMPv6 traffic (recommended).
allowLinkLocal: Allow any packets from source prefix
fe80::/10(important for Open/R's Spark module).
allowLoopback: Allow anything destined to the
lointerface. This is NOT recommended, as it effectively allows anything to the management address, but could be handy for debugging if firewall issues are suspected.
defaultPolicy: Set the table to
DROPby default (default is
tcpPorts: TCP ports to open from any address. This is a comma-separated list, e.g. "22,179". It is recommended to always keep 22 (SSH) and 179 (BGP) open.
udpPorts: UDP ports to open from any address. This is a comma-separated list. It is recommended to always keep 123 (NTP) open.