{"id":18678172,"url":"https://github.com/srl-labs/sros-anysec-macsec-lab","last_synced_at":"2025-04-12T02:40:27.176Z","repository":{"id":213097235,"uuid":"732524515","full_name":"srl-labs/sros-anysec-macsec-lab","owner":"srl-labs","description":"This is an ANYSec and MACSec demo using Nokia SROS vSIMs with SR-ISIS and Flex-Algo Slicing, gNMIc Streaming Telemetry and Python/Flask Automation.","archived":false,"fork":false,"pushed_at":"2025-03-27T09:46:01.000Z","size":4145,"stargazers_count":28,"open_issues_count":2,"forks_count":3,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-05T22:08:19.439Z","etag":null,"topics":["anysec","automation","clab-topo","containerlab","flex-algo","fp5","gnmic","grafana","macsec","prometheus","slicing","sr-isis","sros","telemetry"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/srl-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-17T00:42:43.000Z","updated_at":"2025-03-27T09:46:05.000Z","dependencies_parsed_at":"2024-02-25T20:46:37.803Z","dependency_job_id":"7655a9e9-8e33-443f-bcee-05a130b4ebd7","html_url":"https://github.com/srl-labs/sros-anysec-macsec-lab","commit_stats":null,"previous_names":["tiago-amado/sros-anysec-macsec-lab"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-macsec-lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-macsec-lab/tags","releases_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-macsec-lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/srl-labs%2Fsros-anysec-macsec-lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/srl-labs","download_url":"https://codeload.github.com/srl-labs/sros-anysec-macsec-lab/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248507465,"owners_count":21115605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anysec","automation","clab-topo","containerlab","flex-algo","fp5","gnmic","grafana","macsec","prometheus","slicing","sr-isis","sros","telemetry"],"created_at":"2024-11-07T09:36:16.223Z","updated_at":"2025-04-12T02:40:27.169Z","avatar_url":"https://github.com/srl-labs.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# SR OS FP5 ANYSec and MACSec Demo\n\nANYSec is a Nokia technology that provides low-latency and line-rate native encryption for any transport (IP, MPLS, segment routing, Ethernet or VLAN), on any service, at any time and for any load conditions without impacting performance.\n\nThis lab is an ANYSec demo using [Nokia SR OS FP5](https://www.nokia.com/networks/technologies/fp5/) vSIMs orchestrated by [Containerlab](https://containerlab.dev/).\nIt combines ANYSec with MACSec and illustrates ANYSec slicing for distinct network services with multi-instance SR-ISIS and FLEX-Algo.\n\nAugmented with a visualization dashboard rendering the data received by means of 
the Streaming Telemetry stack (gNMIc, Prometheus and Grafana).\n\nFor demonstration purposes a web-based automation panel has been added to the lab that allows the presenter to start/stop traffic, enable/disable links and toggle ANYSec services.\n\n## ANYSec Overview\n\nANYSec is Nokia's proprietary network encryption solution, available on the FP5 platforms starting with the SR OS 23.10R1 release.  \nIt is a low-latency, line-rate encryption mechanism that is scalable, flexible and quantum-safe.\n\nIt uses the MACSec standard (IEEE 802.1AE) as its foundation and adds the flexibility to offset where authentication and encryption start in the frame, which allows L2, L2.5 (MPLS) and L3 encryption.\n\n## Requirements\n\nTo deploy this lab you need:\n\n1. A server with Docker and Containerlab (upgrading to the latest releases is recommended).\n2. EdgeShark (refer to [CLAB and EdgeShark integration](https://containerlab.dev/manual/wireshark/#edgeshark-integration) for details).\n3. An SR OS 23.10.R1 or later vSIM image and a valid SR OS license file.\n\nNote: This lab requires ~22G RAM.\n\n## Clone the lab on your server\n\nTo deploy this lab, you must clone it to your server with git.\n\n```bash\n# change to a working directory of your choice and clone the lab\ngit clone https://github.com/srl-labs/sros-anysec-macsec-lab.git\n```\n\n## SR OS Image\n\nThe topology file provided with this repository references an internal Nokia SR OS image that is not available externally.\n\nTo obtain the SR OS image contact your Nokia representative and build a Containerlab-compatible container image using the [vrnetlab project](https://containerlab.dev/manual/vrnetlab/#vrnetlab).\n\nTo build the container image for the SR OS vSIM, follow the steps below:\n\n```bash\n# Clone the vrnetlab repo\ngit clone https://github.com/hellt/vrnetlab \u0026\u0026 cd vrnetlab\n```\n\nDownload the qcow2 vSIM image from the Nokia Support Portal (\u003chttps://customer.nokia.com/support/s\u003e) or get one from your Nokia contacts.  
\nRename the qcow2 file to `sros-vm-\u003cVERSION\u003e.qcow2` (for example `sros-vm-23.10.R2.qcow2`).\n\nMove the qcow2 file to the `sros` directory of the cloned vrnetlab repository and run `make` there.\n\nThe build process should take 1-2 minutes, after which you can list the images matching the `vr-sros` pattern to verify the image was built successfully:\n\n```bash\ndocker images | grep vr-sros\n```\n\nNote: After you've built the image, edit the `anysec-macsec.clab.yml` file and change the SR OS container image name to match the one you've built.\n\n```bash\n# replace this\n      image: registry.srlinux.dev/pub/vr-sros:23.10.R2\n# with this (assuming you've built the 23.10.R2 image):\n      image: vrnetlab/vr-sros:23.10.R2\n```\n\n### License file\n\nSR OS vSIMs require a valid license. Obtain one from Nokia and save it as `/opt/nokia/SROS/r24_license.key` on your host machine.\n\nThis path is referenced in the clab topology file; make sure the license matches the SR OS version you built.\n\n## Deploy the lab\n\nThe rest of the images used in this lab are publicly available and will be downloaded automatically by Containerlab when the lab is deployed:\n\n```bash\n# while in the lab directory, run\nsudo containerlab deploy -c\n```\n\n## ANYSec setup\n\n### Physical setup\n\nThe physical setup is illustrated below:\n\n![pic](pics/physical-setup.jpg)\n\nThe setup contains six SR OS FP5 \u0026 FP4 routers running the 24.3.R2-1 release and 2 Linux hosts. The network contains 2 P routers, 2 PEs running ANYSec and MACSec, 2 CEs with MACSec, and 2 Linux clients, each with 3 interfaces for the 3 distinct services.\nOnly the PEs have ANYSec configured. 
The models are:\n\n* P Routers\n\n  * SR-1 FP4\n\n* PE Routers with ANYSec and MACSec\n\n  * sr-1x-48d FP5\n\n* CE Routers with MACSec\n\n  * sr-1x-48d FP5\n\nNote 1: Clients are Linux hosts using the [Network-MultiTool](https://github.com/srl-labs/network-multitool) container image.\n\nNote 2: An additional node called \"automation-panel\" runs the web UI for the automation panel.\n\n### Logical setup\n\nThere are 3 distinct services, each using its own Segment Routing topology.\nThe logical setup with the services is the following:\n\n![pic](pics/logical-setup.jpg)\n\nThe setup has:\n\n* ANYSec between PE1 and PE2\n* MACSec between PEs and CEs\n* ISIS instances 0, 1 and 2 with SR-ISIS and Flex-Algo\n* iBGP (P3 and P4 as route reflectors)\n* Services: VLL 1001, VPLS 1002 and VPRN 1003\n\n### Services and Slicing\n\nANYSec slicing is possible since SR OS 23.10R1 with 2 options:\n\n* Multi-instance SR IGP (one SR-ISIS instance per slice)\n* Flex-Algo\n\nTo demonstrate both options, 3 ISIS instances are configured:\n\n* ISIS 0 – Flex-Algo with TE metrics (other constraints are possible)\n* ISIS 1 – IGP metrics to prefer the TOP LINK\n* ISIS 2 – IGP metrics to prefer the BOTTOM LINK\n\nThere are 3 distinct services, each mapped to a distinct slice:\n\n* VLL 1001 – ISIS 1 =\u003e TOP LINK\n* VPLS 1002 – ISIS 2 =\u003e BOTTOM LINK\n* VPRN 1003 – ISIS 0 =\u003e Flex-Algo\n\nNote: Each of the 3 client interfaces is mapped to a distinct service. 
It's possible to start iPerf or ICMP on every interface to test the distinct topologies.\n\nThe 3 SR-ISIS topologies are illustrated below:\n\n![pic](pics/isis-topology.jpg)\n\n## Accessing the network elements\n\nOnce the lab is deployed, the SR OS nodes can be accessed via SSH through their management IP addresses, which are listed in the summary displayed after the deploy command completes.\nIt is also possible to reach those nodes directly via the hostnames defined in the topology file.\n\n```bash\n# List the containers\nsudo clab inspect -a\n# reach an SR OS node via SSH\nssh pe1\n# reach Linux clients (password: multit00l)\nssh user@client7\n```\n\n## SR OS Streaming Telemetry and Automation\n\nThis lab was enhanced with the Streaming Telemetry stack powered by [gNMIc](https://gnmic.openconfig.net), Prometheus and Grafana.\n\nFor details on Streaming Telemetry with Nokia SR OS please refer to the [SR Linux/SR OS Streaming Telemetry Lab](https://github.com/srl-labs/srl-sros-telemetry-lab).\n\nTo assist with the demonstration of the ANYSec technology an automation panel has been integrated with this lab. The automation panel is a web service that allows a demo runner to perform the following operations via a GUI:\n\n1. Start/stop ICMP traffic for each service.\n\n2. Disable/enable the top link (between PE1 and P3) or the bottom link (between PE1 and P4) to see ANYSec packets flowing through the other link.\n\n3. 
Disable/enable ANYSec for each of the 3 services to see packets being sent in clear text or encrypted on demand.\n\nThe following stack of software has been chosen for this lab:\n\n| Role                | Software                                     | Port  | Link                            | Credentials |\n| ------------------- | -------------------------------------------- | ----- | ------------------------------- | ----------- |\n| Telemetry collector | [gnmic](https://gnmic.openconfig.net)        | NA    |                                 |             |\n| Time-Series DB      | [prometheus](https://prometheus.io)          | 9090  | \u003chttp://localhost:9090/graph\u003e   |             |\n| Visualization       | [grafana](https://grafana.com)               | 3000  | \u003chttp://localhost:3000\u003e         | admin/admin |\n| Automation panel    | Go/Svelte                                    | 54173 | \u003chttp://localhost:54173/\u003e       |             |\n| Packet capture      | [EdgeShark](https://edgeshark.siemens.io/#/) | 5001  | \u003chttp://localhost:5001/\u003e        |             |\n\n### Access details\n\nIf you are accessing from a remote host, replace localhost with the CLAB server IP address:\n\n* Grafana: \u003chttp://\u003cServer-IP\u003e:3000\u003e. 
Built-in user credentials: `admin/admin`\n* Prometheus: \u003chttp://\u003cServer-IP\u003e:9090/graph\u003e\n* Automation Panel: \u003chttp://\u003cServer-IP\u003e:54173/\u003e\n* EdgeShark: \u003chttp://\u003cServer-IP\u003e:5001/\u003e\n\nNote: Grafana uses its default `admin/admin` login and the other web services listed above have no authentication, so only expose the CLAB server on a trusted network.\n\n## Verify the setup\n\nVerify that you're able to access all nodes (routers and clients) and the platforms (Grafana, Prometheus and the Automation Panel).\n\nStart a tcpdump/Wireshark capture as explained below and start traffic between Client7 and Client8 using the Automation Panel.\n\nYou may shut the link between PE1 and P3 and see that the ANYSec SR-ISIS traffic uses the bottom link.\n\nYou may also disable ANYSec to view packets in clear text.\n\n## Wireshark\n\nFor details about packet capture \u0026 Wireshark at containerlab refer to [CLAB Packet capture \u0026 Wireshark](https://containerlab.dev/manual/wireshark/#capturing-with-tcpdumpwireshark).\n\nA pcap file with ANYSec packets is included in this repository.\nYou may also perform your own capture as explained below.\n\n### Local capture\n\nThe following example shows how to list the interfaces (links) of a given container and perform a packet capture:\n\n```bash\n# list the containers running on the server\nclab inspect -a\n# list the interfaces (links) of a given container\nip netns exec pe1 ip link\n# Start a capture and display packets in the session\nip netns exec pe1 tcpdump -nni eth1\n# Start a capture and store the packets in a file\nip netns exec pe1 tcpdump -nni eth1 -w capture_file.pcap\n```\n\n### Remote capture\n\nBesides displaying the packets in the session or storing them in a file, it's possible to open them directly in Wireshark over an SSH connection.\n\nThe following are examples of the SSH command from a Linux (WSL) shell or a Windows command prompt:\n\n```bash\nSyntax:\nssh $containerlab_host_address \"ip netns exec $lab_node_name tcpdump -U -nni $if_name -w -\" | $wireshark_path -k -i -\n\nLinux (WSL) example:\nssh root@10.82.182.179 \"ip 
netns exec pe1 tcpdump -U -nni eth1 -w -\" | /mnt/c/Program\\ Files/Wireshark/wireshark.exe -k -i -\n\nWindows example:\nssh root@10.82.182.179 \"ip netns exec pe1 tcpdump -U -nni eth1 -w -\" | \"c:\\Program Files\\Wireshark\\Wireshark.exe\" -k -i -\n```\n\n### Wireshark ANYSec Decoding\n\nWireshark does not have native support for decoding the ANYSec MACSec (802.1AE) or MKAoUDP headers. You'll be able to see the MPLS and ANYSec labels, but the MACSec header will not be decoded.  \nYou may use the ANYSec dissectors available in this GitHub repo: [ANYsec Packet Dissectors for Wireshark](https://github.com/xavixava/anysec-dissectors)\n\nThis is the output comparison between Wireshark without and with the dissectors:\n\n![pic1](pics/anysec-wireshark.jpg)\n\nNote: With stock Wireshark the ANYSec header is not decoded, but you can still identify a packet as ANYSec by checking that one of its MPLS labels falls within the configured ANYSec (ES) label range.\n\n### ANYSec Stack\n\nANYSec introduces the MACSec header and the Encryption SID (ES) label between the SR-ISIS transport label and the VPRN service label. 
The VPRN service label is encrypted.\nThe picture below provides an example of the ANYSec label stack between PE1 and PE2.\n\n![pic2](pics/anysec-stack.jpg?raw=true)\n\n### Wireshark capture with EdgeShark\n\nTo start and view the ANYSec captured packets you may use EdgeShark.\nRefer to [CLAB and EdgeShark integration](https://containerlab.dev/manual/wireshark/#edgeshark-integration) for details.\n\n### TCPDump capture on multiple interfaces\n\ntcpdump on a single interface shows the label stack correctly (Ethernet + VLAN + MPLS + ANYSec).\ntcpdump on multiple interfaces (`-i any`) shows a different stack: Linux cooked capture v2 + an additional MPLS label (instead of Ethernet + VLAN).\n\n![pic3](pics/anysec-tcpdump.jpg?raw=true)\n\n### TShark capture on multiple interfaces\n\ntshark is similar to tcpdump but allows you to select only the interfaces to capture and does not change the header stack.\nThe drawback is that it has to be installed on the CLAB server (unlike tcpdump, it is usually not installed by default).\n\nInstall tshark on the CLAB server/hypervisor (Ubuntu):\n\n```bash\nsudo apt install tshark\ntshark --version\ntshark -D\n```\n\nFrom your Windows laptop prompt, execute tshark over SSH and pipe the output to Wireshark:\n\n```bash\n### Example! 
Replace the IP and the Windows path\nssh root@\u003cIP\u003e \"ip netns exec \u003cCONTAINER\u003e tshark -l -i \u003cIF1\u003e [-i \u003cIF2\u003e] [-i \u003cIFN\u003e] -w -\" | \"\u003cWIRESHARK PATH\u003e\" -k -i -\nssh root@10.82.182.179 \"ip netns exec pe1 tshark -l -i eth3 -i eth1 -i eth2 -w -\" | \"c:\\Program Files\\Wireshark\\Wireshark.exe\" -k -i -\n```\n\n## Outputs\n\nUse the following commands on PE1 or PE2 to retrieve outputs from the ANYSec operation:\n\n```bash\nshow macsec connectivity-association \"CA_Test_MACSec\" detail\nshow anysec tunnel-encryption detail\nshow router 1003 route-table 10.0.0.2/32 extensive\nshow router tunnel-table detail\nshow router mpls-labels summary\nshow router \"1003\" route-table\nshow router bgp routes 10.0.0.2/32 vpn-ipv4 hunt\n```\n\n## Tests\n\nThe tests below can be executed in multiple ways: the Automation Panel, gnmic scripts or the node CLI.\n\n### Test 1 - Shut/no shut the top link between PE1 and P3\n\nAfter the shut/no shut, verify that ANYSec is still working but using a new SR-ISIS tunnel (via the bottom link):\n\n```bash\nshow router 1003 route-table\nshow router 1003 route-table 10.0.0.2/32 extensive\nshow router bgp routes 10.0.0.2/32 vpn-ipv4 hunt\n```\n\n![pic](pics/link-down.jpg)\n\n### Test 2 - Disable ANYSec at PE1 and PE2\n\nNote: Use the VPRN service for this test. Wireshark correctly decodes ICMP for the VPRN but not for the L2 services. 
You can still use the VLL and VPLS and see the packets in clear text, but the ICMP header will not be decoded.\n\nAfter disabling ANYSec, verify that ping still works but the traffic is unencrypted.\nRe-enable ANYSec and verify that the traffic is encrypted again.\n\n![pic](pics/disable-anysec.jpg)\n\n## ANYSec Demo Video\n\nThe demo video shows the Grafana dashboard, the Automation Panel used to execute and observe different tasks in the network, and traffic monitoring with EdgeShark.\n\n[![Watch the video](https://github.com/srl-labs/SROS-anysec-macsec-lab/assets/86619221/c23956d3-f766-4cc5-8261-189ca765e4d7)](https://www.youtube.com/watch?v=pAKnSQR694g\u0026t=2s\u0026pp=ygULcm9tYW4gZG9kaW4%3D)\n\n## Conclusion\n\nANYSec is a flexible and scalable technology, capable of end-to-end low-latency and line-rate transport encryption.\nANYSec can be combined with other technologies such as MACSec or IPSec. It allows slicing and per-service encryption.\n\nDoes ANYSec work with CLAB vSIMs?\nYes for functional tests, but obviously not for performance/latency.\nCLAB and vSIMs can be used to test and validate the configurations.\nThe setup is fully functional: the ANYSec statistics increase and packets are encrypted, as seen in the tcpdump capture.\n\nMore to come in the upcoming releases!\n\n## Dev notes\n\nTo test the frontend:\n\n1. change the target proxy URL in `automation_panel/frontend/vite.config.ts` to `target: 'http://panel:8080'`\n2. run `pnpm run dev` or `npm run dev`\n3. use port `5173` to reach the frontend\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrl-labs%2Fsros-anysec-macsec-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsrl-labs%2Fsros-anysec-macsec-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsrl-labs%2Fsros-anysec-macsec-lab/lists"}
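The "Wireshark ANYSec Decoding", "ANYSec Stack" and "Test 2" sections of the README above say that stock Wireshark cannot decode the ANYSec MACSec header, that a frame can still be recognised as ANYSec by an MPLS label in the configured ES range, and that with ANYSec disabled the VPRN service label and the ICMP payload appear in clear text. The script below is an added example, not code from the lab repository or from Nokia: it walks the Ethernet + 802.1Q + MPLS stack of a single-interface tcpdump capture (the `-i any` cooked-capture layout the README warns about is not handled) and classifies each frame as encrypted or clear. The ES label range (30000-30999), the transport and service label values, the MAC addresses, VLAN 100 and the sample frames are all constructed for this example; the lab's real values live in its node configs. It also assumes that nothing after the ES label is parseable, since the MACSec header and the ciphertext (including the encrypted VPRN label) follow it.

```python
"""Classify captured PE1-PE2 frames as ANYSec-encrypted or clear text (added example)."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_MPLS = 0x8847
ES_LABEL_RANGE = range(30000, 31000)  # assumed ANYSec Encryption SID label range


def parse_labels(frame: bytes):
    """Return (labels, offset of the first byte after the last parsed label entry).

    Parsing stops at the bottom-of-stack entry or at the first label inside the ES
    range: after an ES label only the MACsec header and ciphertext follow (assumption),
    so the encrypted VPRN service label cannot be read from the capture.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while ethertype == ETHERTYPE_VLAN:  # skip one or more 802.1Q tags
        if off + 4 > len(frame):
            raise ValueError("VLAN tag truncated")
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != ETHERTYPE_MPLS:
        raise ValueError(f"not an MPLS unicast frame (ethertype 0x{ethertype:04x})")
    labels = []
    while True:
        if off + 4 > len(frame):
            raise ValueError("MPLS label stack truncated")
        entry = struct.unpack_from("!I", frame, off)[0]  # label(20) exp(3) S(1) ttl(8)
        off += 4
        label, bos = entry >> 12, entry & 0x100
        labels.append(label)
        if bos or label in ES_LABEL_RANGE:
            return labels, off


def classify(frame: bytes) -> dict:
    """Describe the label stack and whether the payload behind it is encrypted."""
    labels, payload_off = parse_labels(frame)
    es = next((lbl for lbl in labels if lbl in ES_LABEL_RANGE), None)
    if es is not None:
        return {"anysec": True, "transport": labels[: labels.index(es)],
                "es_label": es, "service_label": None, "cleartext_ip": False}
    # ANYSec disabled: the bottom label is the VPRN service label and IPv4 follows in clear
    version = frame[payload_off] >> 4 if payload_off < len(frame) else None
    return {"anysec": False, "transport": labels[:-1], "es_label": None,
            "service_label": labels[-1], "cleartext_ip": version == 4}


def mpls_entry(label: int, bos: bool = False, exp: int = 0, ttl: int = 255) -> bytes:
    """Encode one MPLS label stack entry."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


# Constructed sample frames: MACs, VLAN, label values and payload bytes are made up.
ETH_VLAN = (bytes.fromhex("0011223344550066778899aa")
            + struct.pack("!H", ETHERTYPE_VLAN)
            + struct.pack("!HH", 100, ETHERTYPE_MPLS))  # VLAN 100, then MPLS
TRANSPORT_SID = 20002        # assumed SR-ISIS node SID label towards PE2
VPRN_SERVICE_LABEL = 131069  # assumed VPRN 1003 service label
ES_LABEL = 30001             # assumed ANYSec ES label

CLEAR_FRAME = (ETH_VLAN + mpls_entry(TRANSPORT_SID) + mpls_entry(VPRN_SERVICE_LABEL, bos=True)
               + bytes([0x45]) + bytes(19))  # minimal IPv4 header stub (version 4, IHL 5)
ANYSEC_FRAME = (ETH_VLAN + mpls_entry(TRANSPORT_SID) + mpls_entry(ES_LABEL)
                + bytes(range(16)))  # stands in for the MACsec header + ciphertext


def summarize(frames) -> dict:
    """Count encrypted vs clear frames, e.g. to confirm Test 2's disable/enable took effect."""
    counts = {"anysec": 0, "clear": 0, "other": 0}
    for frame in frames:
        try:
            counts["anysec" if classify(frame)["anysec"] else "clear"] += 1
        except ValueError:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    for name, frame in (("clear", CLEAR_FRAME), ("anysec", ANYSEC_FRAME)):
        print(name, classify(frame))
    print(summarize([CLEAR_FRAME, ANYSEC_FRAME, ANYSEC_FRAME, b"\x00" * 10]))
```

To run it against a real capture, read frames from the pcap written by `tcpdump -w` (for example with the `dpkt` or `scapy` pcap readers) and feed their raw bytes to `summarize`; if the ANYSec counter stays at zero while the panel shows ANYSec enabled, either the ES label range assumed at the top does not match the PE configuration or the capture was taken with `-i any`.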