perfSONAR

BWCTL Protection

The BWCTL daemon poses some risk for those who deploy it: in particular, a poorly configured BWCTL node can be made to consume network bandwidth, which could impact production traffic. The following sections describe the bwctld.limits file, a mechanism for defining a host's ability to test and for granting broader or narrower permissions based on network location.

BWCTL Limits

BWCTL reads its policy from /etc/bwctl-server/bwctl-server.limits. Versions prior to 3.5.1 may find the file at /etc/bwctld/bwctld.limits. After changing either file, restart the daemon so the new policy takes effect: /etc/init.d/bwctl-server restart, or /etc/init.d/bwctld restart in versions prior to 3.5.1.

# setup the root node with max bandwidth as open as possible.
# Super-user access
limit root with \
    bandwidth=900m, \
    duration=60, \
    allow_udp=on, \
    allow_tcp=on, \
    allow_open_mode=on, \
    max_time_error=20

# Disable UDP tests for non-authorized users. Unspecified values default to
# parent permissions
limit regular with parent=root, \
    allow_udp=off

# minimal everything
# send hackers and bad nets here
limit jail with parent=root, \
    bandwidth=1, \
    duration=1, \
    allow_udp=off, \
    allow_tcp=off, \
    allow_open_mode=off

# Default everything to regular user access
# this allows TCP for up to 60 seconds and
# no UDP tests
assign default regular

# hacker and BBI networks
# this shows a 172.16 private address block being
# prohibited
# see RFC 1918 for a description of private address blocks
assign net 172.16.10.0/24 jail

# localhost (and any other hosts you completely trust)
# (might as well trust localhost, the user could run iperf directly...)
assign net 127.0.0.1/32 root
assign net ::1/128  root

This file establishes 3 basic levels of protection:

  • root: The basis for all of the classes, so it must be the broadest definition. Here it allows UDP and TCP testing and tests of up to 60 seconds (among other things).
  • regular: Based on root; this is the default for all tests. It disables UDP testing completely but otherwise keeps the same permissions as root.
  • jail: Based on root; this turns off all testing. It is normally used for hosts that are known to abuse the service.

It is then possible to assign hosts or netblocks to specific classes. For example, one could assign the networks of friendly collaborators to the root class, thus allowing them to run UDP tests. Note that the jail assignment above is keyed on a netblock, so every host in 172.16.10.0/24 is refused regardless of who submits the request.
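The following is an added example, not code from perfSONAR or BWCTL: a small Python evaluator that parses the policy shown above (embedded as a constructed copy), resolves each class's effective limits through the parent chain, picks the class for a requesting host, and reports whether a TCP or UDP test of a given length would be permitted. It handles only the limit, assign default and assign net statements used on this page (assign user lines are ignored), and it assumes that when several assign net entries overlap, the longest matching prefix wins; treat that as an assumption of the example rather than a documented guarantee of bwctld.

```python
import ipaddress

# Constructed copy of the bwctld.limits policy from this page, embedded so the
# example runs offline instead of reading /etc/bwctl-server/bwctl-server.limits.
LIMITS_TEXT = r"""
# setup the root node with max bandwidth as open as possible.
limit root with \
    bandwidth=900m, \
    duration=60, \
    allow_udp=on, \
    allow_tcp=on, \
    allow_open_mode=on, \
    max_time_error=20

# Disable UDP tests for non-authorized users.
limit regular with parent=root, \
    allow_udp=off

# minimal everything: send hackers and bad nets here
limit jail with parent=root, \
    bandwidth=1, \
    duration=1, \
    allow_udp=off, \
    allow_tcp=off, \
    allow_open_mode=off

assign default regular
assign net 172.16.10.0/24 jail
assign net 127.0.0.1/32 root
assign net ::1/128  root
"""

_SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def _parse_value(key, raw):
    """on/off -> bool; bandwidth with k/m/g suffix -> bits per second; else int."""
    raw = raw.strip().lower()
    if raw in ("on", "off"):
        return raw == "on"
    if key == "bandwidth" and raw[-1] in _SUFFIX:
        return int(raw[:-1]) * _SUFFIX[raw[-1]]
    return int(raw)


def _logical_lines(text):
    """Strip comments and blank lines, and join backslash-continued lines."""
    buf = ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield (buf + line).strip()
            buf = ""


def parse_limits(text):
    """Return (classes, nets, default): classes maps name -> {parent, values},
    nets is a list of (ip_network, class), default is the fallback class."""
    classes, nets, default = {}, [], None
    for stmt in _logical_lines(text):
        words = stmt.split()
        if words[0] == "limit" and words[2] == "with":
            entry = {"parent": None, "values": {}}
            for kv in " ".join(words[3:]).split(","):
                key, _, val = kv.strip().partition("=")
                if key == "parent":
                    entry["parent"] = val.strip()
                elif key:
                    entry["values"][key] = _parse_value(key, val)
            classes[words[1]] = entry
        elif words[:2] == ["assign", "default"]:
            default = words[2]
        elif words[:2] == ["assign", "net"]:
            nets.append((ipaddress.ip_network(words[2], strict=False), words[3]))
        # "assign user ..." statements are not modelled in this example.
    return classes, nets, default


def effective_limits(classes, name):
    """Merge a class with its parent chain: unspecified values come from the parent."""
    chain = []
    while name is not None:
        if name not in classes:
            raise KeyError(f"limit class {name!r} is not defined")
        chain.append(classes[name])
        name = chain[-1]["parent"]
    merged = {}
    for entry in reversed(chain):  # root first, each child overrides its parent
        merged.update(entry["values"])
    return merged


def class_for(nets, default, host):
    """Longest matching 'assign net' prefix wins (example assumption); else default."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, cls in nets:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cls)
    return best[1] if best else default


def check_request(text, host, proto, duration):
    """Return (allowed, class_name, reason) for a proto ('tcp'/'udp') test of duration seconds."""
    classes, nets, default = parse_limits(text)
    cls = class_for(nets, default, host)
    lim = effective_limits(classes, cls)
    if not lim.get(f"allow_{proto}", False):
        return False, cls, f"{proto} tests are disabled for class {cls}"
    if duration > lim.get("duration", 0):
        return False, cls, f"duration {duration}s exceeds {lim['duration']}s for class {cls}"
    return True, cls, f"allowed up to {lim['bandwidth']} bit/s for {lim['duration']}s"


if __name__ == "__main__":
    for host, proto, secs in [("10.0.0.5", "tcp", 30), ("10.0.0.5", "udp", 10),
                              ("172.16.10.7", "tcp", 10), ("127.0.0.1", "udp", 60)]:
        print(host, proto, secs, check_request(LIMITS_TEXT, host, proto, secs))
```

Running the block shows the three classes in action: an unassigned host lands in regular and may run a 30 second TCP test but no UDP test, a host in the jailed 172.16.10.0/24 block is refused even for TCP, and localhost, assigned to root, may run UDP for the full 60 seconds. Swapping LIMITS_TEXT for the contents of the live limits file is a quick way to sanity-check a policy change before restarting the daemon.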

UDP Testing with BWCTL

Information on configuring BWCTL to allow UDP testing can be found here:

UDP Testing with BWCTL

ESnet BWCTL Limits File

ESnet publishes a bwctld.limits file that is regenerated nightly from the R&E networking routing table. Using this file lets you grant a higher class of permissions to sites that have R&E connectivity than to those that reach you over general purpose networks. More information can be found here:

https://fasterdata.es.net/performance-testing/perfsonar/esnet-perfsonar-services/esnet-bwctld-limits-file/