Captive Portal
• Authentication / authorization system for free Wi-Fi.
• A popup often appears when you connect to free Wi-Fi.
You may have seen this popup when connecting to free Wi-Fi around town.
Captive Portal Detection
• The implementation of captive portal detection differs slightly between iOS/macOS and Android, Windows, Linux, etc.
• Example:
  • When you connect to free Wi-Fi, your device's OS implicitly tries to access http://check.example.com.
  • If your device receives the expected content, the network can reach the Internet.
  • If your device receives an HTTP Found (redirect) instead, the network is redirecting to a captive portal.
There are small differences between OSes, but captive portal detection means detecting an unintended HTTP redirect when joining Wi-Fi and showing the popup.
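As an added illustration of the probe logic above (my own Python, not code from the slides or from the scaptive-portal project; Python is used because one of the controllers named later, Ryu, is Python and it runs without a JVM), here is how a client-side check can classify one probe response. The probe URL, the expected body and the sample responses are assumptions constructed for the example:

```python
# Added example (not from the original slides): how an OS-style captive portal
# probe decides whether the network is open, captive, or offline.
# PROBE_URL and EXPECTED_BODY are assumptions; the slides only mention
# "http://check.example.com" and "contents as expected".
from dataclasses import dataclass
from typing import Optional

PROBE_URL = "http://check.example.com/"   # assumed probe endpoint (plain HTTP on purpose)
EXPECTED_BODY = b"Success"                 # assumed fixed body the probe server returns


@dataclass
class ProbeResult:
    status: Optional[int]   # HTTP status code, or None when the request itself failed
    headers: dict           # response headers with lower-cased keys
    body: bytes


def classify_probe(result: ProbeResult) -> str:
    """Return 'internet', 'captive' or 'offline' for one probe response."""
    if result.status is None:
        return "offline"
    if 300 <= result.status < 400 and "location" in result.headers:
        # An unexpected redirect: something on the path answered instead of the probe server.
        return "captive"
    if result.status == 200 and result.body.strip() == EXPECTED_BODY:
        return "internet"
    # 200 with a different body, or any other status: the HTTP reply was
    # intercepted or rewritten on the path (e.g. a portal page served inline),
    # which is why the body must be compared and not just the status code.
    return "captive"


def portal_url(result: ProbeResult) -> Optional[str]:
    """The address the device should open in its popup, if a redirect gave one."""
    if classify_probe(result) != "captive":
        return None
    return result.headers.get("location")


# Constructed sample responses (not captured from a real network)
OPEN_NETWORK = ProbeResult(200, {"content-type": "text/plain"}, b"Success\n")
CAPTIVE_REDIRECT = ProbeResult(302, {"location": "http://portal.example.net/login"}, b"")
CAPTIVE_INLINE = ProbeResult(200, {"content-type": "text/html"}, b"<html>Please log in</html>")
NO_LINK = ProbeResult(None, {}, b"")

if __name__ == "__main__":
    for name, r in [("open", OPEN_NETWORK), ("redirect", CAPTIVE_REDIRECT),
                    ("inline", CAPTIVE_INLINE), ("no link", NO_LINK)]:
        print(name, "->", classify_probe(r), portal_url(r))
```

The probe deliberately uses plain HTTP: only an HTTP response can be replaced or redirected by the network without a certificate error, so an HTTPS probe would simply fail instead of revealing the portal. The same reason explains the later Samsung workaround of opening a plain-HTTP site by hand.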
How to Implement a Captive Portal?
• For authorized users: allow all packets.
• For unauthorized users: redirect all HTTP traffic to the captive portal.
• I decided to use OpenFlow + Scala for dynamic packet processing.
Dynamic packet processing is required, so I chose OpenFlow and Scala.
OpenFlow
• One of the Software Defined Networking technologies.
• Control plane and data plane model.
• The data plane is either software or hardware.
• Major control plane implementations
  • Java: Floodlight, Ruby: Trema, Python: Ryu
OpenFlow is one of the Software Defined Networking technologies; it can control not only software switches but also hardware switches.
https://qiita.com/ttsubo/items/ addd c d adfcf
Implementing an OpenFlow Controller
• Floodlight is used only to serialize / deserialize OpenFlow message packets.
• The other OpenFlow functions are implemented from scratch in Scala.
• TCP connections and streaming are handled by netty.
[Diagram: Scala Application - OpenFlow Message - OpenFlow Switch]
Floodlight is used for the OpenFlow message processing part; the rest is implemented with Scala and netty.
Performance Test
• Simple controller: on packet-in, packet-out.
• C . xlarge
• 200Mbps
• In this test every packet is processed through the Scala app.
• In practice most packet processing is offloaded by writing flow rules to the OpenFlow switch.
• This performance is enough.
[Diagram: Scala Application - OpenFlow Message - The Internet]
Processing every packet in Scala gave 200Mbps, but in practice flows are cached, so performance is sufficient.
HTTP Server
• Redirects all HTTP traffic to the captive portal page.
• Renders the captive portal web page.
• Writes the user into Redis once authorized.
The HTTP server serves the captive portal page and writes the authorized user's information into Redis.
Captive Portal Controller
• Authorized user:
  • allow all packets.
• Unauthorized user:
  • If the packet is a DNS query, modify the packet destination to the "Fake DNS".
  • The "Fake DNS" always returns the IP address of the captive portal.
  • This is why all HTTP traffic of unauthorized users is directed to the captive portal.
• Akka Streams is suitable for this case because packet processing is streaming.
By rewriting all DNS traffic of unauthorized users so that it goes to the "Fake DNS", HTTP traffic is forcibly redirected and ends up at the captive portal.
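The packet-in decision described above, as an added example in Python rather than the project's Scala/Akka Streams code (it is my own illustration, not code from the slides or from scaptive-portal). Redis is replaced by an in-memory set, the Fake DNS and portal addresses are assumptions, and one detail the slides do not spell out is made explicit: the Fake DNS reply must have its source address rewritten back to the resolver the client originally asked, otherwise the client's stub resolver ignores the answer. Dropping all other traffic from unauthorized clients is also an assumption (the slides only say HTTP is redirected):

```python
# Added example, not the project's own code: the per-packet decision an
# OpenFlow controller makes for a captive portal.
from dataclasses import dataclass
from typing import Optional, Tuple

FAKE_DNS_IP = "10.0.0.53"   # assumed address of the Fake DNS server
PORTAL_IP = "10.0.0.80"     # assumed address of the captive portal HTTP server


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass
class Action:
    kind: str                       # "forward", "rewrite_dst", "rewrite_src", "drop"
    new_ip: Optional[str] = None    # replacement address for the rewrite kinds


@dataclass
class FlowRule:
    match_src_mac: str
    action: str        # "normal" = let the switch forward without the controller
    idle_timeout: int


class AuthStore:
    """Stand-in for the Redis set that the HTTP server writes authorized users into."""
    def __init__(self) -> None:
        self._authorized = set()

    def authorize(self, mac: str) -> None:
        self._authorized.add(mac.lower())

    def is_authorized(self, mac: str) -> bool:
        return mac.lower() in self._authorized


class CaptivePortalController:
    def __init__(self, store: AuthStore) -> None:
        self.store = store
        self.installed = []      # flow rules pushed to the switch
        self._pending = {}       # (client_mac, client_port) -> resolver IP the client asked

    def packet_in(self, pkt: Packet) -> Tuple[Action, Optional[FlowRule]]:
        """Return (Action, FlowRule or None) for one packet-in event."""
        # Reply coming back from the Fake DNS server: restore the resolver address
        # the client originally used, so the answer matches its outstanding query.
        if pkt.src_ip == FAKE_DNS_IP and pkt.proto == "udp" and pkt.src_port == 53:
            original = self._pending.pop((pkt.dst_mac, pkt.dst_port), None)
            if original is None:
                return Action("drop"), None          # reply nobody asked for
            return Action("rewrite_src", original), None

        if self.store.is_authorized(pkt.src_mac):
            # Offload: install a per-client flow so later packets never reach the app.
            rule = FlowRule(pkt.src_mac, "normal", idle_timeout=300)
            self.installed.append(rule)
            return Action("forward"), rule

        if pkt.proto == "udp" and pkt.dst_port == 53:
            # Unauthorized DNS query: remember the real resolver, steer to Fake DNS.
            self._pending[(pkt.src_mac, pkt.src_port)] = pkt.dst_ip
            return Action("rewrite_dst", FAKE_DNS_IP), None

        if pkt.dst_ip == PORTAL_IP:
            return Action("forward"), None           # HTTP to the portal itself must pass

        return Action("drop"), None                  # assumption: everything else is dropped
```

Keying the pending table on the client's MAC and source port (not only its IP) matters on a shared Wi-Fi where addresses are reassigned by DHCP; an idle timeout on the installed flow rule means a client that walks away is re-checked the next time it sends traffic.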
Case: Unauthorized user
[Sequence diagram, built up over four slides: User - OpenFlow Switch - Captive Portal Server, with The Internet on the side]
• Packet In: the user's DNS query reaches the controller, which finds the user is unauthorized.
• The controller modifies the destination to the Fake DNS server and sends Packet Out.
• The Fake DNS server returns its fake DNS response (the captive portal's IP address).
• The user's HTTP request is therefore redirected to the captive portal.
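The "Fake DNS response" step of the sequence above, as an added example (my own Python, not the slides' or the project's code): a minimal responder that answers every A query with the captive portal's address, following the RFC 1035 wire format. The portal address and the TTL are assumptions; the query used for the check is constructed inline:

```python
# Added example, not from the original slides: a "Fake DNS" responder that
# returns the captive portal's IP for any A query.
import struct

PORTAL_IP = "10.0.0.80"   # assumed captive portal address
TTL = 0                   # do not let clients cache the fake answer past authorization


def _parse_name(data: bytes, offset: int):
    """Read a label sequence starting at offset; return (dotted name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query (used here only to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def fake_dns_response(query: bytes):
    """Answer an A query with PORTAL_IP; return None for anything that is not a query."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        return None                         # a response, or an unusual query: ignore
    name, off = _parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]            # echoed verbatim into the response
    if qtype != 1 or qclass != 1:
        # Non-A question (e.g. AAAA): NOERROR with no answer rather than a bogus record,
        # so dual-stack clients fall back to the A answer and still reach the portal.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    rdata = bytes(int(octet) for octet in PORTAL_IP.split("."))
    # answer: pointer to the question name (0xC00C), type A, class IN, TTL, RDLENGTH, address
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, TTL, 4) + rdata
    return header + question + answer


def answered_ip(response: bytes):
    """Extract the A record from a response built above (for checking the output)."""
    _, _, _, ancount = struct.unpack("!HHHH", response[:8])
    if ancount == 0:
        return None
    _, off = _parse_name(response, 12)
    off += 4            # skip qtype and qclass
    off += 2 + 10       # skip name pointer, type, class, ttl, rdlength
    return ".".join(str(b) for b in response[off:off + 4])


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print(answered_ip(fake_dns_response(q)))   # 10.0.0.80
```

A TTL of zero is the detail worth keeping: with a normal TTL the client would go on resolving every site to the portal for minutes after it has been authorized, which looks to the user like the Wi-Fi is broken.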
Deploy into Datacenter
• Linux virtual machine: Core GB (this was far more resource than needed).
• The reason we deployed into a datacenter is explained later.
For the reason described later, this time we deployed to servers in a datacenter.
There was NO Operation!
• It works! Almost...
• Known issues
  • Captive portal detection failed only on the Samsung Galaxy series.
  • Workaround: open some plain-HTTP site (e.g. http://neverssl.com ) instead of relying on captive portal detection.
• Registered users!!
It would not work on certain devices no matter what, but it worked well almost everywhere!
Goals
• Connected everywhere
  • It's natural for people to want comfortable Internet access.
• Technical challenge
  • Not just a job: use it as a lab environment or playground with real user traffic.
I did not want this to be just a job, so I took the opportunity to try various challenges.
Architecture
• Internet connectivity was provided by Home NOC Operator's Group (AS59105).
• The Scala Matsuri venue and the data center are connected via flet's NGN.
[Diagram: The Internet - AS59105 - Scala Matsuri venue]
We connected to Home NOC Operator's Group's data center, and they provided us with a high-speed Internet connection.
Scala Matsuri Venue
• Wi-Fi access points x
  • Cisco Aironet x
  • Cisco Meraki MR x
• PoE switching hub x
• Router x
  • NEC IX
• Server x
• Cable
  • LAN cable: about meters in total!
  • Optical fiber cable: meters
We installed a lot of equipment at the venue.
Conclusion
• Implemented a captive portal in Scala.
• Now open source!
  • https://github.com/kurochan/scaptive-portal
• Succeeded in providing comfortable Wi-Fi.