Difference between revisions of "FastForward network protocol"

(TLS)
 
(No difference)

Latest revision as of 09:18, 13 July 2020

FastForward is an original protocol that was created to make communications between BrandMeister servers. The protocol is based on UDP and TCP basically on port 54000.

FastForward 2.0

Since release 202007xx FastForward provides following ways to interact between BrandMeister Cores:

  • UDP (with compatibility to FastForward 1.x) by default
  • TLS - more secure way with dynamic key encryption and less latency
  • Direct - to communicate between several BrandMeister Core instances on the same host (zero latency)
  • vSocket - rare case, when several BrandMeister Cores run on the same hypervisor (zero latency)
  • RDMA - rare case, when several BrandMeister Cores run on the same datacenter and datacenter has RDMA support (InfiiBand, RoCE, iWARP)

Basic configuration

FastForward :
{
  port = 54000;
  certificate = "Data/fastforward.pem";  // Certificate + private key in PEM format
};
  • port - allocated port number (both for UDP and TCP)
  • certificate - path to X.509 certificate for TLS mode

UDP

UDP is basic (and mostly compatible with all master servers) transport which is used by default and in case of failover. It will be used when any other method (except vSocket) fails.

TLS

BrandMeister Core uses self-signed X.509 certificates with fingerprint registration in authentication database. Common Name at Subject field is in use to identify each BrandMeister Core instance.

You can use following way to generate certificate: 

openssl req -x509 -newkey rsa:2048 -sha256 -new -nodes -days 3650  -subj "/CN=<Master ID>" \
  -keyout /opt/BrandMeister/Data/fastforward.pem -out /opt/BrandMeister/Data/fastforward.pem
openssl x509 -fingerprint -sha1 -noout -in /opt/BrandMeister/Data/fastforward.pem | \
  curl -v -X POST -d @- https://<hub address>/dmr/register.php?number=<Master ID>
chown root:master /opt/BrandMeister/Data/fastforward.pem
chmod 0640 /opt/BrandMeister/Data/fastforward.pem

To clarify: both sides have to have certificates configured. There are two-side TLS authentication. TLS connection will be established only when both BrandMeister Cores define their capability to establish TLS by using FastForward measurement messages over UDP.

Direct

When you run several instances of BrandMeister Core in the same host, BrandMeister Core uses shared memory to communicate each other directly and D-BUS to discover instances and establish connection. No extra actions required.

Please read BrandMeister Server Clustering for details.

vSocket, RDMA

These connection types require to be configured at Registry. 

box,space.OverriddenNodes:insert({ <node ID>, 0, <FORWARD_TRANSPORT_RDMA | FORWARD_TRANSPORT_VSOCKET>, <address>, <port> })
  • Address:
    • FORWARD_TRANSPORT_UDP and FORWARD_TRANSPORT_RDMA: host name, IPv4 address or IPv6 address
    • FORWARD_TRANSPORT_RDMA: it could be InfiniBand GID in hexadecimal format with leading "0x", such as 0xfe8000000000000050800200008e4d39
    • for FORWARD_TRANSPORT_VSOCKET: decimal CID number of host on hypervisor

Please read BrandMeister Server Clustering for details.

Retrieved from "https://wiki.brandmeister.network/index.php?title=FastForward_network_protocol&oldid=14759"

FastForward is an original protocol that was created to make communications between BrandMeister servers. The protocol is based on UDP and TCP basically on port 54000.

FastForward 2.0[edit]

Since release 202007xx FastForward provides following ways to interact between BrandMeister Cores:

Basic configuration[edit]

FastForward :
{
  port = 54000;
  certificate = "Data/fastforward.pem";  // Certificate + private key in PEM format
};

UDP[edit]

UDP is basic (and mostly compatible with all master servers) transport which is used by default and in case of failover. It will be used when any other method (except vSocket) fails.

TLS[edit]

BrandMeister Core uses self-signed X.509 certificates with fingerprint registration in authentication database. Common Name at Subject field is in use to identify each BrandMeister Core instance.

You can use following way to generate certificate: 

openssl req -x509 -newkey rsa:2048 -sha256 -new -nodes -days 3650  -subj "/CN=<Master ID>" \
  -keyout /opt/BrandMeister/Data/fastforward.pem -out /opt/BrandMeister/Data/fastforward.pem
openssl x509 -fingerprint -sha1 -noout -in /opt/BrandMeister/Data/fastforward.pem | \
  curl -v -X POST -d @- https://<hub address>/dmr/register.php?number=<Master ID>
chown root:master /opt/BrandMeister/Data/fastforward.pem
chmod 0640 /opt/BrandMeister/Data/fastforward.pem

To clarify: both sides have to have certificates configured. There are two-side TLS authentication. TLS connection will be established only when both BrandMeister Cores define their capability to establish TLS by using FastForward measurement messages over UDP.

Direct[edit]

When you run several instances of BrandMeister Core in the same host, BrandMeister Core uses shared memory to communicate each other directly and D-BUS to discover instances and establish connection. No extra actions required.

Please read BrandMeister Server Clustering for details.

vSocket, RDMA[edit]

These connection types require to be configured at Registry. 

box,space.OverriddenNodes:insert({ <node ID>, 0, <FORWARD_TRANSPORT_RDMA | FORWARD_TRANSPORT_VSOCKET>, <address>, <port> })

Please read BrandMeister Server Clustering for details.