Wifidog流程网关协议v2

线路协议
回复形式

在线路协议中有以下说明:

  • 紧凑表示(当浏览分散式网络时,宽带也不便宜)
  • 用户可读
  • 能够为C语言和PHP提供快速的解析器,并且比较理想的是能够多语言化
  • 适用于与配置文件分享解析器和格式
  • 适用于清晰的显示树结构(例如认证服务器列表)

请求格式

必须遵循请求格式:

  • 每个http请求都有多个操作(例如为多个用户更新统计数据)
  • 保持http传送,因为这能允许完整的NAT和透明代理阻力

以上的一些需求没有适用于RESTFull ROA。然而,保持现有格式事实上把我们限制在了tag-value对列表。理论上即使可以将action=whatever放在列表中间并在协议中申明以下每个参数都是那个action的参数,这将使大多数网络服务器与框架完全混淆。

  Acv:另一个可能性是从PHP进行URL-parsing的方式借用一个页面。将get请求设置到一个数组表示,这将允许公平的逻辑请求捆绑。也就是:

 /page?req[0][action]=Action1&req[0][Param1]=param&req[0][Param...]=param...&req[0][Paramn]=paramn&\


req[...][action]=Action...&req[...][Param1]=param&req[...][Param...]=param...&req[...][Paramn]=paramn&\


req[n][action]=Actionn&req[n][Param1]=param&req[n][Param...]=param...&req[n][Paramn]=paramn

  Acv:当比较容易进行解析的时候,这个格式会保持用户可读

功能性需求

  • 允许认证服务器发送一些主要的配置变更
  • 允许基于MAC认证的非连接关系
  • 允许per-connection防火墙政策
  • 允许per-connection宽带管理,不只限于设置数量
  • 允许全球宽带管理
  • 指定围墙花园
  • 指定最初连接用户列表

指令
NOOP
基本上只为网关心跳。可能会指定操作间很短的延迟,并且如果在实际操作之间延迟的话,就会发送NOOP。
AUTH_VERIFY
STATS_UPDATE

提议方案
  Philippe:

 I think we could have a Hash kind of structure like this:

 * protocol_version: 1 (start with this to identify protocol)

 * wifidog_version: ...

 * status:

   * uptime, etc.

 * connected_clients:

   * stats, etc.

  简单回复:

 {

    "protocol_version": 1,

    "config": {

        "login_url": "https://auth.server/login.php",

        "portal_url": "http://portal.server/",

        ... },

    "clients": [

        { "mac": "00aabbccdd22", "ip": "10.0.0.1", ... },

        { "mac": "00aabbccdd22", "ip": "10.0.0.1", ... },

        ... ]

}

网关和认证服务器通信
2.png

配置

  • 醒目页面,如果auth-server=down(URL)
  • 醒目页面,如果internet=down(内容)
  • 围墙花园(考虑一下DNS超时)
  • 静态MAC黑/白名单

  • 全球防火墙/QOS配置












Main contributors: Benoit Grégoire, Philippe April, Alexandre Carmel-Veilleux

This page documents the design effort for designing version two of the wifidog protocol specification. While it will eventually turn into a structured specification, currently,

Wire protocol

Response format

It is desirable to have the following features in the wire protocol:

  • Compact representation (bandwidth is NOT cheap when serving a distributed network)
  • Human readable
  • Fast and small parsers available for C and PHP, and ideally multiple other languages
  • Suitable for sharing parser and format with the configuration file
  • Suitable for cleanly representing trees (like the list of auth servers)

After discussion, the representation will be JASON. For config comment, a verb will be reserved for comments, which will be systematically ignored.

Request format

It is beyond desirable to have to following with request format:

  • More than one operation per http request (for example, update statistics for more than one user)
  • Keep the http transport, as it allows us full NAT and transparent proxy resistance

Some of the requirements above do not lend itself well to a RESTFull Resource oriented architecture (ROA). However, keeping the current format (GET parameters) limit us, in practice, to a single list of tag-value pairs. Even if one could, in theory, put an action=whatever in the middle of the list and have the protocol decree that every following parameters (until the next action) is to be a parameter of that action, that would utterly confuse most web servers and frameworks.

acv: One other possibility is to borrow a page from the way PHP does URL-parsing. Setting the key part of the get request to a array representation would allow for fairly logical request bundling., I.e.:

/page?req[0][action]=Action1&req[0][Param1]=param&req[0][Param...]=param...&req[0][Paramn]=paramn&\
req[...][action]=Action...&req[...][Param1]=param&req[...][Param...]=param...&req[...][Paramn]=paramn&\
req[n][action]=Actionn&req[n][Param1]=param&req[n][Param...]=param...&req[n][Paramn]=paramn

acv: This format would remain human readable while being very simple to parse (free in PHP, trivial in other languages).

So POSTing the parameters may have to be considered, in which case the same format as the response should be used, for obvious reasons.

Functionnal Requirements

  • Allow some general configuration changes to be sent by the auth server.
  • Allow non web-based MAC auth > Philippe: Explain this?
  • Allow non connection based MAC auth
  • Allow per-connection firewall policies
  • Allow per-connection bandwidth management, not limited to set amounts
  • Allow global bandwidth management (might come in configuration)
  • Specify walled garden
  • Specify list of initially connected users
  • Many more....

Philippe: Ideas?

Philippe: Way to allow people on restart, or deny people on inactivity acv: People on restart needs to be pulled from auth server unless either of: (a) We have non-volatile storage that isn't too badly affected by write-wear; or (b) We have not rebooted and can read a file from ramdisk.

Actions

NOOP

Basically there only for gateway heartbeating. A min delay between operations would be specified, and if this delay is reached before an actual operation has to be performed, a NOOP is sent.

Philippe: not required, we'll always send at LEAST the status. If no "command" is sent, it means NOOP :)

AUTH_VERIFY

STATS_UPDATE

A proposed solution

Philippe:

I think we could have a Hash kind of structure like this:

 * protocol_version: 1 (start with this to identify protocol)
 * wifidog_version: ...
 * status:
   * uptime, etc.
 * connected_clients:
   * stats, etc.

and a sample reply (just ideas...)

{
    "protocol_version": 1,
    "config": {
        "login_url": "https://auth.server/login.php",
        "portal_url": "http://portal.server/",
        ... },
    "clients": [
        { "mac": "00aabbccdd22", "ip": "10.0.0.1", ... },
        { "mac": "00aabbccdd22", "ip": "10.0.0.1", ... },
        ... ]
}

Gateway and Auth-Server communication

Gateway : Verbes / Actions Auth-Server
Init request Gateway configurations
MAC detect Auth response (accept/deny this MAC)
User auth request User connection configation (open/closed port, QOS)
Auth the auth server (key + protocol) Auth the gateway (key + protocol)

Configurations

  • Splash page if auth-server=down (URL)
  • Splash page if internet=down (content)
  • Walled garden (Think about DNS timeout)
  • Static White/Black? list MAC
  • Global firewall / QOS configuration
  • Gzip optionnel, response only, through standard HTTP

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值