IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Connectivity

Overview

Microsegmentation provides an oam ping command in apoctl that helps to debug connectivity issues. It allows you to generate traffic between processing units and analyze the resources it is hitting. Some questions it can help you answer follow.

  • Is an outgoing packet hitting an excluded network?
  • Does an outgoing packet have a destination IP in the target network?
  • Is there network address translation (NAT) in between the source and destination?
  • Did source NAT or port address translation (PAT) happen?
  • Did destination NAT or PAT happen?
  • In layer 3 traffic, did a middle box change sequence numbers?

Control messages

  • pingEnabled: starts ping to the destination
  • pingIterations: number of iterations (default 1)
  • pingMode: you can specify L3, L4, or L7 (defaults to Auto)
  • pingAddress: destination address to ping
  • pingPort: destination port to ping

Specifying the number of iterations

By default, oam ping completes a single iteration. To specify more iterations, you can pass an integer using the --iterations flag.

Selecting the mode

By default, oam ping automatically detects the OSI network layer. You can use the --mode flag to manually specify the layer.

  • --mode l3: the packets flow through layer 3 via Linux NFQUEUE.
  • --mode l4: the packets flow through layer 4 via Golang’s TCP server implementation.
  • --mode l7: the packets flow through layer 7 via Golang’s HTTP server implementation.

Examples

Prerequisites

  • Client processing unit ID
  • Destination IP
  • Destination port
  • apoctl installed
  • apoctl credentials have the namespace administrator role in the Microsegmentation namespace of both the client and server endpoints

TIP

If the server endpoint resides in an different Microsegmentation namespace, you can pass the app credential that has the namespace administrator role access using the --appcreds flag.

Apoctl command

  • Syntax

    apoctl oam ping <client-processing-unit-id> <destination-ip>:<destination-port>
    
  • Example

    apoctl oam ping 5f21363139483e3b048eda02 192.168.100.100:9000
    
  • Output

    INFO	Generating report(s)...
    
    Report 1 of processing unit 5f21363139483e3b048eda02 talking to processing unit 5f2136cb39483e3b048eda04,
    
    +-----------------+-----------------+-------------------------------------------+-------------------------------------------+
    |    Category     |      Name       |                  Source                   |                Destination                |
    +-----------------+-----------------+-------------------------------------------+-------------------------------------------+
    | Processing Unit | Controller      | https://localhost:4443                    | https://localhost:4443                    |
    |                 | ID              | 5f21363139483e3b048eda02                  | 5f2136cb39483e3b048eda04                  |
    |                 | Name            | centos                                    | nginx                                     |
    |                 | Namespace       | /apomux                                   | /apomux                                   |
    |                 | Claims          | $identity=processingunit                  | $identity=processingunit                  |
    |                 |                 | $namespace=/apomux                        | $namespace=/apomux                        |
    |                 |                 | app=frontend                              | AporetoContextID=5f2136cb39483e3b048eda04 |
    |                 |                 | AporetoContextID=5f21363139483e3b048eda02 |                                           |
    |                 | ClaimsType      | Transmitted                               | Transmitted                               |
    | Enforcer        | ID              | 5f20f86039483e3b048ed9fe                  | 5f2136b339483e3b048eda03                  |
    |                 | Name            | apomux-enforcerd-4                        | apomux-enforcerd-1                        |
    |                 | Namespace       | /apomux                                   | /apomux                                   |
    |                 | Version         | 0.0.0-dev                                 | 0.0.0-dev                                 |
    | Policy          | ID              | 5eaa175a39483e075f411be3                  | 5e504e7a39483e4d3a6404ff                  |
    |                 | Name            | pu-service                                | pu-pu                                     |
    |                 | Namespace       | /apomux                                   | /apomux                                   |
    |                 | Action          | accept                                    | accept                                    |
    | Packet          | SourceIP        | 172.17.0.2                                | 192.168.100.103                           |
    |                 | SourcePort      | 34909                                     | 34909                                     |
    |                 | DestinationIP   | 192.168.100.100                           | 172.17.0.2                                |
    |                 | DestinationPort | 9000                                      | 80                                        |
    |                 | PayloadSize     | 945                                       | 808                                       |
    |                 | PayloadSizeType | Received                                  | Received                                  |
    | Other           | Error           |                                           |                                           |
    |                 | Timestamp       | 2020-07-29 08:46:04.74 +0000 UTC          | 2020-07-29 08:45:54.741 +0000 UTC         |
    +-----------------+-----------------+-------------------------------------------+-------------------------------------------+
    
    
    Verdict:
    
    Communication flows through L3 service.
    The protocol medium used is TCP.
    It took 1.431995ms for the ping handshake to complete.
    An application is listening on port 80.
    ACL policy is applied. The ID of the policy is 5e45d2ab39483e1bb9b811e1 and action accept.
    NAT: SNAT,DNAT,DPAT.
    --------------------------------------------------------------------------
    
  • Output with layer 4 service

    INFO	Generating report(s)...
    
    Report 1 of processing unit 5f21363139483e3b048eda02 talking to processing unit 5f2136cb39483e3b048eda04,
    
    +-----------------+-----------------+--------------------------------------------------------------+------------------------------------------------------------+
    |    Category     |      Name       |                            Source                            |                        Destination                         |
    +-----------------+-----------------+--------------------------------------------------------------+------------------------------------------------------------+
    | Processing Unit | Controller      | https://localhost:4443                                       | https://localhost:4443                                     |
    |                 | ID              | 5f21363139483e3b048eda02                                     | 5f2136cb39483e3b048eda04                                   |
    |                 | Name            | centos                                                       | nginx                                                      |
    |                 | Namespace       | /apomux                                                      | /apomux                                                    |
    |                 | Claims          | $controller=https://localhost:4443                           | $controller=https://localhost:4443                         |
    |                 |                 | $datapathtype=Aporeto                                        | $datapathtype=Aporeto                                      |
    |                 |                 | $enforcementstatus=Active                                    | $enforcementstatus=Active                                  |
    |                 |                 | $enforcerid=5f2136b339483e3b048eda03                         | $enforcerid=5f20f86039483e3b048ed9fe                       |
    |                 |                 | $enforcernamespace=/apomux                                   | $enforcernamespace=/apomux                                 |
    |                 |                 | $id=5f2136cb39483e3b048eda04                                 | $id=5f21363139483e3b048eda02                               |
    |                 |                 | $identity=processingunit                                     | $identity=processingunit                                   |
    |                 |                 | $image=nginx                                                 | $image=gcr.io/aporetodev/centos                            |
    |                 |                 | $image=nginx                                                 | $image=gcr.io/aporetodev/centos                            |
    |                 |                 | $name=nginx                                                  | $name=centos                                               |
    |                 |                 | $namespace=/apomux                                           | $namespace=/apomux                                         |
    |                 |                 | $operationalstatus=Running                                   | $operationalstatus=Running                                 |
    |                 |                 | $type=Docker                                                 | $type=Docker                                               |
    |                 |                 | $vulnerabilitylevel=none                                     | $vulnerabilitylevel=none                                   |
    |                 |                 | @app:docker:exposedport=tcp:80                               | @app:docker:name=centos                                    |
    |                 |                 | @app:docker:hostport=tcp:9000                                | @app:docker:networkmode=bridge                             |
    |                 |                 | @app:docker:name=nginx                                       | @app:docker:pid=0                                          |
    |                 |                 | @app:docker:networkmode=bridge                               | @app:extractor=docker                                      |
    |                 |                 | @app:docker:pid=0                                            | @os:host=linux                                             |
    |                 |                 | @app:extractor=docker                                        | app=frontend                                               |
    |                 |                 | @os:host=linux                                               | org.label-schema.build-date=20190801                       |
    |                 |                 | maintainer=NGINX Docker Maintainers <docker-maint@nginx.com> | org.label-schema.license=GPLv2                             |
    |                 |                 | role=service                                                 | org.label-schema.name=CentOS Base Image                    |
    |                 |                 |                                                              | org.label-schema.schema-version=1.0                        |
    |                 |                 |                                                              | org.label-schema.vendor=CentOS                             |
    |                 | ClaimsType      | Received                                                     | Received                                                   |
    |                 | CertIssuer      | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto              | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto            |
    |                 | CertSubject     | CN=5f21363139483e3b048eda02,OU=aporeto-enforcerd,O=/apomux   | CN=5f2136cb39483e3b048eda04,OU=aporeto-enforcerd,O=/apomux |
    |                 | CertExpiry      | 2020-07-29 09:22:32 +0000 UTC                                | 2020-08-05 08:52:23 +0000 UTC                              |
    | Enforcer        | ID              | 5f20f86039483e3b048ed9fe                                     | 5f2136b339483e3b048eda03                                   |
    |                 | Name            | apomux-enforcerd-4                                           | apomux-enforcerd-1                                         |
    |                 | Namespace       | /apomux                                                      | /apomux                                                    |
    |                 | Version         | 0.0.0-dev                                                    | 0.0.0-dev                                                  |
    | Policy          | ID              | 5eaa175a39483e075f411be3                                     | 5e504e7a39483e4d3a6404ff                                   |
    |                 | Name            | pu-service                                                   | pu-pu                                                      |
    |                 | Namespace       | /apomux                                                      | /apomux                                                    |
    |                 | Action          | accept                                                       | accept                                                     |
    | Packet          | SourceIP        | 172.17.0.2                                                   | 192.168.100.103                                            |
    |                 | SourcePort      | 48624                                                        | 48624                                                      |
    |                 | DestinationIP   | 192.168.100.100                                              | 172.17.0.2                                                 |
    |                 | DestinationPort | 9000                                                         | 80                                                         |
    |                 | PayloadSize     | 208                                                          | 208                                                        |
    |                 | PayloadSizeType | Transmitted                                                  | Received                                                   |
    | Other           | Error           |                                                              |                                                            |
    |                 | Timestamp       | 2020-07-29 08:52:32.209 +0000 UTC                            | 2020-07-29 08:52:32.21 +0000 UTC                           |
    +-----------------+-----------------+--------------------------------------------------------------+------------------------------------------------------------+
    
    
    Verdict:
    
    Communication flows through L4 service.
    The protocol medium used is TCP.
    It took 3.098666ms for the ping handshake to complete.
    An application is listening on port 80.
    ACL policy is applied. The ID of the policy is 5e45d2ab39483e1bb9b811e1 and action accept.
    NAT: SNAT,DNAT,DPAT.
    --------------------------------------------------------------------------
    
  • Output with layer 7 service

    INFO	Generating report(s)...
    
    Report 1 of processing unit 5f21363139483e3b048eda02 talking to processing unit 5f2136cb39483e3b048eda04,
    
    +-----------------+-----------------+------------------------------------------------------------+------------------------------------------------------------+
    |    Category     |      Name       |                           Source                           |                        Destination                         |
    +-----------------+-----------------+------------------------------------------------------------+------------------------------------------------------------+
    | Processing Unit | Controller      | https://localhost:4443                                     | https://localhost:4443                                     |
    |                 | ID              | 5f21363139483e3b048eda02                                   | 5f2136cb39483e3b048eda04                                   |
    |                 | Name            | centos                                                     | nginx                                                      |
    |                 | Namespace       | /apomux                                                    | /apomux                                                    |
    |                 | Claims          | $identity=processingunit                                   | $identity=processingunit                                   |
    |                 |                 | $namespace=/apomux                                         | $namespace=/apomux                                         |
    |                 |                 | app=frontend                                               | app=frontend                                               |
    |                 |                 | AporetoContextID=5f21363139483e3b048eda02                  | AporetoContextID=5f21363139483e3b048eda02                  |
    |                 |                 |                                                            | kDMRXWckV9k6mGuJ                                           |
    |                 |                 |                                                            | a=b                                                        |
    |                 | ClaimsType      | Transmitted                                                | Received                                                   |
    |                 | CertIssuer      | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto            | CN=Apomux Public Signing CA,OU=apomux,O=Aporeto            |
    |                 | CertSubject     | CN=5f21363139483e3b048eda02,OU=aporeto-enforcerd,O=/apomux | CN=5f2136cb39483e3b048eda04,OU=aporeto-enforcerd,O=/apomux |
    |                 | CertExpiry      | 2020-08-05 08:43:17 +0000 UTC                              | 2020-08-05 08:55:33 +0000 UTC                              |
    | Enforcer        | ID              | 5f20f86039483e3b048ed9fe                                   | 5f2136b339483e3b048eda03                                   |
    |                 | Name            | apomux-enforcerd-4                                         | apomux-enforcerd-1                                         |
    |                 | Namespace       | /apomux                                                    | /apomux                                                    |
    |                 | Version         | 0.0.0-dev                                                  | 0.0.0-dev                                                  |
    | Policy          | ID              |                                                            | 5e504e7a39483e4d3a6404ff                                   |
    |                 | Name            |                                                            | pu-pu                                                      |
    |                 | Namespace       |                                                            | /apomux                                                    |
    |                 | Action          | passthrough                                                | accept                                                     |
    |                 | ServiceID       | 5ec1d21b39483e4dbe85ec92                                   | 5ec1d21b39483e4dbe85ec92                                   |
    | Packet          | SourceIP        | 172.17.0.2                                                 | 192.168.100.103                                            |
    |                 | SourcePort      | 48626                                                      | 48626                                                      |
    |                 | DestinationIP   | 192.168.100.100                                            | 172.17.0.2                                                 |
    |                 | DestinationPort | 9000                                                       | 80                                                         |
    |                 | PayloadSize     | 970                                                        | 970                                                        |
    |                 | PayloadSizeType | Transmitted                                                | Received                                                   |
    | Other           | Error           |                                                            |                                                            |
    |                 | Timestamp       | 2020-07-29 08:55:41.709 +0000 UTC                          | 2020-07-29 08:55:41.709 +0000 UTC                          |
    +-----------------+-----------------+------------------------------------------------------------+------------------------------------------------------------+
    
    
    Verdict:
    
    Communication flows through L7 service.
    The protocol medium used is TCP.
    It took 11.578028ms for the ping handshake to complete.
    An application is listening on port 80.
    ACL policy is applied. The ID of the policy is 5e45d2ab39483e1bb9b811e1 and action accept.
    NAT: SNAT,DNAT,DPAT.
    --------------------------------------------------------------------------
    

NOTE

The examples above are for reference purposes only and the actual output might not be similar.

Advanced options

To learn more about oam ping, issue the following command.

apoctl oam ping -h