The X-Bone

 

Frequently-Asked Questions (FAQ)


(The Official X-Bone cookie - A.S. Hughes)

  • About X-Bone
    • What is the X-Bone useful for?
    • How is the X-Bone different from other VPN and overlay systems?
    • Can the X-Bone deploy more than one overlay at a time?
    • Is the X-Bone secure?
    • How do I get an X.509 key?
    • What are the requirements to run the X-Bone?
  • Protocols
    • Will there be a version that does not require multicast?
    • Will there be a version supporting overlays at a different protocol layer than IP, e.g., ATM / Ethernet / etc.?
    • Will there be support for QoS (e.g., RSVP / etc.)?
    • Will there be support for IPv6?
    • Will the X-Bone be available without SSL/X.509?
    • Will there be a port available that does not require a DNS server?
  • Ports
    • Will there be support for FreeBSD 4.0?
    • Will there be support for Solaris / MacOS / NetBSD / Windows2000 etc.?
    • Will there be support for non host-based routers?

About X-Bone

The X-Bone is a software system that configures overlay networks, also known as VPNs. It uses a web-based GUI, as well as Perl-based daemons, to discover, configure, and deploy an overlay network. The X-Bone installs routes, configures interfaces, updates DNS entries, and installs IPSEC keys.

What is the X-Bone useful for?

The X-Bone can be used for:

  • Deploying VPNs
  • Network research
  • Network lab classes

More information is available in our 'application notes' area.

How is the X-Bone different from other VPN and overlay systems?

The X-Bone differs from other VPN and overlay systems in the following ways:

  • Supports multiple concurrent overlays
  • Requires no kernel or application modification
  • Uses no new network-level protocols (only IP)
  • Supports data security (via IPSEC) without requiring application support
  • Provides control security (via X.509/SSL)

Can the X-Bone deploy more than one overlay at a time?

Yes! The X-Bone can deploy multiple concurrent overlays. A single host or router can participate in more than one overlay at a time as well.

Is the X-Bone secure?

The X-Bone includes a daemon that configures interfaces and installs routes on hosts and routers. Messages between the GUI and the daemon are encrypted using SSL with X.509 certificates, the same software used to encrypt commercial web purchases.

How do I get an X.509 key?

There are three ways to get an X.509 key.

  1. If you are a small project collaborating with the X-Bone group, we invite you to request a key from us directly. We manage our own key signing certificate authority, and can sign keys on request. However, because there are two alternatives available, this option is limited to groups working directly with us.
  2. You can purchase a key from a commercial certificate authority, such as Verisign.
  3. You can configure your own certificate authority, as we have done, and sign your own keys. This is useful mostly if you limit shared access to your X-Bone to those whose keys you sign; if you intend to share access with others whose keys you do not sign, you should use a commercial service so you can both trust each other's signatures.
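
The third option, as an added example that is not part of the X-Bone distribution: a private certificate authority built with the `openssl` command-line tool signs one site's keys, and verification shows why a certificate signed by another site's CA is not trusted. The CA names, host names and file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: run your own CA and sign your own keys (option 3 above).
# Every name here (site-a, site-b, alice, bob, *.example) is constructed.

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert CA_DIR OUT_PREFIX CN: make a key and a signing request,
# then sign the request with the CA held in CA_DIR.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -out "$2.crt" 2>/dev/null
}

# trusted_by CA_CERT CERT: succeed only if CERT chains to CA_CERT.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: two sites each run a private CA; site A checks both users' certificates.
demo() {
    work=$(mktemp -d) || return 1
    make_ca "$work/site-a" "Site A demo CA" || return 1
    make_ca "$work/site-b" "Site B demo CA" || return 1
    issue_cert "$work/site-a" "$work/alice" "alice.site-a.example" || return 1
    issue_cert "$work/site-b" "$work/bob" "bob.site-b.example" || return 1
    result=""
    # Site A signed alice's key, so its CA certificate validates her.
    trusted_by "$work/site-a/ca.crt" "$work/alice.crt" &&
        result="${result}a-accepts-alice "
    # Site A never signed bob's key, so he is rejected unless both
    # sites trust a common signer.
    trusted_by "$work/site-a/ca.crt" "$work/bob.crt" ||
        result="${result}a-rejects-bob"
    rm -rf "$work"
    echo "$result"
}

demo
```

Keep each `ca.key` readable only by the person who signs keys: anyone holding it can issue certificates that the site will accept.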

What are the requirements to run the X-Bone?

The X-Bone requires the following:

More information is available in the installation instructions.


Protocols

Will there be a version that does not require multicast?

The X-Bone uses multicast for resource discovery, to reduce configuration. We are looking at ways to relax that requirement, so that the X-Bone can be used to deploy an M-Bone where it does not already exist in the underlying network.

Will there be a version supporting overlays at a different protocol layer than IP, e.g., ATM / Ethernet / etc.?

IP was chosen precisely because it is a unifying layer. IP runs over anything. By focusing the X-Bone on IP, we can run over anything IP runs over, which is, in short, anything. Customizing the X-Bone to other protocols would defeat its goals of ubiquitous deployment and recursion.

Will there be support for QoS (e.g., RSVP / etc.)?

No. The X-Bone runs over many systems for which there is no RSVP implementation available, and our project is not focused on developing that service. There are other projects, notably CMU's Darwin/VNS, which are developing QoS support for overlays. The X-Bone can be ported to use that service when it is available. Also, the X-Bone was designed to be used with minimal, if any, modifications to operating systems. Requiring QoS would defeat this goal.

Will there be support for IPv6?

Yes. Version 3.0 supports IPv4 overlays as well as IPv6.

Will the X-Bone be available without SSL/X.509?

No. The X-Bone allows overlay requesters to inject interface addresses and routes onto your machines; as such, it would be a severe security hole were it deployed without the use of secure control links.

Will there be a port available that does not require a DNS server?

There is no inherent requirement for a DNS server. In releases later than 1.3, you can disable DNS when creating overlays from the web interface.


Ports

Will there be support for FreeBSD 4.0?

Yes. Version 1.3 supports FreeBSD 4.0 without IPSEC.

Will there be support for Win98 / Win2000 / Solaris / MacOS / NetBSD / etc.?

The X-Bone requires support for IPIP tunnels and virtual interfaces. It also requires renumbering interfaces on the fly, and setting up routes. As such, some current operating systems (notably Win98, Win2000, Mac pre-X, and Solaris pre 2.8) cannot easily be supported, as far as we understand.

Support for other systems, e.g., Solaris 2.8 and MacOS-X, is being evaluated. We do not currently plan to port to other BSDs; such ports should be comparatively trivial. Some components of the distribution also require other facilities, e.g., IPSEC, X.509/SSL, or the Apache web server.

Will there be support for non host-based routers?

Yes. This summer we plan to include SNMP support, tested with a commercial router.