The Proxy Agent is an intermediate module between the CCIPS Controller and the CCIPS Agent. It is in charge of managing the key requests between the endpoints that will form the IPsec tunnel.
It receives a JSON packet from the CCIPS Controller; the information in this packet is based on the RFC 9061 model. We can think of this model as a template for building IPsec infrastructure.
With the parameters contained in this template, the Proxy Agent constructs an ETSI GS QKD 004 request and sends it to the hybridization module.
The hybridization module replies with the key for that request, and the Proxy Agent inserts this key into the original template sent by the CCIPS Controller.
Finally, with the template filled in, it communicates with the CCIPS Agent to install the relevant security associations.
To get the Proxy Agent working, we only need to create a virtual environment, install the requirements and run the proxy_agent.py script. An example of the setup is attached:
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
To run the Proxy Agent we only need to run the "proxy_agent.py" script with the configuration file. An example is attached:
python src/proxy_agent.py config/proxy_agent.json
Another option is adding the path to the configuration file in the environment variable CFGFILE. The Proxy Agent will use the value of this variable as a fallback if it does not receive arguments.
While the Proxy Agent can be run directly, the tool that is usually used when deploying this component is Docker. Whether you use plain Docker or Docker Compose, there are some things you may need to know:
- The Docker build process does not copy the configuration files into the image. This means that both the main configuration and the public node information must be provided at run time, which can be achieved using a bind mount. This way the same image can be used for machines with different configurations.
- When running the image you must also provide the path to the config file (the one inside the container) through the environment variable CFGFILE.
- The Proxy Agent requires the port in proxy_agent_address to be exposed so it can receive instructions from controllers that do not belong to any Docker network the Proxy Agent belongs to.
The parameters of the config file are:
{
    "input_format" : "encoding_in_which_the_input_of_the_ccips_controller_will_come",
    "proxy_agent_address" : {
        "host" : "host_where_the_proxy_agent_will_run",
        "port" : 3000 // Port where the proxy will run
    },
    "log": {
        "file": "logger_file",
        "level": "logger_level"
    },
    "hybrid_module": {
        "address": {
            "host" : "host_where_the_hybrid_module_is_located",
            "port" : 24030 // Port where the hybridization module is located
        },
        "public_node_info_path" : "./path/to/public_node_info.json",
        "qkd_required_if_used" : false // Whether the QKD source is required or optional when used.
    },
    "ccips_agent": {
        "address": {
            "host" : "host_where_the_ccips_agent_is_located",
            "port" : 12938 // Port where the CCIPS Agent is located
        },
        "credentials" : {
            "username": "username_to_access_to_ccips_agent_netconf_server",
            "password": "password_for_ccips_agent_netconf_server"
        }
    }
}
Check config/proxy_agent.json to see a correctly formatted and configured example.
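A pre-flight check for the configuration file described above, as an added example that is not part of the Proxy Agent's code. The parameter names and the argument-then-CFGFILE order come from the text; the function names, the exit on a missing path, the POSIX permission rule and the sample values are assumptions of this example.

```python
import json, os, pathlib, stat, tempfile
from functools import reduce

REQUIRED = """input_format proxy_agent_address.host proxy_agent_address.port log.file log.level
hybrid_module.address.host hybrid_module.address.port hybrid_module.public_node_info_path
hybrid_module.qkd_required_if_used ccips_agent.address.host ccips_agent.address.port
ccips_agent.credentials.username ccips_agent.credentials.password""".split()  # from the list above
SAMPLE = {  # constructed values, not the project's config/proxy_agent.json
    "input_format": "json", "log": {"file": "proxy_agent.log", "level": "INFO"},
    "proxy_agent_address": {"host": "192.0.2.10", "port": 3000},
    "hybrid_module": {"address": {"host": "192.0.2.20", "port": 24030},
                      "public_node_info_path": "./public_node_info.json",
                      "qkd_required_if_used": False},
    "ccips_agent": {"address": {"host": "192.0.2.30", "port": 12938},
                    "credentials": {"username": "example", "password": "example"}},
}

def resolve_config_path(argv, environ):
    """A command-line argument wins; CFGFILE is only the fallback."""
    path = argv[1] if len(argv) > 1 else environ.get("CFGFILE")
    if not path:
        raise SystemExit("no config file: pass a path or set CFGFILE")
    return path

def lookup(cfg, dotted):
    """Value at a dotted path, or None if any level is absent."""
    return reduce(lambda o, k: o.get(k) if isinstance(o, dict) else None, dotted.split("."), cfg)

def check_config(path):
    """Return the list of problems found in the config file (empty means OK)."""
    exposed = os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH)  # file holds a password
    problems = ["readable by group/others but contains credentials"] if exposed else []
    cfg = json.loads(pathlib.Path(path).read_text())  # strict JSON: comments are rejected
    for p in REQUIRED:
        value = lookup(cfg, p)
        if value is None:
            problems.append(f"missing {p}")
        elif p.endswith(".port") and (type(value) is not int or not 0 < value < 65536):
            problems.append(f"{p} is not a valid port: {value!r}")
        elif p.endswith("qkd_required_if_used") and type(value) is not bool:
            problems.append(f"{p} must be true or false, got {value!r}")
    return problems

def demo(mode):  # write SAMPLE with these permission bits, then resolve and check it
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "proxy_agent.json")
        path.write_text(json.dumps(SAMPLE))
        path.chmod(mode)
        return check_config(resolve_config_path(["proxy_agent.py"], {"CFGFILE": str(path)}))
```

When the file is bind-mounted into a container, the permission bits checked are those of the mounted file as seen inside the container.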
The public node information file (public_node_info_path) contains useful information about the nodes in the QKD/hybridization network:
Note: Each key in the dictionary is the prefix of the side of the IPsec tunnel that the information belongs to.
{
    "10.0.0.11/32": {
        "node_id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "proxy_agent_ip": "192.168.159.35",
        "role": {
            "192.168.123.200": "SERVER",
            "192.168.123.300": "SERVER"
        }
    },
    "10.0.0.20/32": {
        "node_id": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
        "proxy_agent_ip": "192.168.159.21",
        "role": {
            "192.168.123.100": "CLIENT",
            "192.168.123.300": "SERVER"
        }
    },
    "192.168.123.300": {
        "node_id": "cccccccc-cccc-cccc-cccc-cccccccccccc",
        "proxy_agent_ip": "192.168.159.37",
        "role": {
            "192.168.123.100": "CLIENT",
            "192.168.123.200": "CLIENT"
        }
    }
}