-
Notifications
You must be signed in to change notification settings - Fork 6
Configuration
This document provides the configuration settings for Arnika nodes Alice (MASTER) and Bob (BACKUP).
Arnika has been tested with multiple QKD and KMS systems from multiple vendors. The configuration below is a generic example that should work with most setups.
We have seen flapping caused by occasional delays in KMS key retrieval or even timeouts ( >10 seconds!) because of heavy KMS load. Such behaviour can lead to MASTER node switching to BACKUP and vice versa.
NOTE: This is not a bug in Arnika. Such behavior could be caused by the QKDN architecture implementation, KMS system (eg.: key processing time/key forwarding) or SDN.
To mitigate this, we recommend using a longer interval on the BACKUP node than on the MASTER node. The MASTER node should have a shorter interval to ensure timely key updates, while the BACKUP node can afford to wait a bit longer.
With Version v0.2.2 we have implemented a new configuration option KMS_HTTP_TIMEOUT to independently set a timeout for the KMS HTTP requests. This could be useful for fine tuning and to prevent the Arnika node from waiting too long for a response.
Interval on Alice (MASTER) should be set to 120s, which is the default re-key interval for WireGuard. This ensures that the key updates are timely and consistent with the WireGuard protocol.
Interval lower that 120 seconds are possible but does not make much sense as the WireGuard re-key interval is 120 seconds.
Interval can be set to any value, even to something like "0.001s" eg. to stress-test the KMS server, but this is not recommended for production use.
INTERVAL="120s"
LISTEN_ADDRESS="<ALICE_IP>:9999"
SERVER_ADDRESS="<BOB_IP>:9999"
CERTIFICATE="/opt/arnika/kms_certs/arnika-alice.crt"
PRIVATE_KEY="/opt/arnika/kms_certs/arnika-alice.key"
CA_CERTIFICATE="/opt/arnika/kms_certs/ca.crt"
KMS_URL="https://<ALICE_KMS_SERVER>:7000/api/v1/keys/arnika-bob"
KMS_HTTP_TIMEOUT="10s"
WIREGUARD_INTERFACE="qcicat0"
WIREGUARD_PEER_PUBLIC_KEY="<BOB_WIREGUARD_PUBLIC_KEY>"
PQC_PSK_FILE="/opt/rosenpass/key_out/pqc_psk"Recommentation: Use a longer interval on Bob to prevent MASTER/BACKUP flapping in case of delays in KMS key retrieval. The recommended interval is 137s, which includes the Alice interval, Alice's KMS HTTP timeout, and a safety margin.
INTERVAL="137s" => Alice-Interval 120s + Alice KMS HTTP timeout 10s + Safety 7s
INTERVAL="137s"
LISTEN_ADDRESS="<BOB_IP>:9999"
SERVER_ADDRESS="<ALICE_IP>:9999"
CERTIFICATE="/opt/arnika/kms_certs/arnika-bob.crt"
PRIVATE_KEY="/opt/arnika/kms_certs/arnika-bob.key"
CA_CERTIFICATE="/opt/arnika/kms_certs/ca.crt"
KMS_URL="https://<BOB_KMS_SERVER>:7000/api/v1/keys/arnika-alice"
KMS_HTTP_TIMEOUT="10s"
WIREGUARD_INTERFACE="qcicat0"
WIREGUARD_PEER_PUBLIC_KEY="<ALICE_WIREGUARD_PUBLIC_KEY>"
PQC_PSK_FILE="/opt/rosenpass/key_out/pqc_psk"