WAN Emulation
Purpose
WAN emulation uses Linux tc netem to simulate degraded network conditions. This is critical for HDCP validation: Defence deployable datacenters operate under DDIL (Denied, Disrupted, Intermittent, Limited) conditions, and the infrastructure must tolerate high latency, packet loss, and bandwidth constraints.
tc netem Overview
netem (Network Emulator) is a Linux kernel queueing discipline (the sch_netem module), configured through the tc (Traffic Control) utility, that adds configurable delay, loss, duplication, and reordering to network traffic. Because it operates at the qdisc (queueing discipline) level, a root netem qdisc affects only traffic leaving the interface it is attached to.
```bash
# Basic syntax
tc qdisc add dev <interface> root netem <parameters>
# Remove emulation
tc qdisc del dev <interface> root
```
Latency Profiles
Three predefined profiles live in wan-emulation/profiles/:
Normal (Baseline)
Simulates a typical European internet connection. Used as the control case.
```bash
# wan-emulation/profiles/normal.sh
tc qdisc add dev eth0 root netem \
  delay 15ms 5ms distribution normal \
  loss 0.1%
```
| Parameter | Value |
|---|---|
| Latency | 15ms +/- 5ms (normal distribution) |
| Packet loss | 0.1% |
| Bandwidth | Unlimited |
| Use case | Baseline testing, normal operations |
Degraded
Simulates a congested or long-haul satellite link. Typical for rear-area Defence operations.
```bash
# wan-emulation/profiles/degraded.sh
tc qdisc add dev eth0 root netem \
  delay 200ms 50ms distribution pareto \
  loss 2% 25% \
  duplicate 0.5% \
  reorder 5% 50%
```
| Parameter | Value |
|---|---|
| Latency | 200ms +/- 50ms (pareto distribution -- bursty) |
| Packet loss | 2% (25% correlation) |
| Duplication | 0.5% |
| Reorder | 5% (50% correlation) |
| Use case | Satellite link, congested WAN |
DDIL Severe
Simulates denied/disrupted conditions. Tests resilience under extreme degradation.
```bash
# wan-emulation/profiles/ddil-severe.sh
tc qdisc add dev eth0 root netem \
  delay 800ms 300ms distribution pareto \
  loss 15% 50% \
  duplicate 2% \
  reorder 25% 75% \
  rate 256kbit
```
| Parameter | Value |
|---|---|
| Latency | 800ms +/- 300ms (pareto -- highly variable) |
| Packet loss | 15% (50% correlation -- burst losses) |
| Duplication | 2% |
| Reorder | 25% (75% correlation) |
| Bandwidth | 256 kbit/s |
| Use case | Tactical edge, DDIL environment |
Network Namespace Topologies
To avoid affecting production traffic, WAN emulation runs inside isolated network namespaces:
```mermaid
flowchart TB
    subgraph Default["Default Namespace (production)"]
        App["K3s workloads"]
        Mgmt["Management traffic"]
    end
    subgraph WanNS["wan-test Namespace"]
        Client["Test client"]
        Netem["tc netem rules"]
        Server["Test server / target"]
    end
    Client -->|"degraded link"| Netem
    Netem -->|"emulated"| Server
    App -.->|"unaffected"| Internet((Internet))
```
Setup
```bash
# Create isolated namespace
ip netns add wan-test
# Create veth pair
ip link add wan-a type veth peer name wan-b
ip link set wan-b netns wan-test
# Assign IPs
ip addr add 192.168.100.1/24 dev wan-a
ip netns exec wan-test ip addr add 192.168.100.2/24 dev wan-b
# Bring up interfaces
ip link set wan-a up
ip netns exec wan-test ip link set wan-b up
ip netns exec wan-test ip link set lo up
# Apply netem to the veth inside the namespace
ip netns exec wan-test tc qdisc add dev wan-b root netem delay 200ms 50ms loss 2%
```
Testing Inside the Namespace
```bash
# Run a test from within the namespace
ip netns exec wan-test ping 192.168.100.1
ip netns exec wan-test curl http://192.168.100.1:8080/
ip netns exec wan-test iperf3 -c 192.168.100.1
# Run entire applications in the namespace
# (the API server address in the kubeconfig must be reachable from inside wan-test)
ip netns exec wan-test kubectl --kubeconfig=/etc/rancher/k3s/k3s.yaml get pods
```
HDCP Relevance
| HDCP Concept | WAN Emulation Application |
|---|---|
| Deployable DC resilience | Test cluster operations under DDIL conditions |
| Federated cluster sync | Simulate Fleet GitOps sync over degraded links |
| Edge autonomy | Validate that Beast can operate with intermittent Hub connectivity |
| Graceful degradation | Verify monitoring/alerting still functions under packet loss |
| Bandwidth planning | Determine minimum bandwidth for K3s agent-server communication |
| Satellite link simulation | Test Rancher downstream cluster management over high-latency links |
Key finding
K3s agent-to-server communication tolerates up to ~500ms latency and 5% packet loss before node status flaps between Ready/NotReady. Above 10% loss, the agent loses registration and must rejoin.
Automation
The scripts/wan-test.sh wrapper applies profiles and runs test suites:
```bash
# Apply a profile
./scripts/wan-test.sh apply degraded
# Run test suite under a profile
./scripts/wan-test.sh test ddil-severe
# Clean up
./scripts/wan-test.sh clean
```
Test results are logged to wan-emulation/results/ with timestamps for comparison across profiles.
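
The following added example is not the project's scripts/wan-test.sh. It shows one way to apply the three profiles above only inside a network namespace, so that a netem qdisc can never land on an interface in the default (production) namespace. The function names, the DRY_RUN switch, and the use of the wan-test/wan-b pair from the Setup section as defaults are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's wan-test.sh. Netem parameters are the three
# profiles from this page; function names and DRY_RUN are assumptions.

# Print the netem parameters for a named profile; return 1 if unknown.
profile_params() {
  case "$1" in
    normal)      echo "delay 15ms 5ms distribution normal loss 0.1%" ;;
    degraded)    echo "delay 200ms 50ms distribution pareto loss 2% 25% duplicate 0.5% reorder 5% 50%" ;;
    ddil-severe) echo "delay 800ms 300ms distribution pareto loss 15% 50% duplicate 2% reorder 25% 75% rate 256kbit" ;;
    *)           return 1 ;;
  esac
}

# Refuse to build any tc command that is not scoped to a namespace and device.
require_scope() {
  [ -n "$1" ] || { echo "refusing: no namespace given" >&2; return 2; }
  [ -n "$2" ] || { echo "refusing: no device given" >&2; return 2; }
}

# Build the apply command. 'replace' swaps an existing root qdisc, so
# switching profiles does not fail the way a second 'add' would.
netem_cmd() {
  local params
  require_scope "$2" "$3" || return $?
  params="$(profile_params "$1")" || { echo "unknown profile: $1" >&2; return 1; }
  echo "ip netns exec $2 tc qdisc replace dev $3 root netem $params"
}

# Build the matching cleanup command.
clean_cmd() {
  require_scope "$1" "$2" || return $?
  echo "ip netns exec $1 tc qdisc del dev $2 root"
}

# Apply a profile (defaults: wan-test / wan-b from the Setup section).
# With DRY_RUN=1 the command is printed instead of executed.
apply_profile() {
  local cmd
  cmd="$(netem_cmd "$1" "${2:-wan-test}" "${3:-wan-b}")" || return $?
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else $cmd; fi
}
```

Running `DRY_RUN=1 apply_profile ddil-severe` first lets you review the exact command before it changes any qdisc.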