Open VSwitch with SSL and mininet


By default, Mininet uses the unencrypted port in Open vSwitch for OpenFlow. This makes total sense, since Mininet is a test tool: encryption isn't usually needed, and unencrypted control traffic lets you use tools like Wireshark to see the OpenFlow packets. But there are times when you might want to try OpenFlow over SSL. So I did a little test and, as usual, I'm doing my brain dump here to keep a record for myself.

To try it out, Mininet comes with the OpenFlow reference controller and ovs-controller. I looked at the OpenFlow reference controller, but it doesn't seem to support SSL.

$ controller --help
controller: OpenFlow controller
usage: controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.

Active OpenFlow connection methods:
  nl:DP_IDX               local datapath DP_IDX
  tcp:HOST[:PORT]         PORT (default: 6633) on remote TCP HOST
  unix:FILE               UNIX domain socket named FILE
  fd:N                    file descriptor N
Passive OpenFlow connection methods:
  ptcp:[PORT]             listen to TCP PORT (default: 6633)
  punix:FILE              listen on UNIX domain socket FILE

But it seems that ovs-controller supports SSL.

$ ovs-controller --help
ovs-controller: OpenFlow controller
usage: ovs-controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.

Active OpenFlow connection methods:
  tcp:IP[:PORT]           PORT (default: 6633) at remote IP
  ssl:IP[:PORT]           SSL PORT (default: 6633) at remote IP
  unix:FILE               UNIX domain socket named FILE
Passive OpenFlow connection methods:
  ptcp:[PORT][:IP]        listen to TCP PORT (default: 6633) on IP
  pssl:[PORT][:IP]        listen for SSL on PORT (default: 6633) on IP
  punix:FILE              listen on UNIX domain socket FILE
PKI configuration (required to use SSL):
  -p, --private-key=FILE  file with private key
  -c, --certificate=FILE  file with certificate for private key
  -C, --ca-cert=FILE      file with peer CA certificate

So for this little experiment, I just used ovs-controller. Other controllers like Ryu can also be used, as mentioned in this post that helped me work out some issues. So let's get started.

Create the keys and certificates for both OVS and the ovs-controller we'll use, then point OVS at its key, its certificate and the CA certificate it should trust for the controller.

cd /etc/openvswitch
sudo ovs-pki req+sign ctl controller
sudo ovs-pki req+sign sc switch
sudo ovs-vsctl set-ssl \
    /etc/openvswitch/sc-privkey.pem \
    /etc/openvswitch/sc-cert.pem \
    /var/lib/openvswitch/pki/controllerca/cacert.pem

The above might not be the most secure way to manage the keys, but again, this is for testing and experimentation.

In one window, let's start ovs-controller with SSL support, giving it the controller key and certificate and the switch CA certificate it should use to verify the switch.

sudo ovs-controller -v pssl:6633 \
    -p /etc/openvswitch/ctl-privkey.pem \
    -c /etc/openvswitch/ctl-cert.pem \
    -C /var/lib/openvswitch/pki/switchca/cacert.pem

Next, below is the Mininet Python script I used. Running this script creates a simple single-switch topology and sets the switch's controller target to SSL.

#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import Controller, RemoteController
from mininet.cli import CLI
from mininet.log import setLogLevel, info


def emptyNet():
    # Use a RemoteController so Mininet does not start its own controller;
    # ovs-controller is already listening on pssl:6633.
    net = Mininet(controller=RemoteController)
    net.addController('c0')
    h1 = net.addHost('h1')
    h2 = net.addHost('h2')
    s1 = net.addSwitch('s1')
    net.addLink(h1, s1)
    net.addLink(h2, s1)

    net.start()
    # Override the default tcp: target with an ssl: target on the switch itself.
    s1.cmd('ovs-vsctl set-controller s1 ssl:127.0.0.1:6633')

    net.pingAll()
    CLI(net)
    net.stop()


if __name__ == '__main__':
    setLogLevel('info')
    emptyNet()

When you run the script, you'll see that a pingAll test ran and passed. You can also check that the switch is connected to the controller over SSL.

$ sudo ovs-vsctl show
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
    ovs_version: "2.0.1"
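As a follow-up check for the steps above, here is a small added example (mine, not code from the original post) that parses `ovs-vsctl show` output and flags any bridge whose controller target is not ssl:, whose controller is not connected, or whose fail_mode is not secure. The sample output is constructed from the output above; the second bridge s2 is an assumed extra bridge, not from the post, so the check has something to report.

```python
# Constructed sample shaped like the `ovs-vsctl show` output above, plus an assumed
# second bridge s2 (not from the post) that still uses plain TCP and fail_mode standalone.
SAMPLE_SHOW = """\
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
    Bridge "s2"
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: standalone
    ovs_version: "2.0.1"
"""

def parse_bridges(show_output):
    """Map bridge name -> {"controllers": [[target, connected], ...], "fail_mode": str|None}."""
    bridges, cur = {}, None
    for line in show_output.splitlines():
        key, _, val = line.strip().partition(" ")
        val = val.strip().strip('"')
        if key == "Bridge":
            cur = bridges.setdefault(val, {"controllers": [], "fail_mode": None})
        elif cur is None:           # UUID / Manager lines before any Bridge block
            continue
        elif key == "Controller":
            cur["controllers"].append([val, False])
        elif key == "is_connected:" and cur["controllers"]:
            cur["controllers"][-1][1] = (val == "true")   # belongs to the last Controller
        elif key == "fail_mode:":
            cur["fail_mode"] = val
    return bridges

def audit(show_output):
    """One finding per problem: plaintext controller, controller down, or non-secure fail_mode."""
    findings = []
    for name, info in parse_bridges(show_output).items():
        for target, connected in info["controllers"]:
            if not target.startswith("ssl:"):
                findings.append(f"{name}: controller {target} is not SSL")
            if not connected:
                findings.append(f"{name}: controller {target} not connected")
        if info["fail_mode"] != "secure":
            findings.append(f"{name}: fail_mode is {info['fail_mode']}, not secure")
    return findings
```

On a live host, feed it the real output with `audit(subprocess.check_output(["sudo", "ovs-vsctl", "show"], text=True))`; an empty list means every bridge is talking SSL to a connected controller with fail_mode secure.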

This post 'Open VSwitch with SSL and Mininet' first appeared on http://gregorygee.wordpress.com/.
