Secure TLS connection

At this point, you have a pretty good migration story: you have already developed your application to work with the existing infrastructure, and you are on your way to flipping more devices. You might be wondering whether you should encrypt the messages between the controller and the network devices. In fact, you might be wondering why we waited this long to discuss this topic.

There are several reasons:

  • During development and initial migration, you want as few moving variables as possible. It is difficult enough to do something new; you do not need to worry about encryption if you don't have to.
  • Sometimes, for troubleshooting, you might not have a switch that can capture packets natively, or the switch might not have enough buffer to perform verbose captures. You would then be required to run tcpdump outside of your two endpoints, and an encrypted session would leave that capture unreadable.
  • You may already have your own PKI infrastructure. If that is the case, please follow your own certificate-generation steps and have the certificates signed by your own certificate authority.

Having said that, we are here, so let's go over the steps to have Open vSwitch communicate with the Ryu controller over SSL.

You can consult the Ryu document on setting up a TLS connection (http://ryu.readthedocs.io/en/latest/tls.html) and the article on configuring Open vSwitch for SSL (http://openvswitch.org/support/dist-docs-2.5/INSTALL.SSL.md.html). I combined the steps from those two articles to be more specific to our SDNHub virtual machine. For example, we do not need to initialize the PKI script, and cacert.pem is under /var/lib/openvswitch/pki/controllerca/ instead of /usr/local/var/lib/openvswitch/pki/controllerca.

Let's change to the Open vSwitch directory on our VM and create a switch private key and certificate:

$ cd /etc/openvswitch
$ sudo ovs-pki req+sign sc switch

Let's also create the controller private key and certificate in the same directory:

$ sudo ovs-pki req+sign ctl controller

I have created a Mininet topology similar to the other topology, with the exception of the following line, which specifies an SSL connection to the controller:

c1 = net.addController('c0')
...
s1 = net.addSwitch('s1')
...
# ssl: instead of tcp: makes the switch open a TLS session to the controller
s1.cmd('ovs-vsctl set-controller s1 ssl:127.0.0.1:6633')

We can launch the Mininet topology:

$ sudo python mastering_python_networking/Chapter13/chapter13_mininet_4.py

We will launch the controller with the private key and cert options:

$ sudo ryu-manager --ctl-privkey /etc/openvswitch/ctl-privkey.pem --ctl-cert /etc/openvswitch/ctl-cert.pem --ca-certs /var/lib/openvswitch/pki/switchca/cacert.pem --verbose ryu/app/simple_switch_13.py

You should be able to see the SSL message on the Ryu console. You can also verify using the ovs-vsctl show command:

# Ryu console
connected socket:<eventlet.green.ssl.GreenSSLSocket object at 0x7f603f8b0c08> address:('127.0.0.1', 59430)

# ovs-vsctl
$ sudo ovs-vsctl show
873c293e-912d-4067-82ad-d1116d2ad39f
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
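Checking ovs-vsctl show by eye works for one bridge, but once more devices are flipped from tcp: to ssl: you want the check scripted. The following Python script is an added example, not code from the book: it parses ovs-vsctl show output (a constructed sample in the same format is embedded, with placeholder UUID and addresses) and reports any bridge that still points at a cleartext controller, has no TLS session up, or is not in fail_mode secure; audit_live() assumes it runs on the same SDNHub VM where sudo ovs-vsctl show works.

```python
# Added example (not from the book): audit `ovs-vsctl show` output so that every
# bridge reaches its controller over ssl:. audit_live() assumes the SDNHub VM.
import re
import subprocess
# Constructed sample in the format ovs-vsctl show prints (UUID and addresses are
# placeholders): s1 is migrated to ssl:, s2 is still on a cleartext tcp: target.
SAMPLE_OUTPUT = """\
873c293e-912d-4067-82ad-d1116d2ad39f
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
    Bridge "s2"
        Controller "tcp:127.0.0.1:6633"
        fail_mode: standalone
"""

def parse_show(text):
    """Per bridge: {name, fail_mode, controllers: [{target, is_connected}]}.
    The is_connected line is absent when no session is up, so it defaults to False."""
    bridges, bridge = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'Bridge "?([^"]+)"?$', line):
            bridges.append(bridge := {"name": m.group(1), "fail_mode": "", "controllers": []})
        elif bridge is None:
            continue  # the database UUID line precedes the first Bridge
        elif m := re.match(r'Controller "?([^"]+)"?$', line):
            bridge["controllers"].append({"target": m.group(1), "is_connected": False})
        elif line.startswith("is_connected:") and bridge["controllers"]:
            bridge["controllers"][-1]["is_connected"] = line.split(":", 1)[1].strip() == "true"
        elif line.startswith("fail_mode:"):
            bridge["fail_mode"] = line.split(":", 1)[1].strip()
    return bridges

def audit(bridges):
    """One finding per problem: cleartext target, TLS session not up, fail_mode not secure."""
    findings = []
    for b in bridges:
        for c in b["controllers"]:
            if not c["target"].startswith("ssl:"):
                findings.append(f"{b['name']}: cleartext controller {c['target']}")
            elif not c["is_connected"]:
                findings.append(f"{b['name']}: {c['target']} not connected (check key, cert, CA paths)")
        if b["fail_mode"] != "secure":  # standalone falls back to L2 learning with no controller
            findings.append(f"{b['name']}: fail_mode is {b['fail_mode'] or 'unset'}, expected secure")
    return findings

def audit_live():
    return audit(parse_show(subprocess.check_output(["sudo", "ovs-vsctl", "show"], text=True)))
```

On the sample, s1 passes and s2 produces two findings; on the VM, call audit_live() and expect an empty list once every bridge is on ssl: and connected.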

Great! Now we can avoid any casual snooping of our OpenFlow messages between Ryu and the switch (yes, I realize our setup is in a single virtual machine). In the next section, let's examine a few marketplace switches' implementations of OpenFlow to help us pick the best switch for our network.
