Open vSwitch with SSL and Mininet

By default, Mininet uses the unencrypted port in Open vSwitch for OpenFlow. This makes total sense since Mininet is a research tool: encryption usually isn't needed, and unencrypted control traffic lets you use tools like Wireshark to see the OpenFlow packets. But there are times when you might want to try using OpenFlow over SSL. So I did a little research and, as usual, I'm doing my brain dump here to keep a record for myself.

To try it out, Mininet comes with the OpenFlow reference controller and the ovs-controller. I looked at the OpenFlow reference, but it doesn’t seem to support SSL.

$ controller --help
controller: OpenFlow controller
usage: controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.

Active OpenFlow connection methods:
  nl:DP_IDX               local datapath DP_IDX
  tcp:HOST[:PORT]         PORT (default: 6633) on remote TCP HOST
  unix:FILE               Unix domain socket named FILE
  fd:N                    File descriptor N
Passive OpenFlow connection methods:
  ptcp:[PORT]             listen to TCP PORT (default: 6633)
  punix:FILE              listen on Unix domain socket FILE

But it seems that the ovs-controller supports SSL.

$ ovs-controller --help
ovs-controller: OpenFlow controller
usage: ovs-controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.

Active OpenFlow connection methods:
  tcp:IP[:PORT]           PORT (default: 6633) at remote IP
  ssl:IP[:PORT]           SSL PORT (default: 6633) at remote IP
  unix:FILE               Unix domain socket named FILE
Passive OpenFlow connection methods:
  ptcp:[PORT][:IP]        listen to TCP PORT (default: 6633) on IP
  pssl:[PORT][:IP]        listen for SSL on PORT (default: 6633) on IP
  punix:FILE              listen on Unix domain socket FILE
PKI configuration (required to use SSL):
  -p, --private-key=FILE  file with private key
  -c, --certificate=FILE  file with certificate for private key
  -C, --ca-cert=FILE      file with peer CA certificate

So for this little experiment, I just used ovs-controller. Other controllers like RYU can also be used, as mentioned in this post that helped me work out some issues. So let's get started.

Create the keys and certificates for both OVS and the ovs-controller we will use, and point OVS at its private key, its certificate and the controller CA certificate.

cd /etc/openvswitch
sudo ovs-pki req+sign ctl controller
sudo ovs-pki req+sign sc switch
sudo ovs-vsctl set-ssl \
    /etc/openvswitch/sc-privkey.pem \
    /etc/openvswitch/sc-cert.pem \
    /var/lib/openvswitch/pki/controllerca/cacert.pem

The above might not be the most secure way to manage the keys, but again, this is for research and experimentation.
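Since the post leaves key management as an afterthought, here is an added example (my own script, not from the original post) that audits the three files passed to `ovs-vsctl set-ssl`: each must exist and look like PEM, and the switch's private key must not be readable by group or other. The default paths are the ones used above; `demo()` builds a constructed temporary directory with a deliberately world-readable key so the script runs offline.

```python
#!/usr/bin/env python3
"""Audit the files handed to `ovs-vsctl set-ssl` (added example, not from the post).

Checks that each PEM file exists, looks like PEM, and that the private key is
not readable by group or other. The default paths are the ones the post uses;
the demo below builds a constructed temporary directory so it runs offline.
"""
import os
import stat
import tempfile

# The three files the post passes to `ovs-vsctl set-ssl`, in argument order.
DEFAULT_SSL_FILES = {
    "private_key": "/etc/openvswitch/sc-privkey.pem",
    "certificate": "/etc/openvswitch/sc-cert.pem",
    "ca_certificate": "/var/lib/openvswitch/pki/controllerca/cacert.pem",
}


def audit_ssl_files(files):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    for role, path in files.items():
        if not os.path.isfile(path):
            findings.append(f"{role}: {path} is missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Only the private key is secret; certificates are public by design.
        if role == "private_key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{role}: {path} is group/world accessible (mode {mode:04o})")
        with open(path, "rb") as fh:
            head = fh.read(64)
        if not head.startswith(b"-----BEGIN "):
            findings.append(f"{role}: {path} does not look like a PEM file")
    return findings


def demo():
    """Constructed layout: returns (findings before fixing, findings after chmod 600)."""
    with tempfile.TemporaryDirectory() as d:
        files = {role: os.path.join(d, os.path.basename(p))
                 for role, p in DEFAULT_SSL_FILES.items()}
        for path in files.values():
            with open(path, "w") as fh:
                # Placeholder PEM body; ovs-pki would write real keys and certificates.
                fh.write("-----BEGIN PLACEHOLDER-----\nAAAA\n-----END PLACEHOLDER-----\n")
            os.chmod(path, 0o644)  # the mistake: the key is readable by everyone
        before = audit_ssl_files(files)
        os.chmod(files["private_key"], 0o600)
        after = audit_ssl_files(files)
    return before, after


if __name__ == "__main__":
    # On a real host run this as root, since /etc/openvswitch is root-owned.
    for finding in audit_ssl_files(DEFAULT_SSL_FILES) or ["no findings"]:
        print(finding)
```

Run it as root on the Mininet VM after the `ovs-pki` commands; any line it prints is something to fix before trusting the SSL setup.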

In one window, let’s start the ovs-controller with SSL support.

sudo ovs-controller -v pssl:6633 \
    -p /etc/openvswitch/ctl-privkey.pem \
    -c /etc/openvswitch/ctl-cert.pem \
    -C /var/lib/openvswitch/pki/switchca/cacert.pem

Next, below is the Mininet Python script I used. It creates a simple single-switch topology and sets the switch's controller target to SSL.

#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import Controller, RemoteController
from mininet.cli import CLI
from mininet.log import setLogLevel, info

def emptyNet():
    # RemoteController: the controller (ovs-controller) runs outside Mininet
    net = Mininet( controller=RemoteController )
    net.addController( 'c0' )
    h1 = net.addHost( 'h1' )
    h2 = net.addHost( 'h2' )
    s1 = net.addSwitch( 's1' )
    net.addLink( h1, s1 )
    net.addLink( h2, s1 )

    net.start()
    # Mininet configures a tcp: target by default; repoint s1 at the SSL listener
    s1.cmd( 'ovs-vsctl set-controller s1 ssl:127.0.0.1:6633' )

    net.pingAll()
    CLI( net )
    net.stop()

if __name__ == '__main__':
    setLogLevel( 'info' )
    emptyNet()

When you run the script, you will see that the pingAll test ran and passed. You can also check that the switch is connected to the controller over SSL.

$ sudo ovs-vsctl show
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
    ovs_version: "2.0.1"
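Eyeballing `ovs-vsctl show` works for one switch; for anything larger it is worth scripting the check. The following is an added example (mine, not from the original post) that parses the indented text `ovs-vsctl show` prints and flags any bridge whose controller target is not `ssl:`, is not connected, or whose `fail_mode` is not `secure`. The sample output is the post's, with a constructed second bridge `s2` added so the check has something to report.

```python
#!/usr/bin/env python3
"""Check `ovs-vsctl show` output for bridges that are not on a connected SSL controller.

Added example, not from the original post. The sample below is the post's
output with a constructed bridge "s2" appended to show what a finding looks like.
"""
import re

SAMPLE_OUTPUT = """\
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth1"
            Interface "s1-eth1"
    Bridge "s2"
        Controller "tcp:127.0.0.1:6633"
        fail_mode: standalone
        Port "s2-eth1"
            Interface "s2-eth1"
    ovs_version: "2.0.1"
"""

# Indentation is fixed in ovs-vsctl's output: bridge at 4, controller/fail_mode
# at 8, is_connected at 12. Quotes around names are optional (newer OVS omits them).
BRIDGE_RE = re.compile(r'^\s{4}Bridge "?([^"\s]+)"?\s*$')
CONTROLLER_RE = re.compile(r'^\s{8}Controller "?([^"\s]+)"?\s*$')
CONNECTED_RE = re.compile(r'^\s{12}is_connected:\s*(true|false)\s*$')
FAIL_MODE_RE = re.compile(r'^\s{8}fail_mode:\s*(\S+)\s*$')


def parse_show(text):
    """Return {bridge: {"controllers": [[target, connected], ...], "fail_mode": str|None}}."""
    bridges = {}
    current = None
    for line in text.splitlines():
        m = BRIDGE_RE.match(line)
        if m:
            current = bridges.setdefault(m.group(1), {"controllers": [], "fail_mode": None})
            continue
        if current is None:
            continue
        m = CONTROLLER_RE.match(line)
        if m:
            # is_connected is absent when the controller is down, so default to False.
            current["controllers"].append([m.group(1), False])
            continue
        m = CONNECTED_RE.match(line)
        if m and current["controllers"]:
            current["controllers"][-1][1] = (m.group(1) == "true")
            continue
        m = FAIL_MODE_RE.match(line)
        if m:
            current["fail_mode"] = m.group(1)
    return bridges


def check_ssl_controllers(text):
    """Return findings; an empty list means every bridge is on a connected SSL controller."""
    findings = []
    for name, info in parse_show(text).items():
        if not info["controllers"]:
            findings.append(f"{name}: no controller configured")
        for target, connected in info["controllers"]:
            if not target.startswith("ssl:"):
                findings.append(f"{name}: controller {target} is not SSL")
            if not connected:
                findings.append(f"{name}: controller {target} is not connected")
        if info["fail_mode"] != "secure":
            findings.append(f"{name}: fail_mode is {info['fail_mode']}, expected secure")
    return findings


if __name__ == "__main__":
    import shutil
    import subprocess
    if shutil.which("ovs-vsctl"):  # live output when run as root on the switch host
        text = subprocess.run(["ovs-vsctl", "show"], capture_output=True, text=True).stdout
    else:  # offline: fall back to the constructed sample
        text = SAMPLE_OUTPUT
    for finding in check_ssl_controllers(text) or ["all bridges on connected SSL controllers"]:
        print(finding)
```

The `fail_mode` check is there because `secure` is what makes the SSL setup meaningful: with `standalone`, a bridge that loses its controller falls back to acting as a plain learning switch, so a failed SSL handshake would silently turn into unmanaged forwarding rather than a visible outage.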

This post ‘Open vSwitch with SSL and Mininet’ first appeared on http://gregorygee.wordpress.com/.

Time: 2024-11-26 01:28:57