

Open vSwitch with SSL and Mininet

By default, Mininet uses the unencrypted port in Open vSwitch for OpenFlow. This makes sense, since Mininet is a research tool: encryption usually isn't needed, and unencrypted control traffic lets you use tools like Wireshark to see the OpenFlow packets. But there are times when you might want to try using OpenFlow over SSL. So I did a little research and, as usual, I'm doing my brain dump here to keep a record for myself.

To try it out, Mininet comes with the OpenFlow reference controller and the ovs-controller. I looked at the OpenFlow reference, but it doesn’t seem to support SSL.

mininet@mininet:~$ controller --help
controller: OpenFlow controller
usage: controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.
Active OpenFlow connection methods:
  nl:DP_IDX               local datapath DP_IDX
  tcp:HOST[:PORT]         PORT (default: 6633) on remote TCP HOST
  unix:FILE               Unix domain socket named FILE
  fd:N                    File descriptor N
Passive OpenFlow connection methods:
  ptcp:[PORT]             listen to TCP PORT (default: 6633)
  punix:FILE              listen on Unix domain socket FILE

But it seems that the ovs-controller supports SSL.

mininet@mininet:~$ ovs-controller --help
ovs-controller: OpenFlow controller
usage: ovs-controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.
Active OpenFlow connection methods:
  tcp:IP[:PORT]           PORT (default: 6633) at remote IP
  ssl:IP[:PORT]           SSL PORT (default: 6633) at remote IP
  unix:FILE               Unix domain socket named FILE
Passive OpenFlow connection methods:
  ptcp:[PORT][:IP]        listen to TCP PORT (default: 6633) on IP
  pssl:[PORT][:IP]        listen for SSL on PORT (default: 6633) on IP
  punix:FILE              listen on Unix domain socket FILE
PKI configuration (required to use SSL):
  -p, --private-key=FILE  file with private key
  -c, --certificate=FILE  file with certificate for private key
  -C, --ca-cert=FILE      file with peer CA certificate

So for this little experiment, I just used ovs-controller. Other controllers, like Ryu, can also be used, as mentioned in this post, which helped me work out some issues. So let's get started.

Create the keys and certificates for both OVS and the ovs-controller we will use, and set the SSL parameters for OVS.

cd /etc/openvswitch
sudo ovs-pki req+sign ctl controller
sudo ovs-pki req+sign sc switch
sudo ovs-vsctl set-ssl \
    /etc/openvswitch/sc-privkey.pem \
    /etc/openvswitch/sc-cert.pem \
    /var/lib/openvswitch/pki/controllerca/cacert.pem

The above might not be the most secure way to manage the keys, but again, this is for research and experimentation.

In one window, let’s start the ovs-controller with SSL support.

sudo ovs-controller -v pssl:6633 \
    -p /etc/openvswitch/ctl-privkey.pem \
    -c /etc/openvswitch/ctl-cert.pem \
    -C /var/lib/openvswitch/pki/switchca/cacert.pem

Next, below is the Mininet Python script I used. It creates a simple single-switch topology and sets the switch's controller to SSL.

#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import Controller, RemoteController
from mininet.cli import CLI
from mininet.log import setLogLevel, info

def emptyNet():
    # Use an external controller; RemoteController defaults to 127.0.0.1:6633
    net = Mininet( controller=RemoteController )
    net.addController( 'c0' )
    h1 = net.addHost( 'h1' )
    h2 = net.addHost( 'h2' )
    s1 = net.addSwitch( 's1' )
    net.addLink( h1, s1 )
    net.addLink( h2, s1 )

    net.start()
    # Mininet configures the switch with a tcp: target; replace it with
    # the ssl: target so the switch uses the keys set with ovs-vsctl set-ssl
    s1.cmd('ovs-vsctl set-controller s1 ssl:127.0.0.1:6633')

    net.pingAll()
    CLI( net )
    net.stop()

if __name__ == '__main__':
    setLogLevel( 'info' )
    emptyNet()

When you run the script, you will see that a pingAll test ran and passed. You can also check and see that the switch is connected using SSL.

mininet@mininet:~$ sudo ovs-vsctl show
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
    ovs_version: "2.0.1"
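A check worth scripting after the steps above, added here as an example that is not part of the original post: parse the `ovs-vsctl show` output and flag any bridge whose controller target is not `ssl:`, is not connected, or lacks `fail_mode: secure` (without secure fail mode, OVS falls back to acting as a normal learning switch whenever the controller is unreachable). The sample output is constructed: s1 mirrors the post's switch, s2 is a deliberately misconfigured bridge.

```python
import re

# `ovs-vsctl show` output, constructed for this example: s1 mirrors the
# post's healthy switch, s2 is a deliberately misconfigured bridge.
SAMPLE_SHOW = """\
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1-eth1"
            Interface "s1-eth1"
    Bridge "s2"
        Controller "tcp:127.0.0.1:6633"
            is_connected: false
    ovs_version: "2.0.1"
"""

def parse_bridges(show_output):
    """Map bridge name -> {"controllers": [[target, connected], ...], "fail_mode": str|None}."""
    bridges, cur, ctl = {}, None, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if m := re.match(r'Bridge "?([^"]+)"?$', line):
            cur = bridges.setdefault(m.group(1), {"controllers": [], "fail_mode": None})
            ctl = None
        elif cur is None:
            continue
        elif m := re.match(r'Controller "?([^"]+)"?$', line):
            ctl = [m.group(1), False]          # connected flag filled in below
            cur["controllers"].append(ctl)
        elif m := re.match(r"is_connected: (true|false)$", line):
            if ctl is not None:
                ctl[1] = m.group(1) == "true"
        elif m := re.match(r"fail_mode: (\w+)$", line):
            cur["fail_mode"] = m.group(1)
    return bridges

def check_ssl_control(show_output):
    """Return one finding per problem; an empty list means every bridge is OK."""
    findings = []
    for name, b in parse_bridges(show_output).items():
        for target, connected in b["controllers"]:
            if not target.startswith("ssl:"):
                findings.append("%s: controller %s is plaintext, not ssl:" % (name, target))
            if not connected:
                findings.append("%s: controller %s is not connected" % (name, target))
        if b["fail_mode"] != "secure":
            findings.append("%s: fail_mode is %s, expected secure" % (name, b["fail_mode"]))
    return findings
```

On a live system, feed it `subprocess.check_output(["ovs-vsctl", "show"], text=True)` instead of the constructed sample.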

This post ‘Open vSwitch with SSL and Mininet’ first appeared on http://gregorygee.wordpress.com/.