Open vSwitch with SSL and Mininet
April 27, 2014 9 Comments
By default, Mininet uses the unencrypted port in Open vSwitch for OpenFlow. This makes total sense since the purpose of Mininet is a research tool, so encryption isn’t usually needed and using unencrypted control traffic allows for the use of tools like Wireshark to see the OpenFlow packets. But there are times when you might want to try and use OpenFlow over SSL. So I did a little research and as usual, doing my brain dump here to keep a record for myself.
To try it out, Mininet comes with the OpenFlow reference controller and the ovs-controller. I looked at the OpenFlow reference, but it doesn’t seem to support SSL.
mininet@mininet:~$ controller --help controller: OpenFlow controller usage: controller [OPTIONS] METHOD where METHOD is any OpenFlow connection method. Active OpenFlow connection methods: nl:DP_IDX local datapath DP_IDX tcp:HOST[:PORT] PORT (default: 6633) on remote TCP HOST unix:FILE Unix domain socket named FILE fd:N File descriptor N Passive OpenFlow connection methods: ptcp:[PORT] listen to TCP PORT (default: 6633) punix:FILE listen on Unix domain socket FILE
But it seems that the ovs-controller supports SSL.
mininet@mininet:~$ ovs-controller --help ovs-controller: OpenFlow controller usage: ovs-controller [OPTIONS] METHOD where METHOD is any OpenFlow connection method. Active OpenFlow connection methods: tcp:IP[:PORT] PORT (default: 6633) at remote IP ssl:IP[:PORT] SSL PORT (default: 6633) at remote IP unix:FILE Unix domain socket named FILE Passive OpenFlow connection methods: ptcp:[PORT][:IP] listen to TCP PORT (default: 6633) on IP pssl:[PORT][:IP] listen for SSL on PORT (default: 6633) on IP punix:FILE listen on Unix domain socket FILE PKI configuration (required to use SSL): -p, --private-key=FILE file with private key -c, --certificate=FILE file with certificate for private key -C, --ca-cert=FILE file with peer CA certificate
So for this little experiment, I just used ovs-controller. Other controllers like RYU can also be used as mentioned in this post that helped me work out some issues. So lets get started.
Create all the keys for both OVS and the ovs-controller we will use and set the SSL parameters for OVS.
cd /etc/openvswitch
sudo ovs-pki req+sign ctl controller
sudo ovs-pki req+sign sc switch
sudo ovs-vsctl set-ssl \
/etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/var/lib/openvswitch/pki/controllerca/cacert.pem
The above might not be the most secure way to manage the keys, but again, this is for research and experimentation.
In one window, let’s start the ovs-controller with SSL support.
sudo ovs-controller -v pssl:6633 \ -p /etc/openvswitch/ctl-privkey.pem \ -c /etc/openvswitch/ctl-cert.pem \ -C /var/lib/openvswitch/pki/switchca/cacert.pem
Next, below is the Mininet Python script I used. Run this Mininet script that creates a simple single switch tology and sets the controller to SSL.
#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import Controller, RemoteController
from mininet.cli import CLI
from mininet.log import setLogLevel, info
def emptyNet():
net = Mininet( controller=RemoteController )
net.addController( 'c0' )
h1 = net.addHost( 'h1' )
h2 = net.addHost( 'h2' )
s1 = net.addSwitch( 's1' )
net.addLink( h1, s1 )
net.addLink( h2, s1 )
net.start()
s1.cmd('ovs-vsctl set-controller s1 ssl:127.0.0.1:6633')
net.pingAll()
CLI( net )
net.stop()
if __name__ == '__main__':
setLogLevel( 'info' )
emptyNet()
When you run the script, you will see that a PingAll test ran and passed. You can also check and see that switch is connected using SSL.
mininet@mininet:~$ sudo ovs-vsctl show
902d6aa3-6a0a-4708-a286-3301c8b36430
Bridge "s1"
Controller "ssl:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port "s1"
Interface "s1"
type: internal
Port "s1-eth1"
Interface "s1-eth1"
Port "s1-eth2"
Interface "s1-eth2"
ovs_version: "2.0.1"
This post ‘Open vSwitch with SSL and Mininet’ first appeared on https://gregorygee.wordpress.com/.
Tech and Trains 
Hi,may I ask you a question?
Besides OVSController,Ryu,is there any controllers support ssl connection? I want to implement a ssl connection between OVSwitch and POX.
Thank you.
I haven’t really investigated which controllers support SSL. I’m assuming that most are supporting SSL. It is only the Openflow reference controller that didn’t, which can be expected. I’m assuming that Floodlight and OpenDaylight support SSL.
But according to the INSTALL.SSL ,I found the controller need ctl-privkey.pem ,ctl-cert.pem and switcha/cacert.pem files, the Floodlifht and OpenDaylight seem do not have certain procedures to support these files. I was so confused about this,so i want to ask you if you have any suggestions?
Thank you.
I’ve been looking, but I haven’t been able to find anything about Floodlight support of SSL. I even checked the Floodlight source code and it doesn’t seem to support it. I just recently made another post about how to get SSL enabled with Open Daylight. Hope you find it useful.
Pingback: Open Daylight Controller with SSL and Mininet | Tech and Trains
I cant find the etc directory…can you tell me where it can be found?
Which etc directory? If you mean /etc/openvswitch, then it should already exist if you installed Open vSwitch and started it up for the first time. If you installed OVS from source, you may have a different ‘prefix’ directory for you installation. Some packages like to put the folder under /usr/local/etc or something like that.
Hi every one, i want to set up ssl in all the Mininet:controller,Switch and hosts….how can i do it
Hello, I just wanted to check if it is possible to implement TLS resumption in SDN. I know mininet does not support ‘C’ unless compiled if I am not wrong and converting the code to python make the program really slow and not work. Is this correct?