Open Daylight Controller with SSL and Mininet

May 8, 2014 Leave a comment

In a previous post, I discussed how to run Open vSwtich using SSL for the control traffic using Mininet and also how to start the Open vSwitch test controller (ovs-controller) to listen with SSL. In this post I show how to use Open Daylight as the controller using SSL.

First, go to ODL directory and create a directory we’ll work in. You could use the ‘configuration’ directory. I’m going to create a directory called ssl.

cd /home/odl/controller/opendaylight/distribution/opendaylight/target/distribution.opendaylight-osgipackage/opendaylight
mkdir ssl
cd ssl

Get keys and certs from Mininet VM described in other post and put them in your ssl directory.

Get the controller keys.
/etc/openvswitch/ctl-privkey.pem
/etc/openvswitch/ctl-cert.pem
Get the switch cacert.
/var/lib/openvswitch/pki/switchca/cacert.pem  -> and rename to sw-cacert.pem

Create controller key store for ODL using the keys.

cat ctl-privkey.pem ctl-cert.pem > ctl.pem
openssl pkcs12 -export -out ctl.p12 -in ctl.pem
  # when asked for passwords, just enter 'mininet', as an example.
keytool -importkeystore -srckeystore ctl.p12 -srcstoretype pkcs12 -destkeystore ctlKeyStore -deststoretype jks
  # when asked for passwords, just enter 'mininet', as an example.

Add switch CA to controller trust store.

keytool -import -alias swca1 -file sw-cacert.pem -keystore ctlTrustStore
  # when asked for passwords, just enter 'mininet', as an example.

Edit opendaylight/configuration/config.ini to enable SSL and set properties for store location and password.

secureChannelEnabled=true
controllerKeyStore=./ssl/ctlKeyStore
controllerKeyStorePassword=mininet
controllerTrustStore=./ssl/ctlTrustStore
controllerTrustStorePassword=mininet

Now you can start the ODL controller.

./run.sh

Then, back in your Mininet VM, run the same script used in the other post to start Mininet using SSL.

Hope you find this useful.

This post ‘Open Daylight Controller with SSL and Mininet’ first appeared on https://techandtrains.com/.

Filed under Mininet, SDN

Starting OVS Controller with SSL inside Mininet

May 3, 2014 3 Comments

To continue with my previous post about using SSL, I thought I would pass along another alternative way to start the test OVS Controller. In the other post, we start the ovs-controller manually and set the Mininet script to use a RemoteController. But if you want to start the ovs-controller from your script, we just replace the RemoteController with OVSController and also pass in the parameters to start the controller listening on SSL. Below is the same script as my last post but with the changes I just mentioned.

#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import Controller, RemoteController, OVSController
from mininet.cli import CLI
from mininet.log import setLogLevel, info

def emptyNet():
    net = Mininet( controller=OVSController)
    net.addController( 'c0', cargs='-v pssl:%d -p /etc/openvswitch/ctl-privkey.pem \
     -c /etc/openvswitch/ctl-cert.pem \
     -C /var/lib/openvswitch/pki/switchca/cacert.pem' )
    h1 = net.addHost( 'h1' )
    h2 = net.addHost( 'h2' )
    s1 = net.addSwitch( 's1' )
    net.addLink( h1, s1 )
    net.addLink( h2, s1 )

    net.start()
    s1.cmd('ovs-vsctl set-controller s1 ssl:127.0.0.1:6633')

    net.pingAll()
    CLI( net )
    net.stop()

if __name__ == '__main__':
    setLogLevel( 'info' )
    emptyNet()

This post ‘Starting OVS Controller with SSL inside Mininet’ first appeared on https://gregorygee.wordpress.com/.

Filed under Mininet, SDN Tagged with , , ,

Open vSwitch with SSL and Mininet

April 27, 2014 9 Comments

By default, Mininet uses the unencrypted port in Open vSwitch for OpenFlow. This makes total sense since the purpose of Mininet is a research tool, so encryption isn’t usually needed and using unencrypted control traffic allows for the use of tools like Wireshark to see the OpenFlow packets. But there are times when you might want to try and use OpenFlow over SSL. So I did a little research and as usual, doing my brain dump here to keep a record for myself.

To try it out, Mininet comes with the OpenFlow reference controller and the ovs-controller. I looked at the OpenFlow reference, but it doesn’t seem to support SSL.

mininet@mininet:~$ controller --help
controller: OpenFlow controller
usage: controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.

Active OpenFlow connection methods:
  nl:DP_IDX               local datapath DP_IDX
  tcp:HOST[:PORT]         PORT (default: 6633) on remote TCP HOST
  unix:FILE               Unix domain socket named FILE
  fd:N                    File descriptor N
Passive OpenFlow connection methods:
  ptcp:[PORT]             listen to TCP PORT (default: 6633)
  punix:FILE              listen on Unix domain socket FILE

But it seems that the ovs-controller supports SSL.

mininet@mininet:~$ ovs-controller --help
ovs-controller: OpenFlow controller
usage: ovs-controller [OPTIONS] METHOD
where METHOD is any OpenFlow connection method.

Active OpenFlow connection methods:
  tcp:IP[:PORT]           PORT (default: 6633) at remote IP
  ssl:IP[:PORT]           SSL PORT (default: 6633) at remote IP
  unix:FILE               Unix domain socket named FILE
Passive OpenFlow connection methods:
  ptcp:[PORT][:IP]        listen to TCP PORT (default: 6633) on IP
  pssl:[PORT][:IP]        listen for SSL on PORT (default: 6633) on IP
  punix:FILE              listen on Unix domain socket FILE
PKI configuration (required to use SSL):
  -p, --private-key=FILE  file with private key
  -c, --certificate=FILE  file with certificate for private key
  -C, --ca-cert=FILE      file with peer CA certificate

So for this little experiment, I just used ovs-controller. Other controllers like RYU can also be used as mentioned in this post that helped me work out some issues. So lets get started.

Create all the keys for both OVS and the ovs-controller we will use and set the SSL parameters for OVS.

cd /etc/openvswitch
sudo ovs-pki req+sign ctl controller
sudo ovs-pki req+sign sc switch
sudo ovs-vsctl set-ssl \
    /etc/openvswitch/sc-privkey.pem \
    /etc/openvswitch/sc-cert.pem \
    /var/lib/openvswitch/pki/controllerca/cacert.pem

The above might not be the most secure way to manage the keys, but again, this is for research and experimentation.

In one window, let’s start the ovs-controller with SSL support.

sudo ovs-controller -v pssl:6633 \
     -p /etc/openvswitch/ctl-privkey.pem \
     -c /etc/openvswitch/ctl-cert.pem \
     -C /var/lib/openvswitch/pki/switchca/cacert.pem

Next, below is the Mininet Python script I used. Run this Mininet script that creates a simple single switch tology and sets the controller to SSL.

#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import Controller, RemoteController
from mininet.cli import CLI
from mininet.log import setLogLevel, info

def emptyNet():
    net = Mininet( controller=RemoteController )
    net.addController( 'c0' )
    h1 = net.addHost( 'h1' )
    h2 = net.addHost( 'h2' )
    s1 = net.addSwitch( 's1' )
    net.addLink( h1, s1 )
    net.addLink( h2, s1 )
    
    net.start()
    s1.cmd('ovs-vsctl set-controller s1 ssl:127.0.0.1:6633')
    
    net.pingAll()
    CLI( net )
    net.stop()
    
if __name__ == '__main__':
    setLogLevel( 'info' )
    emptyNet()

When you run the script, you will see that a PingAll test ran and passed. You can also check and see that switch is connected using SSL.

mininet@mininet:~$ sudo ovs-vsctl show
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
    ovs_version: "2.0.1"

This post ‘Open vSwitch with SSL and Mininet’ first appeared on https://gregorygee.wordpress.com/.

Filed under Mininet, SDN Tagged with ,

Older posts

Newer posts