OpenvSwitch Lab 6: TLS / SSL

As set up in the earlier post, Building OpenvSwitch v2.1.2 on Ubuntu 12.04 LTS, the channel between OpenvSwitch and the OpenFlow controller has no security at all: OpenFlow control messages travel across the network in the clear, which is very insecure. OpenvSwitch ships with ovs-pki, which can generate the corresponding SSL keys to protect that traffic.

OpenvSwitch side

  • Generate keys

    ovs-pki init --force
    cd /usr/local/etc/openvswitch
    ovs-pki req+sign roan-controller-ssl controller
    ovs-pki req+sign roan-switch-ssl switch
    
    • If logging is enabled, the details are in /usr/local/var/log/openvswitch/ovs-pki.log
    • Copy the following three files to the OpenFlow controller server:
      1. /usr/local/etc/openvswitch/roan-controller-ssl-cert.pem
      2. /usr/local/etc/openvswitch/roan-controller-ssl-privkey.pem
      3. /usr/local/var/lib/openvswitch/pki/switchca/cacert.pem
  • Configure TLS on OpenvSwitch

    # argument order: private key, signed certificate (*-cert.pem, not the *-req.pem signing request),
    # then the CA certificate that signed the controller's certificate
    ovs-vsctl -- --bootstrap set-ssl /usr/local/etc/openvswitch/roan-switch-ssl-privkey.pem \
                                     /usr/local/etc/openvswitch/roan-switch-ssl-cert.pem \
                                     /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
    
    • ovs-vsctl get-ssl shows the current SSL setting
  • ovs-vsctl configuration

    ovs-vsctl add-br ovs-br
    ovs-vsctl set-controller ovs-br ssl:x.x.x.x:6633
    
  • Screenshot
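
The three steps above (generate the key pair, point set-ssl at the right files, attach the controller over ssl:) fail silently in one common way: the *-req.pem signing request gets passed where the signed *-cert.pem belongs, or the arguments are given in the wrong order. The script below is an added example, my own and not part of the original post, that checks the PEM type of each file before calling ovs-vsctl set-ssl, and optionally confirms that the private key matches the certificate. The file names and paths follow the post's /usr/local layout and are assumptions; the OVS_SSL_APPLY variable is my own convention so the file can be sourced for its functions without touching the switch.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the three PEM
# files handed to `ovs-vsctl set-ssl PRIVATE-KEY CERTIFICATE CA-CERT`.
# ovs-pki req+sign NAME writes NAME-privkey.pem, NAME-req.pem (the signing request)
# and NAME-cert.pem (the signed certificate). Only privkey and cert go to set-ssl;
# passing the request, or swapping the order, leaves the switch unable to start TLS.
# Paths at the bottom mirror the post's layout and are assumptions; adjust to your install.

# pem_type FILE: print the type named on the first "-----BEGIN ...-----" line,
# e.g. CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY.
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# check_ssl_args KEY CERT CACERT: return 0 only when every file is readable and
# carries the PEM type its position requires.
check_ssl_args() {
    key=$1 cert=$2 ca=$3
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    case "$(pem_type "$key")" in
        "PRIVATE KEY" | "RSA PRIVATE KEY" | "EC PRIVATE KEY") ;;
        *) echo "$key is not a private key" >&2; return 1 ;;
    esac
    if [ "$(pem_type "$cert")" = "CERTIFICATE REQUEST" ]; then
        echo "$cert is a signing request (*-req.pem); pass the signed *-cert.pem instead" >&2
        return 1
    fi
    [ "$(pem_type "$cert")" = "CERTIFICATE" ] || { echo "$cert is not a certificate" >&2; return 1; }
    [ "$(pem_type "$ca")" = "CERTIFICATE" ]   || { echo "$ca is not a CA certificate" >&2; return 1; }
    return 0
}

# key_matches_cert KEY CERT: the public key inside the certificate must equal the
# public half of the private key. Skipped (returns 0) when openssl is not installed.
# Note: the switch certificate is signed by switchca, so `openssl verify` against
# controllerca/cacert.pem would fail by design; that CA file tells the switch which
# CA to trust for the controller's certificate, not who signed its own.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, key/cert match check skipped" >&2; return 0; }
    [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1")" ]
}

# configure_ovs_ssl KEY CERT CACERT: run the checks, then apply and read back the setting.
# --bootstrap only matters when CACERT does not exist yet: the switch would then accept
# whatever CA certificate the controller presents on first connection. With the file
# already in place, as in this lab, the flag changes nothing.
configure_ovs_ssl() {
    check_ssl_args "$1" "$2" "$3" || return 1
    key_matches_cert "$1" "$2"   || { echo "$1 does not match $2" >&2; return 1; }
    ovs-vsctl -- --bootstrap set-ssl "$1" "$2" "$3" && ovs-vsctl get-ssl
}

# Apply only when asked (OVS_SSL_APPLY=1 sh thisfile), so sourcing the file is harmless.
if [ -n "${OVS_SSL_APPLY:-}" ]; then
    configure_ovs_ssl /usr/local/etc/openvswitch/roan-switch-ssl-privkey.pem \
                      /usr/local/etc/openvswitch/roan-switch-ssl-cert.pem \
                      /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
fi
```

Run it as `OVS_SSL_APPLY=1 sh ovs-ssl-check.sh` on the switch host after ovs-pki has produced the files; any failed check prints the offending file and nothing is written to the OVS database, so ovs-vsctl get-ssl keeps showing the previous state.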

OpenFlow Controller

Pox

Floodlight

  • Not supported

Ryu

Trema

  • Not supported

Q&A

Q: ovs-vswitchd.log shows "Private key specified but Open vSwitch was built without SSL support". What should I do?
A: The libssl / openssl related packages were missing when Open vSwitch was built; install them and rebuild.
