1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
********************
Setup TLS Connection
********************
If you want to use secure channel to connect OpenFlow switches, you
need to use TLS connection. This document describes how to setup Ryu
to connect to the Open vSwitch over TLS.
Configuring a Public Key Infrastructure
========================================
If you don't have a PKI, the ovs-pki script included with Open vSwitch
can help you. This section is based on the INSTALL.SSL in the Open
vSwitch source code.
NOTE: How to install Open vSwitch isn't described in this
document. Please refer to the Open vSwitch documents.
Create a PKI by using ovs-pki script::
% ovs-pki init
(Default directory is /usr/local/var/lib/openvswitch/pki)
The pki directory consists of controllerca and switchca
subdirectories. Each directory contains CA files.
Create a controller private key and certificate::
% ovs-pki req+sign ctl controller
ctl-privkey.pem and ctl-cert.pem are generated in the current
directory.
Create a switch private key and certificate::
% ovs-pki req+sign sc switch
sc-privkey.pem and sc-cert.pem are generated in the current directory.
Testing TLS Connection
======================
Configuring ovs-vswitchd to use CA files using the ovs-vsctl "set-ssl"
command, e.g.::
% ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
% ovs-vsctl add-br br0
% ovs-vsctl set-controller br0 ssl:127.0.0.1:6633
Substitute the correct file names, if they differ from the ones used
above. You should use absolute file names.
Run Ryu with CA files::
% ryu-manager --ctl-privkey ctl-privkey.pem \
--ctl-cert ctl-cert.pem \
--ca-certs /usr/local/var/lib/openvswitch/pki/switchca/cacert.pem \
--verbose
You can see something like::
loading app ryu.controller.ofp_handler
instantiating app ryu.controller.ofp_handler
BRICK ofp_event
CONSUMES EventOFPSwitchFeatures
CONSUMES EventOFPErrorMsg
CONSUMES EventOFPHello
CONSUMES EventOFPEchoRequest
connected socket:<SSLSocket fileno=4 sock=127.0.0.1:6633 peer=127.0.0.1:61302> a
ddress:('127.0.0.1', 61302)
hello ev <ryu.controller.ofp_event.EventOFPHello object at 0x1047806d0>
move onto config mode
switch features ev version: 0x1 msg_type 0x6 xid 0xb0bb34e5 port OFPPhyPort(port
_no=65534, hw_addr='\x16\xdc\xa2\xe2}K', name='br0\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00\x00\x00', config=0, state=0, curr=0, advertised=0, supported=0, p
eer=0)
move onto main mode
|
