Setting up OpenFlow over TLS
Setting up a TLS connection
If you want to connect OpenFlow switches over a secure channel, you need to use a TLS connection. This document describes how to set up Ryu to connect to Open vSwitch over TLS.
Install Open vSwitch
cat /etc/lsb-release # check the OS version
# DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
sudo apt-get install openvswitch-controller openvswitch-switch openvswitch-datapath-source -y
Install Ryu
pip3 install ryu
Configure the public key infrastructure
Create the PKI with the ovs-pki script:
ovs-pki init
# (Default directory is /var/lib/openvswitch/pki)
# The pki directory consists of the controllerca and switchca subdirectories; each holds that CA's files.
Create the controller private key and certificate:
ovs-pki req+sign ctl controller
mkdir -p /home/path/to/cert/
cp ctl-privkey.pem /home/path/to/cert/;cp ctl-cert.pem /home/path/to/cert/
# ctl-privkey.pem and ctl-cert.pem are generated in the current directory.
Create the switch private key and certificate:
ovs-pki req+sign sc switch
# sc-privkey.pem and sc-cert.pem are generated in the current directory.
cp sc-privkey.pem /etc/openvswitch/;cp sc-cert.pem /etc/openvswitch/
Test the TLS connection
Configure ovs-vswitchd to use its key, certificate and the CA file with the ovs-vsctl "set-ssl" command:
ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
ovs-vsctl add-br br0
ovs-vsctl set-controller br0 ssl:127.0.0.1:6633
Run Ryu with the CA certificate
ryu-manager --ctl-privkey ctl-privkey.pem \
--ctl-cert ctl-cert.pem \
--ca-certs /usr/local/var/lib/openvswitch/pki/switchca/cacert.pem \
--verbose
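The two CA files above are deliberately crossed: ovs-vsctl set-ssl gives the switch controllerca/cacert.pem so it can verify the controller, while ryu-manager --ca-certs gives the controller switchca/cacert.pem so it can verify switches. The script below is an added example, not part of this guide or of the Ryu/OVS projects: it checks that wiring with the openssl CLI, and when run without arguments builds a throwaway two-CA PKI to exercise the check; the demo CA names, the rsa:2048 keys and the one-day validity are assumptions.

```shell
#!/bin/sh
# verify_chain CERT CAFILE: succeed only if CERT was signed by the CA in CAFILE.
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# check_ovs_pki PKIDIR CTL_CERT SC_CERT: the controller cert must chain to
# controllerca (what set-ssl gives OVS), the switch cert to switchca (what
# --ca-certs gives Ryu), and neither to the other CA (which means a mix-up).
check_ovs_pki() {
    pki=$1; ctl=$2; sc=$3
    verify_chain "$ctl" "$pki/controllerca/cacert.pem" \
        || { echo "FAIL: $ctl is not signed by controllerca"; return 1; }
    verify_chain "$sc" "$pki/switchca/cacert.pem" \
        || { echo "FAIL: $sc is not signed by switchca"; return 1; }
    if verify_chain "$ctl" "$pki/switchca/cacert.pem"; then
        echo "FAIL: $ctl chains to switchca (CAs swapped?)"; return 1; fi
    if verify_chain "$sc" "$pki/controllerca/cacert.pem"; then
        echo "FAIL: $sc chains to controllerca (CAs swapped?)"; return 1; fi
    echo "OK: PKI is wired as the guide expects"
}
# issue_cert DIR NAME CA: key and CSR for NAME, signed by demo CA "CA" (plain
# openssl standing in for "ovs-pki req+sign NAME <type>").
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$2" \
        -keyout "$1/$2-privkey.pem" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/pki/$3/cacert.pem" \
        -CAkey "$1/pki/$3/private/cakey.pem" -CAcreateserial -days 1 \
        -out "$1/$2-cert.pem" 2>/dev/null
}
# make_demo_pki DIR: throwaway PKI with the two-CA layout that ovs-pki init
# creates (constructed for this demo, not the ovs-pki script; valid one day).
make_demo_pki() {
    for ca in controllerca switchca; do
        mkdir -p "$1/pki/$ca/private"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$ca" \
            -keyout "$1/pki/$ca/private/cakey.pem" -out "$1/pki/$ca/cacert.pem" 2>/dev/null
    done
    issue_cert "$1" ctl controllerca   # ctl-* signed by controllerca
    issue_cert "$1" sc switchca        # sc-* signed by switchca
}
# demo: check the demo PKI, then a deliberately swapped pair (switch cert in
# the controller slot), which must be rejected.
demo() {
    d=$(mktemp -d); make_demo_pki "$d"
    check_ovs_pki "$d/pki" "$d/ctl-cert.pem" "$d/sc-cert.pem" && ok=0 || ok=1
    if check_ovs_pki "$d/pki" "$d/sc-cert.pem" "$d/ctl-cert.pem"; then ok=1; fi
    rm -rf "$d"; return $ok
}
if [ $# -eq 3 ]; then check_ovs_pki "$@"; else demo; fi   # 3 args: real PKI; none: demo
```

To check a real installation, save the script (say as check_pki.sh, a name chosen here) and pass the PKI directory and the two certificates from this guide: sh check_pki.sh /var/lib/openvswitch/pki /home/path/to/cert/ctl-cert.pem /etc/openvswitch/sc-cert.pem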
(Optional) Run tls_agent.py
# Change the OVS SSL controller setting to the proxy port
ovs-vsctl set-controller br0 ssl:127.0.0.1:443
# Show how to use the proxy
python3 tls_agent.py -h
Usage: tls_agent.py [options]

tls agent

Options:
  -h, --help            show this help message and exit
  --host=HOST           self hostname or IP address, default 0.0.0.0
  -p PORT, --port=PORT  self TCP port number, default 443
  --server_host=SERVER_HOST
                        proxy server hostname or IP address, default 127.0.0.1
  --server_port=SERVER_PORT
                        proxy server TCP port number
  -l LISTEN, --listen=LISTEN
                        tcp max listen number, default 10
  -b BUFSIZE, --bufsize=BUFSIZE
                        recv bufsize, default 2k bytes size
  -d DELAY, --delay=DELAY
                        recv delay, default 1ms
  -T, --tls             tls enable, default True
  -m, --make_ca_cert    test: use gen keyfile and certfile, default None
  --client_key=KEYFILE  run as server: path to server KEY file, default in
                        /etc/openvswitch/sc-privkey.pem
  --client_cert=CERTFILE
                        run as server: path to server CERT file, default in
                        /etc/openvswitch/sc-cert.pem
  --server_key=KEYFILE  run as server: path to server KEY file, default in
                        /home/path/to/cert/ctl-privkey.pem
  --server_cert=CERTFILE
                        run as server: path to server CERT file, default in
                        /home/path/to/cert/ctl-cert.pem
  --server_cacert=CACERTFILE
                        run as server: path to server CACERT file, default in
                        /var/lib/openvswitch/pki/switchca/cacert.pem
# Start the proxy
python3 tls_agent.py