Using stunnel (TLS Proxy) to secure OpenFlow on EOS

 
 

Do you have an OpenFlow controller that supports encrypting the control channel with TLS, and would you like to use that option with an Arista switch? No problem. The EOS OpenFlow agent speaks plain TCP to its controller, so the approach is to run stunnel on the switch as a local TLS client: the agent connects to stunnel on the loopback address, and stunnel carries the session to the controller over TLS, so the plaintext leg never leaves the switch. Follow these steps and in mere minutes you will have a TLS-protected controller connection up and running. Just imagine the look of shock and amazement on the faces of your friends, family and coworkers as you extend the capabilities of your EOS-powered switch in near real time!

1) Download stunnel from here: http://dl.fedoraproject.org/pub/archive/fedora/linux/releases/14/Fedora/i386/os/Packages/stunnel-4.33-1.fc14.i686.rpm (this is a 32-bit Fedora 14 build of stunnel 4.33; make sure the package architecture matches your EOS release before installing it).

 

2) Copy it to flash on the switch (supply the SCP user, host and path):

switch#copy scp://@//stunnel-4.33-1.fc14.i686.rpm flash:

 

3) Install the RPM as an extension:

switch#copy flash:stunnel-4.33-1.fc14.i686.rpm extension:

switch#extension stunnel-4.33-1.fc14.i686.rpm

 

4) Verify that the RPM was installed:

switch# show extensions
Name                               Version/Release    Status  extension
---------------------------------- ------------------ ------  ---------
stunnel-4.33-1.fc14.i686.rpm       4.33/1.fc14        A, I    1

A: available | NA: not available | I: installed | NI: not installed | F: forced

 

5) Configure the switch to load the extension at boot time:

switch#copy installed-extensions boot-extensions

 

6) Create the stunnel.conf file:

switch#bash vi /mnt/flash/stunnel.conf

Paste in the following:

# Stunnel configuration file
sslVersion = TLSv1
# TLSv1 is the only TLS version stunnel 4.33 offers; newer stunnel releases
# accept TLSv1.2 and TLSv1.3 and those should be preferred where available.
cert = /persist/secure/capi.pem
# This is the built-in cert file, feel free to load and use your own.
key = /persist/secure/capikey.pem
# This is the built-in cert key file, feel free to load and use your own.
# In client mode the cert and key are only presented if the controller
# requests client authentication.
client = yes
# Service definition
[6633]
# Bind the plaintext side to loopback only so it is never reachable off-box.
accept = 127.0.0.1:6633
# The controller address goes before the colon.
connect = :6633

 

7) Configure stunnel to start at boot time:

switch(config)#event-handler stunnel

switch(config-handler-stunnel)#trigger on-boot

switch(config-handler-stunnel)#delay 0

switch(config-handler-stunnel)#action bash sudo stunnel /mnt/flash/stunnel.conf

switch(config-handler-stunnel)#exit

 

Performing these steps ensures that stunnel is installed, started and managed as an extension at boot time. Many more stunnel options could be used, including CA checking, logging options, PID files, etc. One of them matters for security: as written, stunnel.conf carries no verify or CAfile line, so the tunnel is encrypted but the controller is never authenticated, and a host that can intercept the path could impersonate it. Add verify = 2 together with a CAfile pointing at the CA that issued the controller's certificate before relying on this in production.

 

8) Verify that stunnel is up and running:

switch#bash sudo netstat -an | grep 6633

switch#bash sudo ps -ef | grep stunnel

The netstat output should show stunnel listening on 127.0.0.1:6633 only; a listener on 0.0.0.0:6633 would expose the plaintext OpenFlow side to the network.

 

9) Configure OpenFlow on the switch to point at the local stunnel listener (the client side of the tunnel):

switch(config)#openflow

switch(config-openflow)#controller tcp:127.0.0.1:6633
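
As an added example (not part of the original post, and not Arista's or stunnel's own code), the following POSIX shell script generates a stunnel.conf of the shape used in the steps above with controller authentication turned on, and lints a config file for the properties this setup depends on: client mode, an accept bound to loopback only, a connect target that names a host, and verify = 2 with a CAfile. The controller address 192.0.2.10, the CA file /persist/secure/controller-ca.pem, the PID and log paths, and the service name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Arista/stunnel.
# Generates a hardened stunnel client config for the OpenFlow tunnel and
# checks a config file for the properties the tunnel relies on.
# Assumed for illustration: controller address, CA file, PID and log paths.

# write_stunnel_conf OUT CONTROLLER_IP CAFILE [SSLVERSION]
# Writes a client-mode config: plain OpenFlow accepted on loopback only,
# TLS to CONTROLLER_IP:6633 with the controller's certificate verified.
write_stunnel_conf() {
    out="$1"; ctrl="$2"; cafile="$3"; tlsver="${4:-TLSv1}"
    cat > "$out" <<EOF
# stunnel client for OpenFlow: EOS agent -> 127.0.0.1:6633 -> TLS -> controller
# TLSv1 is the only TLS value stunnel 4.33 accepts; newer releases accept
# TLSv1.2 and TLSv1.3, which should be preferred where available.
sslVersion = $tlsver
# Built-in EOS certificate and key (only presented if the controller asks
# for client authentication); replace with your own if required.
cert = /persist/secure/capi.pem
key = /persist/secure/capikey.pem
client = yes
# Authenticate the controller: verify = 2 rejects any peer certificate that
# does not chain to a CA in CAfile. Without it stunnel encrypts but does not
# authenticate, so anyone on the path can impersonate the controller.
verify = 2
CAfile = $cafile
# Assumed (hypothetical) locations for the PID file and log
pid = /var/run/stunnel-openflow.pid
debug = 5
output = /var/log/stunnel-openflow.log
[openflow]
accept = 127.0.0.1:6633
connect = $ctrl:6633
EOF
}

# check_stunnel_conf FILE
# Returns 0 if FILE has every property the tunnel needs, 1 otherwise,
# printing one line per failed check. A deprecated TLSv1 setting only warns.
check_stunnel_conf() {
    f="$1"; rc=0
    grep -qx 'client = yes' "$f" \
        || { echo "FAIL: client = yes missing (stunnel must be the TLS client)"; rc=1; }
    grep -q '^accept = 127\.0\.0\.1:[0-9][0-9]*$' "$f" \
        || { echo "FAIL: accept must bind 127.0.0.1 so plaintext never leaves the switch"; rc=1; }
    grep -q '^connect = [^: ][^: ]*:[0-9][0-9]*$' "$f" \
        || { echo "FAIL: connect needs controller-host:port"; rc=1; }
    grep -qx 'verify = 2' "$f" \
        || { echo "FAIL: verify = 2 missing, controller certificate is not checked"; rc=1; }
    grep -q '^CAfile = .' "$f" \
        || { echo "FAIL: CAfile missing, nothing to verify the controller against"; rc=1; }
    grep -qx 'sslVersion = TLSv1' "$f" \
        && echo "WARN: TLSv1 is deprecated; use TLSv1.2 or later if your stunnel supports it"
    return $rc
}

# Usage: sh stunnel-openflow.sh /mnt/flash/stunnel.conf 192.0.2.10 /persist/secure/controller-ca.pem [TLSv1]
if [ $# -ge 3 ]; then
    write_stunnel_conf "$@" && check_stunnel_conf "$1"
fi
```

Run it from the switch's bash with the output path, the controller address and the CA file as arguments; the lint deliberately fails on the post's original config because it has no verify or CAfile line and its connect line names no host, which is exactly the gap that lets a man-in-the-middle stand in for the controller.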

 

If you have any questions be sure to reach out to your local Arista Systems Engineer.
