Unified Secure Channel Demo
•0 likes•1,660 views
Report
Share
Download to read offline
Unified Secure Channel (USC) is a collaborative project within OpenDaylight to enable a unified, secure, and high performance communication over many different protocols between SDN controllers and network elements across internet or unsecure public infrastructure.
Recommended
More Related Content
What's hot
What's hot(20)
Similar to Unified Secure Channel Demo
Similar to Unified Secure Channel Demo(20)
![[Cisco Connect 2018 - Vietnam] Satit adirek hn under_the_hood_sdwan deep_dive](https://cdn.slidesharecdn.com/ss_thumbnails/satitadirekhnunderthehoodsdwandeepdive-180504042440-thumbnail.jpg?width=768&fit=bounds)
More from Huawei Enterprise
More from Huawei Enterprise(11)
Recently uploaded
Recently uploaded(20)
Unified Secure Channel Demo
- 1. Unified Secure Channel Demo An Ho, Senior Engineer Enterprise Networking BU Huawei Technologies Victor Xu, XXXXXXXXXXXX Enterprise Networking BU Huawei Technologies
- 2. AppStore IoTMobileEnterprise Branch WAN/Internet Unified Secure Channel (USC) is a collaborative project within OpenDaylight to enable a unified, secure, and high performance communication over many different protocols between SDN controllers and network elements across internet or unsecure public infrastructure. High Security Encrypted communication & mutual authentication Better Performance Protocol multiplexing & converged tunneling for all protocols Large Capacity Clustering support & elastic scalability to satisfy different capacity requirements Management Secure management & reliable control of various network elements such as gateways, sensors, etc. Unified Secure Channel
- 3. USC Manager USC Agent Controller Platform Southbound Interfaces & Protocol Plugins Network Elements APIs (REST) TLS/DTLS Call Home Client Muxer/ Demuxer Protocol Proxy …CAPWAP Server SNMP Server Netconf Server USC Plugin Call Home Listener Session Manager TLS/DTLS Muxer/ Demuxer Protocol Handler CAPWAP Plugin SNMP Plugin Netconf Plugin …OpenFlow Plugin Monitoring Config Manager Cluster Manager Security Manager Service Abstraction Layer (SAL) AAA Base Network Service Functions USC API DLUX/USC UI Call Home ConnectionOutbound Connection Network Applications Orchestration & Services
- 4. Controller Node 1 USC Manager 1.1. Request to configure device APP Netconf Server NAT/Firewall USC Plugin Agent Connector Clustering Manager Protocol Handler Netconf Client 1.2. Routed by MD-SAL 1.3. Request connection 2.1. Attempt local connection 2.2. Connection blocked by firewall 4.1. Message delivered to Agent USC Agent 4.2. Message delivered to Netconf Server 3.1. Find node with established USC Channel Controller Node 2 USC Manager USC Plugin Clustering Manager Protocol Handler 3.2. Forward request to Node 2 3.3. Send via local USC Channel Agent Connector Southbound Clustering
- 5. Key Lithium Features Protocol Multiplexing Mutual Authentication Call Home Enhanced Clustering
- 6. Installing USC Integrated into ODL UI Loaded as a Karaf Feature feature:install odl-restconf odl-dlux-core odl-usc-channel-ui
- 7. Configuring USC Configuring USC Channel • certificates: This folder contains the certificate files. • akka.conf: This file contains configuration related to clustering: http://doc.akka.io • usc.properties: This file defines the location of certificates, defines the source of additional akka configurations, and assigns default settings to the USC behavior. Configuring Netconf • Configure 01-netconf.xml to use usc-netconf-dispatcher Administering USC Channel • http://${IPADDRESS}:8181/index.html • http://${IPADDRESS}:8181/apidoc/explorer/index.html • add-channel, delete-channel, and view-channel.
- 9. Unified Secure Channel An Ho (An.Ho@huawei.com) Victor Xu (S.Xu@huawei.com) Visit our booth at XXX https://wiki.opendaylight.org/view/USC:Main usc-dev@lists.opendaylight.org More Information Questions?
Editor's Notes
- The future enterprise is geographically distributed across all continents with a mobile workforce demanding access to computing, storage, and networking from anywhere at anytime. As more companies adopt IoT, the future enterprise will see greater network activities and demand from various devices and sensors, including vehicles, energy or utilities meters, or medical equipment on top of traditional mobile devices such as tablets and smart phones. All these intelligent smart things will communicate over many different protocols, each with their own specifications on security, encryption, and authentication. Even as IoT matures, companies should still expect the number of protocols and standardizations to continue to rise. Unified Secure Channel (USC) is a collaborative project within OpenDaylight to enable a unified, secure, and high performance communication over many different protocols between SDN controllers and network elements across internet or unsecure public infrastructure. Out of the box, it provides better security with encrypted communication and mutual authentication, better performance with protocol multiplexing and converged tunneling for all protocols. It supports large capacity with clustering support and elastic scalability to satisfy different capacity requirements and better management with secure reliable control of various network elements.
- The USC have five main components, the agent, plugin, manager, api, and ui components. These components leverage existing OpenDaylight modules such as yangtools, mdsal, dlux, and southbound plugins. The USC Agent is responsible for maintaining a live communications channel with the controller. It initiates call-home with the controller, acts as a demuxer/muxer for packets with the USC header, and authenticates the controller. The USC Plugin is responsible for maintaining the live communication channels and sessions with the devices. It responds to call-home with the controller, acts as a muxer/demuxer for packets with the USC header, and provides support for TLS/DTLS. The USC Plugin uses existing southbound plugins for protocol specific functions such as netconf, snmp, and capwap. The USC Manager handles configurations, high availability, security, monitoring, and clustering support for USC. The USC API resides in OpenDaylight Northbound REST layer and provides mechanisms for inquiring on the state of the USC environment The USC UI is responsible for displaying a graphical user interface representing the state of USC in the OpenDaylight DLUX UI.
- USC is designed to enhance OpenDaylight’s existing clustering capability to allow applications to communicate with any devices, even though it is not directly connected. In this diagram: There is an existing connection between Node 2 and the device. The application sends a request to node 1. Node 1 cannot reach the device directly because of NAT or firewall. And so the message is routed to node 2.
- In Lithium, we implemented four key features for the USC project. Protocol multiplexing consolidates multiple connections into a single channel, provides guaranteed security for all protocol, and reduces repetitious authentication into one handshake. Mutual authentication between both the controller and the devices provides protection from rogue entities even for protocols payloads without inherent mutual authentication. Call-Home for enterprise edge nodes allows devices to initiate the connection with the controller, even for protocols without specified call-home support. Enhanced Southbound Clustering support efficiently routes messages across multiple nodes in a controller cluster, allowing for greater performance and scalability.
- To install USC, download OpenDaylight and use the Karaf console to install the odl-usc-channel-ui karaf feature. Once the feature is installed, then USC appears as a menu item in the DLUX UI. The USC team is proud to be one of the first projects to integrate its custom User Interface in the OpenDaylight DLUX UI using DLUX modularity.
- The USC configuration files for the Karaf distribution are located in distribution ETC folder. Here the user can supply the certificates for mutual authentication or configure the akka.conf file for enhanced clustering related properties. The user can also configure other default settings to the USC behavior or configure the controller to use the USC netconf dispatcher.