Transport Layer Security (TLS) Encryption Overview

Transport Layer Security (TLS) is used to secure the connection between OpenFlow controllers and the switch. Mutual authentication is provided by X.509 certificates, which are issued by a hierarchical system of certificate authorities (CAs). The system of certificates and CAs, together with the people, policies, and procedures that distribute them, is known as a Public Key Infrastructure (PKI).

The switch and controller may communicate either through a secure TLS connection or through an insecure Transmission Control Protocol (TCP) connection. If TLS is configured, the switch and controller must mutually authenticate by exchanging certificates.

Note

Secure Sockets Layer (SSL) and TLS are sometimes used interchangeably, but TLS is the more secure successor of SSL. SSL has been around for a long time, and all of its versions are now considered insecure; therefore, no version of SSL is allowed.

To use TLS, the switch must have three credentials configured:
  • Switch's private key—The private key that corresponds to the switch certificate. Any device that possesses this key can cryptographically prove that it owns the corresponding certificate; therefore, it is imperative that this key be kept secret.
  • Switch's certificate—A public X.509 certificate that provides the switch's identity for outgoing TLS connections. Each switch must be issued its own X.509 certificate. Controllers that wish to connect to the switch must be configured to trust the CA certificate (or chain of CA certificates) that issued this switch certificate.
    Note

    Switches cannot generate self-signed certificates. The switch's certificate must be generated and signed by the PKI host.
  • Controller Certificate Authority (CA) certificate(s)—Used to authenticate the controller's certificate. The switch trusts any controller certificate issued by the controller CA certificate (or chain of CA certificates) configured here. If the configured controller CA certificate is used (by the CA) to sign 50 different controller certificates, then the switch allows any of those 50 controllers to connect.
    Note

    Open vSwitch "bootstrap" mode is not supported. The controller's CA certificate must be manually copied to the switch.

TLS 1.0, 1.1, and 1.2 are supported.
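The mutual authentication described above, as an added example in Go that is not part of this documentation or of any switch or controller software: it generates a switch CA, a controller CA and one leaf certificate per side (standing in for the PKI host), then runs a TLS 1.2 handshake in which the switch requires a controller certificate issued by its configured controller CA, and the controller requires the switch certificate to chain to the CA it trusts. The names `Issue`, `pool` and `MutualHandshake` are this example's own.

```go
package main

import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"; "math/big"; "net"; "time")

// Issue creates a P-256 certificate for cn: a self-signed CA when parent is nil, otherwise a leaf signed by
// parent/parentKey. It stands in for the PKI host that issues the switch and controller certificates.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pool is the single-CA trust store each side is configured with.
func pool(ca *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }

// MutualHandshake runs one TLS 1.2 handshake over loopback. The switch (server) presents swCert/swKey and accepts
// only controller certificates issued by ctrlCA; the controller (client) presents ctrlCert/ctrlKey and accepts the
// switch certificate only if it chains to swCA. A nil result means both sides authenticated each other.
func MutualHandshake(swCert *x509.Certificate, swKey *ecdsa.PrivateKey, ctrlCA *x509.Certificate,
	ctrlCert *x509.Certificate, ctrlKey *ecdsa.PrivateKey, swCA *x509.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // switch side: require a controller certificate and verify it against the controller CA
		c, err := ln.Accept()
		if err == nil {
			err = tls.Server(c, &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
				Certificates: []tls.Certificate{{Certificate: [][]byte{swCert.Raw}, PrivateKey: swKey}},
				ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool(ctrlCA)}).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{MinVersion: tls.VersionTLS12, // controller side
		Certificates: []tls.Certificate{{Certificate: [][]byte{ctrlCert.Raw}, PrivateKey: ctrlKey}},
		RootCAs:      pool(swCA), ServerName: swCert.Subject.CommonName})
	if err != nil { return err }
	conn.Close()
	return <-srvErr
}
```

Swapping in a controller certificate from a CA the switch was not configured with, or a trust store on the controller that does not contain the switch's issuing CA, makes the handshake fail on the side that performs the check.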