This section describes how to use the SNBI feature in OpenDaylight and
contains configuration, administration, and management sections for the
Key distribution in a large network has always been a challenge.
Typically, operators must perform some manual key distribution process
before secure communication is possible between a set of network
devices. The Secure Network Bootstrapping Infrastructure (SNBI) project
securely and automatically brings up an integrated set of network
devices and controllers, simplifying the process of bootstrapping
network devices with the keys required for secure communication. SNBI
enables connectivity to the network devices by assigning unique IPv6
addresses and bootstrapping devices with the required keys. Admission
control of devices into a specific domain is achieved using a whitelist of
At a high level, the SNBI architecture consists of the following components:
- SNBI Forwarding Element (FE)
.. figure:: images/snbi/snbi_arch.png
   :alt: SNBI Architecture Diagram

   SNBI Architecture Diagram
The Registrar is a device in the network that validates a device against a
whitelist and delivers the device domain certificate. The Registrar includes the
- RESTCONF API for Domain Whitelist Configuration
- SNBI Southbound Plugin

- Certificate Authority
**RESTCONF API for Domain Whitelist Configuration**
Below is the YANG model to configure the whitelist of devices for a

::

    //The yang version - today only 1 version exists. If omitted defaults to 1.
    //a unique namespace for this SNBI module, to uniquely identify it from other modules that may have the same name.
    namespace "http://netconfcentral.org/ns/snbi";
    //a shorter prefix that represents the namespace for references used below
    //Defines the organization which defined / owns this .yang file.
    organization "Netconf Central";
    //defines the primary contact of this yang file.
    //provides a description of this .yang file.
    description "YANG version for SNBI.";
    //defines the dates of revisions for this yang file
    revision "2024-07-02" {
      description "SNBI module";
    description "Unique Device Identifier";
    container snbi-domain {
      description "The SNBI domain name";
    description "Name of the device list";
    description "Indicates the type of the list";
    description "Indicates whether the list is active or not";
      key "device-identifier";
      leaf device-identifier {
**Southbound Plugin**

The Southbound Plugin implements the protocol state machine necessary to
exchange device identifiers and deliver certificates.
**Certificate Authority**

A simple certificate authority is implemented using the Bouncy Castle
package. It issues certificates from the certificate signing requests
(CSRs) received from the devices, and the certificates thus generated are
delivered to the devices through the Southbound Plugin.
SNBI Forwarding Element
~~~~~~~~~~~~~~~~~~~~~~~
The forwarding element must be installed or unpacked on a Linux host
whose network-layer traffic is to be secured. The FE performs the
**Neighbour Discovery**
Neighbour Discovery (ND) is the first step in admitting devices into a
secure network. SNBI performs periodic neighbour discovery of SNBI
agents by transmitting ND hello packets, and the discovered devices are
recorded in an ND table. Neighbour Discovery is periodic and
bidirectional: ND hello packets are transmitted every 10 seconds, and a
40 second refresh timer is set for each discovered neighbour. When the
refresh timer expires, the Neighbour Adjacency is removed from the ND
table because it is no longer valid. The same SNBI neighbour may be
discovered on multiple links; the expiry of a device on one link does
not automatically remove the device entry from
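The timer behaviour described above, modelled as an added example (this is not code from the SNBI daemon or the OpenDaylight project): one adjacency per neighbour-and-link pair, a 40 second timer re-armed by every 10 second hello, and a neighbour that stays in the ND table for as long as any one of its links is still fresh. The UDI and link names are constructed for the scenario.

```python
"""Toy model of the SNBI neighbour-discovery (ND) table described above.

Added example for this page; not code from the OpenDaylight SNBI daemon.
One adjacency is kept per (neighbour UDI, local link), so a neighbour
discovered on several links survives the expiry of any single link.
UDIs and link names below are constructed.
"""
from typing import Dict, List, Tuple

HELLO_INTERVAL = 10   # seconds between ND hello transmissions (from the text)
REFRESH_TIMER = 40    # seconds an adjacency lives without a fresh hello (from the text)

Adjacency = Tuple[str, str]  # (neighbour UDI, local link the hello arrived on)


class NdTable:
    """ND table: adjacency -> absolute expiry time, plus expiry housekeeping."""

    def __init__(self) -> None:
        self._expiry: Dict[Adjacency, float] = {}

    def receive_hello(self, udi: str, link: str, now: float) -> None:
        """Create or refresh the adjacency; each hello re-arms the refresh timer."""
        self._expiry[(udi, link)] = now + REFRESH_TIMER

    def expire(self, now: float) -> List[Adjacency]:
        """Drop adjacencies whose refresh timer has run out; return what was dropped."""
        stale = [adj for adj, t in self._expiry.items() if t <= now]
        for adj in stale:
            del self._expiry[adj]
        return stale

    def links_for(self, udi: str) -> List[str]:
        """Links on which the neighbour is still considered adjacent."""
        return sorted(link for (u, link) in self._expiry if u == udi)

    def neighbours(self) -> List[str]:
        """Distinct neighbours with at least one live adjacency."""
        return sorted({u for (u, _) in self._expiry})


def run_multilink_scenario() -> Dict[str, object]:
    """Constructed scenario: UDI-dev1 is heard on eth0 and eth1. Hellos on eth1
    stop after t=20, hellos on eth0 continue until t=60. Returns snapshots of
    the table at the two interesting moments (t=60 and t=100)."""
    table = NdTable()
    snapshots: Dict[str, object] = {}
    for now in range(0, 101, HELLO_INTERVAL):
        removed = table.expire(now)  # housekeeping runs before this tick's hellos
        if now <= 60:
            table.receive_hello("UDI-dev1", "eth0", now)
        if now <= 20:
            table.receive_hello("UDI-dev1", "eth1", now)
        if now == 60:
            # eth1 timed out (last hello at 20 + 40), but eth0 keeps the neighbour
            snapshots["removed_at_60"] = removed
            snapshots["links_at_60"] = table.links_for("UDI-dev1")
            snapshots["neighbours_at_60"] = table.neighbours()
        if now == 100:
            # last eth0 hello at 60 + 40: the neighbour is now gone entirely
            snapshots["neighbours_at_100"] = table.neighbours()
    return snapshots
```

At t=60 only the eth1 adjacency is dropped and the neighbour remains reachable via eth0; at t=100 the eth0 adjacency expires too and the neighbour leaves the table.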
Bootstrapping a device involves the following sequential steps:

- Authenticate the device using its device identifier (UDI or SUDI)

- Allocate the appropriate device ID and IPv6 address to uniquely
  identify the device in the network

- Allocate the required keys by installing a Device Domain Certificate

- Admit the device into the domain
**Host Configuration**

Host configuration involves configuring the host to create a secure
overlay network: assigning the appropriate IPv6 address, setting up GRE
tunnels, securing the tunnel traffic with IPsec, and enabling
connectivity via a routing
The SNBI Forwarding Element is packaged in a Docker container available
at this link: https://hub.docker.com/r/snbi/boron/. For more information
on Docker, refer to https://docs.docker.com/linux/.
Prerequisites for Configuring SNBI
----------------------------------
Before proceeding further, ensure that the following system requirements
- 64-bit Ubuntu 14.04 LTS

- 4 GB of hard disk space, sufficient to store certificates

- Java Virtual Machine 1.8 or above

- Apache Maven 3.3.3 or above

- Make sure the time on all the devices is synced, either manually or

- The Docker version must be greater than 1.0 on Ubuntu 14.04
This section contains the following:

- Setting up SNBI Registrar on the controller

- Configuring Whitelist

- Setting up SNBI FE on Linux Hosts

Setting up SNBI Registrar on the controller
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section contains the following:

- Configuring the Registrar Host

- Installing Karaf Package

- Configuring SNBI Registrar
**Configuring the Registrar Host**

Before enabling the SNBI registrar service, assign an IPv6 address to an
interface on the registrar host so that the registrar service can bind
to it (**fd08::aaaa:bbbb:1/128**). The commands below create a dummy
interface for this purpose:

::

    sudo ip link add snbi-ra type dummy
    sudo ip addr add fd08::aaaa:bbbb:1/128 dev snbi-ra
    sudo ip link set snbi-ra up
**Installing Karaf Package**

Download the Karaf package from this link:
http://www.opendaylight.org/software/downloads, unzip it and run the
``karaf`` executable present in the bin folder. Here is an example of

::

    cd distribution-karaf-0.3.0-Boron/bin
Additional information on useful Karaf commands is available at this
https://wiki.opendaylight.org/view/CrossProject:Integration_Group:karaf.
**Configuring SNBI Registrar**

Before you perform this step, ensure that you have completed the tasks
`above <#_configuring_snbi>`__:
To use the RESTCONF APIs, install the RESTCONF feature available in the
Karaf package. If required, install the mdsal-apidocs module for access to
https://wiki.opendaylight.org/view/OpenDaylight_Controller:MD-SAL:Restconf_API_Explorer
for more information on MDSAL API docs.
Use the commands below to install the required features and verify the

::

    feature:install odl-restconf
    feature:install odl-mdsal-apidocs
    feature:install odl-snbi-all
After confirming that the features are installed, use the following
command to start the SNBI registrar:

::

    snbi:start <domain-name>
Configuring Whitelist
~~~~~~~~~~~~~~~~~~~~~
The registrar must be configured with a whitelist of the devices that are
admitted into a specific domain. The YANG for configuring the domain and
the associated whitelist in the controller is available at this
https://wiki.opendaylight.org/view/SNBI_Architecture_and_Design#Registrar_YANG_Definition.
It is recommended to use Postman to configure the registrar using
This section contains the following:

- Configuring Whitelist using REST API
**Installing Postman**

Follow the steps below to install Postman in your Google Chrome browser.

- Install Postman via the Google Chrome browser, available at this link:
  https://chrome.google.com/webstore/detail/postman-rest-client/fdmmgilgnpjigdojojpjoooidkmcomcm?hl=en

- In the Chrome browser address bar, enter: chrome://apps/

- Enter the ``Accept`` header.

- Click the Basic Auth tab to create user credentials, such as user name

You can download a sample Postman configuration to get started from this
link: https://www.getpostman.com/collections/c929a2a4007ffd0a7b51
**Configuring Whitelist using REST API**

The POST method below configures a domain, "secure-domain", and a
whitelist of devices to be admitted into the domain.

::

    "domain-name": "secure-domain",
    "list-name": "demo list",
    "list-type": "white",
    "device-id": "UDI-FirstFE"
    "device-id": "UDI-dev1"
    "device-id": "UDI-dev2"
The associated device ID must be configured on the SNBI FE (see below).
You can also push the domain and whitelist information through the REST
APIs exposed in the API docs interface, which can be accessed at
http://localhost:8080/apidoc/explorer. More details on the API docs
https://wiki.opendaylight.org/view/OpenDaylight_Controller:MD-SAL:Restconf_API_Explorer
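The registrar-side logic that the whitelist above drives, as an added example (not OpenDaylight SNBI code) that also covers the first bootstrapping step, authenticating a device by its UDI against the whitelist. The domain structure reuses the field names from the POST body on this page (``domain-name``, ``list-name``, ``list-type``, ``device-id``); the ``active`` flag follows the YANG description of the device list, while its JSON key name, the ``device-list``/``devices`` nesting, the ``snbi-domain`` envelope and the RESTCONF URL are assumptions, since the page does not show the complete request.

```python
"""Registrar-side view of the SNBI domain whitelist configured above.

Added example for this page; not OpenDaylight SNBI code. Field names
domain-name, list-name, list-type and device-id come from the page's POST
body. The "active" flag follows the YANG description "Indicates whether the
list is active or not"; its key name, the device-list/devices nesting, the
snbi-domain envelope and the RESTCONF URL are assumptions.
"""
import base64
import json
import urllib.request
from typing import Dict, Set

# Constructed configuration: the three devices from the page's POST body in
# an active whitelist, plus an inactive list whose members must NOT be admitted.
DOMAIN_CONFIG: Dict = {
    "domain-name": "secure-domain",
    "device-list": [                        # key name assumed
        {
            "list-name": "demo list",
            "list-type": "white",
            "active": True,                 # key name assumed, semantics from the YANG
            "devices": [                    # key name assumed
                {"device-id": "UDI-FirstFE"},
                {"device-id": "UDI-dev1"},
                {"device-id": "UDI-dev2"},
            ],
        },
        {
            "list-name": "staging",         # constructed: configured but not yet active
            "list-type": "white",
            "active": False,
            "devices": [{"device-id": "UDI-dev3"}],
        },
    ],
}


def admitted_devices(domain: Dict) -> Set[str]:
    """UDIs allowed into the domain: members of lists that are both active and
    of type "white". Other list types are ignored here (assumption: the page
    only shows "white")."""
    allowed: Set[str] = set()
    for dev_list in domain.get("device-list", []):
        if dev_list.get("list-type") != "white" or not dev_list.get("active", False):
            continue
        allowed.update(d["device-id"] for d in dev_list.get("devices", []))
    return allowed


def is_admitted(domain: Dict, udi: str) -> bool:
    """Registrar admission check: exact, case-sensitive match of the presented
    UDI against the whitelist. A UDI is an identifier, not a secret, so this
    check is only as strong as the whitelist's contents."""
    return udi in admitted_devices(domain)


def build_restconf_request(url: str, username: str, password: str,
                           domain: Dict) -> urllib.request.Request:
    """Prepare the RESTCONF POST with the Accept and Basic Auth headers the
    Postman steps above describe; the caller decides whether to send it.
    Basic Auth only base64-encodes the credentials, so use it over loopback
    or TLS. The snbi-domain envelope is assumed from the YANG container name."""
    body = json.dumps({"snbi-domain": domain}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
```

Only lists that are both active and of type ``white`` contribute to the admitted set, and the match is an exact string comparison, so ``UDI-dev3`` in the inactive list is rejected just like an unknown UDI. ``build_restconf_request`` assembles the POST but does not send it, which keeps the example offline; pass it to ``urllib.request.urlopen`` against the registrar's RESTCONF URL to apply the configuration.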
Setting up SNBI FE on Linux Hosts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The SNBI daemon bootstraps the host device with a valid device domain
certificate and an IP address for connectivity, and creates a reachable
overlay network by interacting with multiple software modules.
The device UDI (Unique Device Identifier) can be derived from a
multitude of parameters in the host machine, but most derived parameters
are either already known or do not remain constant across reloads.
Therefore, every SNBI FE must be configured explicitly with a UDI that is
present in the device whitelist. Because the UDI is supplied to the FE as
a plain string, it identifies the device but does not by itself prove the
device's identity; admission rests on the whitelist, so limit the
whitelist to the devices you actually intend to bootstrap.
**First Forwarding Element**

The registrar service IP address must be provided to the first host
(Forwarding Element) to be bootstrapped. As described in the
"Configuring the Registrar Host" section, the registrar service IP
address is **fd08::aaaa:bbbb:1**; the First Forwarding Element must be
configured with this IPv6 address.
**Running the SNBI Docker image**

The SNBI FE in the Docker image reads the UDI of the Forwarding Element
from an environment variable supplied when the container is started. If
the Forwarding Element is the first forwarding element, the IP address of
the registrar service must also be provided. Note that ``--net=host`` and
``--privileged=true`` give the container the host's network namespace and
full root capabilities (it configures interfaces, tunnels and IPsec on the
host), so only run an image you trust as much as the host itself.

::

    sudo docker run -v /etc/timezone:/etc/timezone:ro --net=host --privileged=true \
        --rm -t -i -e SNBI_UDI=UDI-FirstFE -e SNBI_REGISTRAR=fd08::aaaa:bbbb:1 snbi/boron:latest /bin/bash
After the Docker image is executed, you are placed in the snbi.d command
A new Forwarding Element is bootstrapped in the same way, except that
the registrar IP address is not required when running the Docker image.

::

    sudo docker run --net=host --privileged=true --rm -t -i -e SNBI_UDI=UDI-dev1 snbi/boron:latest /bin/bash
Administering or Managing SNBI
------------------------------

The SNBI daemon provides various show commands to verify the current
state of the daemon. Commands are completed automatically when you press
Tab, and "?" lists the available commands with their help strings.

::

    neighbors      SNBI Neighbors
    debugs         Debugs enabled
    certificate    Certificate information