SNBI User Guide =============== This section describes how to use the SNBI feature in OpenDaylight and contains configuration, administration, and management section for the feature. Overview -------- Key distribution in a scaled network has always been a challenge. Typically, operators must perform some manual key distribution process before secure communication is possible between a set of network devices. The Secure Network Bootstrapping Infrastructure (SNBI) project securely and automatically brings up an integrated set of network devices and controllers, simplifying the process of bootstrapping network devices with the keys required for secure communication. SNBI enables connectivity to the network devices by assigning unique IPv6 addresses and bootstrapping devices with the required keys. Admission control of devices into a specific domain is achieved using whitelist of authorized devices. SNBI Architecture ----------------- At a high level, SNBI architecture consists of the following components: - SNBI Registrar - SNBI Forwarding Element (FE) .. figure:: ./images/snbi/snbi_arch.png :alt: SNBI Architecture Diagram SNBI Architecture Diagram SNBI Registrar ~~~~~~~~~~~~~~ Registrar is a device in a network that validates device against a whitelist and delivers device domain certificate. Registrar includes the following: - RESCONF API for Domain Whitelist Configuration - SNBI Southbound Plugin - Certificate Authority **RESTCONF API for Domain Whitelist Configuration:.** Below is the YANG model to configure the whitelist of devices for a particular domain. :: module snbi { //The yang version - today only 1 version exists. If omitted defaults to 1. yang-version 1; //a unique namespace for this SNBI module, to uniquely identify it from other modules that may have the same name. namespace ""; //a shorter prefix that represents the namespace for references used below prefix snbi; //Defines the organization which defined / owns this .yang file. organization "Netconf Central"; //defines the primary contact of this yang file. contact "snbi-dev"; //provides a description of this .yang file. description "YANG version for SNBI."; //defines the dates of revisions for this yang file revision "2024-07-02" { description "SNBI module"; } typedef UDI { type string; description "Unique Device Identifier"; } container snbi-domain { leaf domain-name { type string; description "The SNBI domain name"; } list device-list { key "list-name"; leaf list-name { type string; description "Name of the device list"; } leaf list-type { type enumeration { enum "white"; } description "Indicates the type of the list"; } leaf active { type boolean; description "Indicates whether the list is active or not"; } list devices { key "device-identifier"; leaf device-identifier { type union { type UDI; } } } } } } **Southbound Plugin:.** The Southbound Plugin implements the protocol state machine necessary to exchange device identifiers, and deliver certificates. **Certificate Authority:.** A simple certificate authority is implemented using the Bouncy Castle package. The Certificate Authority creates the certificates from the device CSR requests received from the devices. The certificates thus generated are delivered to the devices using the Southbound Plugin. SNBI Forwarding Element ~~~~~~~~~~~~~~~~~~~~~~~ The forwarding element must be installed or unpacked on a Linux host whose network layer traffic must be secured. The FE performs the following functions: - Neighour Discovery - Bootstrap - Host Configuration **Neighbour Discovery:.** Neighbour Discovery (ND) is the first step in accommodating devices in a secure network. SNBI performs periodic neighbour discovery of SNBI agents by transmitting ND hello packets. The discovered devices are populated in an ND table. Neighbour Discovery is periodic and bidirectional. ND hello packets are transmitted every 10 seconds. A 40 second refresh timer is set for each discovered neighbour. On expiry of the refresh timer, the Neighbour Adjacency is removed from the ND table as the Neighbour Adjacency is no longer valid. It is possible that the same SNBI neighbour is discovered on multiple links, the expiry of a device on one link does not automatically remove the device entry from the ND table. **Bootstrapping:.** Bootstrapping a device involves the following sequential steps: - Authenticate a device using device identifier (UDI or SUDI) - Allocate the appropriate device ID and IPv6 address to uniquely identify the device in the network - Allocate the required keys by installing a Device Domain Certificate - Accommodate the device in the domain **Host Configuration:.** Involves configuring a host to create a secure overlay network, assigning appropriate ipv6 address, setting up gre tunnels, securing the tunnels traffic via IPsec and enabling connectivity via a routing protocol. The SNBI Forwarding Element is packaged in a docker container available at this link: For more information on docker, refer to this link: Prerequisites for Configuring SNBI ---------------------------------- Before proceeding further, ensure that the following system requirements are met: - 64bit Ubunutu 14.04 LTS - 4GB RAM - 4GB of hard disk space, sufficient enough to store certificates - Java Virtual Machine 1.8 or above - Apache Maven 3.3.3 or above - Make sure the time on all the devices or synced either manually or using NTP - The docker version must be greater than 1.0 on a 14.04 Ubuntu Configuring SNBI ---------------- This section contains the following: - Setting up SNBI Registrar on the controller - Configuring Whitelist - Setting up SNBI FE on Linux Hosts Setting up SNBI Registrar on the controller ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This section contains the following: - Configuring the Registrar Host - Installing Karaf Package - Configuring SNBI Registrar **Configuring the Registrar Host:.** Before enabling the SNBI registrar service, assign an IPv6 address to an interface on the registrar host. This is to bind the registrar service to an IPv6 address (**fd08::aaaa:bbbb:1/128**). :: sudo ip link add snbi-ra type dummy sudo ip addr add fd08::aaaa:bbbb:1/128 dev snbi-ra sudo ifconfig snbi-ra up **Installing Karaf Package:.** Download the karaf package from this link:, unzip and run the ``karaf`` executable present in the bin folder. Here is an example of this step: :: cd distribution-karaf-0.3.0-Boron/bin ./karaf Additional information on useful Karaf commands are available at this link: **Configuring SNBI Registrar:.** Before you perform this step, ensure that you have completed the tasks `above <#_configuring_snbi>`__: To use RESTCONF APIs, install the RESTCONF feature available in the Karaf package. If required, install mdsal-apidocs module for access to documentation. Refer for more information on MDSAL API docs. Use the commands below to install the required features and verify the same. :: feature:install odl-restconf feature:install odl-mdsal-apidocs feature:install odl-snbi-all feature:list -i After confirming that the features are installed, use the following command to start SNBI registrar: :: snbi:start Configuring Whitelist ~~~~~~~~~~~~~~~~~~~~~ The registrar must be configured with a whitelist of devices that are accommodated in a specific domain. The YANG for configuring the domain and the associated whitelist in the controller is avaialble at this link: It is recommended to use Postman to configure the registrar using RESTCONF. This section contains the following: - Installing PostMan - Configuring Whitelist using REST API **Installing PostMan:.** Follow the steps below to install postman on your Google Chrome Browser. - Install Postman via Google Chrome browser available at this link: - In the chrome browser address bar, enter: chrome://apps/ - Click Postman. - Enter the URL. - Click Headers. - Enter Accept: header. - Click Basic Auth tab to create user credentials, such as user name and password. - Send. You can download a sample Postman configuration to get started from this link: **Configuring Whitelist using REST API:.** The POST method below configures a domain - "secure-domain" and configures a whitelist set of devices to be accommodated to the domain. :: { "snbi-domain": { "domain-name": "secure-domain", "device-list": [ { "list-name": "demo list", "list-type": "white", "active": true, "devices": [ { "device-id": "UDI-FirstFE" }, { "device-id": "UDI-dev1" }, { "device-id": "UDI-dev2" } ] } ] } } The associated device ID must be configured on the SNBI FE (see below). You can also use REST APIs using the API docs interface to push the domain and whitelist information. The API docs could be accessed at link:http://localhost:8080/apidoc/explorer. More details on the API docs is available at link:\_Controller:MD-SAL:Restconf\_API\_Explorer Setting up SNBI FE on Linux Hosts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The SNBI Daemon is used to bootstrap the host device with a valid device domain certificate and IP address for connectivity and to create a reachable overlay network by interacting with multiple software modules. **Device UDI:.** The Device UDI or the device Unique Identifier can be derived from a multitude of parameters in the host machine, but most derived parameters are already known or do not remain constant across reloads. Therefore, every SNBI FE must be configured explicitly with a UDI that is present in the device whitelist. **First Forwarding Element:.** The registrar service IP address must be provided to the first host (Forwarding Element) to be bootstrapped. As mentioned in the "Configuring the Registrar Host" section, the registrar service IP address is **fd08::aaaa:bbbb:1**. The First Forwarding Element must be configured with this IPv6 address. **Running the SNBI docker image:.** The SNBI FE in the docker image picks the UDI of the ForwardingElement via an environment variable provided when executing docker instance. If the Forwarding Element is a first forwarding element, the IP address of the registrar service should also be provided. :: sudo docker run -v /etc/timezone:/etc/timezone:ro --net=host --privileged=true --rm -t -i -e SNBI_UDI=UDI-FirstFE -e SNBI_REGISTRAR=fd08::aaaa:bbbb:1 snbi/boron:latest /bin/bash After the docker image is executed, you are placed in the snbi.d command prompt. A new Forwarding Element is bootstrapped in the same way, except that the registrar IP address is not required while running the docker image. :: sudo docker run --net=host --privileged=true --rm -t -i -e SNBI_UDI=UDI-dev1 snbi/boron:latest /bin/bash Administering or Managing SNBI ------------------------------ The SNBI daemon provides various show commands to verify the current state of the daemon. The commands are completed automatically when you press Tab in your keyboard. There are help strings "?" to list commands. :: snbi.d > show snbi device Host deevice neighbors SNBI Neighbors debugs Debugs enabled certificate Certificate information