Posted 18-Jan-2017 by adva-optical-networking

Page 1: NETCONF Call Home

NETCONF Call Home

Rajendra Nagabhushan, senior staff engineer, ADVA Optical Networking

Vikram Darsi, senior lead engineer, ADVA Optical Networking

Page 2: NETCONF Call Home

© 2017 ADVA Optical Networking. All rights reserved. Confidential.

Agenda

1. Introduction to Reverse SSH (Call Home)
2. NETCONF Call Home Overview
3. OpenDaylight NETCONF Module Architecture
4. Adding NETCONF Call Home Support Into OpenDaylight
5. Demo
6. Future Works and Deviation (w.r.t. draft-ietf-netconf-call-home-17)

Page 3: NETCONF Call Home

Introduction to Reverse SSH (Call Home)

Call Home or Reverse SSH is a technique where the SSH server initiates a request that the SSH client establish an SSH connection to the server.

(Figure: PE1 and PE nodes in a Private Network behind a Firewall/NAT reach out across the Internet to the Management Network.)

Page 4: NETCONF Call Home

Introduction to Reverse SSH (Call Home)

Call Home is useful where:

• NE may be deployed behind a firewall that implements NAT
• Dynamic IP assignment
• Firewall prevents management access to internal network
• NE doesn't open any ports for management system to connect to
• The operator prefers NE to initiate management connection (easier to secure one open port in data center)

Page 5: NETCONF Call Home

NETCONF Call Home Overview

(Figure: NETCONF Server (NE) on one side, NETCONF Client (Controller) on the other, with the layers between them, bottom to top: TCP Connection, SSH/TLS Session, NETCONF Session.)

• RFC draft: https://tools.ietf.org/html/draft-ietf-netconf-call-home-17
• Enables a NETCONF server (network element or device) to initiate a secure connection to a NETCONF client (network management system)
• Role reversal in TCP layer (while calling home, device is tcp-client)
• Other layer roles (SSH/TLS server, NETCONF server) remain the same

Page 6: NETCONF Call Home


OpenDaylight NETCONF Subsystem

Reference: https://wiki.opendaylight.org/view/OpenDaylight_Controller:Netconf:Design

Page 7: NETCONF Call Home

Connecting to NETCONF Device

• Method: PUT
• URI: http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/new-netconf-device
• Headers: Accept: application/xml; Content-Type: application/xml
• Payload:

    <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
      <node-id>new-netconf-device</node-id>
      <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
      <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
      <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
      <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
      <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
      <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">0</keepalive-delay>
    </node>

Reference: https://wiki.opendaylight.org/view/OpenDaylight_Controller:Config:Examples:Netconf

Page 8: NETCONF Call Home

Connecting to NETCONF Device

(Figure: OpenDaylight NETCONF connection architecture. Components: NetconfTopologyImpl, NetconfDeviceSalFacade, NetconfDevice, NetconfDeviceCommunicator, MD-SAL, NETCONF Device, Channel, Protocol Framework, NetconfClientDispatcherImpl, NetconfClientConfiguration; uses AsyncSshHandler.)

Page 9: NETCONF Call Home

OpenDaylight NETCONF/NETTY

(Figure: Netty Channel and Netty Channel Pipeline. A Client or Server Channel reads from and writes into buffers; the Channel Pipeline chains Inbound Handler 1 .. N and Outbound Handler 1 .. M; Socket.read() and Socket.write() are performed by Netty internal IO threads (Transport Implementation); IO requests are issued via ChannelHandlerContext.)

Reference: https://netty.io/

Page 10: NETCONF Call Home

Adding Call Home Support to OpenDaylight

(Figure: the connection architecture with the call-home components substituted. Components: NetconfDeviceSalFacade, NetconfDevice, CallhomeDeviceCommunicator, MD-SAL, NETCONF Device, Channel, Protocol Framework, CallhomeClientDispatcherImpl, NioSocketAcceptor, NetconfCallHome, ReversedNetconfClientConfiguration; uses ReversedAsyncSshHandler.)

Reference: https://git.opendaylight.org/gerrit/#/c/14119/1

Page 11: NETCONF Call Home


Adding Call Home Support to OpenDaylight

Page 12: NETCONF Call Home

Demo

• REST Client: Postman UI to view the auto discovered NETCONF device data, like capabilities etc.
• ODL Controller: Installed Call Home feature which starts TCP server on port 60830
• NETCONF Simulator: ODL NETCONF project has a built in NETCONF simulator. This simulator is modified to initiate TCP connection to the TCP server in the ODL controller

(Figure: demo topology. REST Client, IP: 192.168.56.1; ODL Controller (With Call Home Feature), IP: 192.168.56.101; ODL NETCONF Simulator (Initiates TCP Connection), IP: 192.168.56.102.)

Page 13: NETCONF Call Home

Future Works and Deviations

• Enhancements
  • Implement security considerations according to the draft-ietf-netconf-call-home-17 recommendation
  • Certificate-based authentication support
  • Precautions to mitigate DoS attacks
• Deviation
  • Keep-alive mechanism implemented in NETCONF client
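The role reversal from the overview slide and the security enhancements listed above, as an added example that is not part of this presentation or of the OpenDaylight code: the NETCONF-client side of a call-home connection, written with paramiko (an assumption; the deck's controller uses Netty and ReversedAsyncSshHandler). Only the TCP roles are reversed, so the controller runs the SSH handshake in client mode over the socket the device opened; because the initiating address proves nothing, the device is identified by its SSH host-key fingerprint against an allowlist provisioned out of band, and a per-source connection cap is the DoS precaution. The allowlist entry and key bytes are constructed; an accept loop (not shown) listening on the deck's port 60830 calls admit() before handing each socket to handle_call_home().

```python
import base64
import hashlib
import threading
from collections import Counter

MAX_PER_SOURCE = 2  # DoS precaution: concurrent call-home sockets allowed per source IP
_active, _lock = Counter(), threading.Lock()

def fingerprint(host_key: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a wire-encoded public key."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed allowlist: fingerprint -> device name, provisioned out of band. A calling
# device is identified by its SSH host key, never by the source address it connects from.
ALLOWED_DEVICES = {fingerprint(b"constructed sample host key of pe1"): "pe1"}

def lookup_device(host_key: bytes):
    """Provisioned device name for this host key, or None if it is not allowlisted."""
    return ALLOWED_DEVICES.get(fingerprint(host_key))

def admit(source_ip: str) -> bool:
    """Reserve a connection slot for source_ip; False once MAX_PER_SOURCE is reached."""
    with _lock:
        if _active[source_ip] >= MAX_PER_SOURCE:
            return False
        _active[source_ip] += 1
        return True

def release(source_ip: str) -> None:
    with _lock:  # free the slot taken by admit() once the call-home session ends
        _active[source_ip] -= 1

def handle_call_home(sock, source_ip: str, username: str, password: str):
    """TCP roles are reversed (the device connected to us) but SSH roles are not: paramiko
    runs in client mode over the accepted socket and the device remains the SSH server."""
    import paramiko  # assumption: paramiko is installed (the deck's controller uses Netty)
    transport = paramiko.Transport(sock)
    try:
        transport.start_client()                    # SSH handshake with the device as server
        device = lookup_device(transport.get_remote_server_key().asbytes())
        if device is None:                          # unknown host key: drop before any auth
            raise PermissionError("unknown host key from %s" % source_ip)
        transport.auth_password(username, password)
        chan = transport.open_session()
        chan.invoke_subsystem("netconf")            # NETCONF server role stays on the device
        return device, chan                         # caller exchanges <hello>, then release()
    except Exception:
        transport.close()
        release(source_ip)
        raise
```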

Page 14: NETCONF Call Home

Summary

• NETCONF Call Home can be integrated into OpenDaylight as a Karaf deployable feature
• Addition of Call Home doesn't impact the functionality of any existing OpenDaylight features
• Addition of Call Home feature is useful in many deployment scenarios of OpenDaylight controller

Page 15: NETCONF Call Home

References

• NETCONF Call Home and RESTCONF Call Home RFC Draft: https://tools.ietf.org/html/draft-ietf-netconf-call-home-17
• OpenDaylight Controller: Netconf: Design: https://wiki.opendaylight.org/view/OpenDaylight_Controller:Netconf:Design
• OpenDaylight Netconf Examples: https://wiki.opendaylight.org/view/OpenDaylight_Controller:Config:Examples:Netconf
• Gerrit Patch by Maros Marsalek: https://git.opendaylight.org/gerrit/#/c/14119/1
• Netty.io: https://netty.io/4.0/api/io/netty/channel/ChannelPipeline.html

Page 16: NETCONF Call Home

IMPORTANT NOTICE

The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.

Thank You
