Authentication between vSmart & vBond

Posted on Jan 27, 2020

The first two devices that validate and authenticate each other over the Viptela overlay network are the vSmart controller and the vBond orchestrator. This validation and authentication is initiated by the vSmart controller.

When you begin to provision the vSmart controller, you add the DNS name or the IP address of the vBond orchestrator. When the vSmart controller sends a request to vBond, vBond is primed to reply because:

  • vBond is aware that its role is to authenticate systems, as this information is included in the vBond configuration
  • The vSmart serial number is downloaded from vManage and provided to the vBond orchestrator

If vBond is not yet started, vSmart sends the authentication request periodically until authentication is successful.

The vSmart controller initiates an encrypted DTLS connection to vBond. This encryption is based on RSA: each device automatically generates an RSA public and private key pair when it boots.

Over this secure channel, the vSmart controller and vBond authenticate each other. To start with, let's look at the vSmart controller's authentication of the vBond orchestrator.

  1. vBond sends its trusted root CA signed certificate to the vSmart controller.
  2. vBond also sends the vEdge authorized serial number file to the vSmart controller.
  3. vSmart extracts the organization name from the certificate and compares it with the organization name configured on itself. If they do not match, vSmart tears down the DTLS connection.
  4. If they match, vSmart uses the root CA chain to verify the certificate. If the certificate signature is correct, vSmart confirms that the certificate is valid; if the signature is not correct, vSmart tears down the connection.

Once these checks have passed, vSmart has confirmed the identity of the vBond orchestrator and the authentication is complete.

In the other direction, let's see how the vBond orchestrator authenticates the vSmart controller.

  1. vSmart sends its trusted root CA signed certificate to the vBond orchestrator.
  2. The vBond orchestrator uses its chain of trust to extract the vSmart controller serial number from the certificate and compares it against the vSmart authorized serial number file. If it does not match, the DTLS connection is torn down.
  3. If the serial number matches, vBond extracts the organization name from the certificate and compares it with the organization name configured on itself. If they do not match, vBond tears down the DTLS connection.
  4. If they match, vBond uses the root CA chain to verify the certificate. If the certificate signature is correct, vBond confirms that the certificate is valid; if the signature is not correct, vBond tears down the connection.

Once these checks have passed, vBond has confirmed the identity of the vSmart controller and the authentication is complete.
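The two check lists above differ only in the serial number lookup that vBond performs first. The following added example (not Cisco/Viptela code) models both directions with X.509 certificates built using the third-party `cryptography` package. It assumes, for illustration only, that the organization name is carried in the subject O field and the device serial number in the X.509 serial field; `authenticate_peer`, `demo` and the `example-org` root CA are constructed for this example and return the tear-down reason a controller would log.

```python
"""Model of the vSmart <-> vBond certificate checks described in the post.
Added example, not Viptela/Cisco code.  Assumptions: organization name lives in
the subject O attribute, device serial number in the X.509 serial field."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name, org):
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
    ])


def _build(subject, issuer, public_key, serial, signing_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(serial)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if is_ca:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return builder.sign(signing_key, hashes.SHA256())


def make_root_ca(org):
    """Self-signed root CA standing in for the trusted root in the post."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = _name("root-ca", org)
    return key, _build(subject, subject, key.public_key(),
                       x509.random_serial_number(), key, True)


def issue_device_cert(ca_key, ca_cert, common_name, org, serial):
    """Each device generates its own RSA key pair (as the post says, at boot);
    the root CA signs a certificate carrying the device serial number."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, _build(_name(common_name, org), ca_cert.subject,
                       key.public_key(), serial, ca_key, False)


def org_name(cert):
    attrs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return attrs[0].value if attrs else None


def signed_by_root(cert, root_cert):
    """Step 4 in both lists: verify the peer certificate signature with the
    root CA public key."""
    try:
        root_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def authenticate_peer(peer_cert, root_cert, my_org, authorized_serials=None):
    """Run the checks in the order the post gives and return (accepted, reason).
    `authorized_serials` is the serial number file vBond consults when checking
    vSmart; vSmart passes None because it does not check vBond's serial."""
    if authorized_serials is not None and peer_cert.serial_number not in authorized_serials:
        return False, "serial number not in authorized list: tear down DTLS"
    if org_name(peer_cert) != my_org:
        return False, "organization name mismatch: tear down DTLS"
    if not signed_by_root(peer_cert, root_cert):
        return False, "certificate not signed by trusted root CA: tear down DTLS"
    return True, "peer authenticated"


def demo():
    """Constructed scenario: valid vBond and vSmart certificates, plus a cert
    from another organization and one signed by an untrusted root."""
    ca_key, ca_cert = make_root_ca("example-org")
    _, vbond_cert = issue_device_cert(ca_key, ca_cert, "vbond", "example-org", 1001)
    _, vsmart_cert = issue_device_cert(ca_key, ca_cert, "vsmart", "example-org", 2001)
    _, wrong_org = issue_device_cert(ca_key, ca_cert, "vsmart", "other-org", 2002)
    other_key, other_ca = make_root_ca("example-org")
    _, wrong_root = issue_device_cert(other_key, other_ca, "vsmart", "example-org", 2003)
    authorized = {2001, 2002, 2003}  # constructed authorized serial file from vManage
    return {
        "vsmart_checks_vbond": authenticate_peer(vbond_cert, ca_cert, "example-org"),
        "vbond_checks_vsmart": authenticate_peer(vsmart_cert, ca_cert, "example-org", authorized),
        "unlisted_serial": authenticate_peer(vsmart_cert, ca_cert, "example-org", {9999}),
        "wrong_org": authenticate_peer(wrong_org, ca_cert, "example-org", authorized),
        "wrong_root": authenticate_peer(wrong_root, ca_cert, "example-org", authorized),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks mirrors the post: a serial number that is absent from the authorized file is rejected before the organization name or the signature is even examined, and a certificate with the right organization name but the wrong issuing root still fails at the chain check.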

Once bi-directional authentication is complete, the temporary DTLS connection becomes a permanent DTLS connection, and the two devices establish an OMP session over it.

If multiple vSmart controllers and vBond orchestrators are present in a domain for redundancy, this process repeats between each pair of vSmart and vBond devices.

A vBond orchestrator therefore has as many permanent DTLS connections as there are vSmart controllers in the network topology. Once all vSmart controllers have registered with the vBond orchestrator, both are ready to validate and authenticate the vEdge routers in the Viptela network.
