COOP: Council of Oracle Protocol – A Modern Overview
The Council of Oracle Protocol (COOP) is the mechanism by which leaf switches send endpoint mapping data (endpoint identity and location) to spine proxies within the fabric. The transport is Zero Message Queue (ZMQ): each leaf relays its endpoint details to a designated spine switch known as the "Oracle." Spine nodes running COOP maintain a synchronized repository of endpoint mappings, keeping the fabric's view consistent. COOP also manages a Distributed Hash Table (DHT) that stores identity-to-location mappings and forms the backbone of the protocol's database.
To keep transport both secure and efficient, COOP uses high-priority channels and encrypted connections. Its messages are further protected by MD5-based authentication, which prevents unauthorized traffic from being injected into a COOP session. Both the APIC controller and the fabric switches support this authentication mechanism.
COOP now supports two distinct ZMQ authentication modes:
- Strict Mode: Only MD5-authenticated ZMQ connections are permitted, ensuring maximum security.
- Compatible Mode: Allows both authenticated and non-authenticated ZMQ connections, offering flexibility for diverse network environments.
Integrating COOP with Cisco APIC: Secure ZMQ Authentication in ACI Fabric
To enable secure communication across the Cisco Application Centric Infrastructure (ACI), the Application Policy Infrastructure Controller (APIC) incorporates support for COOP Zero Message Queue (ZMQ) authentication. This includes the use of MD5-based password protection and a secure operational mode for COOP messaging.
Configuration of COOP ZMQ Authentication Type
A new managed object, coop:AuthP, has been introduced within the Data Management Engine (DME) under the COOP database path (coop/inst/auth). This object allows administrators to define the authentication mode for COOP ZMQ connections. By default, the mode is set to "compatible", permitting both authenticated and unauthenticated connections. For environments requiring stricter security, the mode can be switched to "strict", which enforces MD5 authentication exclusively.
Managing the MD5 Password for COOP Authentication
The APIC also provides a managed object named fabric:SecurityToken, which includes a dynamic attribute called "token". This token serves as the MD5 password and is refreshed automatically every hour. COOP receives update notifications from the DME to ensure the password remains current. For security reasons, the actual token value is not exposed or displayed.
COOP Strict Mode Behavior During ACI Fabric Upgrades
When performing an upgrade across the Cisco ACI fabric, the system temporarily disables COOP strict mode until all switches have completed the upgrade process. This safeguard prevents disruptions in COOP communication; specifically, it avoids the risk of a switch rejecting COOP connections because strict authentication was enforced before every peer could authenticate. By deferring strict mode activation, the fabric preserves interoperability and avoids authentication mismatches during the transitional state.
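The following model, added here and not part of the original page or of Cisco's implementation, shows how the two authentication modes and the upgrade behavior described above decide whether the Oracle accepts a message. It assumes the authentication tag is a keyed MD5 (HMAC-MD5) over the message body using the hourly fabric token; that construction, the message layout and the sample endpoint strings are constructed for illustration and are not Cisco's wire format.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the authentication tag is HMAC-MD5 over the message body keyed
# with the fabric security token. This is a teaching model, not Cisco's
# wire format; the message layout is constructed for this example.

TOKEN_LIFETIME_S = 3600  # the page states the token is refreshed every hour
VALID_MODES = ("compatible", "strict")


@dataclass
class SecurityToken:
    """Models fabric:SecurityToken: an opaque secret rotated hourly by the DME."""
    value: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    issued_at: float = field(default_factory=time.time)

    def rotate_if_expired(self, now: Optional[float] = None) -> bytes:
        now = time.time() if now is None else now
        if now - self.issued_at >= TOKEN_LIFETIME_S:
            self.value = secrets.token_bytes(16)
            self.issued_at = now
        return self.value


def auth_tag(token: bytes, body: bytes) -> bytes:
    """Keyed MD5 tag binding the body to the current token (model only)."""
    return hmac.new(token, body, hashlib.md5).digest()


@dataclass
class CoopMessage:
    body: bytes
    tag: Optional[bytes] = None  # None models a non-authenticated ZMQ connection


def leaf_send(token: bytes, body: bytes, authenticate: bool = True) -> CoopMessage:
    """A leaf relaying an endpoint update, with or without authentication."""
    return CoopMessage(body, auth_tag(token, body) if authenticate else None)


def effective_mode(configured: str, all_switches_upgraded: bool) -> str:
    """During a fabric upgrade strict mode is suspended until every switch
    has finished upgrading; otherwise the configured mode applies."""
    if configured not in VALID_MODES:
        raise ValueError(f"unknown COOP auth mode: {configured}")
    if configured == "strict" and not all_switches_upgraded:
        return "compatible"
    return configured


def oracle_accepts(mode: str, token: bytes, msg: CoopMessage) -> bool:
    """Admission decision of the spine ('Oracle') for one inbound message."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown COOP auth mode: {mode}")
    if msg.tag is None:
        # Unauthenticated connection: tolerated in compatible mode, refused in strict.
        return mode == "compatible"
    # Authenticated connection: the tag must verify under the current token in
    # either mode, so a message tagged with a stale or wrong token is rejected.
    return hmac.compare_digest(msg.tag, auth_tag(token, msg.body))


if __name__ == "__main__":
    tok = SecurityToken()
    good = leaf_send(tok.value, b"ep=10.0.0.5 leaf=101")  # constructed sample
    anon = leaf_send(tok.value, b"ep=10.0.0.5 leaf=101", authenticate=False)
    for mode in VALID_MODES:
        print(mode, "authenticated:", oracle_accepts(mode, tok.value, good),
              "unauthenticated:", oracle_accepts(mode, tok.value, anon))
```

The point the model makes explicit is that compatible mode only relaxes the check for connections that present no tag at all; a tagged message that fails verification is refused in both modes, and after the hourly rotation a tag computed under the previous token no longer verifies.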
Configuring COOP Authentication Policy in Cisco ACI
Using the Cisco APIC GUI
To set the COOP authentication mode through the APIC interface:
- Navigate to System > System Settings from the top menu.
- In the left-hand Navigation pane, select COOP Group.
- In the Work pane, locate the Policy Property section. Under the Type field, choose either:
  - Compatible Type – allows both authenticated and unauthenticated ZMQ connections.
  - Strict Type – enforces MD5 authentication for all ZMQ connections.
- Click Submit to apply the changes.
This completes the configuration of the COOP authentication policy via the APIC GUI.
Using the Cisco NX-OS-Style CLI
To configure COOP authentication using the command-line interface, enter the coop-fabric configuration context and set the authentication type:
apic1(config)# coop-fabric
apic1(config-coop-fabric)# authentication type ?
  compatible  Compatible type
  strict      Strict type
apic1(config-coop-fabric)# authentication type strict
The last command sets the COOP authentication mode to strict, ensuring that only MD5-authenticated ZMQ connections are accepted.
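The same setting can be applied programmatically through the APIC REST API. The script below is an added example, not part of the original page or of Cisco's own tooling. It assumes (the page does not state this) that the fabric-wide COOP group policy is the coopPol managed object at the distinguished name uni/fabric/pol-default and that its "type" attribute takes the same two values as the CLI, "compatible" or "strict"; the login exchange uses the standard aaaLogin endpoint and APIC-cookie session token. The APIC URL and credentials are read from environment variables.

```python
import json
import os
import ssl
import urllib.request

# Assumptions (not stated on the page): the fabric-wide COOP group policy is
# the coopPol managed object at dn uni/fabric/pol-default, and its "type"
# attribute takes the same two values as the CLI, "compatible" or "strict".
COOP_POLICY_DN = "uni/fabric/pol-default"
VALID_MODES = ("compatible", "strict")


def build_coop_auth_payload(mode: str) -> dict:
    """JSON body for the APIC REST API that sets the COOP authentication type."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    return {"coopPol": {"attributes": {"dn": COOP_POLICY_DN, "type": mode}}}


def build_login_payload(user: str, password: str) -> dict:
    """Body of the aaaLogin request."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


class ApicSession:
    """Minimal APIC REST client: aaaLogin, then a POST to the policy DN."""

    def __init__(self, base_url: str, verify_tls: bool = True):
        self.base_url = base_url.rstrip("/")
        self.cookie = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab fabrics often run with self-signed certificates
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _post(self, path: str, payload: dict) -> dict:
        req = urllib.request.Request(
            self.base_url + path,
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        if self.cookie:
            req.add_header("Cookie", f"APIC-cookie={self.cookie}")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

    def login(self, user: str, password: str) -> None:
        data = self._post("/api/aaaLogin.json", build_login_payload(user, password))
        self.cookie = data["imdata"][0]["aaaLogin"]["attributes"]["token"]

    def set_coop_auth_mode(self, mode: str) -> dict:
        return self._post(f"/api/mo/{COOP_POLICY_DN}.json",
                          build_coop_auth_payload(mode))


if __name__ == "__main__":
    # APIC_URL, APIC_USER and APIC_PASSWORD are required; set APIC_VERIFY_TLS=0
    # only for a lab fabric whose certificate cannot be validated.
    apic = ApicSession(os.environ["APIC_URL"],
                       os.environ.get("APIC_VERIFY_TLS", "1") != "0")
    apic.login(os.environ["APIC_USER"], os.environ["APIC_PASSWORD"])
    print(apic.set_coop_auth_mode(os.environ.get("COOP_AUTH_MODE", "strict")))
```

Validating the mode before the request is sent means a typo such as "Strict" fails locally instead of producing an APIC error; confirm the resulting policy in the GUI under System > System Settings > COOP Group after the POST returns.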