TLS-based encryption

The gRPC server on SR OS can operate in the following modes:

without TLS encryption
with TLS encryption

TLS encryption is used for added security; however, TLS encryption can be disabled in lab environments.

If TLS is not enabled, gRPC messages are not encrypted and usernames and passwords required in gRPC communication are visible to anyone capturing the packets. Therefore, Nokia recommends disabling TLS encryption only in a closed environment.

Before a gRPC connection comes up without TLS, the following conditions must be met:

no TLS server profile is assigned to the gRPC server
the allow-unsecure-connection flag is set

The following summarizes the process of encryption; to use TLS encryption:

The gRPC session must be in an encrypted state.
If the gRPC client and gRPC server are unable to negotiate an encrypted gRPC session, the gRPC session fails and the gRPC server sends an error.
Fallback from an encrypted to an unencrypted gRPC session is not allowed.

For information about how to configure TLS with gRPC, see the TLS chapter.

Note: SR OS TLS supports both ALPN and NPN, which are defined in RFC 7301. For any SR OS TLS server or client profile, SR OS TLS handshake always offers ALPN first, and offers NPN only if the gNMI client does not support ALPN. Consequently, no specific configurations are needed in SR OS to enable or disable ALPN or NPN extensions. For gNMI clients that use ALPN, SR OS verifies the specified HTTP2 ID and port (if needed) before replying to the gNMI client with the same HTTP2 ID and port. For gNMI clients that use NPN, SR OS retains NPN support for backward compatibility.