[ovs-dev] [RFC PATCH v2 06/10] vxlanipsec: Add userspace support for vxlan ipsec.

Ben Pfaff blp at ovn.org
Tue Oct 31 22:00:42 UTC 2017


On Fri, Aug 25, 2017 at 05:40:28PM +0100, Ian Stokes wrote:
> This patch introduces a new tunnel port type 'vxlanipsec'. This port
> combines vxlan tunnelling with IPsec operating in transport mode.
> 
> Ciphering and authentication actions are provided by a DPDK cryptodev.
> The cryptodev operates as a vdev and is associated with the vxlan tunnel
> port. Upon tunnel encapsulation packets are encrypted and a hash digest
> attached to the packet as per RFC4303. Upon decapsulation a packet is
> first verified via the hash and then decrypted.
> 
> The cipher algorithm used is 128 AES-CBC and the authentication algorithm
> is HMAC-SHA1-96. Note this work is in progress and is not meant for
> upstream. Its purpose is to solicit feedback on the approach and known
> issues flagged in the accompanying cover letter to the patch series.
> 
> Signed-off-by: Ian Stokes <ian.stokes at intel.com>

Thanks a lot for working on this feature!

When I compile without dpdk enabled, I now get:

    ../lib/netdev-vport.c:31:10: fatal error: 'rte_config.h' file not found
    ../lib/netdev-native-tnl.c:35:10: fatal error: 'rte_config.h' file not found

"sparse" complains:

    ../lib/netdev-vport.h:40:22: warning: symbol 'spi_map' was not declared. Should it be static?

There is obviously a lot of code here to review, but I have not started
on that yet.
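
The decapsulation order in the quoted patch description (verify the hash, then decrypt), sketched as an added example that is not part of this thread or of the patch. It builds the RFC 4303 layout SPI | sequence number | IV | ciphertext | ICV with HMAC-SHA1-96; the function names, key, SPI, IV and ciphertext bytes are constructed for illustration, and AES-CBC itself is left out, so the ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac
import struct

ESP_HDR_LEN = 8   # 32-bit SPI + 32-bit sequence number
IV_LEN = 16       # AES-CBC IV, one cipher block
BLOCK_LEN = 16    # AES block size
ICV_LEN = 12      # HMAC-SHA1-96: first 96 bits of the 160-bit HMAC-SHA1


def esp_icv(auth_key, authenticated_bytes):
    """Truncated HMAC-SHA1 over ESP header + IV + ciphertext."""
    return hmac.new(auth_key, authenticated_bytes, hashlib.sha1).digest()[:ICV_LEN]


def esp_seal(auth_key, spi, seq, iv, ciphertext):
    """Encapsulation side: attach the ICV to an already encrypted payload."""
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + esp_icv(auth_key, body)


def esp_verify(auth_key, packet):
    """Decapsulation side: check the ICV before anything is decrypted.

    Returns (spi, seq, iv, ciphertext) when the packet authenticates,
    None otherwise. The caller decrypts only on a non-None result.
    """
    if len(packet) < ESP_HDR_LEN + IV_LEN + BLOCK_LEN + ICV_LEN:
        return None  # too short to hold header, IV, one block and ICV
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison so the check does not leak matching bytes.
    if not hmac.compare_digest(icv, esp_icv(auth_key, body)):
        return None
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    iv = body[ESP_HDR_LEN:ESP_HDR_LEN + IV_LEN]
    ciphertext = body[ESP_HDR_LEN + IV_LEN:]
    if len(ciphertext) % BLOCK_LEN:
        return None  # CBC ciphertext must be whole blocks
    return spi, seq, iv, ciphertext


# Constructed sample values, not taken from the patch.
SAMPLE_KEY = bytes(range(20))
SAMPLE_IV = bytes(16)
SAMPLE_CT = bytes(range(32))  # stands in for two AES-CBC blocks

if __name__ == "__main__":
    pkt = esp_seal(SAMPLE_KEY, 0x1001, 1, SAMPLE_IV, SAMPLE_CT)
    print("valid:", esp_verify(SAMPLE_KEY, pkt) is not None)
    tampered = pkt[:30] + bytes([pkt[30] ^ 0x01]) + pkt[31:]
    print("tampered accepted:", esp_verify(SAMPLE_KEY, tampered) is not None)
```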

