[ovs-dev] [PATCH v4 8/9] OVN: native support for tunnel encryption

Ben Pfaff blp at ovn.org
Thu Aug 2 18:31:22 UTC 2018


On Tue, Jul 31, 2018 at 02:08:53PM -0700, Qiuyu Xiao wrote:
> This patch adds IPsec support for OVN tunnels. Basically, OVN offers a
> binary option to its user for encryption configuration. If the IPsec
> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
> will be encrypted.
> 
> The changes are summarized as below:
> 1) Added an ipsec column on the NB_Global table and SB_Global table. The
> value of the ipsec column is propagated by ovn-northd from NB_Global to
> SB_Global.
> 
> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
> value is true, ovn-controller sets options of the tunnel interface by
> specifying "options:remote_name=<remote_chassis_name>". If the ipsec
> value is false, ovn-controller removes these options.
> 
> 3) ovs-monitor-ipsec daemon
> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
> monitors the tunnel interface options and configures IKE daemon
> accordingly for IPsec encryption.
> 
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>

It seems like, to be more secure, it would be wise for ovn-controller in
ipsec mode to set ipsec_skb_mark to 1/1 and then add an OpenFlow flow
that sets skb_mark to 1.  What do you think?

Thanks,

Ben.
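The quoted summary describes the invariant the patch establishes on each chassis: when the ipsec column is true, every OVN tunnel interface carries options:remote_name, and when it is false, none does. The following added audit script (not part of the patch or of OVN/OVS) parses a constructed sample of `ovs-vsctl list Interface` output and reports tunnel interfaces whose options disagree with the ipsec flag; the sample records and chassis names are invented, and the tunnel type set and the record layout are assumptions about the ovs-vsctl output format.

```python
import re

# Constructed sample of `ovs-vsctl list Interface` output; not a real capture.
SAMPLE_IFACES = """\
name                : "ovn-chas1-0"
type                : geneve
options             : {csum="true", key=flow, remote_ip="10.0.0.2", remote_name=chassis-1}

name                : "ovn-chas2-0"
type                : geneve
options             : {csum="true", key=flow, remote_ip="10.0.0.3"}

name                : br-int
type                : internal
options             : {}
"""

# Tunnel encapsulations ovn-controller may create (assumption for this check).
TUNNEL_TYPES = {"geneve", "vxlan", "stt"}


def parse_interfaces(text):
    """Parse blank-line separated 'key : value' records into dicts.

    The 'options' column is expanded from its {k=v, ...} form into a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip('"')
        opts = {}
        m = re.match(r"\{(.*)\}", rec.get("options", "{}"))
        if m and m.group(1).strip():
            for kv in m.group(1).split(","):
                k, _, v = kv.partition("=")
                opts[k.strip()] = v.strip().strip('"')
        rec["options"] = opts
        records.append(rec)
    return records


def audit_tunnels(ifaces, ipsec_enabled):
    """Return names of tunnel interfaces whose remote_name option does not
    match the SB_Global ipsec flag: missing while IPsec is on (traffic would
    go unencrypted) or still present while IPsec is off (stale state)."""
    mismatched = []
    for rec in ifaces:
        if rec.get("type") not in TUNNEL_TYPES:
            continue  # br-int and other non-tunnel ports are not affected
        has_remote_name = "remote_name" in rec["options"]
        if has_remote_name != ipsec_enabled:
            mismatched.append(rec["name"])
    return mismatched
```

Run against live output with `ovs-vsctl list Interface` and the value of the ipsec column from `ovn-sbctl list SB_Global`; an empty result means every tunnel interface is in the state the patch intends.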

