[ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption

Ben Pfaff blp at ovn.org
Tue Jul 3 20:13:05 UTC 2018


On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote:
> This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
> binary option to its user for encryption configuration. If the IPsec
> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
> will be encrypted.
> 
> The changes are summarized as below:
> 1) Added an ipsec column on the NB_Global table and SB_Global table. The
> value of ipsec column is propagated by ovn-northd from NB_Global to
> SB_Global.
> 
> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
> value is true, ovn-controller sets options of the tunnel interface by
> specifying "options:pki=ca_auth options:local_name=<local_chassis_name>
> options:remote_name=<remote_chassis_name>". If the ipsec value is false,
> ovn-controller removes these options.
> 
> 3) ovs-monitor-ipsec daemon
> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
> monitors the tunnel interface options and configures IKE daemon
> accordingly for IPsec encryption.

This is much simpler than I expected.  Great.

Would you mind adding something, probably to the ovn-architecture
document, that explains the purpose for encrypted tunnels and the
threat model?  You posted a document earlier that might be a good place
to start.

The ovn-architecture document is in ovn/ovn-architecture.7.xml.
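As an added example (not code from the patch, from OVS or from OVN), a small Python audit of the per-tunnel options described in step 2 of the summary: it assumes the tunnel inventory and each tunnel's remote chassis name are supplied by the caller (constructed here rather than read from ovs-vsctl), and reports any tunnel whose IPsec-related options disagree with the ipsec flag.

```python
# Added example, not part of the patch or of OVS/OVN: audit the options the
# summary says ovn-controller sets on tunnel interfaces when SB_Global.ipsec
# is true (pki=ca_auth, local_name, remote_name) and removes when false.

IPSEC_OPTIONS = ("pki", "local_name", "remote_name")


def expected_options(ipsec_enabled, local_chassis, remote_chassis):
    """Options a tunnel interface should carry for the given ipsec flag."""
    if not ipsec_enabled:
        return {}
    return {"pki": "ca_auth",
            "local_name": local_chassis,
            "remote_name": remote_chassis}


def audit_tunnels(ipsec_enabled, local_chassis, tunnels):
    """Compare each tunnel's IPsec-related options with what the flag requires.

    `tunnels` maps interface name -> {"remote_chassis": str,
    "options": {option: value}}; the remote chassis name is assumed to be
    known to the caller.  Returns [(interface, expected, actual)] for every
    mismatch, so an empty list means all tunnels agree with the flag.
    """
    findings = []
    for iface, tun in sorted(tunnels.items()):
        actual = {k: v for k, v in tun["options"].items() if k in IPSEC_OPTIONS}
        wanted = expected_options(ipsec_enabled, local_chassis,
                                  tun["remote_chassis"])
        if actual != wanted:
            findings.append((iface, wanted, actual))
    return findings


# Constructed sample: chassis "hv1" with tunnels to hv2 (correct), hv3 (no
# IPsec options at all) and hv4 (remote_name left over for another chassis).
SAMPLE_TUNNELS = {
    "ovn-hv2-0": {"remote_chassis": "hv2",
                  "options": {"remote_ip": "192.0.2.2", "pki": "ca_auth",
                              "local_name": "hv1", "remote_name": "hv2"}},
    "ovn-hv3-0": {"remote_chassis": "hv3",
                  "options": {"remote_ip": "192.0.2.3"}},
    "ovn-hv4-0": {"remote_chassis": "hv4",
                  "options": {"remote_ip": "192.0.2.4", "pki": "ca_auth",
                              "local_name": "hv1", "remote_name": "hv9"}},
}

if __name__ == "__main__":
    for iface, wanted, actual in audit_tunnels(True, "hv1", SAMPLE_TUNNELS):
        print("%s: expected %s, found %s" % (iface, wanted, actual))
```

With the flag true, hv3 is reported as unencrypted and hv4 as carrying a peer name that does not match its chassis; with the flag false, the same audit reports hv2 and hv4 for stale options that ovn-controller should have removed.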

