[ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Tue Jul 3 20:20:48 UTC 2018


Thanks for the review! I will work on adding this documentation soon.

-Qiuyu

On Tue, Jul 3, 2018 at 1:13 PM, Ben Pfaff <blp at ovn.org> wrote:
> On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote:
>> This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
>> binary option to its user for encryption configuration. If the IPsec
>> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
>> will be encrypted.
>>
>> The changes are summarized as below:
>> 1) Added an ipsec column on the NB_Global table and SB_Global table. The
>> value of ipsec column is propagated by ovn-northd from NB_Global to
>> SB_Global.
>>
>> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
>> value is true, ovn-controller sets options of the tunnel interface by
>> specifying "options:pki=ca_auth options:local_name=<local_chassis_name>
>> options:remote_name=<remote_chassis_name>". If the ipsec value is false,
>> ovn-controller removes these options.
>>
>> 3) ovs-monitor-ipsec daemon
>> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
>> monitors the tunnel interface options and configures IKE daemon
>> accordingly for IPsec encryption.
>
> This is much simpler than I expected.  Great.
>
> Would you mind adding something, probably to the ovn-architecture
> document, that explains the purpose for encrypted tunnels and the
> threat model?  You posted a document earlier that might be a good place
> to start.
>
> The ovn-architecture document is in ovn/ovn-architecture.7.xml.
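An added example (not part of the patch or the thread) that audits the design described above from the chassis side: when the ipsec option is on, every tunnel interface should carry `options:pki=ca_auth`, `options:local_name=<local_chassis_name>` and `options:remote_name=<remote_chassis_name>`; when it is off, none of them should remain. The `ovs-vsctl list Interface`-style text, interface names and chassis names are constructed sample data.

```python
import re

# Constructed sample in the layout of `ovs-vsctl --columns=name,type,options list Interface`.
# The first tunnel carries the IPsec options, the second one does not.
SAMPLE = """
name                : "ovn-chassis2-0"
type                : geneve
options             : {csum="true", key=flow, local_name=chassis1, pki=ca_auth, remote_ip="10.0.0.2", remote_name=chassis2}

name                : "ovn-chassis3-0"
type                : geneve
options             : {csum="true", key=flow, remote_ip="10.0.0.3"}

name                : br-int
type                : internal
options             : {}
"""

TUNNEL_TYPES = {"geneve", "vxlan", "stt"}
IPSEC_OPTIONS = ("pki", "local_name", "remote_name")


def parse_interfaces(text):
    """Parse blank-line separated 'key : value' records; options become a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip('"')
        # options look like {k=v, k="quoted v", ...}; unquote each value
        rec["options"] = {k: v.strip('"') for k, v in
                          re.findall(r'(\w+)=("[^"]*"|[^,}\s]+)', rec.get("options", ""))}
        records.append(rec)
    return records


def audit_tunnels(records, ipsec_enabled, local_chassis):
    """Return {tunnel_name: [problem, ...]} where options disagree with the ipsec setting."""
    problems = {}
    for rec in records:
        if rec.get("type") not in TUNNEL_TYPES:
            continue  # only tunnel ports are expected to carry IPsec options
        opts, issues = rec["options"], []
        if ipsec_enabled:
            if opts.get("pki") != "ca_auth":
                issues.append("pki is %r, expected ca_auth" % opts.get("pki"))
            if opts.get("local_name") != local_chassis:
                issues.append("local_name is %r, expected %r" % (opts.get("local_name"), local_chassis))
            if not opts.get("remote_name"):
                issues.append("remote_name missing")
        else:
            stale = [o for o in IPSEC_OPTIONS if o in opts]
            if stale:
                issues.append("stale IPsec options: " + ", ".join(stale))
        if issues:
            problems[rec["name"]] = issues
    return problems
```

An unencrypted tunnel left behind while ipsec is on (or options left behind after it is turned off) shows up as a non-empty result, which is the condition an operator would want to alert on.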
