[ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption

Ben Pfaff blp at ovn.org
Thu Jul 5 18:11:39 UTC 2018

On Tue, Jul 03, 2018 at 01:13:05PM -0700, Ben Pfaff wrote:
> On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote:
> > This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
> > binary option to its user for encryption configuration. If the IPsec
> > option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
> > will be encrypted.
> > 
> > The changes are summarized as below:
> > 1) Added an ipsec column on the NB_Global table and SB_Global table. The
> > value of ipsec column is propagated by ovn-northd from NB_Global to
> > SB_Global.
> > 
> > 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
> > value is true, ovn-controller sets options of the tunnel interface by
> > specifying "options:pki=ca_auth options:local_name=<local_chassis_name>
> > options:remote_name=<remote_chassis_name>". If the ipsec value is false,
> > ovn-controller removes these options.
> > 
> > 3) ovs-monitor-ipsec daemon
> > (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
> > monitors the tunnel interface options and configures IKE daemon
> > accordingly for IPsec encryption.
> This is much simpler than I expected.  Great.
> Would you mind adding something, probably to the ovn-architecture
> document, that explains the purpose for encrypted tunnels and the
> threat model?  You posted a document earlier that might be a good place
> to start.
> The ovn-architecture document is in ovn/ovn-architecture.7.xml.

There was a new suggestion in the OVN meeting this morning, which is that it
would be valuable to document good ways to verify that encryption is
actually working and in use.  I suggested using tcpdump or wireshark to
see that IPSEC traffic is really flowing, but there may be other or
better ways.
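
One way to automate the tcpdump/Wireshark check suggested in the message above, as an added example that is not part of the original message or of OVS/OVN code. It assumes raw IPv4 packets (link-layer header already stripped) captured on the physical interface between two chassis; the function names and sample packets are constructed for illustration, and the ports are the usual Geneve (6081), VXLAN (4789) and OVS STT (7471) ones.

```python
import struct
from collections import Counter

# Cleartext OVN encapsulations by (L4 protocol, destination port).
TUNNELS = {(17, 6081): "geneve", (17, 4789): "vxlan", (6, 7471): "stt"}

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the underlay NIC."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 50:                               # ESP rides directly on IP
        return "esp"
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if proto not in (6, 17) or frag_offset or len(pkt) < ihl + 4:
        return "other"                            # no L4 ports to inspect
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    if proto == 17 and 4500 in (sport, dport):    # NAT traversal (RFC 3948)
        body = pkt[ihl + 8:]
        if len(body) < 4:
            return "other"                        # NAT keepalive
        return "ike" if body[:4] == b"\0\0\0\0" else "esp"
    if proto == 17 and 500 in (sport, dport):
        return "ike"
    name = TUNNELS.get((proto, dport))
    return f"cleartext-{name}" if name else "other"

def verify(packets):
    """Return (ok, counts): ok only if ESP was seen and no cleartext tunnel was."""
    counts = Counter(classify(p) for p in packets)
    leaked = any(k.startswith("cleartext-") for k in counts)
    return counts["esp"] > 0 and not leaked, counts

# --- constructed sample packets (checksums left at zero) ---
def ipv4(proto, payload, src=bytes([192, 0, 2, 1]), dst=bytes([192, 0, 2, 2])):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
ESP = ipv4(50, struct.pack("!II", 0xC0FFEE01, 1) + bytes(32))
NATT_ESP = ipv4(17, udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 2) + bytes(32)))
IKE = ipv4(17, udp(500, 500, bytes(28)))
GENEVE = ipv4(17, udp(49152, 6081, bytes(8) + b"inner frame"))

if __name__ == "__main__":
    print(verify([IKE, ESP, NATT_ESP]))   # encrypted chassis pair
    print(verify([IKE, ESP, GENEVE]))     # one tunnel still in the clear
```

Seeing ESP alone is not enough: the check fails whenever any Geneve, VXLAN or STT packet appears unencrypted on the underlay, which is the case a quick glance at a capture tends to miss.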
