[ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Thu Jul 5 19:32:10 UTC 2018


Sure. I will document this. "ip xfrm state" also shows whether
encryption is taking effect in the kernel.

-Qiuyu

On Thu, Jul 5, 2018 at 11:11 AM, Ben Pfaff <blp at ovn.org> wrote:
> On Tue, Jul 03, 2018 at 01:13:05PM -0700, Ben Pfaff wrote:
>> On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote:
>> > This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
>> > binary option to its user for encryption configuration. If the IPsec
>> > option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
>> > will be encrypted.
>> >
>> > The changes are summarized as below:
>> > 1) Added a ipsec column on the NB_Global table and SB_Global table. The
>> > value of ipsec column is propagated by ovn-northd from NB_Global to
>> > SB_Global.
>> >
>> > 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
>> > value is true, ovn-controller sets options of the tunnel interface by
>> > specifying "options:pki=ca_auth options:local_name=<local_chassis_name>
>> > options:remote_name=<remote_chassis_name>". If the ipsec value is false,
>> > ovn-controller removes these options.
>> >
>> > 3) ovs-monitor-ipsec daemon
>> > (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
>> > monitors the tunnel interface options and configures IKE daemon
>> > accordingly for IPsec encryption.
>>
>> This is much simpler than I expected.  Great.
>>
>> Would you mind adding something, probably to the ovn-architecture
>> document, that explains the purpose for encrypted tunnels and the
>> threat model?  You posted a document earlier that might be a good place
>> to start.
>>
>> The ovn-architecture document is in ovn/ovn-architecture.7.xml.
>
> There was a new suggestion in the OVN meeting morning, which is that it
> would be valuable to document good ways to verify that encryption is
> actually working and in use.  I suggested using tcpdump or wireshark to
> see that IPSEC traffic is really flowing, but there may be other or
> better ways.


More information about the dev mailing list