[ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Fri Jul 27 20:44:28 UTC 2018


This patch series reintroduces IPsec support for OVS tunneling and enables OVN to
use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merged the ovs-monitor-ipsec code to a single patch. Added LibreSwan IKE
daemon support.
2. Added ovs-monitor-ipsec to flake8 check.
3. Used openssl to extract CN from certificate so that users don't need to
specify the CN information in the configuration interface.
4. Improved documentation as suggested.

Changes from v2 to v3
---------------------
1. Added scripts and rules to create ovs-ipsec RPM package.
2. Added Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec
tutorial. Modified Documentation/howto/ipsec.rst which gives a detailed
description of OVS IPsec configuration modes.
3. Modified ovs-pki to generate an X.509 version 3 certificate when self-signing.
4. IPsec tunnel interface needs 'local_ip' information. Modified ovn-controller
to add 'local_ip' when IPsec is enabled.
5. Added a section to ovn/ovn-architecture.7.xml to introduce OVN IPsec.

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup to enable IPsec policy
    match.
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  ovs-pki: generate x.509 v3 certificate
  OVN: native support for tunnel encryption

 Documentation/automake.mk                     |    2 +
 Documentation/howto/index.rst                 |    1 +
 Documentation/howto/ipsec.rst                 |  193 +++
 Documentation/tutorials/index.rst             |    1 +
 Documentation/tutorials/ipsec.rst             |  340 +++++
 Makefile.am                                   |    1 +
 NEWS                                          |    3 +
 datapath/linux/compat/geneve.c                |   29 +-
 datapath/linux/compat/stt.c                   |   15 +-
 datapath/linux/compat/vxlan.c                 |   14 +-
 debian/automake.mk                            |    3 +
 debian/control                                |   21 +
 debian/openvswitch-ipsec.dirs                 |    1 +
 debian/openvswitch-ipsec.init                 |  181 +++
 debian/openvswitch-ipsec.install              |    1 +
 ipsec/automake.mk                             |   10 +
 ipsec/ovs-monitor-ipsec                       | 1158 +++++++++++++++++
 ovn/controller/encaps.c                       |   31 +-
 ovn/controller/encaps.h                       |    7 +-
 ovn/controller/ovn-controller.c               |    4 +-
 ovn/northd/ovn-northd.c                       |    8 +-
 ovn/ovn-architecture.7.xml                    |   39 +
 ovn/ovn-nb.ovsschema                          |    7 +-
 ovn/ovn-nb.xml                                |    6 +
 ovn/ovn-sb.ovsschema                          |    7 +-
 ovn/ovn-sb.xml                                |    6 +
 rhel/automake.mk                              |    1 +
 rhel/openvswitch-fedora.spec.in               |   19 +-
 ...b_systemd_system_openvswitch-ipsec.service |   12 +
 utilities/ovs-ctl.in                          |   18 +
 utilities/ovs-pki.in                          |   25 +-
 vswitchd/vswitch.xml                          |  122 +-
 32 files changed, 2241 insertions(+), 45 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

-- 
2.18.0


