[ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

Ben Pfaff blp at ovn.org
Fri Jul 27 23:52:52 UTC 2018


On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> > This patch series reintroduces IPsec support for OVS tunneling and
> > enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> > tunnels are supported.  StrongSwan and LibreSwan IKE daemons are
> > supported.
> 
> Thank you.
> 
> My first impression is that this is a really complete, high-quality
> series.  I'll work on reviewing it in detail.

I have a couple of overall questions about security here.  What happens
if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
too old to support IPsec?  (Will traffic be sent and received in
cleartext?)  What about if IPsec is configured on a tunnel, but the OVS
userspace is too old to support IPsec?

Thanks,

Ben.

