[ovs-dev] [PATCH v3 0/6] IPsec support for tunneling

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Sat Jul 28 00:28:16 UTC 2018


In both cases, IPsec won't be correctly set up in the system. The
traffic might be sent out in cleartext. Maybe we can let the
ovs-monitor-ipsec daemon monitor whether the IPsec tunnel is actually
taking effect in the system and report it on the tunnel interface, so
that the user won't have a wrong assumption about the IPsec tunnel state.

-Qiuyu

On Fri, Jul 27, 2018 at 4:52 PM, Ben Pfaff <blp at ovn.org> wrote:
> On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
>> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
>> > This patch series reintroduces IPsec support for OVS tunneling and
>> > enable OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
>> > tunnels are supported.  StrongSwan and LibreSwan IKE daemons are
>> > supported.
>>
>> Thank you.
>>
>> My first impression is that this is a really complete, high-quality
>> series.  I'll work on reviewing it in detail.
>
> I have a couple of overall questions about security here.  What happens
> if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
> too old to support IPsec?  (Will traffic be sent and received in
> cleartext?)  What about if IPsec is configured on a tunnel, but the OVS
> userspace is too old to support IPsec?
>
> Thanks,
>
> Ben.
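
An added example, not part of this thread or of the patch series: one way to check whether IPsec is actually in effect for a tunnel, by parsing `ip xfrm policy` output and requiring an ESP template in both directions between the endpoints. The sample output, the addresses and the function names are constructed for illustration and do not describe how ovs-monitor-ipsec works.

```python
# Constructed sample of `ip xfrm policy` output (RFC 5737 documentation addresses).
# The tunnel to 192.0.2.2 has ESP templates; the one to 192.0.2.3 does not.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.1/32 dst 192.0.2.2/32 proto gre
\tdir out priority 1795 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.0.2.2/32 dst 192.0.2.1/32 proto gre
\tdir in priority 1795 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.0.2.1/32 dst 192.0.2.3/32 proto udp dport 6081
\tdir out priority 1795 ptype main
"""


def parse_policies(text):
    """Return one dict per xfrm policy: src, dst, dir, esp (bool)."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace() and fields[0] == "src":
            # Unindented "src A/len dst B/len ..." line starts a new policy.
            policies.append({"src": fields[1].split("/")[0],
                             "dst": fields[3].split("/")[0],
                             "dir": None, "esp": False})
        elif policies and fields[0] == "dir":
            policies[-1]["dir"] = fields[1]
        elif policies and fields[:2] == ["proto", "esp"]:
            # Indented template line: this policy requires ESP.
            policies[-1]["esp"] = True
    return policies


def tunnel_protected(policies, local_ip, remote_ip):
    """Fail closed: True only if both directions carry an ESP template."""
    def covered(direction, src, dst):
        return any(p["dir"] == direction and p["src"] == src
                   and p["dst"] == dst and p["esp"] for p in policies)
    return (covered("out", local_ip, remote_ip)
            and covered("in", remote_ip, local_ip))


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    for remote in ("192.0.2.2", "192.0.2.3"):
        ok = tunnel_protected(pols, "192.0.2.1", remote)
        print(remote, "ipsec active" if ok else "NOT protected")
```
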

