[ovs-dev] encrypting only some traffic (was: OVN: Encrypt tunnel traffic with IPsec)

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Mon Jun 25 22:06:39 UTC 2018

Thanks for your comments!

> For #1 and #2 you would not need the skb mark at all. Are you considering
> the two approaches as well?

My current proposal will implement #1. #2 is also a nice feature to have!
To enable #2, the northbound and southbound databases can include
information that dictates which pairs of transport nodes require encryption.
Then the OVN controller can set the tunnel options accordingly.

> I think you are proposing #3 here. It is the most fine-grained. However, it
> would require using "opportunistic packet authentication" and expose Open
> vSwitch code to potential attackers, because the IPsec stack will have to
> let through packets that are not signed.

Do you mean the IPsec stack on the sending side will let packets through
without being signed?

> In other words, instead of letting the IPsec stack drop malicious packets,
> it will require an OpenFlow rule to do that, probably based on the skb mark
> in the match part.

On the receiving side, if the IPsec stack can set an skb mark on the
decrypted packets from a logical network, then OpenFlow rules can be set to
drop the packets without the mark. Do you know whether the IPsec stack
can do this?
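To make the receive-side policy discussed above concrete, here is an added example (not code from the thread or from OVS/OVN) that generates the `pkt_mark`-based table-0 flows for a set of tunnel ports and models the OpenFlow lookup so that a decrypted, marked packet is forwarded while an unmarked packet arriving on a tunnel port is dropped. The bridge name, the port numbers and the mark value are assumptions; it assumes the IPsec stack has already put the mark on decrypted packets.

```python
from dataclasses import dataclass
from typing import List, Optional

IPSEC_MARK = 0x1          # assumed: mark the IPsec stack sets on decrypted packets
TUNNEL_PORTS = {2, 3}     # assumed: OpenFlow port numbers of the tunnel ports


@dataclass(frozen=True)
class Flow:
    priority: int
    in_port: Optional[int]        # None = wildcard
    pkt_mark: Optional[int]       # None = wildcard, else match (mark & mask) == pkt_mark
    mark_mask: int
    action: str


def build_flows(tunnel_ports=TUNNEL_PORTS, mark=IPSEC_MARK) -> List[Flow]:
    """Table-0 policy: on each tunnel port, marked packets continue, everything else drops.
    Non-tunnel ports (local VIFs) fall through to the low-priority default."""
    flows = []
    for port in sorted(tunnel_ports):
        flows.append(Flow(200, port, mark, mark, "resubmit(,1)"))
        flows.append(Flow(150, port, None, 0, "drop"))
    flows.append(Flow(0, None, None, 0, "resubmit(,1)"))
    return flows


def to_ofctl(flow: Flow, bridge: str = "br-int") -> str:
    """Render one flow as an ovs-ofctl add-flow command line."""
    match = ["table=0", f"priority={flow.priority}"]
    if flow.in_port is not None:
        match.append(f"in_port={flow.in_port}")
    if flow.pkt_mark is not None:
        match.append(f"pkt_mark={flow.pkt_mark:#x}/{flow.mark_mask:#x}")
    return f'ovs-ofctl add-flow {bridge} "{",".join(match)},actions={flow.action}"'


def lookup(flows: List[Flow], in_port: int, pkt_mark: int) -> str:
    """Highest-priority matching flow wins, as in an OpenFlow table; miss drops."""
    for flow in sorted(flows, key=lambda f: -f.priority):
        if flow.in_port is not None and flow.in_port != in_port:
            continue
        if flow.pkt_mark is not None and (pkt_mark & flow.mark_mask) != flow.pkt_mark:
            continue
        return flow.action
    return "drop"


if __name__ == "__main__":
    table = build_flows()
    for f in table:
        print(to_ofctl(f))
    # Constructed sample packets: (in_port, skb mark after IPsec input processing)
    for port, mark in [(2, IPSEC_MARK), (2, 0), (3, 0), (1, 0)]:
        print(f"in_port={port} mark={mark:#x} -> {lookup(table, port, mark)}")
```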
