[ovs-dev] encrypting only some traffic (was: OVN: Encrypt tunnel traffic with IPsec)

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Mon Jun 25 22:06:39 UTC 2018


Thanks for your comments!

> For #1 and #2 you would not need skb mark at all. Are you considering these
> two approaches as well?

My current proposal will implement #1. #2 is also a nice feature to have!
To enable #2, the northbound and southbound database can include
information that dictates which pairs of transport nodes require encryption.
Then the OVN controller can set tunnel options accordingly.

> I think you are proposing #3 here. It is the most fine grained. However, it
> would require to use "opportunistic packet authentication" and expose Open
> vSwitch code to potential attackers, because the IPsec stack will have to
> let through packets that are not signed.

Do you mean the IPsec stack on the sending side will let packets through
without being signed?

> In other words, instead of letting IPsec stack to drop malicious packets you
> will require OpenFlow rule to do that. Probably based on skb mark in match
> part.

On the receiving side, if the IPsec stack can set skb mark for the
decrypted packets from a logical network, then OpenFlow rules can be set to
drop those packets without the mark. Do you know whether the IPsec stack
can do this?

-Qiuyu
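The receive-side scheme discussed in the message (mark packets that arrived through IPsec, then have an OpenFlow rule drop tunnel packets without the mark) can be expressed with two rules. The following is an added illustration, not code from this thread or from the OVS/OVN project: it assumes that the Linux XFRM stack itself does not set a mark on decapsulated packets, but that netfilter's `policy` match (`xt_policy`) can identify packets that were IPsec-protected on input and the `MARK` target can tag them; it further assumes the mark survives Geneve decapsulation into the OVS datapath, where OpenFlow's `pkt_mark` can match it. Bridge name, tunnel port number, UDP port and mark value are constructed placeholders. The functions only print the commands unless `APPLY=1` is set, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example: mark IPsec-protected tunnel input and drop unmarked tunnel
# packets in OpenFlow. All names below are placeholders for this example.
set -eu

BRIDGE="${BRIDGE:-br-int}"        # constructed: integration bridge
TUN_PORT="${TUN_PORT:-1}"         # constructed: OpenFlow port of the tunnel
UDP_PORT="${UDP_PORT:-6081}"      # Geneve (used by OVN) listens on UDP 6081
MARK="${MARK:-0x1}"               # constructed: skb mark bit meaning "came via IPsec"

# Netfilter rule: a packet hitting PREROUTING that was protected by an inbound
# IPsec policy gets the mark bit set; plaintext packets keep mark bit 0.
mark_rule() {
    printf 'iptables -t mangle -A PREROUTING -p udp --dport %s -m policy --dir in --pol ipsec -j MARK --set-xmark %s/%s\n' \
        "$UDP_PORT" "$MARK" "$MARK"
}

# OpenFlow rule: anything entering from the tunnel port whose mark bit is
# clear (pkt_mark=0 under the mask) was not authenticated by IPsec, so drop it
# before it reaches the logical pipeline.
drop_rule() {
    printf 'ovs-ofctl add-flow %s "table=0,priority=100,in_port=%s,pkt_mark=0/%s,actions=drop"\n' \
        "$BRIDGE" "$TUN_PORT" "$MARK"
}

# Print both rules (default) or execute them when APPLY=1 (needs root).
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        sh -c "$(mark_rule)"
        sh -c "$(drop_rule)"
    else
        mark_rule
        drop_rule
    fi
}

apply_rules
```

Because the `policy` match fires only for packets that the kernel actually decapsulated under an inbound IPsec policy, a forged plaintext Geneve packet sent to the same UDP port never gains the mark and is discarded by the OpenFlow rule; the verification that matters (the ESP integrity check) still happens in the IPsec stack, and the OpenFlow rule only enforces that nothing bypassed it.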

