[ovs-dev] [PATCH v7 0/6] IPsec support for tunneling

Ben Pfaff blp at ovn.org
Fri Oct 26 16:36:55 UTC 2018


Hi Ansis.  Do you plan to further review this series or should I take a
look at it in hopes of merging it?

Thanks,

Ben.

On Wed, Sep 19, 2018 at 05:15:52PM -0400, Qiuyu Xiao wrote:
> This patch series reintroduces IPsec support for OVS tunneling and enables
> OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
> supported. StrongSwan and LibreSwan IKE daemons are supported.
> 
> Changes from v1 to v2
> ---------------------
> 1. Merge the ovs-monitor-ipsec code into a single patch. Add LibreSwan IKE
> daemon support.
> 2. Add ovs-monitor-ipsec to the flake8 check.
> 3. Use openssl to extract the CN from the certificate so that users don't
> need to specify the CN information in the configuration interface.
> 4. Improve documentation as suggested.
> 
> Changes from v2 to v3
> ---------------------
> 1. Add scripts and rules to create the ovs-ipsec RPM package.
> 2. Add Documentation/tutorials/ipsec.rst, which gives a step-by-step OVS
> IPsec tutorial. Modify Documentation/howto/ipsec.rst, which gives a
> detailed description of the OVS IPsec configuration modes.
> 3. Modify ovs-pki to generate an X.509 version 3 certificate when
> self-signing.
> 4. The IPsec tunnel interface needs 'local_ip' information. Modify
> ovn-controller to add 'local_ip' when IPsec is enabled.
> 5. Add a section to ovn/ovn-architecture.7.xml to introduce OVN IPsec.
> 
> Changes from v3 to v4
> ---------------------
> 1. Split the datapath patch into three patches (geneve, vxlan, stt).
> 2. Add tutorials for OVN RBAC and OVN IPsec.
> 
> Changes from v4 to v5
> ---------------------
> 1. Fix coding style issues in ovs-monitor-ipsec.
> 2. Improve the IPsec and OVN-IPsec tutorials as suggested.
> 3. Change the description of setting skb_mark in the documentation to
> reflect the real situation.
> 
> Changes from v5 to v6
> ---------------------
> 1. Use a wildcard IP address to match the localhost IP in LibreSwan. Remove
> the 'local_ip' requirement when setting up an IPsec tunnel interface.
> 2. The ovs-monitor-ipsec daemon accepts a command line option to choose the
> IKE daemon, either LibreSwan or StrongSwan. The init script chooses which
> IKE daemon to use. Currently, the Debian init script chooses StrongSwan and
> the Fedora init script chooses LibreSwan.
> 3. Check for an illegal name before removing a file in
> '_import_local_certs_and_key()'.
> 4. The GRE IPsec tunnel was not activated properly when using LibreSwan. This
> version fixes it.
> 5. The plaintext policy syntax was wrong when using LibreSwan. This version
> corrects it.
> 6. Add comments and explanations about the 'remote_name'
> check in '_is_valid_tunnel_conf()'.
> 7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start the IKE
> daemon.
> 
> Changes from v6 to v7
> ---------------------
> 1. Use os.path.abspath to generate the path of the p12 file to make sure
> the path is under '/tmp/'.
> 2. When the ovs-monitor-ipsec daemon restarts, check whether the NSS database
> has old certificates and private keys set by a previous run. If so, delete
> that old state.
> 
> *** BLURB HERE ***
> 
> Qiuyu Xiao (6):
>   datapath: add transport ports in route lookup for geneve
>   ipsec: reintroduce IPsec support for tunneling
>   debian and rhel: Create IPsec package.
>   Documentation: IPsec tunnel tutorial and documentation.
>   OVN: native support for tunnel encryption
>   Documentation: OVN RBAC and IPsec tutorial
> 
>  Documentation/automake.mk                          |    4 +
>  Documentation/howto/index.rst                      |    1 +
>  Documentation/howto/ipsec.rst                      |  194 ++++
>  Documentation/index.rst                            |    5 +-
>  Documentation/tutorials/index.rst                  |    3 +
>  Documentation/tutorials/ipsec.rst                  |  347 ++++++
>  Documentation/tutorials/ovn-ipsec.rst              |  146 +++
>  Documentation/tutorials/ovn-rbac.rst               |  134 +++
>  Makefile.am                                        |    1 +
>  datapath/linux/compat/geneve.c                     |   29 +-
>  debian/automake.mk                                 |    3 +
>  debian/control                                     |   21 +
>  debian/openvswitch-ipsec.dirs                      |    1 +
>  debian/openvswitch-ipsec.init                      |  181 +++
>  debian/openvswitch-ipsec.install                   |    1 +
>  ipsec/automake.mk                                  |   10 +
>  ipsec/ovs-monitor-ipsec                            | 1223 ++++++++++++++++++++
>  ovn/controller/encaps.c                            |   14 +-
>  ovn/controller/encaps.h                            |    6 +-
>  ovn/controller/ovn-controller.c                    |    3 +-
>  ovn/northd/ovn-northd.c                            |    8 +-
>  ovn/ovn-architecture.7.xml                         |   39 +
>  ovn/ovn-nb.ovsschema                               |    7 +-
>  ovn/ovn-nb.xml                                     |    6 +
>  ovn/ovn-sb.ovsschema                               |    7 +-
>  ovn/ovn-sb.xml                                     |    6 +
>  rhel/automake.mk                                   |    1 +
>  rhel/openvswitch-fedora.spec.in                    |   19 +-
>  ...sr_lib_systemd_system_openvswitch-ipsec.service |   13 +
>  utilities/ovs-ctl.in                               |   27 +
>  vswitchd/vswitch.xml                               |  156 ++-
>  31 files changed, 2581 insertions(+), 35 deletions(-)
>  create mode 100644 Documentation/howto/ipsec.rst
>  create mode 100644 Documentation/tutorials/ipsec.rst
>  create mode 100644 Documentation/tutorials/ovn-ipsec.rst
>  create mode 100644 Documentation/tutorials/ovn-rbac.rst
>  create mode 100644 debian/openvswitch-ipsec.dirs
>  create mode 100644 debian/openvswitch-ipsec.init
>  create mode 100644 debian/openvswitch-ipsec.install
>  create mode 100644 ipsec/automake.mk
>  create mode 100644 ipsec/ovs-monitor-ipsec
>  create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
> 
> -- 
> 2.14.4
> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
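The v6 and v7 changelog items above describe two related checks in ovs-monitor-ipsec: rejecting an illegal file name before a file is removed, and using os.path.abspath so that the generated p12 path stays under '/tmp/'. The following is an added example written for this page, not code from the patch series or from Open vSwitch; the function names (is_valid_file_name, path_under, p12_path, remove_p12), the name character set and the choice of '/tmp' as the base directory are assumptions made for illustration. It shows why a lexical prefix test is not enough (a startswith('/tmp') check would accept '/tmpevil/x') and why abspath alone does not protect against a symlink planted under /tmp.

```python
import os
import re

# Assumed base directory and name policy for this example only; the real
# ovs-monitor-ipsec rules are not reproduced here.
TMP_DIR = "/tmp"
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_valid_file_name(name):
    """Return True only for a bare, conservative file name.

    Rejects empty names, '.' and '..', anything containing a path separator
    or NUL, and any character outside [A-Za-z0-9._-].
    """
    if not isinstance(name, str) or not name:
        return False
    if name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return bool(_SAFE_NAME.match(name))


def path_under(base, candidate):
    """Return True if candidate, after lexical normalisation, is strictly
    inside base.

    os.path.abspath collapses '.' and '..' components, so
    '/tmp/../etc/passwd' becomes '/etc/passwd'.  The containment test uses
    os.path.commonpath rather than str.startswith so that '/tmpevil/x' is
    not mistaken for a child of '/tmp'.  abspath does not resolve symlinks;
    that is handled separately in remove_p12.
    """
    base = os.path.abspath(base)
    cand = os.path.abspath(candidate)
    if cand == base:
        return False
    return os.path.commonpath([base, cand]) == base


def p12_path(name):
    """Build the absolute path of a PKCS#12 bundle under TMP_DIR.

    Raises ValueError if the name is illegal or the resulting path would
    fall outside TMP_DIR.  With a valid bare name the second check cannot
    fail; it is kept as a defence in depth against later changes to the
    name policy.
    """
    if not is_valid_file_name(name):
        raise ValueError("illegal file name: %r" % (name,))
    path = os.path.abspath(os.path.join(TMP_DIR, name))
    if not path_under(TMP_DIR, path):
        raise ValueError("path escapes %s: %r" % (TMP_DIR, path))
    return path


def p12_path_or_none(name):
    """Convenience wrapper: the validated path, or None if rejected."""
    try:
        return p12_path(name)
    except ValueError:
        return None


def remove_p12(name):
    """Remove a bundle under TMP_DIR, refusing to follow a symlink.

    A symlink at /tmp/<name> pointing elsewhere would pass every lexical
    check above, so the link itself is inspected before os.remove is called.
    The islink/remove pair is still a small race window on a shared /tmp; a
    private, mode-0700 directory is the stronger fix.
    """
    path = p12_path(name)
    if os.path.islink(path):
        raise ValueError("refusing to follow symlink: %r" % (path,))
    os.remove(path)
    return path
```

p12_path_or_none exists only so the rejection cases can be exercised without exceptions; in a daemon the ValueError from p12_path is the right signal to log and skip the file.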
