[ovs-discuss] IPSec and Open vSwitch

Ansis Atteka aatteka at nicira.com
Mon Jan 18 21:42:49 UTC 2016


On Mon, Jan 18, 2016 at 10:16 AM, mostafa uddin <muddin at cs.odu.edu> wrote:
> I have a clarification question,
>
> Is the IPSec packet processing done before the OVS datapath, in the
> network stack?

For incoming packets IPsec is done before reaching OVS datapath.

For egressing packets IPsec is done after the packet has already left
OVS datapath.

See http://inai.de/images/nf-packet-flow.png for more details; there you
can think of the "local process" as the OVS datapath that owns the
tunneling socket, and IPsec is done in the "XFRM" boxes.

>
> Is it possible to bring the IPSec packet processing inside the OVS Datapath?
> That means all the packet header formation and the encryption algorithm would be
> called when the packet is in the processing path of the OVS datapath module.

I haven't thought too much about this, but I am afraid that this might
get a little bit intrusive for the Linux IP stack, because you would have
to get ESP packets somehow to the OVS kernel module, which means that OVS
would need to intercept *all* the ESP traffic that would otherwise
have gone to the XFRM boxes in that diagram.

If you have an idea how to do this in an elegant way, please propose it.

Regards,
Ansis
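Because IPsec runs in the XFRM layer rather than inside the OVS datapath, the tunnel packets OVS emits are only protected if an XFRM policy actually matches them on the way out (and on the way in on the peer). The following added example, which is not from the thread or from the Open vSwitch project, parses the output of the Linux `ip xfrm policy show` command and checks that tunnel traffic between a local endpoint and a given peer is covered by ESP policies in both directions. The sample policy dump, the addresses, and the use of GRE as the tunnel protocol are all constructed assumptions; the `tunnel_protection` helper name is ours.

```python
"""Check that OVS tunnel traffic to a peer is covered by IPsec (XFRM) policies.

Parses the text produced by `ip xfrm policy show` (iproute2) and reports, for
one tunnel peer, whether an `out` policy and an `in` policy with an ESP
template match the tunnel selector. Added example; assumptions are marked.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `ip xfrm policy show` output (assumption: three policies,
# local endpoint 10.0.0.1, peers 10.0.0.2 and 10.0.0.3, GRE tunnels, transport
# mode ESP). Peer 10.0.0.3 deliberately lacks an `in` policy.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32 proto gre
\tdir out priority 0 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.2
\t\tproto esp reqid 1 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto gre
\tdir in priority 0 ptype main
\ttmpl src 10.0.0.2 dst 10.0.0.1
\t\tproto esp reqid 1 mode transport
src 10.0.0.1/32 dst 10.0.0.3/32 proto gre
\tdir out priority 0 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.3
\t\tproto esp reqid 2 mode transport
"""

_SELECTOR_RE = re.compile(r"src (\S+) dst (\S+)(?: proto (\S+))?")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy show` text into a list of policy dicts.

    Each dict has: src/dst (ip_network), proto (str or None), dir (str or
    None) and esp (True if any template in the policy uses ESP).
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("src "):
            # A new policy record begins with its traffic selector.
            match = _SELECTOR_RE.match(line)
            if match is None:
                continue
            current = {
                "src": ipaddress.ip_network(match.group(1), strict=False),
                "dst": ipaddress.ip_network(match.group(2), strict=False),
                "proto": match.group(3),
                "dir": None,
                "esp": False,
            }
            policies.append(current)
        elif current is None:
            continue
        elif line.startswith("dir "):
            current["dir"] = line.split()[1]
        elif line.startswith("proto esp"):
            # Template line inside the policy: traffic will be ESP-protected.
            current["esp"] = True
    return policies


def tunnel_protection(policies, local_ip, peer_ip, proto="gre"):
    """Report which directions of local<->peer tunnel traffic have an ESP policy.

    A policy with no protocol in its selector matches any protocol, so it
    counts as covering the tunnel too.
    """
    local = ipaddress.ip_address(local_ip)
    peer = ipaddress.ip_address(peer_ip)
    covered = {"out": False, "in": False}
    for pol in policies:
        if not pol["esp"] or pol["proto"] not in (None, proto):
            continue
        if pol["dir"] == "out" and local in pol["src"] and peer in pol["dst"]:
            covered["out"] = True
        elif pol["dir"] == "in" and peer in pol["src"] and local in pol["dst"]:
            covered["in"] = True
    return covered


def load_policies(live=False):
    """Load policies from the running kernel (needs iproute2) or the sample."""
    if live:
        result = subprocess.run(["ip", "xfrm", "policy", "show"],
                                capture_output=True, text=True, check=True)
        return parse_xfrm_policies(result.stdout)
    return parse_xfrm_policies(SAMPLE_XFRM_POLICY)


if __name__ == "__main__":
    pols = load_policies()
    for peer in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        status = tunnel_protection(pols, "10.0.0.1", peer)
        print(f"peer {peer}: out={status['out']} in={status['in']}")
```

Run with `load_policies(live=True)` on a tunnel host to check the real XFRM policy table; a peer reported with either direction `False` is sending or receiving tunnel frames that bypass the "XFRM" boxes in the diagram, i.e. in the clear.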
