[ovs-discuss] enforce TLSv1.2 in OVN

Dominik Holler dholler at redhat.com
Wed Jun 7 07:48:45 UTC 2017


On Tue, 6 Jun 2017 12:26:21 -0400 (EDT)
Lance Richardson <lrichard at redhat.com> wrote:

> > From: "Dominik Holler" <dholler at redhat.com>
> > To: ovs-discuss at openvswitch.org
> > Cc: "Lance Richardson" <lrichard at redhat.com>, "Numan Siddique"
> > <nusiddiq at redhat.com>, "Marcin Mirecki" <mmirecki at redhat.com>, "Dan
> > Kenigsberg" <danken at redhat.com>
> > Sent: Tuesday, 6 June, 2017 11:30:07 AM
> > Subject: enforce TLSv1.2 in OVN
> > 
> > Hello,
> > We want to ensure that OVN uses only TLSv1.2, but not TLSv1 or
> > TLSv1.1 in our scenario.
> > 
> > There are multiple connections identified as relevant:
> > 
> > - The tunneling data connection between the hypervisors/chassis,
> > like geneve listening on UDP port 6081.
> > 
> > - The meta data connections:
> > 
> >  - The connections to the OVN Southbound DB, which is hosted by
> >    ovsdb-server and typically listening on TCP port 6642. Connections
> >    may be initiated from the ovn-controllers and ovn-northd.
> > 
> >  - The connections to the OVN Northbound DB, which is hosted by
> >    ovsdb-server and typically listening on TCP port 6641.
> >    Connections may be initiated by the Cloud Management System and
> >    ovn-northd.
> > 
> > Is it correct that encryption is not supported at all for the
> > tunneling data connection?  
> 
> That's correct. There has been some recent work to support the use of
> IPSec for tunnel encryption, but as far as I know no one has
> investigated using IPSec with OVN tunnels. If there is a need for
> this, we could look into it. See:
> 
>     https://patchwork.ozlabs.org/patch/674858/
> 
> > 
> > For the meta data connections ovsdb-server acts as the server.
> > ovsdb-server has the command line option --ssl-protocols, but I do
> > not understand how to apply this. ovsdb-server seems to be started
> > by ovn-ctl, but I do not recognize a way to utilize ovn-ctl to
> > pass the --ssl-protocols option.
> > How should the --ssl-protocols option be passed to ovsdb-server?
> >   
> 
> I think we'll need to add a new option to ovn-ctl to allow this option
> to be specified.
> 
> I also think we should allow the --ssl-protocols configuration to be
> stored in the ovsdb database and have support in ovn-nbctl/ovn-sbctl
> etc. for setting it.
> 
> I'll go ahead and start working on that, 

Great to hear!

> it would be good if you
> could open a BZ for tracking the upstream and backport work.
> 

add a new option to ovn-ctl
master: https://bugzilla.redhat.com/1459438
backport: https://bugzilla.redhat.com/1459440

configuration to be stored in the ovsdb database
master: https://bugzilla.redhat.com/1459441
backport: https://bugzilla.redhat.com/1459442
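Once ovsdb-server is started with --ssl-protocols=TLSv1.2, the listener should still be checked from the outside. The script below is an added example, not code from the thread or from the OVS/OVN project: it forces openssl s_client to one protocol version at a time against a NB/SB listener and fails unless only TLSv1.2 is accepted. HOST, PORT and the CA/CERT/KEY environment variables are placeholders; CERT/KEY are the probing host's own client certificate, since ovsdb-server with SSL expects clients to present one.

```shell
#!/bin/sh
# Added example: audit which TLS versions an OVSDB SSL listener accepts
# (OVN Northbound DB on 6641, Southbound DB on 6642 in the thread above).
# Requires openssl(1). CA, CERT and KEY are placeholder environment variables.

# classify_handshake OUTPUT EXITCODE -> echoes "accepted" or "rejected".
# OUTPUT is what openssl s_client printed, EXITCODE its exit status.
# A failed handshake prints "Cipher is (NONE)" and exits non-zero.
classify_handshake() {
    out=$1
    rc=$2
    case "$out" in
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*) [ "$rc" -eq 0 ] && echo accepted || echo rejected ;;
        *) echo rejected ;;   # connection refused, unknown option, etc.
    esac
}

# probe HOST PORT FLAG -> classify a handshake pinned to one protocol
# version (FLAG is -tls1, -tls1_1 or -tls1_2). Note: an openssl build with
# TLSv1/TLSv1.1 compiled out also reports "rejected"; check the error text.
probe() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client "$flag" -connect "$host:$port" \
            -CAfile "${CA:?path to CA certificate}" \
            -cert "${CERT:?path to client certificate}" \
            -key "${KEY:?path to client private key}" </dev/null 2>&1)
    rc=$?
    classify_handshake "$out" "$rc"
}

# policy_ok TLS1 TLS11 TLS12 -> exit status 0 only when TLSv1 and TLSv1.1
# are rejected and TLSv1.2 is accepted (the policy the thread asks for).
policy_ok() {
    [ "$1" = rejected ] && [ "$2" = rejected ] && [ "$3" = accepted ]
}

# audit HOST PORT -> prints the per-version result, returns 1 on violation.
audit() {
    r1=$(probe "$1" "$2" -tls1)
    r11=$(probe "$1" "$2" -tls1_1)
    r12=$(probe "$1" "$2" -tls1_2)
    printf 'TLSv1: %s\nTLSv1.1: %s\nTLSv1.2: %s\n' "$r1" "$r11" "$r12"
    policy_ok "$r1" "$r11" "$r12"
}

# Usage (placeholders):
#   CA=cacert.pem CERT=chassis-cert.pem KEY=chassis-privkey.pem \
#       audit sb-db.example.internal 6642
```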
