[ovs-git] [openvswitch/ovs] d96d0b: datapath: add transport ports in route lookup for ...

GitHub noreply at github.com
Fri Nov 9 23:10:17 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: d96d0b019a6557d41d11af48925da840b3a1ecb6
      https://github.com/openvswitch/ovs/commit/d96d0b019a6557d41d11af48925da840b3a1ecb6
  Author: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
  Date:   2018-11-09 (Fri, 09 Nov 2018)

  Changed paths:
    M datapath/linux/compat/geneve.c

  Log Message:
  -----------
  datapath: add transport ports in route lookup for geneve

This patch adds transport ports information for route lookup so that
IPsec can select geneve tunnel traffic to do encryption.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Reviewed-by: Greg Rose <gvrose8192 at gmail.com>
Tested-by: Greg Rose <gvrose8192 at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 22c5eafb6efa874014a5234de8ca587b693db4df
      https://github.com/openvswitch/ovs/commit/22c5eafb6efa874014a5234de8ca587b693db4df
  Author: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
  Date:   2018-11-09 (Fri, 09 Nov 2018)

  Changed paths:
    M Makefile.am
    A ipsec/automake.mk
    A ipsec/ovs-monitor-ipsec

  Log Message:
  -----------
  ipsec: reintroduce IPsec support for tunneling

This patch reintroduces ovs-monitor-ipsec daemon that
was previously removed by commit 2b02d770 ("openvswitch:
Allow external IPsec tunnel management.")

After this patch, there are no IPsec flavored tunnels anymore.
IPsec is enabled by setting up the right values in:
1. OVSDB:Interface:options column;
2. OVSDB:Open_vSwitch:other_config column;
3. OpenFlow pipeline.

GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and
StrongSwan IKE daemons are supported. User can choose pre-shared key,
self-signed peer certificate, or CA-signed certificate as authentication
methods.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Co-authored-by: Ansis Atteka <aatteka at ovn.org>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: bdddc715358e346a5a19365ad59dc8627ebd4e9a
      https://github.com/openvswitch/ovs/commit/bdddc715358e346a5a19365ad59dc8627ebd4e9a
  Author: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
  Date:   2018-11-09 (Fri, 09 Nov 2018)

  Changed paths:
    M debian/automake.mk
    M debian/control
    A debian/openvswitch-ipsec.dirs
    A debian/openvswitch-ipsec.init
    A debian/openvswitch-ipsec.install
    M rhel/automake.mk
    M rhel/openvswitch-fedora.spec.in
    A rhel/usr_lib_systemd_system_openvswitch-ipsec.service
    M utilities/ovs-ctl.in

  Log Message:
  -----------
  debian and rhel: Create IPsec package.

Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Co-authored-by: Ansis Atteka <aatteka at ovn.org>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 7b243c308967bec769667c458580caba27b587c8
      https://github.com/openvswitch/ovs/commit/7b243c308967bec769667c458580caba27b587c8
  Author: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
  Date:   2018-11-09 (Fri, 09 Nov 2018)

  Changed paths:
    M Documentation/automake.mk
    M Documentation/howto/index.rst
    A Documentation/howto/ipsec.rst
    M Documentation/index.rst
    M Documentation/tutorials/index.rst
    A Documentation/tutorials/ipsec.rst
    M vswitchd/vswitch.xml

  Log Message:
  -----------
  Documentation: IPsec tunnel tutorial and documentation.

tutorials/index.rst gives a step-by-step guide to set up OVS IPsec
tunnel.

tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
configuration methods and forwarding modes.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Co-authored-by: Ansis Atteka <aatteka at ovn.org>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: b1cc0dbac0ebbc32f5c0da3a27ec67f2a303636a
      https://github.com/openvswitch/ovs/commit/b1cc0dbac0ebbc32f5c0da3a27ec67f2a303636a
  Author: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
  Date:   2018-11-09 (Fri, 09 Nov 2018)

  Changed paths:
    M ovn/controller/encaps.c
    M ovn/controller/encaps.h
    M ovn/controller/ovn-controller.c
    M ovn/northd/ovn-northd.c
    M ovn/ovn-architecture.7.xml
    M ovn/ovn-nb.ovsschema
    M ovn/ovn-nb.xml
    M ovn/ovn-sb.ovsschema
    M ovn/ovn-sb.xml

  Log Message:
  -----------
  OVN: native support for tunnel encryption

This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
binary option to its user for encryption configuration. If the IPsec
option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
will be encrypted.

The changes are summarized as below:
1) Added an ipsec column on the NB_Global table and SB_Global table. The
value of ipsec column is propagated by ovn-northd from NB_Global to
SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
value is true, ovn-controller sets options of the tunnel interface by
specifying "options:remote_name=<remote_chassis_name>". If the ipsec
value is false, ovn-controller removes these options.

3) ovs-monitor-ipsec daemon
(https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
monitors the tunnel interface options and configures IKE daemon
accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: fcd8f561b6fb8d58b4a4d0aaef5c8b59a55aa8a3
      https://github.com/openvswitch/ovs/commit/fcd8f561b6fb8d58b4a4d0aaef5c8b59a55aa8a3
  Author: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
  Date:   2018-11-09 (Fri, 09 Nov 2018)

  Changed paths:
    M Documentation/automake.mk
    M Documentation/index.rst
    M Documentation/tutorials/index.rst
    A Documentation/tutorials/ovn-ipsec.rst
    A Documentation/tutorials/ovn-rbac.rst
    M NEWS

  Log Message:
  -----------
  Documentation: OVN RBAC and IPsec tutorial

This patch adds a step-by-step guide for configuring OVN Role-Based Access
Control and IPsec.

Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/29f3e6cf65a1...fcd8f561b6fb