On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote: > This patch adds IPsec support for OVN tunnel. Basically, OVN offers a > binary option to its user for encryption configuration. If the IPsec > option is turned on, all tunnels will be encrypted. Otherwise, no tunnel > will be encrypted. > > The changes are summarized as below: > 1) Added a ipsec column on the NB_Global table and SB_Global table. The > value of ipsec column is propagated by ovn-northd from NB_Global to > SB_Global. > > 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec > value is true, ovn-controller sets options of the tunnel interface by > specifying "options:pki=ca_auth options:local_name=<local_chassis_name> > options:remote_name=<remote_chassis_name>". If the ipsec value is false, > ovn-controller removes these options. > > 3) ovs-monitor-ipsec daemon > (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) > monitors the tunnel interface options and configures IKE daemon > accordingly for IPsec encryption.
This is much simpler than I expected. Great. Would you mind adding something, probably to the ovn-architecture document, that explains the purpose for encrypted tunnels and the threat model? You posted a document earlier that might be a good place to start. The ovn-architecture document is in ovn/ovn-architecture.7.xml. _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
