Thanks for the review! I will work on adding this documentation soon. -Qiuyu
On Tue, Jul 3, 2018 at 1:13 PM, Ben Pfaff <[email protected]> wrote:
> On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote:
>> This patch adds IPsec support for OVN tunnels. Basically, OVN offers a
>> binary option to its user for encryption configuration. If the IPsec
>> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
>> will be encrypted.
>>
>> The changes are summarized as below:
>> 1) Added an ipsec column on the NB_Global table and SB_Global table. The
>> value of the ipsec column is propagated by ovn-northd from NB_Global to
>> SB_Global.
>>
>> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
>> value is true, ovn-controller sets options of the tunnel interface by
>> specifying "options:pki=ca_auth options:local_name=<local_chassis_name>
>> options:remote_name=<remote_chassis_name>". If the ipsec value is false,
>> ovn-controller removes these options.
>>
>> 3) The ovs-monitor-ipsec daemon
>> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
>> monitors the tunnel interface options and configures the IKE daemon
>> accordingly for IPsec encryption.
>
> This is much simpler than I expected. Great.
>
> Would you mind adding something, probably to the ovn-architecture
> document, that explains the purpose for encrypted tunnels and the
> threat model? You posted a document earlier that might be a good place
> to start.
>
> The ovn-architecture document is in ovn/ovn-architecture.7.xml.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
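
The tunnel-option reconciliation that item 2 of the quoted patch summary describes (set options:pki=ca_auth, options:local_name and options:remote_name on every tunnel Interface when SB_Global.ipsec is true, remove them when it is false) can be modelled and audited in a few lines. The block below is an added example for this thread, not ovn-controller's own code or anything from the patch: it assumes the Interface options column is represented as a plain dict, the chassis names "hv1", "hv2", "hv3", the interface names "ovn-hv2-0"/"ovn-hv3-0" and the remote IPs are constructed, and the rendered `ovs-vsctl` lines are what an operator would type by hand to reproduce the controller's change.

```python
"""Model of the ipsec tunnel-option rule from the OVN IPsec patch summary.

Constructed example (not OVN's own code). The rule it encodes: when the
global ipsec flag is true every tunnel Interface carries
options:pki=ca_auth, options:local_name=<local chassis> and
options:remote_name=<remote chassis>; when the flag is false those three
keys are absent. Other tunnel options (remote_ip, key, csum, ...) are
never touched, so turning IPsec on or off does not alter the tunnel itself.
"""

IPSEC_OPTION_KEYS = ("pki", "local_name", "remote_name")


def desired_tunnel_options(ipsec, local_chassis, remote_chassis, current):
    """Return the options map a tunnel Interface should end up with.

    `current` mirrors the existing OVSDB Interface.options column. A new
    dict is returned; the input is left unchanged.
    """
    options = dict(current)
    if ipsec:
        options["pki"] = "ca_auth"            # authenticate peers with CA-signed certs
        options["local_name"] = local_chassis
        options["remote_name"] = remote_chassis
    else:
        for key in IPSEC_OPTION_KEYS:
            options.pop(key, None)            # absent key == plaintext tunnel
    return options


def tunnel_mismatches(ipsec, local_chassis, tunnels):
    """Audit helper: list tunnels whose options disagree with the global flag.

    `tunnels` maps interface name -> (remote chassis name, options dict).
    Returns a list of (interface name, reason); an empty list means every
    tunnel matches the configured policy. A tunnel that should be
    encrypted but lacks the IPsec options is the case worth alerting on,
    because traffic on it is sent in the clear.
    """
    problems = []
    for ifname, (remote_chassis, options) in tunnels.items():
        expected = desired_tunnel_options(ipsec, local_chassis, remote_chassis, options)
        if options == expected:
            continue
        if ipsec:
            reason = "ipsec enabled but tunnel options are not pki=ca_auth/local_name/remote_name"
        else:
            reason = "ipsec disabled but tunnel still carries IPsec options"
        problems.append((ifname, reason))
    return problems


def ovs_vsctl_command(ifname, ipsec, local_chassis, remote_chassis):
    """Render the ovs-vsctl line that applies the same change by hand."""
    if ipsec:
        return ("ovs-vsctl set interface %s options:pki=ca_auth "
                "options:local_name=%s options:remote_name=%s"
                % (ifname, local_chassis, remote_chassis))
    return "ovs-vsctl remove interface %s options %s" % (
        ifname, " ".join(IPSEC_OPTION_KEYS))


# Constructed sample: chassis hv1 with two Geneve/STT-style tunnels. hv2's
# tunnel was never configured for IPsec; hv3's already carries the options.
LOCAL_CHASSIS = "hv1"
SAMPLE_TUNNELS = {
    "ovn-hv2-0": ("hv2", {"remote_ip": "10.0.0.2", "key": "flow", "csum": "true"}),
    "ovn-hv3-0": ("hv3", {"remote_ip": "10.0.0.3", "key": "flow", "csum": "true",
                          "pki": "ca_auth", "local_name": "hv1", "remote_name": "hv3"}),
}


if __name__ == "__main__":
    for flag in (True, False):
        print("SB_Global.ipsec = %s" % flag)
        for ifname, reason in tunnel_mismatches(flag, LOCAL_CHASSIS, SAMPLE_TUNNELS):
            remote = SAMPLE_TUNNELS[ifname][0]
            print("  %s: %s" % (ifname, reason))
            print("    fix: %s" % ovs_vsctl_command(ifname, flag, LOCAL_CHASSIS, remote))
```

Running it with the sample shows the two directions of the rule: with ipsec true only ovn-hv2-0 is flagged (plaintext where encryption is expected), with ipsec false only ovn-hv3-0 is flagged (stale IPsec options after the flag was cleared). The same comparison can be run against the live `ovs-vsctl list interface` output to confirm that ovn-controller has converged after the NB_Global flag changes.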
