Sure. I will document this. "ip xfrm state" also shows whether encryption is taking effect in the kernel.
-Qiuyu

On Thu, Jul 5, 2018 at 11:11 AM, Ben Pfaff <[email protected]> wrote:
> On Tue, Jul 03, 2018 at 01:13:05PM -0700, Ben Pfaff wrote:
>> On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote:
>> > This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
>> > binary option to its user for encryption configuration. If the IPsec
>> > option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
>> > will be encrypted.
>> >
>> > The changes are summarized as below:
>> > 1) Added an ipsec column on the NB_Global table and SB_Global table. The
>> > value of ipsec column is propagated by ovn-northd from NB_Global to
>> > SB_Global.
>> >
>> > 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
>> > value is true, ovn-controller sets options of the tunnel interface by
>> > specifying "options:pki=ca_auth options:local_name=<local_chassis_name>
>> > options:remote_name=<remote_chassis_name>". If the ipsec value is false,
>> > ovn-controller removes these options.
>> >
>> > 3) ovs-monitor-ipsec daemon
>> > (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
>> > monitors the tunnel interface options and configures IKE daemon
>> > accordingly for IPsec encryption.
>>
>> This is much simpler than I expected. Great.
>>
>> Would you mind adding something, probably to the ovn-architecture
>> document, that explains the purpose for encrypted tunnels and the
>> threat model? You posted a document earlier that might be a good place
>> to start.
>>
>> The ovn-architecture document is in ovn/ovn-architecture.7.xml.
>
> There was a new suggestion in the OVN meeting morning, which is that it
> would be valuable to document good ways to verify that encryption is
> actually working and in use. I suggested using tcpdump or wireshark to
> see that IPSEC traffic is really flowing, but there may be other or
> better ways.
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
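The thread suggests two ways to verify that tunnel encryption is really in use: "ip xfrm state" to see the kernel's IPsec security associations, and tcpdump or wireshark to see ESP on the wire. The following POSIX shell script, an added example that is not part of the patch, the thread, or the OVS project, shows how both checks can be automated against captured tool output. The chassis addresses, SPIs, and the "ip xfrm state" and tcpdump lines are constructed samples, not real captures; the functions are hypothetical helper names. A present SA only shows that IKE negotiated keys, so the capture check is included to confirm that the Geneve port 6081 traffic itself is no longer visible in cleartext.

```shell
#!/bin/sh
# Added example (not from the OVS patch or the thread): check, from tool
# output, whether IPsec is actually protecting an OVN tunnel.

# Constructed "ip xfrm state" sample for a chassis at 10.0.0.1: a peer at
# 10.0.0.2 has SAs in both directions, a peer at 10.0.0.3 only has an
# outbound SA (negotiation incomplete). Key material is a placeholder.
XFRM_SAMPLE='src 10.0.0.1 dst 10.0.0.2
	proto esp spi 0x0000a001 reqid 1 mode transport
	auth-hmac(sha256) 0x00
	enc cbc(aes) 0x00
src 10.0.0.2 dst 10.0.0.1
	proto esp spi 0x0000a002 reqid 1 mode transport
	auth-hmac(sha256) 0x00
	enc cbc(aes) 0x00
src 10.0.0.1 dst 10.0.0.3
	proto esp spi 0x0000a003 reqid 2 mode transport
	auth-hmac(sha256) 0x00
	enc cbc(aes) 0x00'

# Constructed tcpdump-style lines: two ESP packets exchanged with 10.0.0.2
# and one unencrypted Geneve (UDP 6081) packet leaving for 10.0.0.3.
CAPTURE_SAMPLE='12:00:00.000001 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x0000a001,seq=0x1), length 132
12:00:00.000002 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x0000a002,seq=0x1), length 132
12:00:00.000003 IP 10.0.0.1.49152 > 10.0.0.3.6081: Geneve, Flags [none], vni 0x1, proto TEB (0x6558)'

# count_esp_sa LOCAL PEER INPUT
# Prints "OUT IN": the number of ESP SAs from LOCAL to PEER and from PEER
# to LOCAL found in INPUT (text in "ip xfrm state" format).
count_esp_sa() {
  local_ip=$1; peer_ip=$2; input=$3
  printf '%s\n' "$input" | awk -v l="$local_ip" -v p="$peer_ip" '
    /^src / { src = $2; dst = $4 }          # start of one SA record
    /proto esp/ {
      if (src == l && dst == p) out++       # outbound SA
      if (src == p && dst == l) in_++       # inbound SA
    }
    END { printf "%d %d\n", out + 0, in_ + 0 }'
}

# ipsec_ready LOCAL PEER INPUT
# Succeeds only when an ESP SA exists in both directions; a one-way SA
# means the tunnel cannot yet carry protected traffic both ways.
ipsec_ready() {
  set -- $(count_esp_sa "$1" "$2" "$3")
  [ "$1" -ge 1 ] && [ "$2" -ge 1 ]
}

# esp_packets INPUT: number of ESP packets in tcpdump-style INPUT.
esp_packets() {
  printf '%s\n' "$1" | awk '/ESP\(/ { n++ } END { print n + 0 }'
}

# cleartext_geneve INPUT: number of packets that reached the Geneve port
# (6081) without ESP. Anything above zero means a tunnel is in plaintext.
cleartext_geneve() {
  printf '%s\n' "$1" | awk '/\.6081: .*Geneve/ && !/ESP/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed samples.
for peer in 10.0.0.2 10.0.0.3; do
  if ipsec_ready 10.0.0.1 "$peer" "$XFRM_SAMPLE"; then
    echo "peer $peer: ESP SAs present in both directions"
  else
    echo "peer $peer: IPsec NOT ready (SAs out/in: $(count_esp_sa 10.0.0.1 "$peer" "$XFRM_SAMPLE"))"
  fi
done
echo "ESP packets seen: $(esp_packets "$CAPTURE_SAMPLE")"
echo "cleartext Geneve packets seen: $(cleartext_geneve "$CAPTURE_SAMPLE")"
```

On a live chassis the same functions can be fed `"$(ip xfrm state)"` and the output of a short `tcpdump -ni <tunnel-interface> -l` run instead of the constructed samples; both checks should agree before the ipsec option is considered to be in effect for a given peer.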
