On Thu, Jul 05, 2018 at 09:29:12PM +0100, Ian Stokes wrote:
> On 6/27/2018 6:58 PM, Qiuyu Xiao wrote:
> >This patch series reintroduces IPsec support for OVS tunneling and adds new
> >features to prepare for the OVN IPsec support. The new features are:
> >
> >1) Add CA-cert based authentication support to ovs-monitor-ipsec.
> >2) Enable ovs-pki to generate x.509 version 3 certificate.
> >
>
> Thanks for working on the series.
>
> Just had a general query as regards IPsec in userspace.
>
> I had previously looked at implementing a *rough* IPsec Tunnel interface for
> userspace last year for OVS DPDK. I had put the work on hold as DPDK has
> begun working on a general IPsec library which would make implementation
> simpler and cleaner/simpler to maintain in the future. Targeted for DPDK
> 18.11 (November this year).
>
> Would the introduction of a specific IPsec tunnel interface still be
> acceptable in light of this patch?
>
> There are other libraries such as macsec that DPDK has libraries for as well
> that could be introduced in the future for user space.
>
> I'm just aware of the divergence of approaches between what's available in
> kernel vs userspace so thought it was worth raising for discussion at this
> point?

Qiuyu probably doesn't have the context for this so let me respond.

Ideally, I'd like to have a single IPsec tunnel configuration interface
that works well with all datapaths. The one that Qiuyu is
(re)introducing works for the kernel datapath. I don't know IPsec or
DPDK well enough to guess whether changes would be needed to better
adapt it to a userspace datapath. Do you see weaknesses in that area?
It'd be great to get it right now, if we can.
