On Tue, Jul 31, 2018 at 02:08:53PM -0700, Qiuyu Xiao wrote:
> This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
> binary option to its user for encryption configuration. If the IPsec
> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
> will be encrypted.
>
> The changes are summarized as below:
> 1) Added an ipsec column on the NB_Global table and SB_Global table. The
> value of ipsec column is propagated by ovn-northd from NB_Global to
> SB_Global.
>
> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
> value is true, ovn-controller sets options of the tunnel interface by
> specifying "options:remote_name=<remote_chassis_name>". If the ipsec
> value is false, ovn-controller removes these options.
>
> 3) ovs-monitor-ipsec daemon
> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
> monitors the tunnel interface options and configures IKE daemon
> accordingly for IPsec encryption.
>
> Signed-off-by: Qiuyu Xiao <[email protected]>
It seems like, to be more secure, it would be wise for ovn-controller in
ipsec mode to set ipsec_skb_mark to 1/1 and then add an OpenFlow flow that
sets skb_mark to 1. What do you think?

Thanks,

Ben.
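Since the scheme above encrypts a tunnel only when ovn-controller has stamped it with options:remote_name, an operator who has set ipsec=true will want a quick way to confirm that no tunnel port was left without that option. The audit below is an added example, not code from the patch or from OVS; it parses the OVSDB JSON wire format that `ovs-vsctl --format=json --columns=name,type,options list Interface` prints and lists the tunnel interfaces that lack remote_name. The embedded JSON is a constructed sample of that output (chassis names and addresses are made up).

```python
import json

# Constructed sample of `ovs-vsctl --format=json --columns=name,type,options list Interface`
# output. OVSDB encodes maps on the wire as ["map", [[key, value], ...]].
SAMPLE_OVS_VSCTL_JSON = json.dumps({
    "headings": ["name", "type", "options"],
    "data": [
        ["br-int", "internal", ["map", []]],
        ["ovn-chassis-2-0", "geneve",
         ["map", [["csum", "true"], ["key", "flow"],
                  ["remote_ip", "192.0.2.2"], ["remote_name", "chassis-2"]]]],
        ["ovn-chassis-3-0", "geneve",
         ["map", [["csum", "true"], ["key", "flow"], ["remote_ip", "192.0.2.3"]]]],
        ["vxlan0", "vxlan", ["map", [["remote_ip", "198.51.100.7"]]]],
    ],
})

# Encapsulation types that ovs-monitor-ipsec would be expected to protect.
TUNNEL_TYPES = {"geneve", "vxlan", "stt", "gre"}


def decode_ovsdb_value(value):
    """Turn an OVSDB JSON wire value (map/set/uuid or atom) into a plain Python value."""
    if isinstance(value, list) and len(value) == 2:
        tag, body = value
        if tag == "map":
            return {k: decode_ovsdb_value(v) for k, v in body}
        if tag == "set":
            return [decode_ovsdb_value(v) for v in body]
        if tag == "uuid":
            return body
    return value


def parse_interfaces(raw_json):
    """Return one dict per Interface row, keyed by the column headings."""
    table = json.loads(raw_json)
    headings = table["headings"]
    return [dict(zip(headings, (decode_ovsdb_value(v) for v in row)))
            for row in table["data"]]


def unencrypted_tunnels(raw_json):
    """Names of tunnel ports with no options:remote_name, i.e. ports the
    IPsec scheme in this patch would leave in the clear."""
    return [iface["name"] for iface in parse_interfaces(raw_json)
            if iface["type"] in TUNNEL_TYPES and "remote_name" not in iface["options"]]


if __name__ == "__main__":
    for name in unencrypted_tunnels(SAMPLE_OVS_VSCTL_JSON):
        print("tunnel without remote_name (not covered by IPsec):", name)
```

Feed it the live `ovs-vsctl --format=json` output on a chassis instead of the sample; a non-empty result after setting ipsec=true is the condition worth alerting on.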
