Yes, it makes sense. I will add this to the next revision.

Thanks,
Qiuyu

On Thu, Aug 2, 2018 at 11:31 AM, Ben Pfaff <[email protected]> wrote:
> On Tue, Jul 31, 2018 at 02:08:53PM -0700, Qiuyu Xiao wrote:
>> This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
>> binary option to its user for encryption configuration. If the IPsec
>> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
>> will be encrypted.
>>
>> The changes are summarized as below:
>> 1) Added an ipsec column on the NB_Global table and SB_Global table. The
>> value of ipsec column is propagated by ovn-northd from NB_Global to
>> SB_Global.
>>
>> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
>> value is true, ovn-controller sets options of the tunnel interface by
>> specifying "options:remote_name=<remote_chassis_name>". If the ipsec
>> value is false, ovn-controller removes these options.
>>
>> 3) ovs-monitor-ipsec daemon
>> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
>> monitors the tunnel interface options and configures IKE daemon
>> accordingly for IPsec encryption.
>>
>> Signed-off-by: Qiuyu Xiao <[email protected]>
>
> It seems like, to be more secure, it would be wise for ovn-controller in
> ipsec mode to set ipsec_skb_mark to 1/1 and then add an OpenFlow flow
> that sets skb_mark to 1.  What do you think?
>
> Thanks,
>
> Ben.
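An added audit check that is not part of the patch or the thread above: it takes the behaviour the patch description promises (ipsec true means every OVN tunnel interface carries options:remote_name, ipsec false means none does) and flags interfaces in an `ovs-vsctl list Interface` listing that disagree with the configured value. It assumes the listing format of `ovs-vsctl --columns=name,type,options list Interface` and that OVN tunnels are of type geneve, stt or vxlan; the listing below is constructed sample data.

```shell
#!/bin/sh
# Audit OVN tunnel interfaces against the NB_Global.ipsec setting.
# Constructed sample: one internal port, one tunnel with remote_name, one without.
SAMPLE='name                : "br-int"
type                : internal
options             : {}

name                : "ovn-host1-0"
type                : geneve
options             : {csum="true", key=flow, remote_ip="192.0.2.11", remote_name="host1"}

name                : "ovn-host2-0"
type                : geneve
options             : {csum="true", key=flow, remote_ip="192.0.2.12"}
'

# audit_tunnels LISTING IPSEC_FLAG
# Prints the name of every tunnel interface whose options disagree with
# IPSEC_FLAG ("true": remote_name must be present, so the tunnel will be
# encrypted; "false": remote_name must be absent). Exit status 1 if any.
audit_tunnels() {
    printf '%s\n' "$1" | awk -v ipsec="$2" '
        # Evaluate one interface record once all of its columns are seen;
        # this does not depend on the order in which ovs-vsctl prints them.
        function check() {
            if (type == "geneve" || type == "stt" || type == "vxlan") {
                if ((ipsec == "true" && !has) || (ipsec == "false" && has)) {
                    print name; bad = 1
                }
            }
            name = ""; type = ""; has = 0
        }
        /^name/    { sub(/^name *: */, ""); gsub(/"/, ""); name = $0 }
        /^type/    { sub(/^type *: */, ""); type = $0 }
        /^options/ { has = ($0 ~ /remote_name=/) }
        /^$/       { check() }          # blank line ends a record
        END        { check(); exit bad ? 1 : 0 }'
}

# On a live chassis the listing would come from:
#   ovs-vsctl --columns=name,type,options list Interface
# and the flag from:  ovn-nbctl get NB_Global . ipsec
audit_tunnels "$SAMPLE" true
```

With ipsec enabled the run above reports ovn-host2-0, the tunnel that would stay in cleartext because ovn-controller never set remote_name on it.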