On Mon, Aug 06, 2018 at 11:04:36AM -0700, Qiuyu Xiao wrote:
> tutorials/index.rst gives a step-by-step guide to set up OVS IPsec
> tunnel.
>
> tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
> configuration methods and forwarding modes.
>
> Signed-off-by: Qiuyu Xiao <qiuyu.xiao....@gmail.com>
> Signed-off-by: Ansis Atteka <aatt...@ovn.org>
> Co-authored-by: Ansis Atteka <aatt...@ovn.org>

Following our in-person discussion today, does the following correctly reflect the real situation?

Thanks,

Ben.

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 3caef4f79539..e9a8d20feece 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -823,11 +823,15 @@ <group title="Plaintext Tunnel Policy"> <p> - After an IPsec tunnel is configured, it takes a few round trips to - negotiate details of the encryption with the remote host. In the - meantime, packets sent by the local host over the tunnel can be - transmitted in plaintext. This setting controls the behavior in this - situation. + When an IPsec tunnel is configured in this database, multiple + independent components take responsibility for implementing it. + <code>ovs-vswitchd</code> and its datapath handle packet forwarding + to the tunnel and a separate daemon pushes the tunnel's IPsec policy + configuration to the kernel or other entity that implements it. + There is a race: if the former configuration completes before the + latter, then packets sent by the local host over the tunnel can be + transmitted in plaintext. Using this setting, OVS users can avoid + this undesirable situation. </p> <column name="other_config" key="ipsec_skb_mark" type='{"type": "string"}'>
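
Review bot: The closing added sentence ("Using this setting, OVS users can avoid this undesirable situation.") does not say what happens to packets during the race window, or what the behavior is when the setting is left unset. State in this paragraph whether packets are dropped or sent unprotected while the IPsec policy is not yet installed, and which of those is the default, so a reader does not assume the tunnel fails closed without configuring anything. The removed text attributed the plaintext window to negotiation round trips with the remote host; if that window exists in addition to the configuration race, keep a sentence on it rather than replacing one cause with the other. Naming the "separate daemon" would also let readers find where the policy is installed.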