On Mon, Aug 06, 2018 at 11:04:36AM -0700, Qiuyu Xiao wrote:
> tutorials/index.rst gives a step-by-step guide to set up OVS IPsec
> tunnel.
>
> tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
> configuration methods and forwarding modes.
>
> Signed-off-by: Qiuyu Xiao <[email protected]>
> Signed-off-by: Ansis Atteka <[email protected]>
> Co-authored-by: Ansis Atteka <[email protected]>

Following our in-person discussion today, does the following correctly
reflect the real situation?

Thanks,

Ben.

diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 3caef4f79539..e9a8d20feece 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -823,11 +823,15 @@
<group title="Plaintext Tunnel Policy">
<p>
- After an IPsec tunnel is configured, it takes a few round trips to
- negotiate details of the encryption with the remote host. In the
- meantime, packets sent by the local host over the tunnel can be
- transmitted in plaintext. This setting controls the behavior in this
- situation.
+ When an IPsec tunnel is configured in this database, multiple
+ independent components take responsibility for implementing it.
+ <code>ovs-vswitchd</code> and its datapath handle packet forwarding
+ to the tunnel and a separate daemon pushes the tunnel's IPsec policy
+ configuration to the kernel or other entity that implements it.
+ There is a race: if the former configuration completes before the
+ latter, then packets sent by the local host over the tunnel can be
+ transmitted in plaintext. Using this setting, OVS users can avoid
+ this undesirable situation.
</p>
<column name="other_config" key="ipsec_skb_mark"
type='{"type": "string"}'>
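
Review bot: In the added paragraph, "the former configuration" and "the latter" have no clear antecedents, because the preceding sentence names two components (ovs-vswitchd with its datapath, and a separate daemon) rather than two configurations. Spelling it out would remove the ambiguity, for example "if forwarding to the tunnel is set up before the IPsec policy is installed, then packets ... can be transmitted in plaintext". The closing sentence says the setting lets users avoid the situation but not how; a short clause on what happens to packets that reach the tunnel before the policy is in place would make the security property clear to readers of this group. The removed text attributed the plaintext window to the encryption negotiation round trips, and the new text no longer mentions that; if that window still exists it should be kept alongside the race. Minor: a comma is needed before "and a separate daemon", and naming that daemon would help.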
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev