Yes. This describes the real situation. I will apply this to the next series.
Thanks,
Qiuyu

On Mon, Aug 6, 2018 at 4:25 PM, Ben Pfaff <[email protected]> wrote:
> On Mon, Aug 06, 2018 at 11:04:36AM -0700, Qiuyu Xiao wrote:
>> tutorials/index.rst gives a step-by-step guide to set up OVS IPsec
>> tunnel.
>>
>> tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
>> configuration methods and forwarding modes.
>>
>> Signed-off-by: Qiuyu Xiao <[email protected]>
>> Signed-off-by: Ansis Atteka <[email protected]>
>> Co-authored-by: Ansis Atteka <[email protected]>
>
> Following our in-person discussion today, does the following correctly
> reflect the real situation?
>
> Thanks,
>
> Ben.
>
> diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
> index 3caef4f79539..e9a8d20feece 100644
> --- a/vswitchd/vswitch.xml
> +++ b/vswitchd/vswitch.xml
> @@ -823,11 +823,15 @@
>
> <group title="Plaintext Tunnel Policy">
> <p>
> - After an IPsec tunnel is configured, it takes a few round trips to
> - negotiate details of the encryption with the remote host. In the
> - meantime, packets sent by the local host over the tunnel can be
> - transmitted in plaintext. This setting controls the behavior in
> this
> - situation.
> + When an IPsec tunnel is configured in this database, multiple
> + independent components take responsibility for implementing it.
> + <code>ovs-vswitchd</code> and its datapath handle packet forwarding
> + to the tunnel and a separate daemon pushes the tunnel's IPsec
> policy
> + configuration to the kernel or other entity that implements it.
> + There is a race: if the former configuration completes before the
> + latter, then packets sent by the local host over the tunnel can be
> + transmitted in plaintext. Using this setting, OVS users can avoid
> + this undesirable situation.
> </p>
> <column name="other_config" key="ipsec_skb_mark"
> type='{"type": "string"}'>
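
Review bot: The last added sentence of the new paragraph ("Using this setting, OVS users can avoid this undesirable situation") says the setting closes the plaintext window but not how, so a reader cannot tell what a value of `ipsec_skb_mark` does to packets sent before the IPsec policy is in place. Suggest saying in that sentence what happens to such packets when the setting is used, or pointing explicitly at the `other_config:ipsec_skb_mark` column description that follows. In the same paragraph, "a separate daemon" and "the kernel or other entity that implements it" are left unnamed; naming the daemon would tell operators which process has to finish before tunnel traffic is protected. The race is also described only for initial configuration ("if the former configuration completes before the latter"); it would help to state whether the same plaintext window applies when that daemon is restarted or its policy is not yet reinstalled.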
