This patch series reintroduces IPsec support for OVS tunneling and enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merge the ovs-monitor-ipsec code into a single patch. Add LibreSwan IKE daemon support.
2. Add ovs-monitor-ipsec to the flake8 check.
3. Use openssl to extract the CN from the certificate so that users don't need to specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
---------------------
1. Add scripts and rules to create the ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst, which gives a step-by-step OVS IPsec tutorial. Modify Documentation/howto/ipsec.rst, which gives a detailed description of the OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificates when self-signing.
4. The IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section to ovn/ovn-architecture.7.xml to introduce OVN IPsec.

Changes from v3 to v4
---------------------
1. Split the datapath patch into three patches (geneve, vxlan, stt).
2. Add tutorials for OVN RBAC and OVN IPsec.

Changes from v4 to v5
---------------------
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve the IPsec and OVN-IPsec tutorials as suggested.
3. Change the description of setting skb_mark in the documentation to reflect the real situation.

Changes from v5 to v6
---------------------
1. Use a wildcard IP address to match the localhost IP in LibreSwan. Remove the 'local_ip' requirement when setting up the IPsec tunnel interface.
2. The ovs-monitor-ipsec daemon accepts a command line option to choose the IKE daemon, either LibreSwan or StrongSwan. The init script chooses which IKE daemon to use. Currently, the Debian init script chooses StrongSwan and the Fedora init script chooses LibreSwan.
3. Check for illegal names before removing a file in '_import_local_certs_and_key()'.
4. The GRE IPsec tunnel was not activated properly when using LibreSwan. This version fixes it.
5. The plaintext policy syntax was wrong when using LibreSwan. This version corrects it.
6. Add comments and explanations about the 'remote_name' check in '_is_valid_tunnel_conf()'.
7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start the IKE daemon.

Changes from v6 to v7
---------------------
1. Use os.path.abspath to generate the path of the p12 file to make sure the path is under '/tmp/'.
2. When the ovs-monitor-ipsec daemon restarts, check whether the NSS database has old certificates and private keys set by a previous run. If so, delete those old states.

*** BLURB HERE ***

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup for geneve
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk                          |    4 +
 Documentation/howto/index.rst                      |    1 +
 Documentation/howto/ipsec.rst                      |  194 ++++
 Documentation/index.rst                            |    5 +-
 Documentation/tutorials/index.rst                  |    3 +
 Documentation/tutorials/ipsec.rst                  |  347 ++++++
 Documentation/tutorials/ovn-ipsec.rst              |  146 +++
 Documentation/tutorials/ovn-rbac.rst               |  134 +++
 Makefile.am                                        |    1 +
 datapath/linux/compat/geneve.c                     |   29 +-
 debian/automake.mk                                 |    3 +
 debian/control                                     |   21 +
 debian/openvswitch-ipsec.dirs                      |    1 +
 debian/openvswitch-ipsec.init                      |  181 +++
 debian/openvswitch-ipsec.install                   |    1 +
 ipsec/automake.mk                                  |   10 +
 ipsec/ovs-monitor-ipsec                            | 1223 ++++++++++++++++++++
 ovn/controller/encaps.c                            |   14 +-
 ovn/controller/encaps.h                            |    6 +-
 ovn/controller/ovn-controller.c                    |    3 +-
 ovn/northd/ovn-northd.c                            |    8 +-
 ovn/ovn-architecture.7.xml                         |   39 +
 ovn/ovn-nb.ovsschema                               |    7 +-
 ovn/ovn-nb.xml                                     |    6 +
 ovn/ovn-sb.ovsschema                               |    7 +-
 ovn/ovn-sb.xml                                     |    6 +
 rhel/automake.mk                                   |    1 +
 rhel/openvswitch-fedora.spec.in                    |   19 +-
 ...sr_lib_systemd_system_openvswitch-ipsec.service |   13 +
 utilities/ovs-ctl.in                               |   27 +
 vswitchd/vswitch.xml                               |  156 ++-
 31 files changed, 2581 insertions(+), 35 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100644 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

-- 
2.14.4

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev