On Tue, Dec 10, 2024 at 6:07 PM Ilya Maximets <[email protected]> wrote:
>
> Typical configuration file hierarchy for Libreswan in distributions
> looks like this:
>
>   /etc
>     /ipsec.conf
>     /ipsec.d
>       /*.conf
>     /crypto-policies/back-ends/libreswan.config
>
> The root ipsec.conf contains the 'setup' section with the base
> configuration of the IKE daemon, includes system-wide crypto-policies
> and all the sub-config files in the ipsec.d folder describing connections.
>
> ovs-monitor-ipsec today is not able to leverage this structure, because
> it requires complete ownership of the ipsec.conf. If someone
> attempts to pass a sub-config file to the daemon in order to make it
> not overwrite the root ipsec.conf, this may cause a lot of trouble:
>
> 1. New tunnel is created in OVS.
> 2. ovs-monitor-ipsec writes it into a sub-config file.
> 3. ovs-monitor-ipsec calls ipsec --start conn --config sub-config
> 4. Libreswan starts the connection using configuration from only the
>    sub-config and not taking into account any other file.
> 5. Re-start Libreswan.
> 6. Libreswan now reads all the files and configures connections
>    using information from all the configuration files, including
>    system-wide crypto policies and other potential 'conn %default'
>    sections from all the files.
> 7. Now the connection is configured differently and potentially
>    in an incompatible way with the other side.
>
> Worst of all, the behavior is unpredictable, taking into account
> that the re-start can happen due to a crash or other random event.
>
> Another point is that 'setup' and 'conn %default' sections defined
> in our sub-config file will also bleed out configuration to connections
> defined in other files. And it's hard to say in which order
> configuration will be applied, because it's not clear in which order
> the files are included and parsed.
>
> So, this kind of file structure cannot be safely used.
>
> Let's add minimal support for running with a sub-config. A new
> option '--root-ipsec-conf' is introduced to specify the location of
> the root ipsec.conf file, so ovs-monitor-ipsec can provide it while
> calling ipsec commands instead. This will make Libreswan (pluto)
> parse the whole tree of includes and apply the same configuration
> every time, regardless of restarts and other issues.
>
> When this new option is set, ovs-monitor-ipsec will also not define
> the 'setup' section to avoid overriding global configuration and will
> not define the 'conn %default' section for the same reason. Instead,
> important connection options will be defined for every connection,
> so they are still applied without polluting defaults.
>
> The 'setup' section is just omitted in this case. We only define
> 'uniqueids', but it's true by default and we may assume users know
> what they are doing if they are changing this config in the main
> ipsec.conf. The Libreswan documentation also discourages turning
> this option off and mentions that it may be removed in the future.
>
> Only implementing for Libreswan, because we do not even support a
> non-default location of ipsec.conf with StrongSwan today.
>
> Signed-off-by: Ilya Maximets <[email protected]>
> ---

Seems like a reasonable solution to me.

Acked-by: Mike Pattrick <[email protected]>

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
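As an added illustration (not code from the patch or from ovs-monitor-ipsec itself), a small Python model of the two rendering modes the commit message describes: with no root ipsec.conf the daemon owns the file and emits 'config setup' and 'conn %default'; with '--root-ipsec-conf' it emits only conn sections, repeating the former defaults inside each one. The default option set and the tunnel values are constructed, and the argv shape follows the `ipsec --start conn --config` form quoted in the message.

```python
# Constructed stand-in for the options that would otherwise live in
# 'conn %default'; the real daemon's option list is not reproduced here.
PER_CONN_DEFAULTS = {
    "keyingtries": "%forever",
    "type": "transport",
}


def render_section(header, options):
    """Render one ipsec.conf section in Libreswan's indented key=value form."""
    lines = [header]
    lines += [f"    {key}={value}" for key, value in options.items()]
    return "\n".join(lines)


def render_config(conns, root_ipsec_conf=None):
    """Render the file the monitor writes.  conns: {name: {option: value}}.

    root_ipsec_conf=None: the monitor owns ipsec.conf, so 'config setup' and
    'conn %default' are emitted.  Otherwise both are omitted so nothing bleeds
    into connections defined in other included files, and the defaults are
    repeated inside every conn section instead.
    """
    sections = []
    if root_ipsec_conf is None:
        sections.append(render_section("config setup", {"uniqueids": "yes"}))
        sections.append(render_section("conn %default", PER_CONN_DEFAULTS))
        inline_defaults = {}
    else:
        inline_defaults = PER_CONN_DEFAULTS
    for name, opts in conns.items():
        sections.append(render_section(f"conn {name}", {**inline_defaults, **opts}))
    return "\n\n".join(sections) + "\n"


def ipsec_command(action, conn_name, config_path):
    """argv in the shape quoted in the commit message.  config_path must be the
    root ipsec.conf when one is configured, so pluto parses the whole include
    tree and applies the same configuration before and after a restart."""
    return ["ipsec", action, conn_name, "--config", config_path]


def pollutes_shared_config(rendered):
    """True if a sub-config carries sections that leak into other files."""
    return any(line.startswith(("config setup", "conn %default"))
               for line in rendered.splitlines())


if __name__ == "__main__":
    tunnels = {"tun-1": {"left": "192.0.2.1", "right": "192.0.2.2"}}  # constructed
    print(render_config(tunnels, root_ipsec_conf="/etc/ipsec.conf"))
    print(" ".join(ipsec_command("--start", "tun-1", "/etc/ipsec.conf")))
```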
