> From: "Dominik Holler" <[email protected]>
> To: [email protected]
> Cc: "Lance Richardson" <[email protected]>, "Numan Siddique"
> <[email protected]>, "Marcin Mirecki"
> <[email protected]>, "Dan Kenigsberg" <[email protected]>
> Sent: Tuesday, 6 June, 2017 11:30:07 AM
> Subject: enforce TLSv1.2 in OVN
>
> Hello,
> We want to ensure that OVN uses only TLSv1.2, but not TLSv1 or TLSv1.1
> in our scenario.
>
> There are multiple connections identified as relevant:
>
> - The tunneling data connection between the hypervisors/chassis, like
> geneve listening on UDP port 6081.
>
> - The meta data connections:
>
> - The connections to the OVN Southbound DB, which is hosted by
> ovsdb-server and listening typically on TCP port 6642. Connections
> may be initiated by the ovn-controllers and ovn-northd.
>
> - The connections to the OVN Northbound DB, which is hosted by
> ovsdb-server and listening typically on TCP port 6641. Connections
> may be initiated by the Cloud Management System and ovn-northd.
>
> Is it correct that encryption is not supported at all for the tunneling
> data connection?
That's correct. There has been some recent work to support the use of
IPSec for tunnel encryption, but as far as I know no one has investigated
using IPSec with OVN tunnels. If there is a need for this, we could
look into it. See:
https://patchwork.ozlabs.org/patch/674858/
>
> For the meta data connections ovsdb-server acts as the server.
> ovsdb-server has the command line option --ssl-protocols, but I do not
> understand how to apply this. ovsdb-server seems to be started by
> ovn-ctl, but I do not recognize a way to utilize ovn-ctl to
> pass the --ssl-protocols option.
> How should the --ssl-protocols option be passed to ovsdb-server?
>
I think we'll need to add a new option to ovn-ctl to allow this option
to be specified.
I also think we should allow the --ssl-protocols configuration to be
stored in the ovsdb database and have support in ovn-nbctl/ovn-sbctl
etc. for setting it.
I'll go ahead and start working on that, it would be good if you could
open a BZ for tracking the upstream and backport work.
> Thanks and regards
> Dominik
>
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
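The thread establishes two practical points: ovsdb-server accepts --ssl-protocols on its command line, and ovn-ctl (at the time) had no way to pass it through, so an operator who wants TLSv1.2 only has to start the NB/SB ovsdb-server by hand and then verify the result from the outside. The script below is an added example written for this page; it is not code from the thread, from Open vSwitch or from OVN. It assumes openssl(1) is installed, that the certificate and key paths are placeholders you replace, and that the "New, <version>, Cipher is <cipher>" / "Cipher is (NONE)" lines in openssl s_client output are a reliable success/failure indicator (true for OpenSSL 1.0/1.1/3.x, but confirm against your build). The ovsdb-server options used (--remote=pssl:PORT, --private-key, --certificate, --ca-cert, --ssl-protocols) are the documented ovsdb-server options; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, OVS or OVN): build an ovsdb-server
# invocation that only speaks TLSv1.2, then audit a listener to see which
# TLS versions it still negotiates. Requires openssl(1) for the probe.

# Name of the openssl binary; overridable so the probe can be exercised
# against a stand-in (used by the test that accompanies this example).
OPENSSL=${OPENSSL:-openssl}

# Print the ovsdb-server command line for one OVN database restricted to
# TLSv1.2. Args: DB file, pssl port (6641 NB / 6642 SB), key, cert, CA cert.
# --ssl-protocols takes a comma-separated list; listing only TLSv1.2 is
# what disables TLSv1 and TLSv1.1 on that listener.
ovsdb_server_tls12_cmd() {
    printf 'ovsdb-server %s --remote=pssl:%s --private-key=%s --certificate=%s --ca-cert=%s --ssl-protocols=TLSv1.2\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Classify one openssl s_client transcript passed as $1.
# A completed handshake prints "New, TLSv1.2, Cipher is <name>";
# a refused version prints "Cipher is (NONE)" or fails before that line.
classify_s_client() {
    if printf '%s\n' "$1" | grep -q 'Cipher is ' &&
       ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo rejected
    fi
}

# Probe HOST ($1) PORT ($2) forcing one protocol version ($3: tls1,
# tls1_1 or tls1_2). Prints "accepted" or "rejected".
tls_probe() {
    if ! command -v "$OPENSSL" >/dev/null 2>&1; then
        echo "tls_probe: $OPENSSL not found" >&2
        return 2
    fi
    out=$("$OPENSSL" s_client -connect "$1:$2" "-$3" </dev/null 2>&1)
    classify_s_client "$out"
}

# Audit HOST ($1) PORT ($2) for all three versions. Returns 1 if TLSv1 or
# TLSv1.1 is still accepted, so it can gate a deployment check. Caveat:
# if the probing host's own OpenSSL refuses to offer TLSv1/TLSv1.1 (the
# default in OpenSSL 3.x at security level 1+), those rows read "rejected"
# regardless of the server; probe from a client build that still offers them.
tls_audit() {
    bad=0
    for v in tls1 tls1_1 tls1_2; do
        r=$(tls_probe "$1" "$2" "$v")
        printf '%s:%s %-7s %s\n' "$1" "$2" "$v" "$r"
        if [ "$v" != tls1_2 ] && [ "$r" = accepted ]; then
            bad=1
        fi
    done
    return $bad
}

# Usage: sh tls12_audit.sh HOST PORT   (e.g. the NB DB on 6641)
if [ "$#" -eq 2 ]; then
    tls_audit "$1" "$2"
fi
```

Run the printed ovsdb-server command (with real paths) for the NB and SB databases, then run the audit against each port; the intended result is "rejected" for tls1 and tls1_1 and "accepted" for tls1_2. Note that this only covers the database connections; as the thread says, the Geneve tunnel traffic on UDP 6081 is not protected by this setting at all.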