Re: [ovs-dev] [PATCH v5 2/6] ipsec: reintroduce IPsec support for tunneling
On Wed, Aug 29, 2018 at 3:41 PM Ansis Atteka wrote:
>
> On Sun, 19 Aug 2018 at 20:31, Qiuyu Xiao wrote:
> >
> > On Mon, Aug 13, 2018 at 2:33 AM, Ansis Atteka wrote:
> > > On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
> > >>
> > >> This patch reintroduces ovs-monitor-ipsec daemon that
> > >> was previously removed by commit 2b02d770 ("openvswitch:
> > >> Allow external IPsec tunnel management.")
> > >>
> > >> After this patch, there are no IPsec flavored tunnels anymore.
> > >> IPsec is enabled by setting up the right values in:
> > >> 1. OVSDB:Interface:options column;
> > >> 2. OVSDB:Open_vSwitch:other_config column;
> > >> 3. OpenFlow pipeline.
> > >>
> > >> GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and
> > >> StrongSwan IKE daemons are supported. User can choose pre-shared key,
> > >> self-signed peer certificate, or CA-signed certificate as authentication
> > >> method.
> > > s/mehod/methods
> > >>
> > >> Signed-off-by: Qiuyu Xiao
> > >> Signed-off-by: Ansis Atteka
> > >> Co-authored-by: Ansis Atteka
> > >> ---
> Sorry for responding so late. I was off for the last two weeks.
> > >
> > > I have two high level comments that we privately discussed earlier on
> > > Friday:
> > > 1. the local_ip should be wildcardable. Otherwise, if routes change,
> > > then packets may leak out unencrypted before local_ip gets
> > > explicitly updated by administrator as well.
> >
> > I did some tests. The IP can be set as %defaultroute in LibreSwan so
> > that no fixed IP is required. I will use this and avoid local_ip
> > setting on the next revision.
> Great to hear you figured this out.
> >
> > > 2. the strongSwan/Ubuntu and libreswan/Fedora compatibility issue due
> > > to integrity check. I know that this could be strongswan or libreswan
> > > bug, but perhaps we could use some alternate configuration that works?
> > > Did you find one?
> >
> > I didn't find alternate configuration that works. I might just send an
> > email to the upstream mailing list.
> ok
>
> >
> > > Other than that see small implementation details
> > >
> > >> Makefile.am |1 + > > >> ipsec/automake.mk | 10 + > > >> ipsec/ovs-monitor-ipsec | 1173 +++ > > >> 3 files changed, 1184 insertions(+) > > >> create mode 100644 ipsec/automake.mk > > >> create mode 100755 ipsec/ovs-monitor-ipsec > > >> > > >> diff --git a/Makefile.am b/Makefile.am > > >> index 788972804..aeb2d108f 100644 > > >> --- a/Makefile.am > > >> +++ b/Makefile.am > > >> @@ -481,6 +481,7 @@ include tests/automake.mk > > >> include include/automake.mk > > >> include third-party/automake.mk > > >> include debian/automake.mk > > >> +include ipsec/automake.mk > > >> include vswitchd/automake.mk > > >> include ovsdb/automake.mk > > >> include rhel/automake.mk > > >> diff --git a/ipsec/automake.mk b/ipsec/automake.mk > > >> new file mode 100644 > > >> index 0..1e530cb42 > > >> --- /dev/null > > >> +++ b/ipsec/automake.mk 
> > >> @@ -0,0 +1,10 @@ > > >> +# Copyright (C) 2017 Nicira, Inc. > > >> +# > > >> +# Copying and distribution of this file, with or without modification, > > >> +# are permitted in any medium without royalty provided the copyright > > >> +# notice and this notice are preserved. This file is offered as-is, > > >> +# without warranty of any kind. > > >> + > > >> +EXTRA_DIST += \ > > >> +ipsec/ovs-monitor-ipsec > > >> +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec > > >> diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec > > >> new file mode 100755 > > >> index 0..163b04004 > > >> --- /dev/null > > >> +++ b/ipsec/ovs-monitor-ipsec > > >> @@ -0,0 +1,1173 @@ > > >> +#!/usr/bin/env python > > >> +# Copyright (c) 2017 Nicira, Inc. > > >> +# > > >> +# Licensed under the Apache License, Version 2.0 (the "License"); > > >> +# you may not use this file except in compliance with the License. > > >> +# You may obtain a copy of the
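As an added illustration of the leak Ansis describes above (a policy whose selector pins the local address stops matching once the host starts sourcing tunnel packets from another address, and the kernel then sends the traffic in the clear), here is a small Python checker. It is example code written for this page, not part of the ovs-monitor-ipsec patch: it parses the text output of `ip xfrm policy` (the same data the patch's XFRM class reads back from the kernel) and reports, for a tunnel described by its type, remote_ip and the local address currently in use, whether an outbound encrypting policy covers it. The port table is taken from the conn templates in patch 2/6 (UDP 4789 for VXLAN, UDP 6081 for GENEVE, TCP 7471 for STT); the sample policy dump is constructed, and the function names are this example's own.

```python
"""Check that an OVS tunnel is covered by an outbound XFRM (IPsec) policy.

Example code added to this page; it is not part of ovs-monitor-ipsec. It reads
the text format of `ip xfrm policy` (pass it the command's output) and finds the
policy the kernel would apply to the tunnel's outgoing packets, so a pinned
local address that no longer matches, or a catch-all bypass policy, is reported
instead of silently producing plaintext.
"""
import ipaddress
import re

# Tunnel type -> (protocol name as `ip xfrm` prints it, well-known remote port).
# Ports come from the conn templates in the ovs-monitor-ipsec patch; GRE has none.
TUNNEL_PROTO = {
    "gre": ("gre", None),
    "vxlan": ("udp", 4789),
    "geneve": ("udp", 6081),
    "stt": ("tcp", 7471),
}

# First line of a policy block: "src A/N dst B/M [proto P] [sport S] [dport D]".
_SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)
_PRIORITY_RE = re.compile(r"priority (\d+)")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into a list of policy dicts.

    Each dict has src/dst (ip_network), proto (str or None), dport (int or
    None), dir ("in"/"out"/"fwd"), priority (int, lower wins) and tmpl (True
    when the policy carries a transform template, i.e. traffic is actually
    wrapped in ESP/AH; a policy without a template lets traffic pass as is).
    """
    policies = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line: a new policy's selector
            m = _SELECTOR_RE.match(line)
            if not m:
                raise ValueError("unrecognised selector line: %r" % line)
            current = {
                "src": ipaddress.ip_network(m.group("src"), strict=False),
                "dst": ipaddress.ip_network(m.group("dst"), strict=False),
                "proto": m.group("proto"),
                "dport": int(m.group("dport")) if m.group("dport") else None,
                "dir": None,
                "priority": 0,
                "tmpl": False,
            }
            policies.append(current)
            continue
        words = line.split()
        if words[0] == "dir":  # "dir out priority N ptype main"
            current["dir"] = words[1]
            pm = _PRIORITY_RE.search(line)
            if pm:
                current["priority"] = int(pm.group(1))
        elif words[0] == "tmpl":
            current["tmpl"] = True
    return policies


def tunnel_leaks(policies, tunnel_type, remote_ip, local_ip):
    """Return None if the tunnel's outgoing packets hit an encrypting policy,
    otherwise a string explaining why they would leave the host in the clear.

    The first matching "out" policy in priority order decides, mirroring the
    kernel's lookup. A policy that matches everything except the source
    address is remembered so the report can name the pinned address.
    """
    proto, dport = TUNNEL_PROTO[tunnel_type]
    dst = ipaddress.ip_address(remote_ip)
    src = ipaddress.ip_address(local_ip)
    pinned_src = None
    for p in sorted(policies, key=lambda p: p["priority"]):
        if p["dir"] != "out" or dst not in p["dst"]:
            continue
        if p["proto"] not in (None, proto) or p["dport"] not in (None, dport):
            continue
        if src not in p["src"]:
            pinned_src = p["src"]  # would match, but the local address moved
            continue
        if p["tmpl"]:
            return None
        return "first matching out-policy has no ESP template, traffic passes in the clear"
    if pinned_src is not None:
        return "out-policy pins local address %s but the tunnel now sources from %s" % (
            pinned_src, src)
    return "no out-policy covers %s/%s to %s" % (proto, dport, dst)


# Constructed sample dump (not captured from a real host): a VXLAN policy with a
# pinned local /32, a GENEVE policy with a wildcard local address, and a
# low-priority catch-all without a template, i.e. a plaintext bypass.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.10/32 dst 192.0.2.20/32 proto udp dport 4789
    dir out priority 1042407 ptype main
    tmpl src 192.0.2.10 dst 192.0.2.20
        proto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 192.0.2.30/32 proto udp dport 6081
    dir out priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 192.0.2.30
        proto esp reqid 16386 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 2147483647 ptype main
"""

if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for ttype, remote, local in [("vxlan", "192.0.2.20", "192.0.2.10"),
                                 ("vxlan", "192.0.2.20", "192.0.2.11"),
                                 ("geneve", "192.0.2.30", "192.0.2.11")]:
        print(ttype, remote, local, tunnel_leaks(pols, ttype, remote, local) or "encrypted")
```

On a real host, feed it `subprocess.check_output(["ip", "xfrm", "policy"])` and the local address from `ip route get <remote_ip>`; the second VXLAN case in the sample is exactly the route-change scenario from the thread, and it is reported as a plaintext bypass because the catch-all policy without a template is what the kernel falls through to.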
[ovs-dev] [PATCH v7 6/6] Documentation: OVN RBAC and IPsec tutorial
This patch adds a step-by-step guide for configuring OVN Role-Based Access
Control and IPsec.

Signed-off-by: Qiuyu Xiao
---
Documentation/automake.mk | 2 + Documentation/index.rst | 4 +- Documentation/tutorials/index.rst | 2 + Documentation/tutorials/ovn-ipsec.rst | 146 ++ Documentation/tutorials/ovn-rbac.rst | 134 +++ 5 files changed, 287 insertions(+), 1 deletion(-) create mode 100644 Documentation/tutorials/ovn-ipsec.rst create mode 100644 Documentation/tutorials/ovn-rbac.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 5401b9bad..082438e09 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -29,6 +29,8 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ Documentation/tutorials/ipsec.rst \ + Documentation/tutorials/ovn-ipsec.rst \ + Documentation/tutorials/ovn-rbac.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ diff --git a/Documentation/index.rst b/Documentation/index.rst index bab5ba1f1..46261235c 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -66,7 +66,9 @@ vSwitch? Start here. :doc:`tutorials/ovn-sandbox` | :doc:`tutorials/ovn-openstack` | :doc:`tutorials/ovs-conntrack` | - :doc:`tutorials/ipsec` + :doc:`tutorials/ipsec` | + :doc:`tutorials/ovn-ipsec` | + :doc:`tutorials/ovn-rbac` Deeper Dive --- diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index b481090a0..35340ee56 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -44,4 +44,6 @@ vSwitch. ovs-advanced ovn-sandbox ovn-openstack + ovn-rbac + ovn-ipsec ovs-conntrack diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst new file mode 100644 index 0..feb695ea3 --- /dev/null +++ b/Documentation/tutorials/ovn-ipsec.rst 
@@ -0,0 +1,146 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +OVN IPsec Tutorial +== + +This document provides a step-by-step guide for encrypting tunnel traffic with +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by +physical routers and switches. These physical devices could be untrusted +(devices in public network) or might be compromised. Enabling IPsec encryption +for the tunnel traffic can prevent the traffic data from being monitored and +manipulated. More details about the OVN IPsec design can be found in +``ovn-architecture``\(7) manpage. + +This document assumes OVN is installed in your system and runs normally. Also, +you need to install OVS IPsec packages in each chassis (refer to +:ref:`install-ovs-ipsec`). + +Generating Certificates and Keys + + +OVN chassis uses CA-signed certificate to authenticate peer chassis for +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you +can generate separate certificates and keys with ``ovs-pki`` (refer to +:ref:`gen-certs-keys`). + +.. 
note:: + + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS + field setting the same string as the common name (CN) field. CN should be + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later + generates such certificates. Please generate compatible certificates if you + use another PKI tool, or an older version of ``ovs-pki``, to manage + certificates. + +Configuring OVN IPsec +- + +You need to install the CA certificate, chassis certificate and private key in +each chassis. Use the following command:: + +$ ovs-vsctl set Open_vSwitch . \ +other_config:certificate=/path/to/chassis-cert.pem \ +other_config:private_key=/path/to/chassis-privkey.pem \ +other_
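Review bot: in the ovn-ipsec.rst hunk, "Generating Certificates and Keys" says a CA-signed certificate authenticates the peer chassis, but a CA signature alone only proves the peer holds some certificate from that CA, not which chassis it is; what ties a tunnel to a specific peer is the options:remote_name that ovn-controller sets to the peer chassis name (patch 5/6) being matched against the certificate's CN/subjectAltName, which is why the note insists that CN equal the chassis name. Say that explicitly, otherwise a reader may conclude that any certificate from the CA is an acceptable peer. Two smaller points in "Configuring OVN IPsec": the other_config:private_key path is handed to ovs-monitor-ipsec, which imports the key into the IKE daemon, so add a sentence on the file's ownership and mode (not world-readable); and where the text suggests reusing the RBAC SSL certificate and key, note that the same key then authenticates both the chassis's OVSDB connection and its IKE identity, so a compromise of either exposes the other.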
[ovs-dev] [PATCH v7 5/6] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnels. Basically, OVN offers a binary
option to its user for encryption configuration. If the IPsec option is turned
on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted.

The changes are summarized as below:

1) Added an ipsec column on the NB_Global table and SB_Global table. The value
   of ipsec column is propagated by ovn-northd from NB_Global to SB_Global.
2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is
   true, ovn-controller sets options of the tunnel interface by specifying
   "options:remote_name=". If the ipsec value is false, ovn-controller removes
   these options.
3) ovs-monitor-ipsec daemon
   (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
   monitors the tunnel interface options and configures IKE daemon accordingly
   for IPsec encryption.

Signed-off-by: Qiuyu Xiao
---
ovn/controller/encaps.c | 14 ++ ovn/controller/encaps.h | 6 +- ovn/controller/ovn-controller.c | 3 ++- ovn/northd/ovn-northd.c | 8 ++-- ovn/ovn-architecture.7.xml | 39 +++ ovn/ovn-nb.ovsschema| 7 --- ovn/ovn-nb.xml | 6 ++ ovn/ovn-sb.ovsschema| 7 --- ovn/ovn-sb.xml | 6 ++ 9 files changed, 82 insertions(+), 14 deletions(-) diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..0495b25c2 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,8 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip); 
@@ -90,6 +90,11 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +162,8 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg) { if (!ovs_idl_txn || !br_int) { return; @@ -209,7 +215,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..3e0e110ef 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h @@ -23,13 +23,17 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *); + bool encaps_cleanup(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge *br_int); diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c index 85921a03a..759b9da42 100644 --- a/ovn/controller/ovn-controller.c +++ b/ovn/controller/ovn-controller.c 
@@ -702,7 +702,8 @@ main(int argc, char *argv[]) chassis_id, br_int); encaps_run(ovs_idl_txn, ovsrec_bridge_table_get(ovs_idl_loop.idl), br_int, - sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id); + sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id, + sbrec_sb_global_first(ovnsb_idl_loop.idl)); bfd_calculate_active_tunnels(br_int, _tunnels); binding_run(ovnsb_idl_txn, ovs_idl_txn, sbrec_chassis_by_name, sbrec_datapath_binding_by_key, diff --git a/ovn/northd/ovn-nor
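Review bot: tunnel_add() dereferences sbg unconditionally (`if (sbg->ipsec)`), but encaps_run() only guards `if (!ovs_idl_txn || !br_int)`, and the ovn-controller.c hunk passes `sbrec_sb_global_first(ovnsb_idl_loop.idl)`, which returns NULL whenever the SB_Global row is not visible, for example before ovn-northd has created it or while the southbound connection is re-synchronising. Add `!sbg` to the early return in encaps_run() rather than treating NULL as "ipsec off": defaulting to off would create plaintext tunnels during exactly the window in which the controller does not yet know the policy.

Review bot: the encaps.h hunk adds the forward declaration `struct ovsrec_open_vswitch_table;` but no prototype in this patch takes that type (only `struct sbrec_sb_global` is used); drop it or add the prototype it was meant for.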
[ovs-dev] [PATCH v7 4/6] Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-step guide to set up OVS IPsec tunnel.
tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
configuration methods and forwarding modes.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
Documentation/automake.mk | 2 + Documentation/howto/index.rst | 1 + Documentation/howto/ipsec.rst | 194 + Documentation/index.rst | 3 +- Documentation/tutorials/index.rst | 1 + Documentation/tutorials/ipsec.rst | 347 ++ vswitchd/vswitch.xml | 156 - 7 files changed, 694 insertions(+), 10 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 Documentation/tutorials/ipsec.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 244479490..5401b9bad 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -28,6 +28,7 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-openstack.rst \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ + Documentation/tutorials/ipsec.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ @@ -60,6 +61,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..17153ac2b --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,194 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document gives detailed description on the OVS IPsec tunnel and its +configuration modes. If you want to follow a step-by-step guide to run and +test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`. + +Overview + + +Why do encryption? +~~ + +OVS tunnel packets are transported from one machine to another. Along the path, +the packets are processed by physical routers and physical switches. There are +risks that these physical devices might read or write the contents of the +tunnel packets. IPsec encrypts IP payload and prevents the malicious party +sniffing or manipulating the tunnel traffic. + +OVS IPsec +~ + +OVS IPsec aims to provide a simple interface for user to add encryption on OVS +tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec +configuration is done by setting options of the tunnel interface and +other_config of Open_vSwitch. You can choose different authentication methods +and plaintext tunnel policies based on your requirements. + +OVS does not currently provide any support for IPsec encryption for traffic not +encapsulated in a tunnel. 
+ +Configuration +- + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. There are three authentication methods: + +1) You can use a pre-shared key (PSK) to do authentication. In both hosts, set + the same PSK value. This PSK is like your password. You should never reveal + it to untrusted parties. This method is easier to use but less secure than + the certificate-based methods:: + + $ ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:remote_ip=2.2.2.2 \ +
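Review bot: the commit message has the two documents swapped: it credits tutorials/index.rst with the step-by-step guide and tutorials/ipsec.rst with the detailed explanation, while the diffstat and the first paragraph of howto/ipsec.rst ("If you want to follow a step-by-step guide ... refer to :doc:`/tutorials/ipsec`") show that tutorials/ipsec.rst is the step-by-step guide and howto/ipsec.rst the detailed description. Please fix the message before this is merged, since it is what `git log` will show.

Review bot: in the howto/ipsec.rst hunk, "Why do encryption?" credits encryption with preventing manipulation of tunnel traffic; what stops modification is ESP's integrity protection, so say that the tunnels are authenticated and integrity-protected as well as encrypted. In "Authentication Methods", the PSK item warns the reader not to reveal the key but not that the key is configured through the tunnel interface's options column in OVSDB (this series configures IPsec via Interface:options), so any OVSDB client with read access to the Interface table, local or remote, can read it; state that and point at the database's SSL/RBAC controls.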
[ovs-dev] [PATCH v7 3/6] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
debian/automake.mk | 3 + debian/control | 21 +++ debian/openvswitch-ipsec.dirs | 1 + debian/openvswitch-ipsec.init | 181 + debian/openvswitch-ipsec.install | 1 + rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in| 19 ++- ...sr_lib_systemd_system_openvswitch-ipsec.service | 13 ++ utilities/ovs-ctl.in | 27 +++ 9 files changed, 266 insertions(+), 1 deletion(-) create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control 
@@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..aa6838454 --- /dev/null +++ b/debian/openvswitch-ipsec.init 
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you
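Review bot: the LSB header in debian/openvswitch-ipsec.init is stale: Short-Description says "Open vSwitch GRE-over-IPsec daemon" and Description says ovs-monitor-ipsec "provides support for encrypting GRE tunnels with IPsec", while this series supports GRE, VXLAN, GENEVE and STT (the debian/control hunk already says "IPsec tunneling support for OVS tunnels"). Reword both to match, e.g. "Open vSwitch IPsec tunnel daemon".

Review bot: `test -x $DAEMON || exit 0` makes the init script exit successfully without starting anything if /usr/share/openvswitch/scripts/ovs-monitor-ipsec lacks the executable bit, and patch 2/6 creates that script with `create mode 100644`. Confirm that the .install rule or the RPM spec installs it executable; otherwise `service openvswitch-ipsec start` reports success, no IKE daemon is configured, and every tunnel silently stays in plaintext, which is the worst failure mode for a security service. Failing loudly (exit 1 with a log message) would be safer than `exit 0` here.

Review bot: debian/openvswitch-ipsec.dirs is added without a trailing newline ("No newline at end of file"); add one.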
[ovs-dev] [PATCH v7 2/6] ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed
by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.")

After this patch, there are no IPsec flavored tunnels anymore. IPsec is
enabled by setting up the right values in:
1. OVSDB:Interface:options column;
2. OVSDB:Open_vSwitch:other_config column;
3. OpenFlow pipeline.

GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and
StrongSwan IKE daemons are supported. User can choose pre-shared key,
self-signed peer certificate, or CA-signed certificate as authentication
methods.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
Makefile.am |1 + ipsec/automake.mk | 10 + ipsec/ovs-monitor-ipsec | 1223 +++ 3 files changed, 1234 insertions(+) create mode 100644 ipsec/automake.mk create mode 100644 ipsec/ovs-monitor-ipsec diff --git a/Makefile.am b/Makefile.am index ff472ad81..64725654c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -482,6 +482,7 @@ include tests/automake.mk include include/automake.mk include third-party/automake.mk include debian/automake.mk +include ipsec/automake.mk include vswitchd/automake.mk include ovsdb/automake.mk include rhel/automake.mk diff --git a/ipsec/automake.mk b/ipsec/automake.mk new file mode 100644 index 0..1e530cb42 --- /dev/null +++ b/ipsec/automake.mk @@ -0,0 +1,10 @@ +# Copyright (C) 2017 Nicira, Inc. +# +# Copying and distribution of this file, with or without modification, +# are permitted in any medium without royalty provided the copyright +# notice and this notice are preserved. This file is offered as-is, +# without warranty of any kind. + +EXTRA_DIST += \ +ipsec/ovs-monitor-ipsec +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec new file mode 100644 index 0..b2be44f9c --- /dev/null +++ b/ipsec/ovs-monitor-ipsec 
@@ -0,0 +1,1223 @@ +#!/usr/bin/env python +# Copyright (c) 2017 Nicira, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import re +import subprocess +import sys +import copy +import os +from string import Template + +import ovs.daemon +import ovs.db.idl +import ovs.dirs +import ovs.unixctl +import ovs.unixctl.server +import ovs.util +import ovs.vlog + + +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n" +transp_tmpl = {"gre": Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "gre64": Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "geneve": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/6081 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/6081 + +"""), "stt": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=tcp/7471 +rightprotoport=tcp + +conn $ifname-out-$version +$auth_section +leftprotoport=tcp +rightprotoport=tcp/7471 + +"""), "vxlan": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/4789 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/4789 + +""")} +vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") +exiting = False +monitor = None +xfrm = None + +class XFRM(object): +"""This class is a simple wrapper around ip-xfrm (8) command line 
+utility. We are using this class only for informational purposes +so that ovs-monitor-ipsec could verify that IKE keying daemon has +installed IPsec policies and security associations into kernel as +expected.""" + +def __init__(self, ip_root_prefix): +self.IP = ip_root_prefix + "/sbin/ip" + +def get_policies(self): +"""This function returns IPsec policies (from kernel) in a dictionary +where is destination IPv4 address and is SELECTOR of +the IPsec policy.""" +policies = {} +proc = subprocess.Popen([self.IP, 'xfrm', 'policy'],
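Review bot: the ipsec/automake.mk hunk only adds ovs-monitor-ipsec to EXTRA_DIST and FLAKE8_PYFILES, and this version creates the script with mode 100644 (the v5 posting earlier in this thread had 100755), so nothing in this patch installs it or marks it executable, while the Debian init script in 3/6 exits 0 when $DAEMON is not executable. Either restore 100755 and add the script to the install variable the tree's other scripts use, or state in the commit message that packaging is responsible for both.

Review bot: in transp_tmpl the "gre" and "gre64" entries are identical; alias one to the other (`transp_tmpl["gre64"] = transp_tmpl["gre"]`) so they cannot drift. Also add a comment above the geneve, stt and vxlan entries explaining why each needs an `-in` and an `-out` conn while GRE has one: the local source port is derived per flow (udp_flow_src_port in patch 1/6), so only the side carrying the well-known port (6081, 7471, 4789) can be pinned in leftprotoport/rightprotoport, and a reader will otherwise wonder why the two directions are split.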
[ovs-dev] [PATCH v7 1/6] datapath: add transport ports in route lookup for geneve
This patch adds transport port information for route lookup so that IPsec
can select geneve tunnel traffic to do encryption.

Signed-off-by: Qiuyu Xiao
Reviewed-by: Greg Rose
Tested-by: Greg Rose
---
datapath/linux/compat/geneve.c | 29 +++-- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 4ccf7e34f..77632ae11 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -852,7 +852,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -866,6 +867,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -911,7 +914,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -927,6 +931,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
@@ -1021,13 +1027,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1113,13 +1119,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1248,13 +1254,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1262,7 +1272,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); 
@@ -1273,8 +1283,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; } - info->key.tp_src = udp_flow_src_port(geneve->net, skb, -
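Review bot: the last hunk of ovs_geneve_fill_metadata_dst() is cut off in this copy right after `- info->key.tp_src = udp_flow_src_port(geneve->net, skb,`; the removed assignment has to be replaced by `info->key.tp_src = sport;` so the source port recorded in the metadata is the one the route lookup was done with, now that XFRM policy selection depends on it. A one-line comment is also worth adding: both this function and geneve_xmit_skb()/geneve6_xmit_skb() call udp_flow_src_port() with the same (1, USHRT_MAX, true) range, and the port is derived from the flow hash, which is why the port looked up here and the port actually transmitted agree; if anyone changes one call site's range, the policy lookup and the packet on the wire would diverge.

Review bot: this change is confined to the compat driver under datapath/linux/compat, and as the v6 discussion in this thread notes, the upstream in-tree geneve module still does the route lookup without transport ports, so on a host using the upstream module the port-qualified XFRM policies will not match GENEVE traffic and it will bypass IPsec. The documentation in 4/6 should say which datapath module GENEVE IPsec requires, and ovs-monitor-ipsec, which already reads policies back through its XFRM helper, could log a warning when the expected GENEVE policy never becomes active.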
[ovs-dev] [PATCH v7 0/6] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables OVN
to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE
   daemon support.
2. Add ovs-monitor-ipsec to flake8 check.
3. Use openssl to extract CN from certificate so that users don't need to
   specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
---------------------
1. Add scripts and rules to create ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec
   tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed
   description on OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificate when self-signing.
4. IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller
   to add 'local_ip' when IPsec is enabled.
5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Changes from v3 to v4
---------------------
1. Split the datapath patch into three patches (geneve, vxlan, stt).
2. Add tutorial for OVN RBAC and OVN IPsec.

Changes from v4 to v5
---------------------
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve IPsec and OVN-IPsec tutorials as suggested.
3. Change the description of setting skb_mark in documentation to reflect the
   real situation.

Changes from v5 to v6
---------------------
1. Use wildcard IP address to match localhost IP in LibreSwan. Remove the
   'local_ip' requirement when setting IPsec tunnel interface.
2. ovs-monitor-ipsec daemon accepts a command line option to choose IKE daemon,
   either LibreSwan or StrongSwan. The init script chooses which IKE daemon to
   use. Currently, Debian init script chooses StrongSwan. Fedora init script
   chooses LibreSwan.
3. Check for an illegal name before removing a file in
   '_import_local_certs_and_key()'.
4. GRE IPsec tunnel was not activated properly when using LibreSwan.
   This version fixes it.
5. The plaintext policy syntax was wrong when using LibreSwan. This version
   corrects it.
6. Add comments and explanations about the 'remote_name' check in
   '_is_valid_tunnel_conf()'.
7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start IKE daemon.

Changes from v6 to v7
---------------------
1. Use os.path.abspath to generate the path of the p12 file to make sure the
   path is under '/tmp/'.
2. When ovs-monitor-ipsec daemon restarts, check whether NSS database has old
   certificates and private keys set by previous run. If so, delete those old
   states.

*** BLURB HERE ***

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup for geneve
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk                          |    4 +
 Documentation/howto/index.rst                      |    1 +
 Documentation/howto/ipsec.rst                      |  194
 Documentation/index.rst                            |    5 +-
 Documentation/tutorials/index.rst                  |    3 +
 Documentation/tutorials/ipsec.rst                  |  347 ++
 Documentation/tutorials/ovn-ipsec.rst              |  146 +++
 Documentation/tutorials/ovn-rbac.rst               |  134 +++
 Makefile.am                                        |    1 +
 datapath/linux/compat/geneve.c                     |   29 +-
 debian/automake.mk                                 |    3 +
 debian/control                                     |   21 +
 debian/openvswitch-ipsec.dirs                      |    1 +
 debian/openvswitch-ipsec.init                      |  181 +++
 debian/openvswitch-ipsec.install                   |    1 +
 ipsec/automake.mk                                  |   10 +
 ipsec/ovs-monitor-ipsec                            | 1223
 ovn/controller/encaps.c                            |   14 +-
 ovn/controller/encaps.h                            |    6 +-
 ovn/controller/ovn-controller.c                    |    3 +-
 ovn/northd/ovn-northd.c                            |    8 +-
 ovn/ovn-architecture.7.xml                         |   39 +
 ovn/ovn-nb.ovsschema                               |    7 +-
 ovn/ovn-nb.xml                                     |    6 +
 ovn/ovn-sb.ovsschema                               |    7 +-
 ovn/ovn-sb.xml                                     |    6 +
 rhel/automake.mk                                   |    1 +
 rhel/openvswitch-fedora.spec.in                    |   19 +-
 ...sr_lib_systemd_system_openvswitch-ipsec.service |   13 +
 utilities/ovs-ctl.in                               |   27 +
 vswitchd/vswitch.xml                               |  156 ++-
 31 files changed, 2581 insertions(+), 35
Re: [ovs-dev] [PATCH v6 0/6] IPsec support for tunneling
Two main issues remain to be resolved.

1) The GENEVE and VXLAN IPsec tunnel configurations don't work in LibreSwan. I reported this bug to the LibreSwan mailing list, and it was confirmed by the maintainer (https://lists.libreswan.org/pipermail/swan/2018/002700.html).

2) In order to match XFRM policies in the kernel, L4 port information needs to be added before the route lookup. The upstream VXLAN kernel module has had this patch since 4.10. The upstream GENEVE module is not patched, so the GENEVE IPsec tunnel doesn't work in OVS.

Some other minor issues:

3) When a StrongSwan daemon interoperates with a LibreSwan daemon, the IKE connection can only be initiated from LibreSwan to StrongSwan, not the other way around.

4) In LibreSwan, the plaintext policy cannot be installed without restarting the LibreSwan daemon. But restarting the daemon loses existing IKE connections.

A quick solution to 1), 3), and 4) is using StrongSwan in Fedora. The interface is a little bit different from StrongSwan in Debian, but hopefully these problems will go away.

Any feedback is welcome!

-Qiuyu

On Wed, Aug 29, 2018 at 10:14 AM Qiuyu Xiao wrote:
>
> This patch series reintroduces IPsec support for OVS tunneling and enables OVN to
> use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
> StrongSwan and LibreSwan IKE daemons are supported.
>
> Changes from v1 to v2
> 1. Merge the ovs-monitor-ipsec code into a single patch. Add LibreSwan IKE
> daemon support.
> 2. Add ovs-monitor-ipsec to the flake8 check.
> 3. Use openssl to extract the CN from the certificate so that users don't need to
> specify the CN information in the configuration interface.
> 4. Improve documentation as suggested.
>
> Changes from v2 to v3
> 1. Add scripts and rules to create the ovs-ipsec RPM package.
> 2. Add Documentation/tutorials/ipsec.rst, which gives a step-by-step OVS IPsec
> tutorial. Modify Documentation/howto/ipsec.rst, which gives a detailed
> description of the OVS IPsec configuration modes.
> 3. Modify ovs-pki to generate x.509 version 3 certificates when self-signing.
> 4. The IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller
> to add 'local_ip' when IPsec is enabled.
> 5. Add a section to ovn/ovn-architecture.7.xml to introduce OVN IPsec.
>
> Changes from v3 to v4
> 1. Split the datapath patch into three patches (geneve, vxlan, stt).
> 2. Add tutorials for OVN RBAC and OVN IPsec.
>
> Changes from v4 to v5
> 1. Fix coding style issues in ovs-monitor-ipsec.
> 2. Improve the IPsec and OVN-IPsec tutorials as suggested.
> 3. Change the description of setting skb_mark in the documentation to reflect the
> real situation.
>
> Changes from v5 to v6
> 1. Use a wildcard IP address to match the local host IP in LibreSwan. Remove
> the 'local_ip' requirement when setting up an IPsec tunnel interface.
> 2. The ovs-monitor-ipsec daemon accepts a command line option to choose the IKE
> daemon, either LibreSwan or StrongSwan. The init script chooses which
> IKE daemon to use. Currently, the Debian init script chooses StrongSwan and the
> Fedora init script chooses LibreSwan.
> 3. Check for an illegal name before removing a file in
> '_import_local_certs_and_key()'.
> 4. The GRE IPsec tunnel was not activated properly when using LibreSwan. This
> version fixes it.
> 5. The plaintext policy syntax was wrong when using LibreSwan. This version
> corrects it.
> 6. Add comments and explanations about the 'remote_name'
> check in '_is_valid_tunnel_conf()'.
> 7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start the IKE
> daemon.
>
> *** BLURB HERE ***
>
> Qiuyu Xiao (6):
>   datapath: add transport ports in route lookup for geneve
>   ipsec: reintroduce IPsec support for tunneling
>   debian and rhel: Create IPsec package.
>   Documentation: IPsec tunnel tutorial and documentation.
>   OVN: native support for tunnel encryption
>   Documentation: OVN RBAC and IPsec tutorial
>
> Documentation/automake.mk | 4 +
> Documentation/howto/index.rst | 1 +
> Documentation/howto/ipsec.rst | 194
> Documentation/index.rst | 5 +-
> Documentation/tutorials/index.rst | 3 +
> Documentation/tutorials/ipsec.rst | 347 ++
> Documentation/tutorials/ovn-ipsec.rst | 146 +++
> Documentation/tutorials/ovn-rbac.rst | 134 +++
> Makefile.am | 1 +
> datapath/linux/compat/geneve.c | 29 +-
> debian/automake.mk | 3 +
> debian/control
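Point 2) above is the practical failure mode of transport-mode IPsec on tunnels: an XFRM policy only selects a packet when every selector field, L4 ports included, matches what the datapath actually emits, and a mismatch does not fail loudly, it sends cleartext. The following is an added example, not code from this patch series or from Open vSwitch: it parses the text form of `ip xfrm policy` and reports the directions in which a tunnel to a given peer would pass unencrypted. The tunnel ports mirror the per-tunnel templates in ovs-monitor-ipsec (udp/6081, udp/4789, tcp/7471, GRE without ports); the policy dump is constructed to look like iproute2's output, and the two conns per UDP tunnel ("-in" pinning the local port, "-out" pinning the remote port) follow the template layout in patch 2/6. The `Policy` class and all function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Transport-mode selectors matching the per-tunnel templates: GENEVE/VXLAN are
# UDP to a fixed destination port, STT is TCP, GRE carries no ports.
TUNNEL_SELECTORS = {"geneve": ("udp", 6081), "vxlan": ("udp", 4789),
                    "stt": ("tcp", 7471), "gre": ("gre", None)}
_PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre"}  # ip may print numbers
_HEAD_RE = re.compile(
    r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?")
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Policy:
    src: Network
    dst: Network
    proto: Optional[str]             # None: any protocol
    sport: Optional[int]             # None: any source port
    dport: Optional[int]             # None: any destination port
    direction: Optional[str] = None  # "in", "out", "fwd"; None for socket policies
    esp: bool = False                # set once a tmpl line requests ESP


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Turn `ip xfrm policy` output into Policy records, one per selector."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEAD_RE.match(line)
        if m:
            src, dst, proto, sport, dport = m.groups()
            policies.append(Policy(
                src=ipaddress.ip_network(src, strict=False),
                dst=ipaddress.ip_network(dst, strict=False),
                proto=_PROTO_NAMES.get(proto, proto) if proto else None,
                sport=int(sport) if sport else None,
                dport=int(dport) if dport else None))
        elif policies and line.startswith("dir "):
            policies[-1].direction = line.split()[1]
        elif policies and line.startswith("proto esp"):
            policies[-1].esp = True
    return policies


def _covers(p: Policy, src, dst, proto, sport, dport) -> bool:
    """True if policy p selects a packet with these fields. A packet port of None
    stands for an ephemeral port, which only a wildcard policy port can cover."""
    return (src in p.src and dst in p.dst and p.esp
            and (p.proto is None or p.proto == proto)
            and (p.sport is None or p.sport == sport)
            and (p.dport is None or p.dport == dport))


def unprotected_directions(policies: List[Policy], local_ip: str,
                           remote_ip: str, tunnel_type: str) -> List[str]:
    """Directions ("out", "in") in which tunnel traffic between local_ip and
    remote_ip would be sent or accepted in cleartext. Empty list: protected."""
    proto, port = TUNNEL_SELECTORS[tunnel_type]
    local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    missing = []
    # Outbound: OVS picks an ephemeral source port; destination is the tunnel port.
    if not any(p.direction == "out" and _covers(p, local, remote, proto, None, port)
               for p in policies):
        missing.append("out")
    # Inbound: the peer's ephemeral source port; our tunnel port as destination.
    if not any(p.direction == "in" and _covers(p, remote, local, proto, None, port)
               for p in policies):
        missing.append("in")
    return missing


# Constructed sample in the layout `ip xfrm policy` prints: a GENEVE tunnel
# 10.0.0.1 <-> 10.0.0.2 with the "-out" conn (first two policies) and the
# "-in" conn (next two) installed, plus a socket policy that must be ignored.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp dport 6081
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto udp sport 6081
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp sport 6081
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16390 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto udp dport 6081
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16390 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""
# Same host with only the "-in" conn up: outbound GENEVE packets carry a random
# source port, so the remaining "dir out" policy (sport 6081) never selects them.
SAMPLE_MISSING_OUT_CONN = "\n".join(SAMPLE_XFRM_POLICY.splitlines()[8:]) + "\n"
```

Against a live host run it as root on the real table, for example `unprotected_directions(parse_xfrm_policy(subprocess.check_output(["ip", "xfrm", "policy"], text=True)), "10.0.0.1", "10.0.0.2", "geneve")`; a non-empty result for a tunnel that ovs-vsctl reports as configured is exactly the situation described in 2), where the IKE daemon has done its job but the selectors and the packets do not meet.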
[ovs-dev] [PATCH v6 4/6] Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-step guide to set up an OVS IPsec tunnel. tutorials/ipsec.rst gives a detailed explanation of the IPsec tunnel configuration methods and forwarding modes.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
Documentation/automake.mk | 2 +
Documentation/howto/index.rst | 1 +
Documentation/howto/ipsec.rst | 194 +
Documentation/index.rst | 3 +-
Documentation/tutorials/index.rst | 1 +
Documentation/tutorials/ipsec.rst | 347 ++
vswitchd/vswitch.xml | 156 -
7 files changed, 694 insertions(+), 10 deletions(-)
create mode 100644 Documentation/howto/ipsec.rst
create mode 100644 Documentation/tutorials/ipsec.rst

diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 244479490..5401b9bad 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -28,6 +28,7 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-openstack.rst \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ + Documentation/tutorials/ipsec.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ @@ -60,6 +61,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..17153ac2b --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,194 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document gives detailed description on the OVS IPsec tunnel and its +configuration modes. If you want to follow a step-by-step guide to run and +test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`. + +Overview + + +Why do encryption? +~~ + +OVS tunnel packets are transported from one machine to another. Along the path, +the packets are processed by physical routers and physical switches. There are +risks that these physical devices might read or write the contents of the +tunnel packets. IPsec encrypts IP payload and prevents the malicious party +sniffing or manipulating the tunnel traffic. + +OVS IPsec +~ + +OVS IPsec aims to provide a simple interface for user to add encryption on OVS +tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec +configuration is done by setting options of the tunnel interface and +other_config of Open_vSwitch. You can choose different authentication methods +and plaintext tunnel policies based on your requirements. + +OVS does not currently provide any support for IPsec encryption for traffic not +encapsulated in a tunnel. 
+ +Configuration +- + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. There are three authentication methods: + +1) You can use a pre-shared key (PSK) to do authentication. In both hosts, set + the same PSK value. This PSK is like your password. You should never reveal + it to untrusted parties. This method is easier to use but less secure than + the certificate-based methods:: + + $ ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:remote_ip=2.2.2.2 \ +
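Review bot: in howto/ipsec.rst, the "Why do encryption?" paragraph says IPsec "encrypts IP payload and prevents the malicious party sniffing or manipulating the tunnel traffic", but protection against manipulation comes from ESP's integrity check, not from encryption; please say that IPsec authenticates and encrypts the tunnel packets, so that nobody reads this as a licence to pick an encryption-only transform. In the same hunk, "This PSK is like your password" understates what the PSK method needs: the PSK is the only secret the IKE authentication rests on, so recommend a long, randomly generated value rather than a memorable password, and say that one compromised host exposes every peer that shares the same PSK (the text already steers readers to certificates, so one sentence is enough). Finally, the commit message names tutorials/index.rst as the step-by-step guide and tutorials/ipsec.rst as the detailed explanation, while the files added here are tutorials/ipsec.rst (the guide) and howto/ipsec.rst (the description, which itself points to :doc:`/tutorials/ipsec` for the guide); please correct the message.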
[ovs-dev] [PATCH v6 6/6] Documentation: OVN RBAC and IPsec tutorial
This patch adds a step-by-step guide for configuring OVN Role-Based Access Control and IPsec.

Signed-off-by: Qiuyu Xiao
---
Documentation/automake.mk | 2 +
Documentation/index.rst | 4 +-
Documentation/tutorials/index.rst | 2 +
Documentation/tutorials/ovn-ipsec.rst | 146 ++
Documentation/tutorials/ovn-rbac.rst | 134 +++
5 files changed, 287 insertions(+), 1 deletion(-)
create mode 100644 Documentation/tutorials/ovn-ipsec.rst
create mode 100644 Documentation/tutorials/ovn-rbac.rst

diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 5401b9bad..082438e09 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -29,6 +29,8 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ Documentation/tutorials/ipsec.rst \ + Documentation/tutorials/ovn-ipsec.rst \ + Documentation/tutorials/ovn-rbac.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ diff --git a/Documentation/index.rst b/Documentation/index.rst index bab5ba1f1..46261235c 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -66,7 +66,9 @@ vSwitch? Start here. :doc:`tutorials/ovn-sandbox` | :doc:`tutorials/ovn-openstack` | :doc:`tutorials/ovs-conntrack` | - :doc:`tutorials/ipsec` + :doc:`tutorials/ipsec` | + :doc:`tutorials/ovn-ipsec` | + :doc:`tutorials/ovn-rbac` Deeper Dive --- diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index b481090a0..35340ee56 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -44,4 +44,6 @@ vSwitch. ovs-advanced ovn-sandbox ovn-openstack + ovn-rbac + ovn-ipsec ovs-conntrack diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst new file mode 100644 index 0..feb695ea3 --- /dev/null +++ b/Documentation/tutorials/ovn-ipsec.rst 
@@ -0,0 +1,146 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +OVN IPsec Tutorial +== + +This document provides a step-by-step guide for encrypting tunnel traffic with +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by +physical routers and switches. These physical devices could be untrusted +(devices in public network) or might be compromised. Enabling IPsec encryption +for the tunnel traffic can prevent the traffic data from being monitored and +manipulated. More details about the OVN IPsec design can be found in +``ovn-architecture``\(7) manpage. + +This document assumes OVN is installed in your system and runs normally. Also, +you need to install OVS IPsec packages in each chassis (refer to +:ref:`install-ovs-ipsec`). + +Generating Certificates and Keys + + +OVN chassis uses CA-signed certificate to authenticate peer chassis for +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you +can generate separate certificates and keys with ``ovs-pki`` (refer to +:ref:`gen-certs-keys`). + +.. 
note:: + + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS + field setting the same string as the common name (CN) field. CN should be + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later + generates such certificates. Please generate compatible certificates if you + use another PKI tool, or an older version of ``ovs-pki``, to manage + certificates. + +Configuring OVN IPsec +- + +You need to install the CA certificate, chassis certificate and private key in +each chassis. Use the following command:: + +$ ovs-vsctl set Open_vSwitch . \ +other_config:certificate=/path/to/chassis-cert.pem \ +other_config:private_key=/path/to/chassis-privkey.pem \ +other_
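Review bot: the two indexes list the new tutorials in different orders: Documentation/index.rst gets `tutorials/ipsec` | `tutorials/ovn-ipsec` | `tutorials/ovn-rbac`, while the toctree in Documentation/tutorials/index.rst gets `ovn-rbac` before `ovn-ipsec`. Since ovn-ipsec.rst tells readers they may reuse the RBAC certificates, RBAC first and then IPsec is the natural reading order; please use the same order in both hunks.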
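Review bot: in ovn-ipsec.rst, "If you have enabled Role-Based Access Control (RBAC) in OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec" should spell out what that reuse implies: the same chassis private key then authenticates both the chassis's OVSDB TLS sessions and its IKE exchanges, so one key compromise affects both, and the key has to be handed to the IKE daemon as well (ovs-monitor-ipsec imports it, cf. '_import_local_certs_and_key()' and the NSS-database cleanup in the cover letter). Either add that sentence or recommend a separate key pair generated with ovs-pki. The note that follows requires the subjectAltName DNS entry to equal the CN and the chassis name but never says why; since ovn-controller sets `options:remote_name` to the peer chassis name (patch 5/6), say that this is the identity the peer's certificate is checked against, otherwise readers will not know what breaks when the names differ.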
[ovs-dev] [PATCH v6 2/6] ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.") After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in: 1. OVSDB:Interface:options column; 2. OVSDB:Open_vSwitch:other_config column; 3. OpenFlow pipeline. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and StrongSwan IKE daemons are supported. User can choose pre-shared key, self-signed peer certificate, or CA-signed certificate as authentication methods. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- Makefile.am |1 + ipsec/automake.mk | 10 + ipsec/ovs-monitor-ipsec | 1211 +++ 3 files changed, 1222 insertions(+) create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec diff --git a/Makefile.am b/Makefile.am index ff472ad81..64725654c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -482,6 +482,7 @@ include tests/automake.mk include include/automake.mk include third-party/automake.mk include debian/automake.mk +include ipsec/automake.mk include vswitchd/automake.mk include ovsdb/automake.mk include rhel/automake.mk diff --git a/ipsec/automake.mk b/ipsec/automake.mk new file mode 100644 index 0..1e530cb42 --- /dev/null +++ b/ipsec/automake.mk @@ -0,0 +1,10 @@ +# Copyright (C) 2017 Nicira, Inc. +# +# Copying and distribution of this file, with or without modification, +# are permitted in any medium without royalty provided the copyright +# notice and this notice are preserved. This file is offered as-is, +# without warranty of any kind. + +EXTRA_DIST += \ +ipsec/ovs-monitor-ipsec +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec new file mode 100755 index 0..dfe412dbb --- /dev/null +++ b/ipsec/ovs-monitor-ipsec 
@@ -0,0 +1,1211 @@ +#!/usr/bin/env python +# Copyright (c) 2017 Nicira, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import re +import subprocess +import sys +import copy +import os +from string import Template + +import ovs.daemon +import ovs.db.idl +import ovs.dirs +import ovs.unixctl +import ovs.unixctl.server +import ovs.util +import ovs.vlog + + +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n" +transp_tmpl = {"gre": Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "gre64": Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "geneve": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/6081 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/6081 + +"""), "stt": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=tcp/7471 +rightprotoport=tcp + +conn $ifname-out-$version +$auth_section +leftprotoport=tcp +rightprotoport=tcp/7471 + +"""), "vxlan": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/4789 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/4789 + +""")} +vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") +exiting = False +monitor = None +xfrm = None + +class XFRM(object): +"""This class is a simple wrapper around ip-xfrm (8) command line 
+utility. We are using this class only for informational purposes +so that ovs-monitor-ipsec could verify that IKE keying daemon has +installed IPsec policies and security associations into kernel as +expected.""" + +def __init__(self, ip_root_prefix): +self.IP = ip_root_prefix + "/sbin/ip" + +def get_policies(self): +"""This function returns IPsec policies (from kernel) in a dictionary +where is destination IPv4 address and is SELECTOR of +the IPsec policy.""" +policies = {} +proc = subprocess.Popen([self.IP, 'xfrm', 'policy'],
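Review bot: the XFRM.get_policies() docstring reads "in a dictionary where is destination IPv4 address and is SELECTOR of the IPsec policy", i.e. the key and value names have dropped out of the sentence; spell them out (for example "keyed by destination IPv4 address, with the policy selector as the value") so a reader of the code knows the shape of what is returned. In the transp_tmpl table above it, the "gre" and "gre64" entries are byte-for-byte identical; define the Template once and reference it from both keys, so a later fix to the GRE selector cannot be applied to one and not the other.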
[ovs-dev] [PATCH v6 5/6] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnels. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted. The changes are summarized below:

1) Added an ipsec column to the NB_Global table and SB_Global table. The value of the ipsec column is propagated by ovn-northd from NB_Global to SB_Global.
2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:remote_name=". If the ipsec value is false, ovn-controller removes these options.
3) The ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures the IKE daemon accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao
---
ovn/controller/encaps.c | 14 ++
ovn/controller/encaps.h | 6 +-
ovn/controller/ovn-controller.c | 3 ++-
ovn/northd/ovn-northd.c | 8 ++--
ovn/ovn-architecture.7.xml | 39 +++
ovn/ovn-nb.ovsschema | 7 ---
ovn/ovn-nb.xml | 6 ++
ovn/ovn-sb.ovsschema | 7 ---
ovn/ovn-sb.xml | 6 ++
9 files changed, 82 insertions(+), 14 deletions(-)

diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..0495b25c2 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,8 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip); 
@@ -90,6 +90,11 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +162,8 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg) { if (!ovs_idl_txn || !br_int) { return; @@ -209,7 +215,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..3e0e110ef 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h @@ -23,13 +23,17 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *); + bool encaps_cleanup(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge *br_int); diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c index 85921a03a..759b9da42 100644 --- a/ovn/controller/ovn-controller.c +++ b/ovn/controller/ovn-controller.c 
@@ -702,7 +702,8 @@ main(int argc, char *argv[]) chassis_id, br_int); encaps_run(ovs_idl_txn, ovsrec_bridge_table_get(ovs_idl_loop.idl), br_int, - sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id); + sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id, + sbrec_sb_global_first(ovnsb_idl_loop.idl)); bfd_calculate_active_tunnels(br_int, _tunnels); binding_run(ovnsb_idl_txn, ovs_idl_txn, sbrec_chassis_by_name, sbrec_datapath_binding_by_key, diff --git a/ovn/northd/ovn-nor
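Review bot: tunnel_add() dereferences sbg unconditionally (`if (sbg->ipsec)`), but ovn-controller.c now passes `sbrec_sb_global_first(ovnsb_idl_loop.idl)`, which returns NULL while the SB_Global row does not exist yet (fresh southbound database, or ovn-northd not yet run); encaps_run() is reached in that state, so this is a NULL dereference on first start. Guard it with `if (sbg && sbg->ipsec)` in tunnel_add(), or have encaps_run() treat a NULL sbg as "ipsec off". Note that the guard also decides the fail-closed/fail-open behaviour: with no SB_Global row the tunnel is created without remote_name, i.e. unencrypted, which is worth a comment if that is the intent. Minor: encaps.h adds a forward declaration of `struct ovsrec_open_vswitch_table` that none of the declarations in the header use.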
[ovs-dev] [PATCH v6 3/6] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- debian/automake.mk | 3 + debian/control | 21 +++ debian/openvswitch-ipsec.dirs | 1 + debian/openvswitch-ipsec.init | 181 + debian/openvswitch-ipsec.install | 1 + rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in| 19 ++- ...sr_lib_systemd_system_openvswitch-ipsec.service | 13 ++ utilities/ovs-ctl.in | 27 +++ 9 files changed, 266 insertions(+), 1 deletion(-) create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control 
@@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..aa6838454 --- /dev/null +++ b/debian/openvswitch-ipsec.init 
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you
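Review bot: debian/control hard-wires `Depends: ... strongswan`, although ovs-monitor-ipsec supports LibreSwan as well and takes a command-line option to select the IKE daemon (cover letter, v6 item 2). If the Debian package is meant to be StrongSwan-only, say so in the package Description; otherwise `strongswan | libreswan`, with the init script choosing whichever is installed, would match what the daemon can do.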
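Review bot: the LSB header of debian/openvswitch-ipsec.init is stale: `Short-Description: Open vSwitch GRE-over-IPsec daemon` and `Description: The ovs-monitor-ipsec script provides support for encrypting GRE tunnels with IPsec` describe the pre-2b02d770 daemon, while this series supports GRE, VXLAN, GENEVE and STT (patch 2/6). The file also carries a 2007/2009 GPL-2+ copyright header from the Debian init-script skeleton in a series that is otherwise Apache-2.0; please confirm that is intended and reflected in debian/copyright. Minor: debian/openvswitch-ipsec.dirs is added without a trailing newline.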
[ovs-dev] [PATCH v6 1/6] datapath: add transport ports in route lookup for geneve
This patch adds transport ports information for route lookup so that IPsec can select geneve tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/geneve.c | 29 +++-- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 4ccf7e34f..77632ae11 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -852,7 +852,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -866,6 +867,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -911,7 +914,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -927,6 +931,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
@@ -1021,13 +1027,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1113,13 +1119,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1248,13 +1254,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1262,7 +1272,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); 
@@ -1273,8 +1283,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; } - info->key.tp_src = udp_flow_src_port(geneve->net, skb, -
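Review bot: The last hunk of ovs_geneve_fill_metadata_dst() removes `info->key.tp_src = udp_flow_src_port(geneve->net, skb, ...` but the replacement line is cut off here; it should become `info->key.tp_src = sport;` using the `sport` computed at the top of the function, so that the port used in the route/xfrm lookup and the port written into the tunnel metadata are one and the same value rather than a second udp_flow_src_port() call. Please confirm the hunk ends that way.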
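Review bot: In geneve_get_v4_rt() and geneve_get_v6_dst() the new `fl4->fl4_dport`/`fl4->fl4_sport` (and the fl6 equivalents) are now part of the flow key, but `use_cache = ip_tunnel_dst_cache_usable(skb, info)` is still evaluated above them; the commit message should say whether a dst cached from an earlier lookup can be handed back without re-running the lookup with these ports, since the IPsec policy match now depends on them and a stale cached dst could sidestep it.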
[ovs-dev] [PATCH v6 0/6] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables
OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2 -
1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE
   daemon support.
2. Add ovs-monitor-ipsec to flake8 check.
3. Use openssl to extract CN from certificate so that users don't need to
   specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3 -
1. Add scripts and rules to create ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec
   tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed
   description on OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificate when doing
   self-sign.
4. IPsec tunnel interface needs 'local_ip' information. Modify
   ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Changes from v3 to v4 -
1. Split the datapath patch to three patches (geneve, vxlan, stt).
2. Add tutorial for OVN RBAC and OVN IPsec.

Changes from v4 to v5 -
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve IPsec and OVN-IPsec tutorials as suggested.
3. Change the description of setting skb_mark in documentation to reflect
   the real situation.

Changes from v5 to v6 -
1. Use wildcard IP address to match localhost IP in LibreSwan. Remove the
   'local_ip' requirement when setting IPsec tunnel interface.
2. ovs-monitor-ipsec daemon accepts command line option to choose IKE
   daemon, either LibreSwan or StrongSwan. The init script chooses which IKE
   daemon to use. Currently, Debian init script chooses StrongSwan. Fedora
   init script chooses LibreSwan.
3. Check illegal name before removing a file in
   '_import_local_certs_and_key()'.
4. GRE IPsec tunnel was not activated properly when using LibreSwan. This
   version fixes it.
5. The plaintext policy syntax was wrong when using LibreSwan. This version
   corrects it.
6. Add comments and explanations about the 'remote_name' check in
   '_is_valid_tunnel_conf()'.
7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start IKE
   daemon.

*** BLURB HERE ***

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup for geneve
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk |4 +
 Documentation/howto/index.rst |1 +
 Documentation/howto/ipsec.rst | 194
 Documentation/index.rst |5 +-
 Documentation/tutorials/index.rst |3 +
 Documentation/tutorials/ipsec.rst | 347 ++
 Documentation/tutorials/ovn-ipsec.rst | 146 +++
 Documentation/tutorials/ovn-rbac.rst | 134 +++
 Makefile.am |1 +
 datapath/linux/compat/geneve.c | 29 +-
 debian/automake.mk |3 +
 debian/control | 21 +
 debian/openvswitch-ipsec.dirs |1 +
 debian/openvswitch-ipsec.init | 181 +++
 debian/openvswitch-ipsec.install |1 +
 ipsec/automake.mk | 10 +
 ipsec/ovs-monitor-ipsec | 1211
 ovn/controller/encaps.c | 14 +-
 ovn/controller/encaps.h |6 +-
 ovn/controller/ovn-controller.c |3 +-
 ovn/northd/ovn-northd.c |8 +-
 ovn/ovn-architecture.7.xml | 39 +
 ovn/ovn-nb.ovsschema |7 +-
 ovn/ovn-nb.xml |6 +
 ovn/ovn-sb.ovsschema |7 +-
 ovn/ovn-sb.xml |6 +
 rhel/automake.mk |1 +
 rhel/openvswitch-fedora.spec.in | 19 +-
 ...sr_lib_systemd_system_openvswitch-ipsec.service | 13 +
 utilities/ovs-ctl.in | 27 +
 vswitchd/vswitch.xml | 156 ++-
 31 files changed, 2569 insertions(+), 35 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644
Re: [ovs-dev] [PATCH v5 2/6] ipsec: reintroduce IPsec support for tunneling
On Mon, Aug 13, 2018 at 2:33 AM, Ansis Atteka wrote: > On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote: >> >> This patch reintroduces ovs-monitor-ipsec daemon that >> was previously removed by commit 2b02d770 ("openvswitch: >> Allow external IPsec tunnel management.") >> >> After this patch, there are no IPsec flavored tunnels anymore. >> IPsec is enabled by setting up the right values in: >> 1. OVSDB:Interface:options column; >> 2. OVSDB:Open_vSwitch:other_config column; >> 3. OpenFlow pipeline. >> >> GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and >> StrongSwan IKE daemons are supported. User can choose pre-shared key, >> self-signed peer certificate, or CA-signed certificate as authentication >> method. > s/mehod/methods >> >> Signed-off-by: Qiuyu Xiao >> Signed-off-by: Ansis Atteka >> Co-authored-by: Ansis Atteka >> --- > > I have two high level comments that we privately discussed earlier on Friday: > 1. the local_ip should be wildcardable. Otherwise, if routes change, > then then packets may leak out unencrypted before local_ip gets > explicitly updated by administrator as well. I did some test. The IP can be set as %defaultroute in LibreSwan so that no fixed IP is required. I will use this and avoid local_ip setting on the next revision. > 2. the strongSwan/Ubuntu and libreswan/Fedora compatibility issue due > to integrity check. I know that this could be strongswan or libreswan > bug, but perhaps we could use some alternate configuration that works? > Did you find one? I didn't find alternate configuration that works. I might just send a email to the upstream mailing list. > Other than that see small implementation details > >> Makefile.am |1 + >> ipsec/automake.mk | 10 + >> ipsec/ovs-monitor-ipsec | 1173 +++ >> 3 files changed, 1184 insertions(+) >> create mode 100644 ipsec/automake.mk >> create mode 100755 ipsec/ovs-monitor-ipsec >> >> diff --git a/Makefile.am b/Makefile.am >> index 788972804..aeb2d108f 100644 >> --- a/Makefile.am 
>> +++ b/Makefile.am >> @@ -481,6 +481,7 @@ include tests/automake.mk >> include include/automake.mk >> include third-party/automake.mk >> include debian/automake.mk >> +include ipsec/automake.mk >> include vswitchd/automake.mk >> include ovsdb/automake.mk >> include rhel/automake.mk >> diff --git a/ipsec/automake.mk b/ipsec/automake.mk >> new file mode 100644 >> index 0..1e530cb42 >> --- /dev/null >> +++ b/ipsec/automake.mk >> @@ -0,0 +1,10 @@ >> +# Copyright (C) 2017 Nicira, Inc. >> +# >> +# Copying and distribution of this file, with or without modification, >> +# are permitted in any medium without royalty provided the copyright >> +# notice and this notice are preserved. This file is offered as-is, >> +# without warranty of any kind. >> + >> +EXTRA_DIST += \ >> +ipsec/ovs-monitor-ipsec >> +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec >> diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec >> new file mode 100755 >> index 0..163b04004 >> --- /dev/null >> +++ b/ipsec/ovs-monitor-ipsec 
>> @@ -0,0 +1,1173 @@ >> +#!/usr/bin/env python >> +# Copyright (c) 2017 Nicira, Inc. >> +# >> +# Licensed under the Apache License, Version 2.0 (the "License"); >> +# you may not use this file except in compliance with the License. >> +# You may obtain a copy of the License at: >> +# >> +# http://www.apache.org/licenses/LICENSE-2.0 >> +# >> +# Unless required by applicable law or agreed to in writing, software >> +# distributed under the License is distributed on an "AS IS" BASIS, >> +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. >> +# See the License for the specific language governing permissions and >> +# limitations under the License. >> + >> +import argparse >> +import re >> +import subprocess >> +import sys >> +import copy >> +from string import Template >> + >> +import ovs.daemon >> +import ovs.db.idl >> +import ovs.dirs >> +import ovs.unixctl >> +import ovs.unixctl.server >> +import ovs.util >> +import ovs.vlog >> + >> + >> +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by >> hand!\n\n" >> +SHUNT_POLICY = """conn prevent_unencrypted_gre >> +type=drop >> +leftprotoport=gre >> +mark={0} >> + >> +conn p
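Review bot: ipsec/automake.mk adds ipsec/ovs-monitor-ipsec to EXTRA_DIST and FLAKE8_PYFILES only; nothing in that hunk installs the script (no scripts_SCRIPTS or similar entry), so `make install` leaves the daemon out. If installation is deliberately left to the debian/rhel packaging patch, say so in the commit message; otherwise add an install rule here.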
Re: [ovs-dev] [PATCH v5 2/6] ipsec: reintroduce IPsec support for tunneling
Thanks for the review! I will address your comments and post the next revision. But it might take a while because I need to deal with school stuff. Thanks, Qiuyu > On Aug 13, 2018, at 2:33 AM, Ansis Atteka wrote: > > On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <mailto:qiuyu.xiao@gmail.com>> wrote: >> >> This patch reintroduces ovs-monitor-ipsec daemon that >> was previously removed by commit 2b02d770 ("openvswitch: >> Allow external IPsec tunnel management.") >> >> After this patch, there are no IPsec flavored tunnels anymore. >> IPsec is enabled by setting up the right values in: >> 1. OVSDB:Interface:options column; >> 2. OVSDB:Open_vSwitch:other_config column; >> 3. OpenFlow pipeline. >> >> GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and >> StrongSwan IKE daemons are supported. User can choose pre-shared key, >> self-signed peer certificate, or CA-signed certificate as authentication >> method. > s/mehod/methods >> >> Signed-off-by: Qiuyu Xiao > <mailto:qiuyu.xiao@gmail.com>> >> Signed-off-by: Ansis Atteka mailto:aatt...@ovn.org>> >> Co-authored-by: Ansis Atteka mailto:aatt...@ovn.org>> >> --- > > I have two high level comments that we privately discussed earlier on Friday: > 1. the local_ip should be wildcardable. Otherwise, if routes change, > then then packets may leak out unencrypted before local_ip gets > explicitly updated by administrator as well. > 2. the strongSwan/Ubuntu and libreswan/Fedora compatibility issue due > to integrity check. I know that this could be strongswan or libreswan > bug, but perhaps we could use some alternate configuration that works? > Did you find one? > > Other than that see small implementation details > >> Makefile.am |1 + >> ipsec/automake.mk | 10 + >> ipsec/ovs-monitor-ipsec | 1173 +++ >> 3 files changed, 1184 insertions(+) >> create mode 100644 ipsec/automake.mk >> create mode 100755 ipsec/ovs-monitor-ipsec >> >> diff --git a/Makefile.am b/Makefile.am >> index 788972804..aeb2d108f 100644 
>> --- a/Makefile.am >> +++ b/Makefile.am >> @@ -481,6 +481,7 @@ include tests/automake.mk >> include include/automake.mk >> include third-party/automake.mk >> include debian/automake.mk >> +include ipsec/automake.mk >> include vswitchd/automake.mk >> include ovsdb/automake.mk >> include rhel/automake.mk >> diff --git a/ipsec/automake.mk b/ipsec/automake.mk >> new file mode 100644 >> index 0..1e530cb42 >> --- /dev/null >> +++ b/ipsec/automake.mk >> @@ -0,0 +1,10 @@ >> +# Copyright (C) 2017 Nicira, Inc. >> +# >> +# Copying and distribution of this file, with or without modification, >> +# are permitted in any medium without royalty provided the copyright >> +# notice and this notice are preserved. This file is offered as-is, >> +# without warranty of any kind. >> + >> +EXTRA_DIST += \ >> +ipsec/ovs-monitor-ipsec >> +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec >> diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec >> new file mode 100755 >> index 0..163b04004 >> --- /dev/null >> +++ b/ipsec/ovs-monitor-ipsec 
>> @@ -0,0 +1,1173 @@ >> +#!/usr/bin/env python >> +# Copyright (c) 2017 Nicira, Inc. >> +# >> +# Licensed under the Apache License, Version 2.0 (the "License"); >> +# you may not use this file except in compliance with the License. >> +# You may obtain a copy of the License at: >> +# >> +# http://www.apache.org/licenses/LICENSE-2.0 >> +# >> +# Unless required by applicable law or agreed to in writing, software >> +# distributed under the License is distributed on an "AS IS" BASIS, >> +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. >> +# See the License for the specific language governing permissions and >> +# limitations under the License. >> + >> +import argparse >> +import re >> +import subprocess >> +import sys >> +import copy >> +from string import Template >> + >> +import ovs.daemon >> +import ovs.db.idl >> +import ovs.dirs >> +import ovs.unixctl >> +import ovs.unixctl.server >> +import ovs.util >> +import ovs.vlog >> + >> + >> +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by >> hand!\n\n" >> +SHUNT_POLICY = """conn prevent_unencrypted_gre >> +type=drop >> +left
Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
Hi Aaron,

Thanks for the feedback!

On Fri, Aug 10, 2018 at 12:03 PM, Aaron Conole wrote:
>
> Ben Pfaff writes:
>
> > On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> >> Ben Pfaff writes:
> >>
> >> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao
> >> >> wrote:
> >> >> >
> >> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >> >
> >> >> > Signed-off-by: Qiuyu Xiao
> >> >> > Signed-off-by: Ansis Atteka
> >> >> > Co-authored-by: Ansis Atteka
> >> >>
> >> >> Did you test this patch on Fedora with SElinux enabled?
> >> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> >> >> policy too:
> >> >
>
> Looking at the documentation and playing around here are my thoughts:
>
> 1. We probably can squelch the .local and ldconfig AVCs that pop out.
> These seem to be related more to the python environment of the ipsec
> monitor.
>
> dontaudit openvswitch_t gconf_home_t:dir { search };
> dontaudit openvswitch_t ldconfig_exec_t:file { execute };
>
> I don't think there's any harm in them, so the above would simply keep
> the alert log quiet.
>
> 2. The actual ipsec side seems a bit more complicated.
>
> Since the openvswitch-ipsec daemon writes configurations to /etc, it
> would be best to build a transition domain that has the ability just to
> modify those files and start the ipsec daemon. I'm not sure it makes
> sense to allow openvswitch_t domain to write to all of /etc. We can
> certainly grant that for now and make the transition domain something to
> do in the future. I'll write that policy up and send it out (but it's a
> bit bigger - even the non-domain transition one - just because of the
> extra headache to allow /etc access).

The openvswitch-ipsec daemon directly changes `/etc/ipsec.conf` and
`/etc/ipsec.secrets`, and uses the `certutil` command to access NSS db files
in the `/etc/ipsec.d/` directory. Can we only grant SELinux permissions to
those files?

> On the other hand, it might be possible to use an existing ipsec service
> and use the ipsec dbus interface. Can you take a look to see if we
> could integrate that by default and fall back to the manual monitoring
> mode. That would be my preferred solution (but I don't know if it has
> all of the support needed). The selinux policy for that is much simpler
> as well (just a few macros).

LibreSwan wiki says that the dbus API is still under development. Currently,
the openvswitch-ipsec daemon uses the `ipsec` command to communicate with the
LibreSwan IPsec service.

-Qiuyu
Re: [ovs-dev] [PATCH v5 1/9] datapath: add transport ports in route lookup for geneve
Hi William, ip_route_output_key() calls xfrm_lookup(). xfrm_lookup() needs L4 ports so that the packet can match IPsec's security policy based on L4 ports. IPsec security policy for Geneve selects udp packets with dst port 6081. If no port information, the IPsec stack won't know the packet is a Geneve packet and the packet won't be encrypted. Different dport and sport affect `struct xfrm_state` in the `struct dst_entry`. But this structure only matters to the xfrm module. The Linux upstream VXLAN module already included L4 ports for VXLAN route look up. Thanks, Qiuyu On Thu, Aug 9, 2018 at 2:13 PM, William Tu wrote: > Hi Qiuyu, > > Can you explain a little more about why you need L4 ports for route lookup? > Does Linux kernel support different route for different L4 ports? > I thought it only uses L3 address for route lookup. > > On Mon, Aug 6, 2018 at 11:04 AM, Qiuyu Xiao > wrote: > >> This patch adds transport ports information for route lookup so that >> IPsec can select geneve tunnel traffic to do encryption. >> >> Signed-off-by: Qiuyu Xiao >> Reviewed-by: Greg Rose >> Tested-by: Greg Rose >> --- >> datapath/linux/compat/geneve.c | 29 +++-- >> 1 file changed, 19 insertions(+), 10 deletions(-) >> >> diff --git a/datapath/linux/compat/geneve.c >> b/datapath/linux/compat/geneve.c >> index 435a23fb7..95a665ddd 100644 >> --- a/datapath/linux/compat/geneve.c >> +++ b/datapath/linux/compat/geneve.c >> @@ -836,7 +836,8 @@ free_dst: >> static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, >>struct net_device *dev, >>struct flowi4 *fl4, >> - struct ip_tunnel_info *info) >> + struct ip_tunnel_info *info, >> + __be16 dport, __be16 sport) >> { >> bool use_cache = ip_tunnel_dst_cache_usable(skb, info); >> struct geneve_dev *geneve = netdev_priv(dev); 
>> @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff >> *skb, >> memset(fl4, 0, sizeof(*fl4)); >> fl4->flowi4_mark = skb->mark; >> fl4->flowi4_proto = IPPROTO_UDP; >> + fl4->fl4_dport = dport; >> + fl4->fl4_sport = sport; > > > the route entry (rt) is from > rt = ip_route_output_key(geneve->net, fl4) > > Does different dport and sport return different route lookup entry? > > Thanks > William > > >> > if (info) { >> fl4->daddr = info->key.u.ipv4.dst; >> @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff >> *skb, >> static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, >>struct net_device *dev, >>struct flowi6 *fl6, >> - struct ip_tunnel_info *info) >> + struct ip_tunnel_info *info, >> + __be16 dport, __be16 sport) >> { >> bool use_cache = ip_tunnel_dst_cache_usable(skb, info); >> struct geneve_dev *geneve = netdev_priv(dev); >> @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct >> sk_buff *skb, >> memset(fl6, 0, sizeof(*fl6)); >> fl6->flowi6_mark = skb->mark; >> fl6->flowi6_proto = IPPROTO_UDP; >> + fl6->fl6_dport = dport; >> + fl6->fl6_sport = sport; >> >> if (info) { >> fl6->daddr = info->key.u.ipv6.dst; >> @@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff >> *skb, struct net_device *dev, >> goto tx_error; >> } >> >> - rt = geneve_get_v4_rt(skb, dev, , info); >> + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); >> + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, >> sport); >> if (IS_ERR(rt)) { >> err = PTR_ERR(rt); >> goto tx_error; >> } >> >> - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); >> skb_reset_mac_header(skb); >> >> iip = ip_hdr(skb); >> @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct >> sk_buff *skb, struct net_device *dev, >> } >> } >> >> - dst = geneve_get_v6_dst(skb, dev,
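Qiuyu's point above about why the flow key handed to the route lookup must carry the L4 ports, as an added example that is not part of this thread, the OVS patch or the kernel: a reduced C model of the xfrm policy selector match, run once with the ports left zero (the pre-patch flow key) and once with dport 6081 and a per-flow source port. The addresses, the policy table (including a GRE drop shunt in the spirit of the prevent_unencrypted_gre conn in ovs-monitor-ipsec) and every function name here are constructed assumptions.

```c
/* Added example, not code from the OVS patch or the Linux kernel: a reduced
 * model of the IPsec (xfrm) policy selector check that ip_route_output_key()
 * reaches through xfrm_lookup().  A policy selecting "udp dport 6081" cannot
 * match a flow key whose ports were left zero, so the packet is routed with
 * no transform and leaves in plaintext.  Struct layouts, addresses and the
 * policy table are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GENEVE_UDP_PORT 6081
#define PROTO_UDP 17
#define PROTO_GRE 47
#define LOCAL_IP 0x0a000001u   /* 10.0.0.1, constructed; host byte order */
#define PEER_IP  0x0a000002u   /* 10.0.0.2, constructed; host byte order */

/* Subset of struct flowi4: what the route/xfrm lookup gets to see. */
struct flow4 {
    uint32_t daddr, saddr;
    uint8_t proto;
    uint16_t dport, sport;      /* 0 when the caller did not populate them */
};

/* Subset of struct xfrm_selector. */
struct selector {
    uint32_t daddr, saddr;
    uint8_t prefixlen_d, prefixlen_s;
    uint8_t proto;              /* 0 = any protocol */
    uint16_t dport, dport_mask; /* mask 0 = any port */
    uint16_t sport, sport_mask;
};

enum action { ACT_PLAINTEXT = 0, ACT_ENCRYPT = 1, ACT_DROP = 2 };

struct policy { const char *name; struct selector sel; enum action act; };

static int prefix_match(uint32_t a, uint32_t b, int plen)
{
    uint32_t mask = plen == 0 ? 0 : ~0u << (32 - plen);
    return ((a ^ b) & mask) == 0;
}

/* Same shape as the kernel's IPv4 selector match: addresses by prefix,
 * ports by mask, protocol exact (0 = any). */
static int selector_match(const struct selector *s, const struct flow4 *fl)
{
    return prefix_match(fl->daddr, s->daddr, s->prefixlen_d)
        && prefix_match(fl->saddr, s->saddr, s->prefixlen_s)
        && !((fl->dport ^ s->dport) & s->dport_mask)
        && !((fl->sport ^ s->sport) & s->sport_mask)
        && (s->proto == 0 || fl->proto == s->proto);
}

/* Constructed outbound policies for one tunnel LOCAL_IP -> PEER_IP: encrypt
 * Geneve (udp, dport 6081, any sport) and drop GRE that has no SA, in the
 * spirit of the prevent_unencrypted_gre conn in ovs-monitor-ipsec.  First
 * match wins; no match means the kernel routes the packet unchanged. */
static const struct policy policies[] = {
    { "encrypt-geneve", { PEER_IP, LOCAL_IP, 32, 32, PROTO_UDP,
                          GENEVE_UDP_PORT, 0xffff, 0, 0 }, ACT_ENCRYPT },
    { "drop-plaintext-gre", { PEER_IP, LOCAL_IP, 32, 32, PROTO_GRE,
                              0, 0, 0, 0 }, ACT_DROP },
};

static enum action policy_lookup(const struct flow4 *fl, const char **hit)
{
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++) {
        if (selector_match(&policies[i].sel, fl)) {
            if (hit) { *hit = policies[i].name; }
            return policies[i].act;
        }
    }
    if (hit) { *hit = "(no policy)"; }
    return ACT_PLAINTEXT;
}

/* Flow key for a packet to the peer with the ports exactly as the caller
 * filled them in.  dport == sport == 0 models the pre-patch
 * geneve_get_v4_rt(), whose memset left fl4_dport/fl4_sport zero. */
enum action lookup_to_peer(uint8_t proto, uint16_t dport, uint16_t sport,
                           const char **hit)
{
    struct flow4 fl = { .daddr = PEER_IP, .saddr = LOCAL_IP, .proto = proto,
                        .dport = dport, .sport = sport };
    return policy_lookup(&fl, hit);
}

int main(void)
{
    static const char *names[] = { "plaintext", "encrypt", "drop" };
    const char *hit;
    enum action a = lookup_to_peer(PROTO_UDP, 0, 0, &hit);      /* pre-patch */
    printf("geneve, ports not in flow key: %s (%s)\n", names[a], hit);
    a = lookup_to_peer(PROTO_UDP, GENEVE_UDP_PORT, 40000, &hit); /* patched */
    printf("geneve, ports in flow key:     %s (%s)\n", names[a], hit);
    a = lookup_to_peer(PROTO_GRE, 0, 0, &hit);
    printf("gre with no SA:                %s (%s)\n", names[a], hit);
    return 0;
}
```

The 40000 stands in for whatever udp_flow_src_port() picks; because the selector leaves sport_mask zero, any source port matches once dport is populated.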
[ovs-dev] [PATCH v5 6/6] Documentation: OVN RBAC and IPsec tutorial
This patch adds step-by-step guide for configuring OVN Role-Based Access Control and IPsec. Signed-off-by: Qiuyu Xiao --- Documentation/automake.mk | 2 + Documentation/index.rst | 4 +- Documentation/tutorials/index.rst | 2 + Documentation/tutorials/ovn-ipsec.rst | 147 ++ Documentation/tutorials/ovn-rbac.rst | 134 +++ 5 files changed, 288 insertions(+), 1 deletion(-) create mode 100644 Documentation/tutorials/ovn-ipsec.rst create mode 100644 Documentation/tutorials/ovn-rbac.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 5401b9bad..082438e09 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -29,6 +29,8 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ Documentation/tutorials/ipsec.rst \ + Documentation/tutorials/ovn-ipsec.rst \ + Documentation/tutorials/ovn-rbac.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ diff --git a/Documentation/index.rst b/Documentation/index.rst index bab5ba1f1..46261235c 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -66,7 +66,9 @@ vSwitch? Start here. :doc:`tutorials/ovn-sandbox` | :doc:`tutorials/ovn-openstack` | :doc:`tutorials/ovs-conntrack` | - :doc:`tutorials/ipsec` + :doc:`tutorials/ipsec` | + :doc:`tutorials/ovn-ipsec` | + :doc:`tutorials/ovn-rbac` Deeper Dive --- diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index b481090a0..35340ee56 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -44,4 +44,6 @@ vSwitch. ovs-advanced ovn-sandbox ovn-openstack + ovn-rbac + ovn-ipsec ovs-conntrack diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst new file mode 100644 index 0..db3d5bc43 --- /dev/null +++ b/Documentation/tutorials/ovn-ipsec.rst 
@@ -0,0 +1,147 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +OVN IPsec Tutorial +== + +This document provides a step-by-step guide for encrypting tunnel traffic with +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by +physical routers and switches. These physical devices could be untrusted +(devices in public network) or might be compromised. Enabling IPsec encryption +for the tunnel traffic can prevent the traffic data from being monitored and +manipulated. More details about the OVN IPsec design can be found in +``ovn-architecture``\(7) manpage. + +This document assumes OVN is installed in your system and runs normally. Also, +you need to install OVS IPsec packages in each chassis (refer to +:ref:`install-ovs-ipsec`). + +Generating Certificates and Keys + + +OVN chassis uses CA-signed certificate to authenticate peer chassis for +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you +can generate separate certificates and keys with ``ovs-pki`` (refer to +:ref:`gen-certs-keys`). + +.. 
note:: + + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS + field setting the same string as the common name (CN) field. CN should be + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later + generates such certificates. Please generate compatible certificates if you + use another PKI tool, or an older version of ``ovs-pki``, to manage + certificates. + +Configuring OVN IPsec +- + +You need to install the CA certificate, chassis certificate and private key in +each chassis. Use the following command:: + +$ ovs-vsctl set Open_vSwitch . \ +other_config:certificate=/path/to/chassis-cert.pem \ +other_config:private_key=/path/to/chassis-privkey.pem \ +other_config:ca_cert
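Review bot: The "Configuring OVN IPsec" section tells the user to point `other_config:private_key` at a PEM file but says nothing about protecting it; add that the key file must be readable only by the user ovs-monitor-ipsec runs as, since it is what proves the chassis identity to every peer. The certificate note above it should also state that the CN and subjectAltName must match the chassis name exactly as ovn-controller writes it into `options:remote_name` (per the 5/6 commit message), because a mismatch means the peer fails authentication and no tunnel comes up.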
[ovs-dev] [PATCH v5 5/6] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted. The changes are summarized as below: 1) Added a ipsec column on the NB_Global table and SB_Global table. The value of ipsec column is propagated by ovn-northd from NB_Global to SB_Global. 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:remote_name=". If the ipsec value is false, ovn-controller removes these options. 3) ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures IKE daemon accordingly for IPsec encryption. Signed-off-by: Qiuyu Xiao --- ovn/controller/encaps.c | 31 ++ ovn/controller/encaps.h | 7 +- ovn/controller/ovn-controller.c | 4 +++- ovn/northd/ovn-northd.c | 8 +-- ovn/ovn-architecture.7.xml | 39 + ovn/ovn-nb.ovsschema| 7 +++--- ovn/ovn-nb.xml | 6 + ovn/ovn-sb.ovsschema| 7 +++--- ovn/ovn-sb.xml | 6 + 9 files changed, 101 insertions(+), 14 deletions(-) diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..2169920ba 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,9 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap, + const char *local_ip) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip); 
@@ -90,6 +91,16 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +if (local_ip) { +smap_add(, "local_ip", local_ip); +} else { +VLOG_INFO("Need to specify encap ip for IPsec tunnels."); +} +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +168,9 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg, + const struct ovsrec_open_vswitch_table *ovs_table) { if (!ovs_idl_txn || !br_int) { return; @@ -201,6 +214,16 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, } } +/* Get IP address of local chassis. */ +const char *chassis_ip; +const struct ovsrec_open_vswitch *cfg; +cfg = ovsrec_open_vswitch_table_first(ovs_table); +if (cfg) { +chassis_ip = smap_get(>external_ids, "ovn-encap-ip"); +} else { +chassis_ip = NULL; +} + SBREC_CHASSIS_TABLE_FOR_EACH (chassis_rec, chassis_table) { if (strcmp(chassis_rec->name, chassis_id)) { /* Create tunnels to the other chassis. */ @@ -209,7 +232,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap, chassis_ip); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..680b62df7 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h 
@@ -23,13 +23,18 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *, +const struct ovsrec_open_vswitch_table *); + bool encaps_cleanup(struct ovsdb_idl_txn
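Review bot: In tunnel_add(), when `sbg->ipsec` is true but `local_ip` is NULL the code emits `VLOG_INFO("Need to specify encap ip for IPsec tunnels.")` and still creates the tunnel with only `remote_name` set; the operator asked for encryption and is not getting the configuration needed for it, so this deserves `VLOG_WARN` (rate-limited, since it repeats once per remote chassis on every encaps_run()) and the commit message should state whether ovs-monitor-ipsec refuses such an interface or whether traffic could cross it in plaintext until `external_ids:ovn-encap-ip` is set.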
[ovs-dev] [PATCH v5 4/6] Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-setp guide to set up OVS IPsec tunnel. tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel configuration methods and forwarding modes. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- Documentation/automake.mk | 2 + Documentation/howto/index.rst | 1 + Documentation/howto/ipsec.rst | 204 + Documentation/index.rst | 3 +- Documentation/tutorials/index.rst | 1 + Documentation/tutorials/ipsec.rst | 353 ++ vswitchd/vswitch.xml | 157 - 7 files changed, 711 insertions(+), 10 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 Documentation/tutorials/ipsec.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 244479490..5401b9bad 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -28,6 +28,7 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-openstack.rst \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ + Documentation/tutorials/ipsec.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ @@ -60,6 +61,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..d3fb190be --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,204 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document gives detailed description on the OVS IPsec tunnel and its +configuration modes. If you want to follow a step-by-step guide to run and +test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`. + +Overview + + +Why do encryption? +~~ + +OVS tunnel packets are transported from one machine to another. Along the path, +the packets are processed by physical routers and physical switches. There are +risks that these physical devices might read or write the contents of the +tunnel packets. IPsec encrypts IP payload and prevents the malicious party +sniffing or manipulating the tunnel traffic. + +OVS IPsec +~ + +OVS IPsec aims to provide a simple interface for user to add encryption on OVS +tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec +configuration is done by setting options of the tunnel interface and +other_config of Open_vSwitch. You can choose different authentication methods +and plaintext tunnel policies based on your requirements. + +OVS does not currently provide any support for IPsec encryption for traffic not +encapsulated in a tunnel. 
+ +Configuration +- + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. There are three authentication methods: + +1) You can use a pre-shared key (PSK) to do authentication. In both hosts, set + the same PSK value. This PSK is like your password. You should never reveal + it to untrusted parties. This method is easier to use but less secure than + the certificate-based methods:: + + $ ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:local_ip=1.1.1.1 \ + optio
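Review bot: The commit message attributes the step-by-step guide to tutorials/index.rst and the detailed explanation to tutorials/ipsec.rst, but the diff says the opposite: Documentation/howto/ipsec.rst opens with "This document gives detailed description on the OVS IPsec tunnel and its configuration modes" and refers readers to :doc:`/tutorials/ipsec` for the step-by-step guide, while tutorials/index.rst only gains a toctree entry. Fix the file names (and s/step-by-setp/step-by-step/) so the message matches the diffstat.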
[ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
 debian/automake.mk | 3 +
 debian/control | 21 ++
 debian/openvswitch-ipsec.dirs | 1 +
 debian/openvswitch-ipsec.init | 181 ++
 debian/openvswitch-ipsec.install | 1 +
 rhel/automake.mk | 1 +
 rhel/openvswitch-fedora.spec.in | 19 +-
 ...b_systemd_system_openvswitch-ipsec.service | 12 ++
 utilities/ovs-ctl.in | 18 ++
 9 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control
@@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..8488beccf --- /dev/null +++ b/debian/openvswitch-ipsec.init 
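Review bot: the new openvswitch-ipsec stanza in debian/control hard-codes `Depends: ... strongswan`, yet the series states that both StrongSwan and LibreSwan IKE daemons are supported; use an alternative such as `strongswan | libreswan` (or a dependency keyed on the daemon the script is configured for) so that a LibreSwan deployment can install the package at all. The `debian/openvswitch-ipsec.dirs` file is also added without a trailing newline (`\ No newline at end of file`); add one.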
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you might not +# let some servers
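Review bot: the LSB header in debian/openvswitch-ipsec.init still says `Short-Description: Open vSwitch GRE-over-IPsec daemon` and `encrypting GRE tunnels with IPsec`, but the ovs-monitor-ipsec it starts now handles GRE, VXLAN, GENEVE and STT tunnels; update both lines. `Required-Start` lists `openvswitch-switch` but not the IKE daemon whose configuration this script drives; add it so dependency-based boot ordering brings the IKE daemon up first.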
[ovs-dev] [PATCH v5 1/6] datapath: add transport ports in route lookup for geneve
This patch adds transport port information for route lookup so that IPsec can select geneve tunnel traffic to do encryption.

Signed-off-by: Qiuyu Xiao
Reviewed-by: Greg Rose
Tested-by: Greg Rose
---
 datapath/linux/compat/geneve.c | 29 +++--
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 435a23fb7..95a665ddd 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -836,7 +836,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst;
@@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1232,13 +1238,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1246,7 +1256,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); 
@@ -1257,8 +1267,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; } - info->key.tp_src = udp_flow_src_port(geneve->net, skb, -
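Review bot: the last hunk is cut off in this message right after the removed `info->key.tp_src = udp_flow_src_port(...)` assignment in ovs_geneve_fill_metadata_dst; the replacement must store the same `sport` value that was just passed to geneve_get_v4_rt()/geneve_get_v6_dst(), otherwise the xfrm policy is matched on one source port while the packet leaves with another and the `sport`/`dport` selector no longer sees the traffic it is meant to protect. Moving the `udp_flow_src_port()` call ahead of the route lookup in geneve_xmit_skb() and geneve6_xmit_skb() gets this right for the transmit paths; a short comment at the new `fl4->fl4_dport`/`fl4->fl4_sport` assignments saying that the ports are in the flow key so IPsec policy lookup can select Geneve would help the next reader, since the lookup previously ran with both fields zeroed.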
[ovs-dev] [PATCH v5 0/6] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE daemon support.
2. Add ovs-monitor-ipsec to flake8 check.
3. Use openssl to extract CN from certificate so that users don't need to specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
1. Add scripts and rules to create ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed description on OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificate when doing self-sign.
4. IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Changes from v3 to v4
1. Split the datapath patch to three patches (geneve, vxlan, stt).
2. Add tutorial for OVN RBAC and OVN IPsec.

Changes from v4 to v5
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve IPsec and OVN-IPsec tutorials as suggested.
3. Change the description of setting skb_mark in documentation to reflect the real situation.

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup for geneve
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk | 4 +
 Documentation/howto/index.rst | 1 +
 Documentation/howto/ipsec.rst | 204 +++
 Documentation/index.rst | 5 +-
 Documentation/tutorials/index.rst | 3 +
 Documentation/tutorials/ipsec.rst | 353 +
 Documentation/tutorials/ovn-ipsec.rst | 147 +++
 Documentation/tutorials/ovn-rbac.rst | 134 ++
 Makefile.am | 1 +
 datapath/linux/compat/geneve.c | 29 +-
 debian/automake.mk | 3 +
 debian/control | 21 +
 debian/openvswitch-ipsec.dirs | 1 +
 debian/openvswitch-ipsec.init | 181 +++
 debian/openvswitch-ipsec.install | 1 +
 ipsec/automake.mk | 10 +
 ipsec/ovs-monitor-ipsec | 1173 +
 ovn/controller/encaps.c | 31 +-
 ovn/controller/encaps.h | 7 +-
 ovn/controller/ovn-controller.c | 4 +-
 ovn/northd/ovn-northd.c | 8 +-
 ovn/ovn-architecture.7.xml | 39 +
 ovn/ovn-nb.ovsschema | 7 +-
 ovn/ovn-nb.xml | 6 +
 ovn/ovn-sb.ovsschema | 7 +-
 ovn/ovn-sb.xml | 6 +
 rhel/automake.mk | 1 +
 rhel/openvswitch-fedora.spec.in | 19 +-
 ...b_systemd_system_openvswitch-ipsec.service | 12 +
 utilities/ovs-ctl.in | 18 +
 vswitchd/vswitch.xml | 157 ++-
 31 files changed, 2558 insertions(+), 35 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

-- 
2.18.0

___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v5 6/9] Documentation: IPsec tunnel tutorial and documentation.
Yes. This describes the real situation. I will apply this to the next series.

Thanks,
Qiuyu

On Mon, Aug 6, 2018 at 4:25 PM, Ben Pfaff wrote:
> On Mon, Aug 06, 2018 at 11:04:36AM -0700, Qiuyu Xiao wrote:
>> tutorials/index.rst gives a step-by-step guide to set up OVS IPsec
>> tunnel.
>>
>> tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel
>> configuration methods and forwarding modes.
>>
>> Signed-off-by: Qiuyu Xiao
>> Signed-off-by: Ansis Atteka
>> Co-authored-by: Ansis Atteka
>
> Following our in-person discussion today, does the following correctly
> reflect the real situation?
>
> Thanks,
>
> Ben.
>
> diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml > index 3caef4f79539..e9a8d20feece 100644 > --- a/vswitchd/vswitch.xml > +++ b/vswitchd/vswitch.xml > @@ -823,11 +823,15 @@ > > > > - After an IPsec tunnel is configured, it takes a few round trips to > - negotiate details of the encryption with the remote host. In the > - meantime, packets sent by the local host over the tunnel can be > - transmitted in plaintext. This setting controls the behavior in > this > - situation. > + When an IPsec tunnel is configured in this database, multiple > + independent components take responsibility for implementing it. > + ovs-vswitchd and its datapath handle packet forwarding > + to the tunnel and a separate daemon pushes the tunnel's IPsec > policy > + configuration to the kernel or other entity that implements it. > + There is a race: if the former configuration completes before the > + latter, then packets sent by the local host over the tunnel can be > + transmitted in plaintext. Using this setting, OVS users can avoid > + this undesirable situation. > >type='{"type": "string"}'>
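Review bot: the proposed vswitch.xml text explains the race between ovs-vswitchd configuring forwarding to the tunnel and the separate daemon installing the IPsec policy, but the closing sentence "Using this setting, OVS users can avoid this undesirable situation" never says which value of the setting closes the race or what the default does; add a sentence naming the safe value and the default, so that an operator reading only this column description knows whether plaintext can leave the host out of the box.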
[ovs-dev] [PATCH v5 8/9] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnels. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted.

The changes are summarized as below:

1) Added an ipsec column on the NB_Global table and SB_Global table. The value of ipsec column is propagated by ovn-northd from NB_Global to SB_Global.
2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:remote_name=". If the ipsec value is false, ovn-controller removes these options.
3) ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures IKE daemon accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao
---
 ovn/controller/encaps.c | 31 ++
 ovn/controller/encaps.h | 7 +-
 ovn/controller/ovn-controller.c | 4 +++-
 ovn/northd/ovn-northd.c | 8 +--
 ovn/ovn-architecture.7.xml | 39 +
 ovn/ovn-nb.ovsschema | 7 +++---
 ovn/ovn-nb.xml | 6 +
 ovn/ovn-sb.ovsschema | 7 +++---
 ovn/ovn-sb.xml | 6 +
 9 files changed, 101 insertions(+), 14 deletions(-)
diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..2169920ba 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,9 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap, + const char *local_ip) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip);
@@ -90,6 +91,16 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +if (local_ip) { +smap_add(, "local_ip", local_ip); +} else { +VLOG_INFO("Need to specify encap ip for IPsec tunnels."); +} +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +168,9 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg, + const struct ovsrec_open_vswitch_table *ovs_table) { if (!ovs_idl_txn || !br_int) { return; @@ -201,6 +214,16 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, } } +/* Get IP address of local chassis. */ +const char *chassis_ip; +const struct ovsrec_open_vswitch *cfg; +cfg = ovsrec_open_vswitch_table_first(ovs_table); +if (cfg) { +chassis_ip = smap_get(>external_ids, "ovn-encap-ip"); +} else { +chassis_ip = NULL; +} + SBREC_CHASSIS_TABLE_FOR_EACH (chassis_rec, chassis_table) { if (strcmp(chassis_rec->name, chassis_id)) { /* Create tunnels to the other chassis. */ @@ -209,7 +232,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap, chassis_ip); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..680b62df7 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h 
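Review bot: tunnel_add() dereferences `sbg->ipsec` without checking `sbg` for NULL, and encaps_run() passes whatever it was given straight through; the SB_Global row can be absent (an empty or freshly created southbound database), so either bail out of encaps_run() when `sbg` is NULL or document that callers guarantee a row. Also, when `sbg->ipsec` is true but `ovn-encap-ip` is missing, the code logs "Need to specify encap ip for IPsec tunnels." at VLOG_INFO and still creates the tunnel with only `remote_name`; an IPsec-enabled tunnel without its local endpoint is a misconfiguration that can leave chassis traffic unprotected, so log it at VLOG_WARN (rate-limited) and consider skipping the tunnel until the address is set.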
@@ -23,13 +23,18 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *, +const struct ovsrec_open_vswitch_table *); + bool encaps_cleanup(struct ovsdb_idl_txn
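The race that Ben's vswitch.xml text above describes (the tunnel port exists before the IPsec daemon has pushed its policy) and the port-carrying flow key of patch 1/6 both come down to one question an operator can check directly: does every tunnel interface in OVSDB have an outbound xfrm policy whose selector actually matches its encapsulated packets? The Python below is an added example, not code from Open vSwitch, OVN or this series. It parses the output shapes of `ovs-vsctl --columns=name,type,options list Interface` and `ip xfrm policy` (both samples are constructed here), and lists the tunnels that no outbound policy covers. The default-port table and all function names are the example's own.

```python
"""Report OVS tunnel ports whose traffic no outbound IPsec (xfrm) policy covers.

Added example; not code from Open vSwitch, OVN or this patch series.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Transport protocol and default destination port of each OVS tunnel type
# (GRE has no L4 port; STT uses TCP 7471, VXLAN UDP 4789, Geneve UDP 6081).
TUNNEL_L4 = {"gre": ("gre", None), "vxlan": ("udp", 4789),
             "geneve": ("udp", 6081), "stt": ("tcp", 7471)}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str
    remote_ip: str
    port: Optional[int]      # L4 destination port of the encapsulation


@dataclass(frozen=True)
class XfrmPolicy:
    dst: Network
    proto: str               # "gre", "udp", "tcp" or "any"
    dport: Optional[int]
    direction: str           # "in", "out" or "fwd"


def parse_ovs_interfaces(text: str) -> List[Tunnel]:
    """Parse `ovs-vsctl list Interface` output: one record per interface,
    `key : value` lines, records separated by a blank line."""
    tunnels = []
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip().strip('"')
        kind = fields.get("type")
        if kind not in TUNNEL_L4:
            continue
        opts = dict(re.findall(r'(\w+)="?([^",}]+)"?', fields.get("options", "")))
        remote = opts.get("remote_ip")
        if remote is None or remote == "flow":
            continue  # flow-based tunnel: the peer is chosen per packet
        port = int(opts["dst_port"]) if "dst_port" in opts else TUNNEL_L4[kind][1]
        tunnels.append(Tunnel(fields["name"], kind, remote, port))
    return tunnels


def parse_xfrm_policies(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` output: an unindented selector line
    ("src A dst B [proto P] [sport S] [dport D]") followed by indented
    attribute lines, the first of which carries `dir`."""
    policies = []
    selector = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":
            selector = line          # a new policy starts here
            continue
        words = line.split()
        if selector is not None and words[0] == "dir":
            dst = re.search(r"\bdst (\S+)", selector).group(1)
            proto = re.search(r"\bproto (\w+)", selector)
            dport = re.search(r"\bdport (\d+)", selector)
            policies.append(XfrmPolicy(
                dst=ipaddress.ip_network(dst, strict=False),
                proto=proto.group(1) if proto else "any",
                dport=int(dport.group(1)) if dport else None,
                direction=words[1]))
            selector = None
    return policies


def policy_covers(policy: XfrmPolicy, tunnel: Tunnel) -> bool:
    """True if this outbound policy selects the tunnel's encapsulated packets."""
    l4proto = TUNNEL_L4[tunnel.kind][0]
    return (policy.direction == "out"
            and ipaddress.ip_address(tunnel.remote_ip) in policy.dst
            and policy.proto in ("any", l4proto)
            and (policy.dport is None or policy.dport == tunnel.port))


def unprotected_tunnels(tunnels: List[Tunnel],
                        policies: List[XfrmPolicy]) -> List[str]:
    """Names of tunnels that no outbound xfrm policy would encrypt."""
    return [t.name for t in tunnels
            if not any(policy_covers(p, t) for p in policies)]


def check(ovs_text: str, xfrm_text: str) -> List[str]:
    return unprotected_tunnels(parse_ovs_interfaces(ovs_text),
                               parse_xfrm_policies(xfrm_text))


# Constructed sample of `ovs-vsctl --columns=name,type,options list Interface`.
SAMPLE_OVS = """\
name                : geneve0
options             : {remote_ip="10.0.0.2", remote_name="chassis-2"}
type                : geneve

name                : geneve1
options             : {dst_port="6082", remote_ip="10.0.0.2", remote_name="chassis-2"}
type                : geneve

name                : gre0
options             : {remote_ip="10.0.0.3", remote_name="chassis-3"}
type                : gre

name                : vxlan0
options             : {remote_ip="10.0.0.4"}
type                : vxlan

name                : eth0
options             : {}
type                : ""
"""

# Constructed sample of `ip xfrm policy`: Geneve to 10.0.0.2 on UDP 6081 (out
# and in), GRE to 10.0.0.3. Nothing covers 10.0.0.4 or Geneve on port 6082.
SAMPLE_XFRM = """\
src 0.0.0.0/0 dst 10.0.0.2/32 proto udp dport 6081
\tdir out priority 1760 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.2
\t\tproto esp reqid 16385 mode transport
src 10.0.0.2/32 dst 0.0.0.0/0 proto udp sport 6081
\tdir in priority 1760 ptype main
\ttmpl src 10.0.0.2 dst 10.0.0.1
\t\tproto esp reqid 16385 mode transport
src 0.0.0.0/0 dst 10.0.0.3/32 proto gre
\tdir out priority 1760 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.3
\t\tproto esp reqid 16386 mode transport
"""

if __name__ == "__main__":
    for name in check(SAMPLE_OVS, SAMPLE_XFRM):
        print(f"WARNING: tunnel {name} has no outbound IPsec policy")
```

On the sample data the check reports `geneve1` and `vxlan0`: `vxlan0` because no policy mentions its peer at all (the state a tunnel is in during the race above), and `geneve1` because the only UDP policy selects destination port 6081 while that tunnel encapsulates on 6082. The second case is the one patch 1/6 addresses from the kernel side: a policy selector can only be matched on ports that the route lookup actually carries. In production, feed the live command output to `check()` from a periodic job and alert on a non-empty result.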
[ovs-dev] [PATCH v5 9/9] Documentation: OVN RBAC and IPsec tutorial
This patch adds a step-by-step guide for configuring OVN Role-Based Access Control and IPsec.

Signed-off-by: Qiuyu Xiao
---
 Documentation/automake.mk | 2 +
 Documentation/index.rst | 4 +-
 Documentation/tutorials/index.rst | 2 +
 Documentation/tutorials/ovn-ipsec.rst | 146 ++
 Documentation/tutorials/ovn-rbac.rst | 134 +++
 5 files changed, 287 insertions(+), 1 deletion(-)
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 5401b9bad..082438e09 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -29,6 +29,8 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ Documentation/tutorials/ipsec.rst \ + Documentation/tutorials/ovn-ipsec.rst \ + Documentation/tutorials/ovn-rbac.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ diff --git a/Documentation/index.rst b/Documentation/index.rst index bab5ba1f1..46261235c 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -66,7 +66,9 @@ vSwitch? Start here. :doc:`tutorials/ovn-sandbox` | :doc:`tutorials/ovn-openstack` | :doc:`tutorials/ovs-conntrack` | - :doc:`tutorials/ipsec` + :doc:`tutorials/ipsec` | + :doc:`tutorials/ovn-ipsec` | + :doc:`tutorials/ovn-rbac` Deeper Dive --- diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index b481090a0..35340ee56 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -44,4 +44,6 @@ vSwitch. ovs-advanced ovn-sandbox ovn-openstack + ovn-rbac + ovn-ipsec ovs-conntrack diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst new file mode 100644 index 0..5a8701905 --- /dev/null +++ b/Documentation/tutorials/ovn-ipsec.rst
@@ -0,0 +1,146 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +OVN IPsec Tutorial +== + +This document provides a step-by-step guide for encrypting tunnel traffic with +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by +physical routers and switches. These physical devices could be untrusted +(devices in public network) or might be compromised. Enabling IPsec encryption +for the tunnel traffic can prevent the traffic data from being monitored and +manipulated. More details about the OVN IPsec design can be found in +``ovn-architecture``\(7) manpage. + +This document assumes OVN is installed in your system and runs normally. Also, +you need to install OVS IPsec packages in each chassis (refer to +:ref:`install-ovs-ipsec`). + +Generating Certificates and Keys + + +OVN chassis uses CA-signed certificate to authenticate peer chassis for +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you +can generate separate certificates and keys with ``ovs-pki`` (refer to +:ref:`gen-certs-keys`). + +.. 
note:: + + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS + field setting the same string as the common name (CN) field. CN should be + set as the chassis name. ``ovs-pki`` in Open vSwitch 2.10.90 and later + generates such certificates. Please generate compatible certificates if you + use another PKI tool, or an older version of ``ovs-pki``, to manage + certificates. + +Configuring OVN IPsec +- + +You need to install the CA certificate, chassis certificate and private key in +each chassis. Use the following command:: + +$ ovs-vsctl set Open_vSwitch . \ +other_config:certificate=/path/to/chassis-cert.pem \ +other_config:private_key=/path/to/chassis-privkey.pem \ +other_config:ca_cert
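Review bot: the tutorial's note says that `ovs-pki` "in Open vSwitch 2.10.90 and later" generates x.509 v3 certificates whose subjectAltName matches the CN, while the NEWS hunk in patch 7/9 records that change under v2.10.0; align the two so a user of 2.10.0 knows whether their ovs-pki output is compatible. The tutorial also relies on the :ref:`install-ovs-ipsec` and :ref:`gen-certs-keys` labels; make sure both are defined in Documentation/tutorials/ipsec.rst from patch 6/9, or the cross-references will break the docs build.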
[ovs-dev] [PATCH v5 6/9] Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-step guide to set up OVS IPsec tunnel.

tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel configuration methods and forwarding modes.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
 Documentation/automake.mk | 2 +
 Documentation/howto/index.rst | 1 +
 Documentation/howto/ipsec.rst | 200 +
 Documentation/index.rst | 3 +-
 Documentation/tutorials/index.rst | 1 +
 Documentation/tutorials/ipsec.rst | 353 ++
 vswitchd/vswitch.xml | 153 -
 7 files changed, 703 insertions(+), 10 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 244479490..5401b9bad 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -28,6 +28,7 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-openstack.rst \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ + Documentation/tutorials/ipsec.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ @@ -60,6 +61,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..32e55b5ac --- /dev/null +++ b/Documentation/howto/ipsec.rst
@@ -0,0 +1,200 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document gives detailed description on the OVS IPsec tunnel and its +configuration modes. If you want to follow a step-by-step guide to run and +test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`. + +Overview + + +Why do encryption? +~~ + +OVS tunnel packets are transported from one machine to another. Along the path, +the packets are processed by physical routers and physical switches. There are +risks that these physical devices might read or write the contents of the +tunnel packets. IPsec encrypts IP payload and prevents the malicious party +sniffing or manipulating the tunnel traffic. + +OVS IPsec +~ + +OVS IPsec aims to provide a simple interface for user to add encryption on OVS +tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec +configuration is done by setting options of the tunnel interface and +other_config of Open_vSwitch. You can choose different authentication methods +and forwarding modes based on your requirements. + +OVS does not currently provide any support for IPsec encryption for traffic not +encapsulated in a tunnel. 
+ +Configuration +- + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. There are three authentication methods: + +1) You can use a pre-shared key (PSK) to do authentication. In both hosts, set + the same PSK value. This PSK is like your password. You should never reveal + it to untrusted parties. This method is easier to use but less secure than + the certificate-based methods:: + + $ ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:local_ip=1.1.1.1 \ + optio
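Review bot: the commit message says tutorials/index.rst gives the step-by-step guide and tutorials/ipsec.rst the detailed explanation, but the hunks add the guide as Documentation/tutorials/ipsec.rst and the detailed description as Documentation/howto/ipsec.rst (tutorials/index.rst only gains a toctree entry); fix the message so `git log` points readers at the right files. In the howto, the PSK example uses `options:local_ip=1.1.1.1`, a live public address; use an RFC 5737 documentation range such as 192.0.2.0/24 there and in the certificate examples that follow the same pattern.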
[ovs-dev] [PATCH v5 7/9] ovs-pki: generate x.509 v3 certificate
This patch modifies ovs-pki to generate x.509 version 3 certificates. Compared with the x.509 v1 certificate generated by ovs-pki, the version 3 certificate adds a subjectAltName field and sets its value the same as the common name (CN). The main reason for this change is to enable the strongSwan IKE daemon to extract the certificate identity string from the subjectAltName field, which makes the OVN IPsec implementation easier.

Signed-off-by: Qiuyu Xiao
---
 NEWS | 3 +++
 utilities/ovs-pki.in | 25 +
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS index f05a6e976..27ef12d59 100644 --- a/NEWS +++ b/NEWS @@ -59,6 +59,9 @@ v2.10.0 - xx xxx both kernel datapath and userspace datapath. * Added port-based and flow-based ERSPAN tunnel port support, added OpenFlow rules matching ERSPAN fields. See ovs-fields(7). + - ovs-pki + * ovs-pki now generates x.509 version 3 certificate. The new format adds + subjectAltName field and sets its value the same as common name (CN). v2.9.0 - 19 Feb 2018 diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..e0ba910f9 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy# default policy email_in_dn= no# Don't add the email into cert DN name_opt = ca_default# Subject name display option cert_opt = ca_default# Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no# Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi
@@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 -openssl ca -config ca.cnf -create_serial -out cacert.pem \ +openssl ca -config ca.cnf -create_serial \ +-extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US @@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } @@ -529,11 +541,16 @@ elif test "$command" = self-sign; then must_exist "$arg1-req.pem" must_exist "$arg1-privkey.pem" must_not_exist "$arg1-cert.pem" +make_tmpdir +cat > "$TMP/v3.ext" <&3 || exit $? + -signkey "$arg1-privkey.pem" -req -days 3650 -text \ + -extfile $TMP/v3.ext) 2>&3 || exit $? # Reset the permissions on the certificate to the user's default. cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" -- 2.18.0
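Review bot: switching the CA configuration to `copy_extensions = copy` means every extension present in a request is copied into the issued certificate unless the named extension section overrides it, and `usr_cert` only pins `basicConstraints=CA:false`; a request handed to `sign_request` can therefore carry an arbitrary `subjectAltName`, which is precisely the field the IKE daemons in this series use as the peer's identity. Either make the CA derive `subjectAltName` in `usr_cert` from the CN it already knows (for instance via an environment variable the script exports before calling `openssl ca`), so a request-supplied SAN is ignored, or compare the request's SAN against its CN before signing. Separately, the `self-sign` hunk is garbled in this message (`cat > "$TMP/v3.ext" <&3`), so the generated v3.ext cannot be reviewed from here; please resend that hunk intact.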
[ovs-dev] [PATCH v5 5/9] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao
Signed-off-by: Ansis Atteka
Co-authored-by: Ansis Atteka
---
 debian/automake.mk | 3 +
 debian/control | 21 ++
 debian/openvswitch-ipsec.dirs | 1 +
 debian/openvswitch-ipsec.init | 181 ++
 debian/openvswitch-ipsec.install | 1 +
 rhel/automake.mk | 1 +
 rhel/openvswitch-fedora.spec.in | 19 +-
 ...b_systemd_system_openvswitch-ipsec.service | 12 ++
 utilities/ovs-ctl.in | 18 ++
 9 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control
@@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..8488beccf --- /dev/null +++ b/debian/openvswitch-ipsec.init 
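Review bot: the openvswitch-ipsec package depends on `python` and `python-openvswitch`, i.e. on Python 2 only; since ovs-monitor-ipsec is put under the flake8 check in this series, state which Python versions the script supports and widen the dependency if it runs under python3, so the package does not tie IPsec support to an interpreter the rest of the packaging may drop. The `debian/openvswitch-ipsec.dirs` file also lacks a trailing newline.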
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you might not +# let some servers
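Review bot: in the debian/control hunk, openvswitch-ipsec depends on strongswan alone, although the daemon being packaged supports both StrongSwan and LibreSwan according to the ovs-monitor-ipsec commit message elsewhere in this series; either relax the dependency (for example `strongswan | libreswan`, assuming Debian ships a libreswan package) or state in the package description that the Debian package is strongSwan-only, so that a LibreSwan host does not end up with two IKE daemons installed.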
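Review bot: the LSB header in the debian/openvswitch-ipsec.init hunk still reads `Short-Description: Open vSwitch GRE-over-IPsec daemon` and `encrypting GRE tunnels with IPsec`, which describes the daemon removed by 2b02d770 rather than the reintroduced one that also handles GENEVE, VXLAN and STT; please update both lines. In the same hunk, `Required-Start` orders the script after openvswitch-switch only, yet ovs-monitor-ipsec drives the IKE daemon that the package depends on; listing that service in Required-Start would make the start-up dependency explicit instead of relying on the daemon retrying.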
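Review bot: debian/openvswitch-ipsec.dirs is committed without a trailing newline (`\ No newline at end of file` in its hunk); add one so the file matches the other packaging files and does not trip line-based tooling.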
[ovs-dev] [PATCH v5 4/9] ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.") After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in: 1. OVSDB:Interface:options column; 2. OVSDB:Open_vSwitch:other_config column; 3. OpenFlow pipeline. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and StrongSwan IKE daemons are supported. User can choose pre-shared key, self-signed peer certificate, or CA-signed certificate as authentication method. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- Makefile.am |1 + ipsec/automake.mk | 10 + ipsec/ovs-monitor-ipsec | 1173 +++ 3 files changed, 1184 insertions(+) create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec diff --git a/Makefile.am b/Makefile.am index 788972804..aeb2d108f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -481,6 +481,7 @@ include tests/automake.mk include include/automake.mk include third-party/automake.mk include debian/automake.mk +include ipsec/automake.mk include vswitchd/automake.mk include ovsdb/automake.mk include rhel/automake.mk diff --git a/ipsec/automake.mk b/ipsec/automake.mk new file mode 100644 index 0..1e530cb42 --- /dev/null +++ b/ipsec/automake.mk @@ -0,0 +1,10 @@ +# Copyright (C) 2017 Nicira, Inc. +# +# Copying and distribution of this file, with or without modification, +# are permitted in any medium without royalty provided the copyright +# notice and this notice are preserved. This file is offered as-is, +# without warranty of any kind. + +EXTRA_DIST += \ +ipsec/ovs-monitor-ipsec +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec new file mode 100755 index 0..163b04004 --- /dev/null +++ b/ipsec/ovs-monitor-ipsec 
@@ -0,0 +1,1173 @@ +#!/usr/bin/env python +# Copyright (c) 2017 Nicira, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import re +import subprocess +import sys +import copy +from string import Template + +import ovs.daemon +import ovs.db.idl +import ovs.dirs +import ovs.unixctl +import ovs.unixctl.server +import ovs.util +import ovs.vlog + + +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n" +SHUNT_POLICY = """conn prevent_unencrypted_gre +type=drop +leftprotoport=gre +mark={0} + +conn prevent_unencrypted_geneve +type=drop +leftprotoport=udp/6081 +mark={0} + +conn prevent_unencrypted_stt +type=drop +leftprotoport=tcp/7471 +mark={0} + +conn prevent_unencrypted_vxlan +type=drop +leftprotoport=udp/4789 +mark={0} + +""" +transp_tmpl = {"gre": Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "gre64": Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "geneve": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/6081 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/6081 + +"""), "stt": Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=tcp/7471 +rightprotoport=tcp + +conn $ifname-out-$version +$auth_section +leftprotoport=tcp +rightprotoport=tcp/7471 + +"""), "vxlan": Template("""\ +conn $ifname-in-$version +$auth_section 
+leftprotoport=udp/4789 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/4789 + +""")} +vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") +exiting = False +monitor = None +xfrm = None + + +class XFRM(object): +"""This class is a simple wrapper around ip-xfrm (8) command line +utility. We are using this class only for informational purposes +so that ovs-monitor-ipsec could verify that IKE keying daemon has +installed IPsec policies and security associations into kernel as +expected.""" + +def __init__(
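Review bot: in the ovs-monitor-ipsec hunk, the drop conns in SHUNT_POLICY for geneve, stt and vxlan set only `leftprotoport` (the local port), whereas the per-interface templates right below need both an `-in` conn (`leftprotoport=udp/6081`) and an `-out` conn (`rightprotoport=udp/6081`) to cover both directions of traffic. An outbound tunnel packet carries an ephemeral source port and destination port 6081, so it does not appear to match the shunt, and a marked packet to a peer whose policy has not been installed yet could still leave unencrypted; please confirm whether a matching right-port drop conn is needed for each encapsulation. Two smaller points in the same hunk: the "gre64" template is byte-for-byte the "gre" one and could reuse the same Template object, and `#!/usr/bin/env python` leaves the interpreter version to the host while the Debian package in this series depends on `python` and `python-openvswitch`; pinning the version, or stating that the script runs under both 2 and 3, avoids a surprise where `python` is Python 3.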
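The XFRM wrapper quoted above exists so that ovs-monitor-ipsec can verify that the IKE daemon really installed the policies it asked for, which is also the check an operator wants when the thread's concern about packets leaking out unencrypted comes up. The following is an added illustration of that check, not code from the patch or from Open vSwitch: it parses `ip xfrm policy` output and reports which direction of a tunnel to a given peer has no ESP policy. The sample output, the 192.0.2.x addresses and the function names are constructed; the selector ports follow the SHUNT_POLICY definitions above, and the assumption that a type=drop shunt prints as `action block` is mine.

```python
import re

# Selector each OVS tunnel type must be protected by, following the
# SHUNT_POLICY / transp_tmpl definitions in ovs-monitor-ipsec: GRE is
# selected by IP protocol, the UDP/TCP encapsulations by tunnel port.
TUNNEL_SELECTORS = {
    "gre": ("gre", None),
    "geneve": ("udp", 6081),
    "vxlan": ("udp", 4789),
    "stt": ("tcp", 7471),
}

# Unindented selector line that opens one record of `ip xfrm policy` output.
SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)

# Constructed sample (not captured from a real host): a GENEVE peer with both
# directions protected, and a VXLAN peer where only the outbound policy exists.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.10/32 dst 192.0.2.20/32 proto udp dport 6081
        dir out priority 1024 ptype main
        tmpl src 192.0.2.10 dst 192.0.2.20
                proto esp reqid 1 mode transport
src 192.0.2.20/32 dst 192.0.2.10/32 proto udp dport 6081
        dir in priority 1024 ptype main
        tmpl src 192.0.2.20 dst 192.0.2.10
                proto esp reqid 1 mode transport
src 192.0.2.10/32 dst 192.0.2.30/32 proto udp dport 4789
        dir out priority 1024 ptype main
        tmpl src 192.0.2.10 dst 192.0.2.30
                proto esp reqid 2 mode transport
"""


def parse_policies(text):
    """Turn `ip xfrm policy` output into a list of dicts holding the selector
    fields, the direction, and whether the policy wraps traffic in ESP (a
    type=drop shunt is assumed to print "action block" and has no template)."""
    policies = []
    current = None
    for raw in text.splitlines():
        if raw.startswith("src "):
            m = SELECTOR_RE.match(raw.strip())
            if not m:
                current = None
                continue
            current = {
                "src": m.group("src").split("/")[0],
                "dst": m.group("dst").split("/")[0],
                "proto": m.group("proto"),
                "dport": int(m.group("dport")) if m.group("dport") else None,
                "dir": None,
                "esp": False,
                "block": False,
            }
            policies.append(current)
        elif current is not None:
            line = raw.strip()
            d = re.search(r"\bdir (in|out|fwd)\b", line)
            if d:
                current["dir"] = d.group(1)
                current["block"] = "action block" in line
            if line.startswith("proto esp"):
                current["esp"] = True
    return policies


def missing_protection(policy_text, local_ip, remote_ip, tunnel_type):
    """Return the directions ("out", "in") of the tunnel to remote_ip that
    have no ESP policy installed; an empty list means both directions are
    protected as ovs-monitor-ipsec expects."""
    proto, port = TUNNEL_SELECTORS[tunnel_type]
    policies = parse_policies(policy_text)
    wanted = (("out", local_ip, remote_ip), ("in", remote_ip, local_ip))
    missing = []
    for direction, src, dst in wanted:
        ok = any(
            p["dir"] == direction and p["src"] == src and p["dst"] == dst
            and p["proto"] == proto and (port is None or p["dport"] == port)
            and p["esp"] and not p["block"]
            for p in policies
        )
        if not ok:
            missing.append(direction)
    return missing


if __name__ == "__main__":
    for peer, kind in (("192.0.2.20", "geneve"), ("192.0.2.30", "vxlan")):
        gaps = missing_protection(SAMPLE_XFRM_POLICY, "192.0.2.10", peer, kind)
        print(peer, kind, "unprotected directions:" if gaps else "protected", gaps)
```

On a live host the text would come from `subprocess.check_output(["ip", "xfrm", "policy"])` in place of the constructed sample; the check deliberately requires the two data-path policies (outbound with the tunnel destination port, inbound with the tunnel port as local destination), which is exactly why the templates on the page emit an `-in` and an `-out` conn for each UDP/TCP tunnel.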
[ovs-dev] [PATCH v5 3/9] datapath: add transport ports in route lookup for stt
This patch adds transport ports information for route lookup so that IPsec can select stt tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/stt.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/datapath/linux/compat/stt.c b/datapath/linux/compat/stt.c index fc7e74f6d..8d16c1f2e 100644 --- a/datapath/linux/compat/stt.c +++ b/datapath/linux/compat/stt.c @@ -972,7 +972,8 @@ err_free_rt: static struct rtable *stt_get_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl, -const struct ip_tunnel_key *key) +const struct ip_tunnel_key *key, +__be16 dport, __be16 sport) { struct net *net = dev_net(dev); @@ -983,6 +984,8 @@ static struct rtable *stt_get_rt(struct sk_buff *skb, fl->flowi4_tos = RT_TOS(key->tos); fl->flowi4_mark = skb->mark; fl->flowi4_proto = IPPROTO_TCP; + fl->fl4_dport = dport; + fl->fl4_sport = sport; return ip_route_output_key(net, fl); } @@ -1009,14 +1012,14 @@ netdev_tx_t ovs_stt_xmit(struct sk_buff *skb) tun_key = _info->key; - rt = stt_get_rt(skb, dev, , tun_key); + sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); + rt = stt_get_rt(skb, dev, , tun_key, dport, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto error; } df = tun_key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0; - sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); skb->ignore_df = 1; stt_xmit_skb(skb, rt, fl.saddr, tun_key->u.ipv4.dst, 
@@ -1818,20 +1821,22 @@ int ovs_stt_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct stt_dev *stt_dev = netdev_priv(dev); struct net *net = stt_dev->net; __be16 dport = stt_dev->dst_port; + __be16 sport; struct flowi4 fl4; struct rtable *rt; if (ip_tunnel_info_af(info) != AF_INET) return -EINVAL; - rt = stt_get_rt(skb, dev, , >key); + sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); + rt = stt_get_rt(skb, dev, , >key, dport, sport); if (IS_ERR(rt)) return PTR_ERR(rt); ip_rt_put(rt); info->key.u.ipv4.src = fl4.saddr; - info->key.tp_src = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); + info->key.tp_src = sport; info->key.tp_dst = dport; return 0; } -- 2.18.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
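Review bot: in the ovs_stt_xmit hunk, `dport` is passed to stt_get_rt but is neither declared nor assigned in the visible context, unlike the ovs_stt_fill_metadata_dst hunk where `__be16 dport = stt_dev->dst_port;` is shown; please confirm it is the same destination port that stt_xmit_skb writes into the TCP header. The policies ovs-monitor-ipsec generates select STT by `tcp/7471`, so a lookup key that differs from the header would let the packet be routed past the policy that is supposed to protect it.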
[ovs-dev] [PATCH v5 2/9] datapath: add transport ports in route lookup for vxlan
This patch adds transport ports information for route lookup so that IPsec can select vxlan tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/vxlan.c | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/datapath/linux/compat/vxlan.c b/datapath/linux/compat/vxlan.c index 7f5d5ce64..b850fdd44 100644 --- a/datapath/linux/compat/vxlan.c +++ b/datapath/linux/compat/vxlan.c @@ -896,6 +896,7 @@ out_free: static struct rtable *vxlan_get_route(struct vxlan_dev *vxlan, struct sk_buff *skb, int oif, u8 tos, __be32 daddr, __be32 *saddr, + __be16 dport, __be16 sport, struct dst_cache *dst_cache, const struct ip_tunnel_info *info) { @@ -918,6 +919,8 @@ static struct rtable *vxlan_get_route(struct vxlan_dev *vxlan, fl4.flowi4_proto = IPPROTO_UDP; fl4.daddr = daddr; fl4.saddr = *saddr; + fl4.fl4_dport = dport; + fl4.fl4_sport = sport; rt = ip_route_output_key(vxlan->net, ); if (!IS_ERR(rt)) { @@ -934,6 +937,7 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, __be32 label, const struct in6_addr *daddr, struct in6_addr *saddr, + __be16 dport, __be16 sport, struct dst_cache *dst_cache, const struct ip_tunnel_info *info) { @@ -961,6 +965,8 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tos), label); fl6.flowi6_mark = skb->mark; fl6.flowi6_proto = IPPROTO_UDP; + fl6.fl6_dport = dport; + fl6.fl6_sport = sport; #ifdef HAVE_IPV6_DST_LOOKUP_NET err = ipv6_stub->ipv6_dst_lookup(vxlan->net, @@ -1090,6 +1096,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, rdst ? rdst->remote_ifindex : 0, tos, dst->sin.sin_addr.s_addr, >sin.sin_addr.s_addr, +dst_port, src_port, dst_cache, info); if (IS_ERR(rt)) { netdev_dbg(dev, "no route to %pI4\n", 
@@ -1149,6 +1156,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, rdst ? rdst->remote_ifindex : 0, tos, label, >sin6.sin6_addr, >sin6.sin6_addr, + dst_port, src_port, dst_cache, info); if (IS_ERR(ndst)) { netdev_dbg(dev, "no route to %pI6\n", @@ -1439,7 +1447,8 @@ int ovs_vxlan_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; rt = vxlan_get_route(vxlan, skb, 0, info->key.tos, info->key.u.ipv4.dst, ->key.u.ipv4.src, NULL, info); +>key.u.ipv4.src, +dport, sport, NULL, info); if (IS_ERR(rt)) return PTR_ERR(rt); ip_rt_put(rt); @@ -1449,7 +1458,8 @@ int ovs_vxlan_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) ndst = vxlan6_get_route(vxlan, skb, 0, info->key.tos, info->key.label, >key.u.ipv6.dst, - >key.u.ipv6.src, NULL, info); + >key.u.ipv6.src, + dport, sport, NULL, info); if (IS_ERR(ndst)) return PTR_ERR(ndst); dst_release(ndst); -- 2.18.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
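Review bot: in the vxlan_get_route hunk, the lookup is now keyed on `fl4.fl4_sport`, which udp_flow_src_port varies per flow, but the function also takes a `dst_cache`; if a cached dst is handed back ahead of this lookup on later packets, the policy matched for the first flow is reused for every source port. That is safe only because the policies installed by ovs-monitor-ipsec select on the fixed tunnel port (`udp/4789`) and never on the source port; a comment where the cache is consulted, or a sentence in the commit message, would spare the next reader that analysis.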
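Review bot: in the ovs_vxlan_fill_metadata_dst hunks, `dport, sport` are passed to vxlan_get_route and vxlan6_get_route but neither is computed in the visible context; the stt and geneve patches of this series obtain sport from udp_flow_src_port once, before the lookup, and then store that same value in `info->key.tp_src`. Please confirm the vxlan variant does the same, so the port used for the policy lookup is the one that ends up in the header.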
[ovs-dev] [PATCH v5 1/9] datapath: add transport ports in route lookup for geneve
This patch adds transport ports information for route lookup so that IPsec can select geneve tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/geneve.c | 29 +++-- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 435a23fb7..95a665ddd 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -836,7 +836,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
@@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1232,13 +1238,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1246,7 +1256,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); 
@@ -1257,8 +1267,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; } - info->key.tp_src = udp_flow_src_port(geneve->net, skb, -
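Review bot: in the geneve_get_v4_rt hunk, `use_cache` is computed right above the new `fl4->fl4_dport` / `fl4->fl4_sport` assignments; when the cached dst is returned, the port-keyed lookup is skipped on subsequent packets, so the policy matched for the first flow is reused for every source port. As with the vxlan patch, this holds because the ovs-monitor-ipsec policies select on the fixed `udp/6081` port rather than the source port; a short comment at the cache lookup would document that reliance. The geneve_get_v6_dst hunk has the same property.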
[ovs-dev] [PATCH v5 0/9] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE daemon support.
2. Add ovs-monitor-ipsec to flake8 check.
3. Use openssl to extract CN from certificate so that users don't need to specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
1. Add scripts and rules to create ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed description on OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificate when self-signing.
4. IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Changes from v3 to v4
1. Split the datapath patch to three patches (geneve, vxlan, stt).
2. Add tutorial for OVN RBAC and OVN IPsec.

Changes from v4 to v5
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve IPsec and OVN-IPsec tutorials as suggested.

Qiuyu Xiao (9):
  datapath: add transport ports in route lookup for geneve
  datapath: add transport ports in route lookup for vxlan
  datapath: add transport ports in route lookup for stt
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  ovs-pki: generate x.509 v3 certificate
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk                     |    4 +
 Documentation/howto/index.rst                 |    1 +
 Documentation/howto/ipsec.rst                 |  200 +++
 Documentation/index.rst                       |    5 +-
 Documentation/tutorials/index.rst             |    3 +
 Documentation/tutorials/ipsec.rst             |  353 +
 Documentation/tutorials/ovn-ipsec.rst         |  146 ++
 Documentation/tutorials/ovn-rbac.rst          |  134 ++
 Makefile.am                                   |    1 +
 NEWS                                          |    3 +
 datapath/linux/compat/geneve.c                |   29 +-
 datapath/linux/compat/stt.c                   |   15 +-
 datapath/linux/compat/vxlan.c                 |   14 +-
 debian/automake.mk                            |    3 +
 debian/control                                |   21 +
 debian/openvswitch-ipsec.dirs                 |    1 +
 debian/openvswitch-ipsec.init                 |  181 +++
 debian/openvswitch-ipsec.install              |    1 +
 ipsec/automake.mk                             |   10 +
 ipsec/ovs-monitor-ipsec                       | 1173 +
 ovn/controller/encaps.c                       |   31 +-
 ovn/controller/encaps.h                       |    7 +-
 ovn/controller/ovn-controller.c               |    4 +-
 ovn/northd/ovn-northd.c                       |    8 +-
 ovn/ovn-architecture.7.xml                    |   39 +
 ovn/ovn-nb.ovsschema                          |    7 +-
 ovn/ovn-nb.xml                                |    6 +
 ovn/ovn-sb.ovsschema                          |    7 +-
 ovn/ovn-sb.xml                                |    6 +
 rhel/automake.mk                              |    1 +
 rhel/openvswitch-fedora.spec.in               |   19 +-
 ...b_systemd_system_openvswitch-ipsec.service |   12 +
 utilities/ovs-ctl.in                          |   18 +
 utilities/ovs-pki.in                          |   25 +-
 vswitchd/vswitch.xml                          |  153 ++-
 35 files changed, 2595 insertions(+), 46 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

-- 
2.18.0
Re: [ovs-dev] [PATCH v4 0/9] IPsec support for tunneling
Thanks for the review! I will start to work on the v5 patch.

-Qiuyu

On Thu, Aug 2, 2018 at 11:47 AM, Ben Pfaff wrote:
> On Tue, Jul 31, 2018 at 02:08:45PM -0700, Qiuyu Xiao wrote:
>> This patch series reintroduce IPsec support for OVS tunneling and enable OVN to
>> use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
>> StrongSwan and LibreSwan IKE daemons are supported.
>
> Thanks a lot for this. I finished my review of v4, and applied some of
> the patches. I hope that you can fold in my suggestions and your own
> comments and post v5.
>
> Thanks again,
>
> Ben.
Re: [ovs-dev] [PATCH v4 8/9] OVN: native support for tunnel encryption
Yes, it makes sense. I will add this to the next revision.

Thanks,
Qiuyu

On Thu, Aug 2, 2018 at 11:31 AM, Ben Pfaff wrote:
> On Tue, Jul 31, 2018 at 02:08:53PM -0700, Qiuyu Xiao wrote:
>> This patch adds IPsec support for OVN tunnel. Basically, OVN offers a
>> binary option to its user for encryption configuration. If the IPsec
>> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel
>> will be encrypted.
>>
>> The changes are summarized as below:
>> 1) Added a ipsec column on the NB_Global table and SB_Global table. The
>> value of ipsec column is propagated by ovn-northd from NB_Global to
>> SB_Global.
>>
>> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec
>> value is true, ovn-controller sets options of the tunnel interface by
>> specifying "options:remote_name=". If the ipsec
>> value is false, ovn-controller removes these options.
>>
>> 3) ovs-monitor-ipsec daemon
>> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html)
>> monitors the tunnel interface options and configures IKE daemon
>> accordingly for IPsec encryption.
>>
>> Signed-off-by: Qiuyu Xiao
>
> It seems like, to be more secure, it would be wise for ovn-controller in
> ipsec mode to set ipsec_skb_mark to 1/1 and then add an OpenFlow flow
> that sets skb_mark to 1. What do you think?
>
> Thanks,
>
> Ben.
Re: [ovs-dev] [PATCH v4 9/9] Documentation: OVN RBAC and IPsec tutorial
Thanks Ben! I made a few comments below. Other than that, all looks pretty good! -Qiuyu On Wed, Aug 1, 2018 at 10:03 AM, Ben Pfaff wrote: > On Tue, Jul 31, 2018 at 02:08:54PM -0700, Qiuyu Xiao wrote: >> This patch adds step-by-step guide for configuring OVN Role-Based Access >> Control and IPsec. >> >> Signed-off-by: Qiuyu Xiao > > You wrote a lot of documentation, and it's really good! Thank you. > > I spent some time working to make it even better. I'm appending an > incremental that I'd suggest folding in. Does it make sense to you? > > Thanks, > > Ben. > > --8<--cut here-->8-- > > diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst > index 17dead5010cf..32e55b5acd0d 100644 > --- a/Documentation/howto/ipsec.rst > +++ b/Documentation/howto/ipsec.rst > @@ -48,7 +48,10 @@ OVS IPsec aims to provide a simple interface for user to > add encryption on OVS > tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec > configuration is done by setting options of the tunnel interface and > other_config of Open_vSwitch. You can choose different authentication methods > -and fowarding modes based on your system requirement. > +and forwarding modes based on your requirements. > + > +OVS does not currently provide any support for IPsec encryption for traffic > not > +encapsulated in a tunnel. > > Configuration > - > @@ -59,7 +62,7 @@ Authentication Methods > Hosts of the IPsec tunnel need to authenticate each other to build a secure > channel. There are three authentication methods: > > -1) You can use pre-shared key (PSK) to do authentication. In both hosts, set > +1) You can use a pre-shared key (PSK) to do authentication. In both hosts, > set > the same PSK value. This PSK is like your password. You should never > reveal > it to untrusted parties. This method is easier to use but less secure than > the certificate-based methods:: 
> @@ -72,9 +75,9 @@ channel. There are three authentication methods: > > .. note:: > > - The local_ip field is required for the IPsec tunnel. > + The ``local_ip`` field is required for the IPsec tunnel. > > -2) You can use self-signed certificate to do authentication. In each host, > +2) You can use a self-signed certificate to do authentication. In each host, > generate a certificate and the paired private key. Copy the certificate of > the remote host to the local host and configure the OVS as following:: > > @@ -98,6 +101,10 @@ channel. There are three authentication methods: >follow the tutorial in :doc:`/tutorials/ipsec` and use ovs-pki(8) to >generate compatible certificate and key. > > + (Before OVS version 2.10.90, ovs-pki(8) did not generate x.509 v3 > + certificates, so if your existing PKI was generated by an older > version, > + it is not suitable for this purpose.) > + > 3) You can also use CA-signed certificate to do authentication. First, you > need > to create a CA certificate and sign each host certificate with the CA key > (please see :doc:`/tutorials/ipsec`). Copy the CA certificate to each > @@ -133,8 +140,8 @@ actually taking affect to encrypt packets. To offset the > risk of unencrypted > packets leaking out during this period, you can choose a more secure > forwarding > mode. There are three forwarding modes: > > -1) The default mode allows unencrypted packets being sent out before IPsec > - taking effect:: > +1) The default mode allows unencrypted packets to be sent before IPsec > + completes negotiation:: > > $ ovs-vsctl add-port br0 ipsec_gre0 -- \ >set interface ipsec_gre0 type=gre \ 
> @@ -146,7 +153,7 @@ mode. There are three forwarding modes: > and/or if there is firewall that can drop the plain packets that > occasionally leak the tunnel unencrypted on OVSDB (re)configuration > events. > > -2) The ipsec_skb_mark mode filters unencrypted packets by using skb mark of > +2) The ipsec_skb_mark mode drops unencrypted packets by using skb_mark of > tunnel packets:: > > $ ovs-vsctl set Open_vSwitch . other_config:ipsec_skb_mark=0/1 > @@ -156,15 +163,15 @@ mode. There are three forwarding modes: > options:remote_ip=2.2.2.2 \ > options:psk=swordfish > > - OVS IPsec filters unencrypted packets which carry the same skb mark as > + OVS IPsec drops unencrypted packets which carry the same skb_mark as > `ipsec_skb_mark`. By setting the ipsec_skb_mark as 0/1, OVS IPsec prevents > - all unencrypted tunnel packets leaving the host s
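Review bot: the PSK paragraph in the howto hunk (the `options:psk=swordfish` example) warns the reader never to reveal the PSK, but not that the very command shown writes the key into the Interface record of OVSDB, where anyone who can read the database (ovs-vsctl, the OVSDB socket, database backups) can read it, nor that a key disclosed on one host is disclosed for every peer configured with it. A sentence on each would make the "less secure than the certificate-based methods" comparison concrete and tell operators what to protect.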
Re: [ovs-dev] [PATCH v4 5/9] debian and rhel: Create IPsec package.
The debian packaging is the same as the packaging we previously had. For debian package, I tested it by installing it in ubuntu 16.04 with 'dpkg -i'. For rpm package, I tested it by installing it in Fedora 27 with 'rpm -i'. Is there any standard method to test packaging?

Thanks,
Qiuyu

On Tue, Jul 31, 2018 at 3:33 PM, Ben Pfaff wrote:
> On Tue, Jul 31, 2018 at 02:08:50PM -0700, Qiuyu Xiao wrote:
>> Added rules and files to create debian and rpm ovs-ipsec packages.
>>
>> Signed-off-by: Qiuyu Xiao
>> Signed-off-by: Ansis Atteka
>> Co-authored-by: Ansis Atteka
>
> Do you or Ansis test the packaging? (Or, for the Debian packaging, is
> it similar enough to the packaging we previously had that it is
> "probably" correct?)
>
> Thanks,
>
> Ben.
Re: [ovs-dev] [PATCH v4 4/9] ipsec: reintroduce IPsec support for tunneling
This looks good. Thanks for fixing them! -Qiuyu On Tue, Jul 31, 2018 at 3:29 PM, Ben Pfaff wrote: > On Tue, Jul 31, 2018 at 02:08:49PM -0700, Qiuyu Xiao wrote: >> This patch reintroduces ovs-monitor-ipsec daemon that >> was previously removed by commit 2b02d770 ("openvswitch: >> Allow external IPsec tunnel management.") >> >> After this patch, there are no IPsec flavored tunnels anymore. >> IPsec is enabled by setting up the right values in: >> 1. OVSDB:Interface:options column; >> 2. OVSDB:Open_vSwitch:other_config column; >> 3. OpenFlow pipeline. >> >> GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and >> StrongSwan IKE daemons are supported. User can choose pre-shared key, >> self-signed peer certificate, or CA-signed certificate as authentication >> method. >> >> Signed-off-by: Qiuyu Xiao >> Signed-off-by: Ansis Atteka >> Co-authored-by: Ansis Atteka > > Thanks for the patch. > > I think that you must not have flake8 installed. It gave me a long list > of stylistic errors. The following incremental fixes them. Does it > look OK? > > --8<--cut here-->8-- > > diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec > index 580c8d8c80a6..163b04004f84 100755 > --- a/ipsec/ovs-monitor-ipsec > +++ b/ipsec/ovs-monitor-ipsec > @@ -14,16 +14,12 @@ > # limitations under the License. > > import argparse > -import glob > -import os > import re > import subprocess > import sys > import copy > from string import Template > > -from ovs.db import error > -from ovs.db import types > import ovs.daemon > import ovs.db.idl > import ovs.dirs 
> @@ -55,19 +51,19 @@ conn prevent_unencrypted_vxlan > mark={0} > > """ > -transp_tmpl = {"gre" : Template("""\ > +transp_tmpl = {"gre": Template("""\ > conn $ifname-$version > $auth_section > leftprotoport=gre > rightprotoport=gre > > -"""), "gre64" : Template("""\ > +"""), "gre64": Template("""\ > conn $ifname-$version > $auth_section > leftprotoport=gre > rightprotoport=gre > > -"""), "geneve" : Template("""\ > +"""), "geneve": Template("""\ > conn $ifname-in-$version > $auth_section > leftprotoport=udp/6081 > @@ -78,7 +74,7 @@ $auth_section > leftprotoport=udp > rightprotoport=udp/6081 > > -"""), "stt" : Template("""\ > +"""), "stt": Template("""\ > conn $ifname-in-$version > $auth_section > leftprotoport=tcp/7471 > @@ -89,7 +85,7 @@ $auth_section > leftprotoport=tcp > rightprotoport=tcp/7471 > > -"""), "vxlan" : Template("""\ > +"""), "vxlan": Template("""\ > conn $ifname-in-$version > $auth_section > leftprotoport=udp/4789 > @@ -106,6 +102,7 @@ exiting = False > monitor = None > xfrm = None > > + > class XFRM(object): > """This class is a simple wrapper around ip-xfrm (8) command line > utility. We are using this class only for informational purposes > @@ -130,11 +127,11 @@ class XFRM(object): > a = line.split(" ") > if len(a) >= 4 and a[0] == "src" and a[2] == "dst": > dst = (a[3].split("/"))[0] > -if not dst in policies: > +if dst not in policies: > policies[dst] = [] > policies[dst].append(line) > src = (a[3].split("/"))[0] > -if not src in policies: > +if src not in policies: > policies[src] = [] > policies[src].append(line) > return policies > @@ -155,14 +152,15 @@ class XFRM(object): > and a[1] == "src" and a[3] == "dst": > remote_ip = a[4].rstrip().split("/")[0] > local_ip = a[2].rstrip().split("/")[0] > -if not remote_ip in securities: > +if remote_ip not in securities: > securities[remote_ip] = [] > securities[remote_ip].append(line) > -if not local_ip in securities: > +if local_ip not in securities: >
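Review bot: in the XFRM.get_policies hunk, both dictionary keys are derived from the same field, `dst = (a[3].split("/"))[0]` and then `src = (a[3].split("/"))[0]`, so every policy line is appended twice under its destination address and never under its source address; given the `src ... dst ...` layout that the `a[0] == "src" and a[2] == "dst"` test relies on, `src` should come from `a[1]`. This incremental only changes `not in` spelling there, but it is the natural place to fix it, since the lookup by peer address is what the daemon's verification depends on.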
[ovs-dev] [PATCH v4 9/9] Documentation: OVN RBAC and IPsec tutorial
This patch adds step-by-step guide for configuring OVN Role-Based Access Control and IPsec. Signed-off-by: Qiuyu Xiao --- Documentation/automake.mk | 2 + Documentation/tutorials/index.rst | 2 + Documentation/tutorials/ovn-ipsec.rst | 144 ++ Documentation/tutorials/ovn-rbac.rst | 134 4 files changed, 282 insertions(+) create mode 100644 Documentation/tutorials/ovn-ipsec.rst create mode 100644 Documentation/tutorials/ovn-rbac.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 5401b9bad..082438e09 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -29,6 +29,8 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ Documentation/tutorials/ipsec.rst \ + Documentation/tutorials/ovn-ipsec.rst \ + Documentation/tutorials/ovn-rbac.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index b481090a0..35340ee56 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -44,4 +44,6 @@ vSwitch. ovs-advanced ovn-sandbox ovn-openstack + ovn-rbac + ovn-ipsec ovs-conntrack diff --git a/Documentation/tutorials/ovn-ipsec.rst b/Documentation/tutorials/ovn-ipsec.rst new file mode 100644 index 0..76269c46a --- /dev/null +++ b/Documentation/tutorials/ovn-ipsec.rst 
@@ -0,0 +1,144 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +OVN IPsec Tutorial +== + +This document provides a step-by-step guide for encrypting tunnel traffic with +IPsec in Open Virtual Network (OVN). OVN tunnel traffic is transported by +physical routers and switches. These physical devices could be untrusted +(devices in public network) or might be compromised. Enabling IPsec encryption +for the tunnel traffic can prevent the traffic data from being monitored and +manipulated. More details about the OVN IPsec design can be found in +``ovn-architecture``\(7) manpage. + +This document assumes OVN is installed in your system and runs normally. Also, +you need to install OVS IPsec packages in each chassis (refer to +:ref:`install-ovs-ipsec`). + +Generating Certificates and Keys + + +OVN chassis uses CA-signed certificate to authenticate peer chassis for +building IPsec tunnel. If you have enabled Role-Based Access Control (RBAC) in +OVN, you can use the RBAC SSL certificates and keys to set up OVN IPsec. Or you +can generate seperate certificates and keys with ``ovs-pki`` (refer to +:ref:`gen-certs-keys`). + +.. 
note:: + + OVN IPsec requires x.509 version 3 certificate with the subjectAltName DNS + field setting the same string as the common name (CN) field. CN should be + set as the chassis name. Please generate compatible certificates if you use + another PKI tool to manage certificates. + +Configuring OVN IPsec +- + +You need to install the CA certificate, chassis certificate and private key in +each chassis. Use the following command:: + +$ ovs-vsctl set Open_vSwitch . \ +other_config:certificate=/path/to/chassis-cert.pem \ +other_config:private_key=/path/to/chassis-privkey.pem \ +other_config:ca_cert=/path/to/cacert.pem + +Enabling OVN IPsec +-- + +To enable OVN IPsec, set `ipsec` column in `NB_Global` table of the northbound +database to be true:: + +$ ovn-nbctl set nb_global . ipsec=true + +With OVN IPsec enabled, all tunnel traffic in OVN will be encrypted with IPsec. +To disable it, set `ipsec` column in `NB_Global` table of the northbound +database to be false:: + +$ ovn-nbctl set nb_global . ipsec=false + +Troubleshooting +--- + +ovs-monitor-ipsec daemon in each chassis manages and monitors the IPsec tunnel +state. Use the following ovs-apptcl command to get ovs-monitor-ipsec inte
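Review bot: two typos in the ovn-ipsec.rst hunk will ship in the rendered tutorial: "seperate certificates and keys" under Generating Certificates and Keys should be "separate", and "ovs-apptcl command" under Troubleshooting should be "ovs-appctl". In the Configuring OVN IPsec section, the `other_config:private_key=/path/to/chassis-privkey.pem` line points at the chassis's long-term key, and the same section tells readers they may reuse the RBAC SSL key; a sentence saying that the key file must stay readable only by the user the IKE daemon and OVS run as would help operators who follow the tutorial verbatim.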
[ovs-dev] [PATCH v4 6/9] Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-step guide to set up an OVS IPsec tunnel. tutorials/ipsec.rst gives a detailed explanation of the IPsec tunnel configuration methods and forwarding modes. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- Documentation/automake.mk | 2 + Documentation/howto/index.rst | 1 + Documentation/howto/ipsec.rst | 193 + Documentation/tutorials/index.rst | 1 + Documentation/tutorials/ipsec.rst | 342 ++ vswitchd/vswitch.xml | 122 ++- 6 files changed, 652 insertions(+), 9 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 Documentation/tutorials/ipsec.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 244479490..5401b9bad 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -28,6 +28,7 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-openstack.rst \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ + Documentation/tutorials/ipsec.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ @@ -60,6 +61,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..17dead501 --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,193 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document gives detailed description on the OVS IPsec tunnel and its +configuration modes. If you want to follow a step-by-step guide to run and +test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`. + +Overview + + +Why do encryption? +~~ + +OVS tunnel packets are transported from one machine to another. Along the path, +the packets are processed by physical routers and physical switches. There are +risks that these physical devices might read or write the contents of the +tunnel packets. IPsec encrypts IP payload and prevents the malicious party +sniffing or manipulating the tunnel traffic. + +OVS IPsec +~ + +OVS IPsec aims to provide a simple interface for user to add encryption on OVS +tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec +configuration is done by setting options of the tunnel interface and +other_config of Open_vSwitch. You can choose different authentication methods +and fowarding modes based on your system requirement. + +Configuration +- + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. 
There are three authentication methods: + +1) You can use pre-shared key (PSK) to do authentication. In both hosts, set + the same PSK value. This PSK is like your password. You should never reveal + it to untrusted parties. This method is easier to use but less secure than + the certificate-based methods:: + + $ ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:local_ip=1.1.1.1 \ + options:remote_ip=2.2.2.2 \ + options:psk=swordfish + + .. note:: + + The local_ip field is required for the IPsec tunnel. + +2) You
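Review bot: in the howto/ipsec.rst hunk, the PSK example `options:psk=swordfish` puts the shared secret in clear text into the Interface table, so anyone who can read the OVSDB (ovs-vsctl show, a database dump, a backup) recovers it; the sentence "You should never reveal it to untrusted parties" should say this explicitly, since readers will otherwise assume the secret lives only in the IKE daemon's config. Two nits in the same hunk: "fowarding modes" should be "forwarding modes", and "It supports GRE, GENEVE, VXLAN, and STT tunnel" reads better as "tunnels".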
[ovs-dev] [PATCH v4 8/9] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted. The changes are summarized as below: 1) Added an ipsec column on the NB_Global table and SB_Global table. The value of ipsec column is propagated by ovn-northd from NB_Global to SB_Global. 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:remote_name=". If the ipsec value is false, ovn-controller removes these options. 3) ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures IKE daemon accordingly for IPsec encryption. Signed-off-by: Qiuyu Xiao --- ovn/controller/encaps.c | 31 ++ ovn/controller/encaps.h | 7 +- ovn/controller/ovn-controller.c | 4 +++- ovn/northd/ovn-northd.c | 8 +-- ovn/ovn-architecture.7.xml | 39 + ovn/ovn-nb.ovsschema| 7 +++--- ovn/ovn-nb.xml | 6 + ovn/ovn-sb.ovsschema| 7 +++--- ovn/ovn-sb.xml | 6 + 9 files changed, 101 insertions(+), 14 deletions(-) diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..2169920ba 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,9 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap, + const char *local_ip) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip); 
@@ -90,6 +91,16 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +if (local_ip) { +smap_add(, "local_ip", local_ip); +} else { +VLOG_INFO("Need to specify encap ip for IPsec tunnels."); +} +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +168,9 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg, + const struct ovsrec_open_vswitch_table *ovs_table) { if (!ovs_idl_txn || !br_int) { return; @@ -201,6 +214,16 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, } } +/* Get IP address of local chassis. */ +const char *chassis_ip; +const struct ovsrec_open_vswitch *cfg; +cfg = ovsrec_open_vswitch_table_first(ovs_table); +if (cfg) { +chassis_ip = smap_get(>external_ids, "ovn-encap-ip"); +} else { +chassis_ip = NULL; +} + SBREC_CHASSIS_TABLE_FOR_EACH (chassis_rec, chassis_table) { if (strcmp(chassis_rec->name, chassis_id)) { /* Create tunnels to the other chassis. */ @@ -209,7 +232,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap, chassis_ip); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..680b62df7 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h 
@@ -23,13 +23,18 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *, +const struct ovsrec_open_vswitch_table *); + bool encaps_cleanup(struct ovsdb_idl_txn
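Review bot: in the tunnel_add() hunk of encaps.c, when `sbg->ipsec` is true but `local_ip` is NULL the code only logs at INFO and still creates the tunnel without `local_ip`, so a tunnel that policy says must be encrypted comes up lacking the option ovs-monitor-ipsec keys on, and because tunnel_add() runs inside SBREC_CHASSIS_TABLE_FOR_EACH the same "Need to specify encap ip" line is emitted once per remote chassis on every encaps_run() pass. Suggest a rate-limited VLOG_WARN_RL that names the chassis, and either skipping tunnel creation for that chassis or stating in the commit message and the OVN IPsec docs that external_ids:ovn-encap-ip is mandatory whenever NB_Global.ipsec is true (the part of the 9/9 tutorial shown in this thread does not mention it).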
[ovs-dev] [PATCH v4 7/9] ovs-pki: generate x.509 v3 certificate
This patch modifies ovs-pki to generate x.509 version 3 certificate. Compared with the x.509 v1 certificate generated by ovs-pki, version 3 certificate adds subjectAltName field and sets its value the same as common name (CN). The main reason for this change is to enable strongSwan IKE daemon to extract certificate identity string from the subjectAltName field, which makes OVN IPsec implementation easier. Signed-off-by: Qiuyu Xiao --- NEWS | 3 +++ utilities/ovs-pki.in | 25 + 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index f05a6e976..27ef12d59 100644 --- a/NEWS +++ b/NEWS @@ -59,6 +59,9 @@ v2.10.0 - xx xxx both kernel datapath and userspace datapath. * Added port-based and flow-based ERSPAN tunnel port support, added OpenFlow rules matching ERSPAN fields. See ovs-fields(7). + - ovs-pki + * ovs-pki now generates x.509 version 3 certificate. The new format adds + subjectAltName field and sets its value the same as common name (CN). v2.9.0 - 19 Feb 2018 diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..e0ba910f9 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy# default policy email_in_dn= no# Don't add the email into cert DN name_opt = ca_default# Subject name display option cert_opt = ca_default# Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no# Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi 
@@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 -openssl ca -config ca.cnf -create_serial -out cacert.pem \ +openssl ca -config ca.cnf -create_serial \ +-extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US @@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } @@ -529,11 +541,16 @@ elif test "$command" = self-sign; then must_exist "$arg1-req.pem" must_exist "$arg1-privkey.pem" must_not_exist "$arg1-cert.pem" +make_tmpdir +cat > "$TMP/v3.ext" <&3 || exit $? + -signkey "$arg1-privkey.pem" -req -days 3650 -text \ + -extfile $TMP/v3.ext) 2>&3 || exit $? # Reset the permissions on the certificate to the user's default. cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" -- 2.18.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
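Review bot: the ca.cnf hunk (`-copy_extensions = none` / `+copy_extensions = copy`) makes the CA copy whatever extensions a requester placed in its CSR into the signed certificate, and nothing in sign_request() checks that the copied subjectAltName matches the CN the policy requires to be supplied; since the series makes strongSwan take the peer identity from subjectAltName, the requester is effectively choosing its own IPsec identity. Suggest keeping `copy_extensions = none` and emitting subjectAltName on the CA side from the CN in the `usr_cert` section, or at least documenting that the CA operator must inspect requests before signing, as the openssl-ca(1) manual warns for this setting.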
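Review bot: in the self-sign hunk, `-extfile $TMP/v3.ext` is the only unquoted path in the command while `"$arg1-privkey.pem"` and `"$arg1-cert.pem.tmp"` are quoted; quote it as `"$TMP/v3.ext"`. The hunk also adds a make_tmpdir call to the self-sign path; please confirm the temporary directory is cleaned up on the `|| exit $?` error path and not only after a successful run.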
[ovs-dev] [PATCH v4 5/9] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- debian/automake.mk| 3 + debian/control| 21 ++ debian/openvswitch-ipsec.dirs | 1 + debian/openvswitch-ipsec.init | 181 ++ debian/openvswitch-ipsec.install | 1 + rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in | 19 +- ...b_systemd_system_openvswitch-ipsec.service | 12 ++ utilities/ovs-ctl.in | 18 ++ 9 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control 
@@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..8488beccf --- /dev/null +++ b/debian/openvswitch-ipsec.init 
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you might not +# let some servers
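Review bot: the debian/control hunk hard-codes `Depends: ... strongswan`, although the 4/9 commit message says both LibreSwan and StrongSwan IKE daemons are supported; if the package is meant to work with either, express it as an alternative (`strongswan | libreswan`) and let ovs-monitor-ipsec pick up whichever is installed, otherwise state in the package description that the Debian package is StrongSwan-only.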
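Review bot: the openvswitch-ipsec.init hunk reuses the old script header unchanged: "Short-Description: Open vSwitch GRE-over-IPsec daemon" and "provides support for encrypting GRE tunnels with IPsec" describe the removed GRE-only daemon, while the reintroduced ovs-monitor-ipsec handles GRE, VXLAN, GENEVE and STT; update both lines, and consider whether the 2007/2009 copyright block still reflects the file's authorship after this rewrite.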
[ovs-dev] [PATCH v4 4/9] ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.") After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in: 1. OVSDB:Interface:options column; 2. OVSDB:Open_vSwitch:other_config column; 3. OpenFlow pipeline. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and StrongSwan IKE daemons are supported. User can choose pre-shared key, self-signed peer certificate, or CA-signed certificate as authentication method. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- Makefile.am |1 + ipsec/automake.mk | 10 + ipsec/ovs-monitor-ipsec | 1158 +++ 3 files changed, 1169 insertions(+) create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec diff --git a/Makefile.am b/Makefile.am index 788972804..aeb2d108f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -481,6 +481,7 @@ include tests/automake.mk include include/automake.mk include third-party/automake.mk include debian/automake.mk +include ipsec/automake.mk include vswitchd/automake.mk include ovsdb/automake.mk include rhel/automake.mk diff --git a/ipsec/automake.mk b/ipsec/automake.mk new file mode 100644 index 0..1e530cb42 --- /dev/null +++ b/ipsec/automake.mk @@ -0,0 +1,10 @@ +# Copyright (C) 2017 Nicira, Inc. +# +# Copying and distribution of this file, with or without modification, +# are permitted in any medium without royalty provided the copyright +# notice and this notice are preserved. This file is offered as-is, +# without warranty of any kind. + +EXTRA_DIST += \ +ipsec/ovs-monitor-ipsec +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec new file mode 100755 index 0..580c8d8c8 --- /dev/null +++ b/ipsec/ovs-monitor-ipsec 
@@ -0,0 +1,1158 @@ +#!/usr/bin/env python +# Copyright (c) 2017 Nicira, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import glob +import os +import re +import subprocess +import sys +import copy +from string import Template + +from ovs.db import error +from ovs.db import types +import ovs.daemon +import ovs.db.idl +import ovs.dirs +import ovs.unixctl +import ovs.unixctl.server +import ovs.util +import ovs.vlog + + +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n" +SHUNT_POLICY = """conn prevent_unencrypted_gre +type=drop +leftprotoport=gre +mark={0} + +conn prevent_unencrypted_geneve +type=drop +leftprotoport=udp/6081 +mark={0} + +conn prevent_unencrypted_stt +type=drop +leftprotoport=tcp/7471 +mark={0} + +conn prevent_unencrypted_vxlan +type=drop +leftprotoport=udp/4789 +mark={0} + +""" +transp_tmpl = {"gre" : Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "gre64" : Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "geneve" : Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/6081 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/6081 + +"""), "stt" : Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=tcp/7471 +rightprotoport=tcp + +conn $ifname-out-$version +$auth_section +leftprotoport=tcp +rightprotoport=tcp/7471 
+ +"""), "vxlan" : Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/4789 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/4789 + +""")} +vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") +exiting = False +monitor = None +xfrm = None + +class XFRM(object): +"""This class is a simple wrapper around ip-xfrm (8) command line +utility. We are using this class only for informational purposes +so that ovs-monitor-ipsec could verify that IKE keying daemon has +installed IPsec policies and security association
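Review bot: in the ovs-monitor-ipsec hunk, the SHUNT_POLICY drop conns for geneve, stt and vxlan pin only the local side (`leftprotoport=udp/6081`, `tcp/7471`, `udp/4789`) with no rightprotoport, whereas the per-tunnel templates need both an `-in` conn (left port fixed) and an `-out` conn (right port fixed) because the local port of an outbound tunnel packet is ephemeral; as written the shunt appears to cover only the inbound direction, so an outbound packet toward a peer with no matching conn would not be caught. Please verify, and if so add a second drop conn per encapsulation with `rightprotoport=` set the same way the `-out` templates do. Also, the `gre64` template is a byte-for-byte copy of `gre` and gre64 is not among the tunnel types the commit message lists; drop it or say why it is kept.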
[ovs-dev] [PATCH v4 3/9] datapath: add transport ports in route lookup for stt
This patch adds transport ports information for route lookup so that IPsec can select stt tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/stt.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/datapath/linux/compat/stt.c b/datapath/linux/compat/stt.c index fc7e74f6d..8d16c1f2e 100644 --- a/datapath/linux/compat/stt.c +++ b/datapath/linux/compat/stt.c @@ -972,7 +972,8 @@ err_free_rt: static struct rtable *stt_get_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl, -const struct ip_tunnel_key *key) +const struct ip_tunnel_key *key, +__be16 dport, __be16 sport) { struct net *net = dev_net(dev); @@ -983,6 +984,8 @@ static struct rtable *stt_get_rt(struct sk_buff *skb, fl->flowi4_tos = RT_TOS(key->tos); fl->flowi4_mark = skb->mark; fl->flowi4_proto = IPPROTO_TCP; + fl->fl4_dport = dport; + fl->fl4_sport = sport; return ip_route_output_key(net, fl); } @@ -1009,14 +1012,14 @@ netdev_tx_t ovs_stt_xmit(struct sk_buff *skb) tun_key = _info->key; - rt = stt_get_rt(skb, dev, , tun_key); + sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); + rt = stt_get_rt(skb, dev, , tun_key, dport, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto error; } df = tun_key->tun_flags & TUNNEL_DONT_FRAGMENT ? htons(IP_DF) : 0; - sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); skb->ignore_df = 1; stt_xmit_skb(skb, rt, fl.saddr, tun_key->u.ipv4.dst, 
@@ -1818,20 +1821,22 @@ int ovs_stt_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct stt_dev *stt_dev = netdev_priv(dev); struct net *net = stt_dev->net; __be16 dport = stt_dev->dst_port; + __be16 sport; struct flowi4 fl4; struct rtable *rt; if (ip_tunnel_info_af(info) != AF_INET) return -EINVAL; - rt = stt_get_rt(skb, dev, , >key); + sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); + rt = stt_get_rt(skb, dev, , >key, dport, sport); if (IS_ERR(rt)) return PTR_ERR(rt); ip_rt_put(rt); info->key.u.ipv4.src = fl4.saddr; - info->key.tp_src = udp_flow_src_port(net, skb, 1, USHRT_MAX, true); + info->key.tp_src = sport; info->key.tp_dst = dport; return 0; } -- 2.18.0
[ovs-dev] [PATCH v4 2/9] datapath: add transport ports in route lookup for vxlan
This patch adds transport ports information for route lookup so that IPsec can select vxlan tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/vxlan.c | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/datapath/linux/compat/vxlan.c b/datapath/linux/compat/vxlan.c index 7f5d5ce64..b850fdd44 100644 --- a/datapath/linux/compat/vxlan.c +++ b/datapath/linux/compat/vxlan.c @@ -896,6 +896,7 @@ out_free: static struct rtable *vxlan_get_route(struct vxlan_dev *vxlan, struct sk_buff *skb, int oif, u8 tos, __be32 daddr, __be32 *saddr, + __be16 dport, __be16 sport, struct dst_cache *dst_cache, const struct ip_tunnel_info *info) { @@ -918,6 +919,8 @@ static struct rtable *vxlan_get_route(struct vxlan_dev *vxlan, fl4.flowi4_proto = IPPROTO_UDP; fl4.daddr = daddr; fl4.saddr = *saddr; + fl4.fl4_dport = dport; + fl4.fl4_sport = sport; rt = ip_route_output_key(vxlan->net, ); if (!IS_ERR(rt)) { @@ -934,6 +937,7 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, __be32 label, const struct in6_addr *daddr, struct in6_addr *saddr, + __be16 dport, __be16 sport, struct dst_cache *dst_cache, const struct ip_tunnel_info *info) { @@ -961,6 +965,8 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan, fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tos), label); fl6.flowi6_mark = skb->mark; fl6.flowi6_proto = IPPROTO_UDP; + fl6.fl6_dport = dport; + fl6.fl6_sport = sport; #ifdef HAVE_IPV6_DST_LOOKUP_NET err = ipv6_stub->ipv6_dst_lookup(vxlan->net, @@ -1090,6 +1096,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, rdst ? rdst->remote_ifindex : 0, tos, dst->sin.sin_addr.s_addr, >sin.sin_addr.s_addr, +dst_port, src_port, dst_cache, info); if (IS_ERR(rt)) { netdev_dbg(dev, "no route to %pI4\n", 
@@ -1149,6 +1156,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, rdst ? rdst->remote_ifindex : 0, tos, label, >sin6.sin6_addr, >sin6.sin6_addr, + dst_port, src_port, dst_cache, info); if (IS_ERR(ndst)) { netdev_dbg(dev, "no route to %pI6\n", @@ -1439,7 +1447,8 @@ int ovs_vxlan_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; rt = vxlan_get_route(vxlan, skb, 0, info->key.tos, info->key.u.ipv4.dst, ->key.u.ipv4.src, NULL, info); +>key.u.ipv4.src, +dport, sport, NULL, info); if (IS_ERR(rt)) return PTR_ERR(rt); ip_rt_put(rt); @@ -1449,7 +1458,8 @@ int ovs_vxlan_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) ndst = vxlan6_get_route(vxlan, skb, 0, info->key.tos, info->key.label, >key.u.ipv6.dst, - >key.u.ipv6.src, NULL, info); + >key.u.ipv6.src, + dport, sport, NULL, info); if (IS_ERR(ndst)) return PTR_ERR(ndst); dst_release(ndst); -- 2.18.0
[ovs-dev] [PATCH v4 1/9] datapath: add transport ports in route lookup for geneve
This patch adds transport ports information for route lookup so that IPsec can select geneve tunnel traffic to do encryption. Signed-off-by: Qiuyu Xiao Reviewed-by: Greg Rose Tested-by: Greg Rose --- datapath/linux/compat/geneve.c | 29 +++-- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 435a23fb7..95a665ddd 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -836,7 +836,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
@@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1232,13 +1238,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1246,7 +1256,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); 
@@ -1257,8 +1267,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; } - info->key.tp_src = udp_flow_src_port(geneve->net, skb, -
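Review bot: the geneve.c commit message carries no reference to the corresponding upstream Linux change, yet datapath/linux/compat/geneve.c is a backport of the upstream driver and the thread below (Ben Pfaff's reply on v3) asks for the Geneve part to land upstream before it goes into the OVS tree; add an "Upstream commit" line once it exists, or state in the message that the change is OVS-only and why. Within the hunks themselves the change is consistent: the same `sport` from udp_flow_src_port() is now used for both the route lookup and `info->key.tp_src`, so the policy-matched route and the emitted packet agree on the 4-tuple.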
[ovs-dev] [PATCH v4 0/9] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
1. Merge the ovs-monitor-ipsec code into a single patch. Add LibreSwan IKE daemon support.
2. Add ovs-monitor-ipsec to the flake8 check.
3. Use openssl to extract the CN from the certificate so that users don't need to specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
1. Add scripts and rules to create the ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst, which gives a step-by-step OVS IPsec tutorial. Modify Documentation/howto/ipsec.rst, which gives a detailed description of OVS IPsec configuration modes.
3. Modify ovs-pki to generate x.509 version 3 certificates when doing self-sign.
4. The IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section to ovn/ovn-architecture.7.xml to introduce OVN IPsec.

Changes from v3 to v4
1. Split the datapath patch into three patches (geneve, vxlan, stt).
2. Add tutorials for OVN RBAC and OVN IPsec.

Qiuyu Xiao (9):
  datapath: add transport ports in route lookup for geneve
  datapath: add transport ports in route lookup for vxlan
  datapath: add transport ports in route lookup for stt
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  ovs-pki: generate x.509 v3 certificate
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk                         |    4 +
 Documentation/howto/index.rst                     |    1 +
 Documentation/howto/ipsec.rst                     |  193 +++
 Documentation/tutorials/index.rst                 |    3 +
 Documentation/tutorials/ipsec.rst                 |  342 +
 Documentation/tutorials/ovn-ipsec.rst             |  144 ++
 Documentation/tutorials/ovn-rbac.rst              |  134 ++
 Makefile.am                                       |    1 +
 NEWS                                              |    3 +
 datapath/linux/compat/geneve.c                    |   29 +-
 datapath/linux/compat/stt.c                       |   15 +-
 datapath/linux/compat/vxlan.c                     |   14 +-
 debian/automake.mk                                |    3 +
 debian/control                                    |   21 +
 debian/openvswitch-ipsec.dirs                     |    1 +
 debian/openvswitch-ipsec.init                     |  181 +++
 debian/openvswitch-ipsec.install                  |    1 +
 ipsec/automake.mk                                 |   10 +
 ipsec/ovs-monitor-ipsec                           | 1158 +
 ovn/controller/encaps.c                           |   31 +-
 ovn/controller/encaps.h                           |    7 +-
 ovn/controller/ovn-controller.c                   |    4 +-
 ovn/northd/ovn-northd.c                           |    8 +-
 ovn/ovn-architecture.7.xml                        |   39 +
 ovn/ovn-nb.ovsschema                              |    7 +-
 ovn/ovn-nb.xml                                    |    6 +
 ovn/ovn-sb.ovsschema                              |    7 +-
 ovn/ovn-sb.xml                                    |    6 +
 rhel/automake.mk                                  |    1 +
 rhel/openvswitch-fedora.spec.in                   |   19 +-
 ...b_systemd_system_openvswitch-ipsec.service     |   12 +
 utilities/ovs-ctl.in                              |   18 +
 utilities/ovs-pki.in                              |   25 +-
 vswitchd/vswitch.xml                              |  122 +-
 34 files changed, 2525 insertions(+), 45 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

-- 
2.18.0
Re: [ovs-dev] [PATCH v3 1/6] datapath: add transport ports in route lookup to enable IPsec policy match.
Greg gave me Reviewed-by and Tested-by tags. I will add those to commit messages.

Thanks,
Qiuyu

On Mon, Jul 30, 2018 at 9:49 AM, Ben Pfaff wrote:
> On Fri, Jul 27, 2018 at 01:44:29PM -0700, Qiuyu Xiao wrote:
>> This patch adds transport ports information for route lookup so that IPsec
>> can select tunnel traffic (geneve, stt, vxlan) to do encryption.
>>
>> The patch was tested for geneve, stt, and vxlan tunnel and the results
>> show that IPsec policy can be set to only match the corresponding tunnel
>> traffic.
>>
>> Signed-off-by: Qiuyu Xiao
>
> I think that this patch should probably be broken up into three:
>
> 1. Geneve changes. These changes need to go to upstream Linux before
>    we commit them to the OVS repo.
>
> 2. VXLAN changes. As I understand it, similar changes are already
>    upstream, so we can put them into OVS right away.
>
> 3. STT changes. STT is not in upstream Linux, so we can put these into
>    OVS right away too.
>
> I think that Greg has already positively reviewed this. Did he give you
> an Acked-by tag? If he did, then you should add it to the commit
> message.
Re: [ovs-dev] [PATCH v3 0/6] IPsec support for tunneling
In both cases, IPsec won't be correctly set up in the system. The traffic might be sent out in cleartext. Maybe we can let the ovs-monitor-ipsec daemon monitor whether the IPsec tunnel is actually taking effect in the system and report it on the tunnel interface, so that users won't have wrong assumptions about the IPsec tunnel state.

-Qiuyu

On Fri, Jul 27, 2018 at 4:52 PM, Ben Pfaff wrote:
> On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
>> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
>> > This patch series reintroduce IPsec support for OVS tunneling and
>> > enable OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
>> > tunnels are supported. StrongSwan and LibreSwan IKE daemons are
>> > supported.
>>
>> Thank you.
>>
>> My first impression is that this is a really complete, high-quality
>> series. I'll work on reviewing it in detail.
>
> I have a couple of overall questions about security here. What happens
> if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
> too old to support IPsec? (Will traffic be sent and received in
> cleartext?) What about if IPsec is configured on a tunnel, but the OVS
> userspace is too old to support IPsec?
>
> Thanks,
>
> Ben.
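Ben's question above is whether a tunnel can silently carry cleartext when one side lacks IPsec support, and Qiuyu's reply proposes having ovs-monitor-ipsec verify that IPsec actually took effect. The following is an added example of that verification, written for this page and not taken from ovs-monitor-ipsec or the patch series: it parses `ip xfrm policy` output and reports, per tunnel, which traffic directions have no ESP policy at all. It assumes the selector shapes of the conn templates in the ipsec/ovs-monitor-ipsec patch (GRE by protocol; Geneve, VXLAN and STT by port 6081, 4789 and 7471, with an in and an out conn each) and the text format iproute2 prints; the sample output is constructed.

```python
"""Decide from the kernel XFRM policy database whether each OVS tunnel is
really covered by IPsec, so a tunnel that would carry cleartext is reported
instead of assumed encrypted.  Added example for the thread above, not part
of the OVS patches; parses `ip xfrm policy` text, sample output constructed.
"""
import re
from collections import namedtuple

Policy = namedtuple("Policy", "src dst proto sport dport direction esp")

# Transport selectors matching the conn templates ovs-monitor-ipsec emits:
# (protocol name as printed by ip-xfrm, tunnel port or None for GRE).
TUNNEL_SELECTORS = {"gre": ("gre", None), "geneve": ("udp", 6081),
                    "vxlan": ("udp", 4789), "stt": ("tcp", 7471)}

_HEAD = re.compile(r"^src (\S+) dst (\S+)(.*)$")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output.  A record starts with an unindented
    'src ... dst ...' line; indented lines carry dir, mark and templates."""
    policies, cur = [], None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            if cur:
                policies.append(Policy(**cur))
            src, dst, rest = m.groups()
            cur = {"src": src.split("/")[0], "dst": dst.split("/")[0],
                   "proto": None, "sport": None, "dport": None,
                   "direction": None, "esp": False}
            for key, val in re.findall(r"\b(proto|sport|dport) (\S+)", rest):
                cur[key] = int(val) if val.isdigit() else val
        elif cur is not None:
            dm = re.search(r"\bdir (in|out|fwd)\b", line)
            if dm:
                cur["direction"] = dm.group(1)
            if re.search(r"\bproto esp\b", line):    # an ESP template line
                cur["esp"] = True
    if cur:
        policies.append(Policy(**cur))
    return policies


def _covers(p, local, remote, proto, port, direction, side):
    """True if p is an ESP policy for these endpoints and port shape."""
    if p.direction != direction or not p.esp or p.proto != proto:
        return False
    endpoints = (local, remote) if direction == "out" else (remote, local)
    if (p.src, p.dst) != endpoints:
        return False
    if port is None:                      # whole-protocol selector (GRE)
        return p.sport is None and p.dport is None
    return getattr(p, side) == port


def missing_selectors(policies, local_ip, remote_ip, tunnel_type):
    """Selector shapes with no ESP policy.  The generated conns protect
    packets to the tunnel port and from it, in both directions: four
    policies for a UDP/TCP tunnel, two for GRE.  Empty list means fully
    covered; each entry is a direction that is currently cleartext."""
    proto, port = TUNNEL_SELECTORS[tunnel_type]
    wanted = ([("out", None), ("in", None)] if port is None else
              [("out", "dport"), ("out", "sport"),
               ("in", "sport"), ("in", "dport")])
    missing = []
    for direction, side in wanted:
        if not any(_covers(p, local_ip, remote_ip, proto, port, direction, side)
                   for p in policies):
            label = "%s %s" % (direction, proto)
            if port is not None:
                label += " %s %d" % (side, port)
            missing.append(label)
    return missing


def check_tunnels(policy_text, local_ip, tunnels):
    """tunnels: {ifname: (tunnel_type, remote_ip)} -> {ifname: missing}."""
    policies = parse_xfrm_policy(policy_text)
    return {name: missing_selectors(policies, local_ip, remote, ttype)
            for name, (ttype, remote) in tunnels.items()}


# Constructed output: geneve0 -> 10.0.0.2 fully covered, vxlan0 -> 10.0.0.3
# has only the outbound-to-port policy, and GRE peer 10.0.0.4 has nothing.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp dport 6081
    dir out priority 1760 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto udp sport 6081
    dir in priority 1760 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode transport
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp sport 6081
    dir out priority 1760 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16390 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto udp dport 6081
    dir in priority 1760 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16390 mode transport
src 10.0.0.1/32 dst 10.0.0.3/32 proto udp dport 4789
    dir out priority 1760 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16391 mode transport
"""
```

Against a live host, feed `check_tunnels()` the output of `ip xfrm policy` (for example via `subprocess.check_output(["ip", "xfrm", "policy"])`) together with the tunnel list read from the Interface table; a non-empty list for a tunnel is exactly the condition Qiuyu suggests reporting on the interface. The check is necessary rather than sufficient: it does not confirm that the mark carried by the policies is the one the OVS pipeline sets on tunnel traffic, nor that an SA is actually established (`ip xfrm state`), so both of those still need their own checks before an interface is reported as protected.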
[ovs-dev] [PATCH v3 6/6] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted.

The changes are summarized as below:

1) Added an ipsec column on the NB_Global table and SB_Global table. The value of ipsec column is propagated by ovn-northd from NB_Global to SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:remote_name=". If the ipsec value is false, ovn-controller removes these options.

3) ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures IKE daemon accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao
--- ovn/controller/encaps.c | 31 ++ ovn/controller/encaps.h | 7 +- ovn/controller/ovn-controller.c | 4 +++- ovn/northd/ovn-northd.c | 8 +-- ovn/ovn-architecture.7.xml | 39 + ovn/ovn-nb.ovsschema| 7 +++--- ovn/ovn-nb.xml | 6 + ovn/ovn-sb.ovsschema| 7 +++--- ovn/ovn-sb.xml | 6 + 9 files changed, 101 insertions(+), 14 deletions(-) diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..2169920ba 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,9 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap, + const char *local_ip) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip); 
@@ -90,6 +91,16 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +if (local_ip) { +smap_add(, "local_ip", local_ip); +} else { +VLOG_INFO("Need to specify encap ip for IPsec tunnels."); +} +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +168,9 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg, + const struct ovsrec_open_vswitch_table *ovs_table) { if (!ovs_idl_txn || !br_int) { return; @@ -201,6 +214,16 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, } } +/* Get IP address of local chassis. */ +const char *chassis_ip; +const struct ovsrec_open_vswitch *cfg; +cfg = ovsrec_open_vswitch_table_first(ovs_table); +if (cfg) { +chassis_ip = smap_get(>external_ids, "ovn-encap-ip"); +} else { +chassis_ip = NULL; +} + SBREC_CHASSIS_TABLE_FOR_EACH (chassis_rec, chassis_table) { if (strcmp(chassis_rec->name, chassis_id)) { /* Create tunnels to the other chassis. */ @@ -209,7 +232,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap, chassis_ip); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..680b62df7 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h 
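Review bot: in tunnel_add(), when sbg->ipsec is true but local_ip is NULL the code only logs at INFO level and still creates the tunnel with remote_name set and no local_ip, so the interface comes up and the tunnel carries cleartext while NB_Global says ipsec=true. Either raise this to VLOG_WARN and skip creating the tunnel, or, if a tunnel without local_ip is meant to be legal here, say so in the comment and in the ovn-architecture.7.xml text added by this patch. Related: `chassis_ip` is read from external_ids:ovn-encap-ip of the first Open_vSwitch row while the remote side uses encap->ip; a short comment that both must be the addresses the IKE daemon sees on the wire would help whoever debugs a policy that never matches.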
@@ -23,13 +23,18 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *, +const struct ovsrec_open_vswitch_table *); + bool encaps_cleanup(struct ovsdb_idl_txn
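Review bot: encaps_run() now takes `const struct sbrec_sb_global *sbg` and tunnel_add() dereferences it unconditionally (`if (sbg->ipsec)`), but the SB_Global row can be absent, for instance when ovn-controller connects before ovn-northd has created it. Guard with `sbg && sbg->ipsec` (treating a missing row as ipsec off) or have the caller in ovn-controller.c skip encaps_run() until the row exists, and state the chosen rule in a comment in encaps.h next to the new parameter so callers know whether NULL is allowed.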
[ovs-dev] [PATCH v3 4/6] Documentation: IPsec tunnel tutorial and documentation.
tutorials/index.rst gives a step-by-step guide to set up OVS IPsec tunnel. tutorials/ipsec.rst gives detailed explanation on the IPsec tunnel configuration methods and forwarding modes.

Signed-off-by: Ansis Atteka
Signed-off-by: Qiuyu Xiao
Co-authored-by: Ansis Atteka
Co-authored-by: Qiuyu Xiao
--- Documentation/automake.mk | 2 + Documentation/howto/index.rst | 1 + Documentation/howto/ipsec.rst | 193 + Documentation/tutorials/index.rst | 1 + Documentation/tutorials/ipsec.rst | 340 ++ vswitchd/vswitch.xml | 122 ++- 6 files changed, 650 insertions(+), 9 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 Documentation/tutorials/ipsec.rst diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 2202df45b..262fa20db 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -28,6 +28,7 @@ DOC_SOURCE = \ Documentation/tutorials/ovn-openstack.rst \ Documentation/tutorials/ovn-sandbox.rst \ Documentation/tutorials/ovs-conntrack.rst \ + Documentation/tutorials/ipsec.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ Documentation/topics/idl-compound-indexes.rst \ @@ -59,6 +60,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..17dead501 --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,193 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document gives detailed description on the OVS IPsec tunnel and its +configuration modes. If you want to follow a step-by-step guide to run and +test IPsec tunnel, please refer to :doc:`/tutorials/ipsec`. + +Overview + + +Why do encryption? +~~ + +OVS tunnel packets are transported from one machine to another. Along the path, +the packets are processed by physical routers and physical switches. There are +risks that these physical devices might read or write the contents of the +tunnel packets. IPsec encrypts IP payload and prevents the malicious party +sniffing or manipulating the tunnel traffic. + +OVS IPsec +~ + +OVS IPsec aims to provide a simple interface for user to add encryption on OVS +tunnels. It supports GRE, GENEVE, VXLAN, and STT tunnel. The IPsec +configuration is done by setting options of the tunnel interface and +other_config of Open_vSwitch. You can choose different authentication methods +and fowarding modes based on your system requirement. + +Configuration +- + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. 
There are three authentication methods: + +1) You can use pre-shared key (PSK) to do authentication. In both hosts, set + the same PSK value. This PSK is like your password. You should never reveal + it to untrusted parties. This method is easier to use but less secure than + the certificate-based methods:: + + $ ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:local_ip=1.1.1.1 \ + options:remote_ip=2.2.2.2 \ + options:psk=swordfish + + .. note:: + + The local_ip field is required for th
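Review bot: typo in the new howto text, "fowarding modes" under the "OVS IPsec" heading should read "forwarding modes". Separately, the PSK example under Authentication Methods stores the secret as `options:psk=swordfish` in the Interface table, so the note that the PSK "is like your password" is the right place to add that anyone who can read the Open_vSwitch database (or the ovs-vsctl output that prints interface options) can read the key; that is the concrete reason the text gives for preferring the certificate-based methods and is worth stating explicitly.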
[ovs-dev] [PATCH v3 5/6] ovs-pki: generate x.509 v3 certificate
This patch modifies ovs-pki to generate x.509 version 3 certificate. Compared with the x.509 v1 certificate generated by ovs-pki, version 3 certificate adds subjectAltName field and sets its value the same as common name (CN). The main reason for this change is to enable strongSwan IKE daemon to extract certificate identity string from the subjectAltName field, which makes OVN IPsec implementation easier. Signed-off-by: Qiuyu Xiao --- NEWS | 3 +++ utilities/ovs-pki.in | 25 + 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 7f6589a46..c30919a8d 100644 --- a/NEWS +++ b/NEWS @@ -44,6 +44,9 @@ Post-v2.9.0 both kernel datapath and userspace datapath. * Added port-based and flow-based ERSPAN tunnel port support, added OpenFlow rules matching ERSPAN fields. See ovs-fields(7). + - ovs-pki + * ovs-pki now generates x.509 version 3 certificate. The new format adds + subjectAltName field and sets its value the same as common name (CN). v2.9.0 - 19 Feb 2018 diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..e0ba910f9 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy# default policy email_in_dn= no# Don't add the email into cert DN name_opt = ca_default# Subject name display option cert_opt = ca_default# Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no# Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi 
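Review bot: `copy_extensions = copy` in the ca.cnf template makes the CA copy every extension in a request that the -extensions section does not itself set, so subjectAltName is taken verbatim from the CSR. That is what this series wants (SAN equal to CN), but it also means a request whose SAN names a different host than its CN is signed as submitted, and since the identity strongSwan uses is the SAN, a CSR the operator did not generate with ovs-pki req could claim another node's identity. The [ usr_cert ] section only pins basicConstraints=CA:false; please either have the sign path check that the request's SAN matches its CN before calling openssl ca, or document in ovs-pki that only requests produced by ovs-pki req may be signed. The commit message should also say that the SAN is of DNS type (`subjectAltName = DNS:$cn`) and that the peer's options:remote_name must be the same string, because a mismatch only shows up as an IKE authentication failure later, not as an error at generation time.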
@@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 -openssl ca -config ca.cnf -create_serial -out cacert.pem \ +openssl ca -config ca.cnf -create_serial \ +-extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US @@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } @@ -529,11 +541,16 @@ elif test "$command" = self-sign; then must_exist "$arg1-req.pem" must_exist "$arg1-privkey.pem" must_not_exist "$arg1-cert.pem" +make_tmpdir +cat > "$TMP/v3.ext" <&3 || exit $? + -signkey "$arg1-privkey.pem" -req -days 3650 -text \ + -extfile $TMP/v3.ext) 2>&3 || exit $? # Reset the permissions on the certificate to the user's default. cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" -- 2.18.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
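As an added example (not code from ovs-pki or ovs-monitor-ipsec), here is the check a daemon consuming these certificates could run before handing a peer certificate to the IKE daemon: extract the CN the way the v2 cover letter describes, via openssl, and confirm that a DNS-type subjectAltName with the same value is present, which is the property this patch adds. It parses the text that `openssl x509 -noout -subject` and `openssl x509 -noout -text` print; the sample outputs are constructed, and `inspect_cert_file` assumes an openssl binary on PATH.

```python
"""Extract the peer identity from an OVS certificate and confirm that its
subjectAltName agrees with the CN, which is what the ovs-pki change relies
on once strongSwan takes the IKE identity from the SAN.

Added example, not code from ovs-pki or ovs-monitor-ipsec.  It parses the
text printed by `openssl x509 -noout -subject` and `openssl x509 -noout
-text`; the sample lines at the bottom are constructed.
"""
import re
import subprocess


def extract_cn(subject_line):
    """CN from an `openssl x509 -noout -subject` line, in either the legacy
    slash form ('subject= /C=US/.../CN=host_1') or the comma form printed
    by OpenSSL 1.1 ('subject=C = US, ..., CN = host_1')."""
    line = subject_line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):].strip()
    # Values containing an escaped separator are not handled here.
    parts = line.split("/")[1:] if line.startswith("/") else line.split(",")
    for part in parts:
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None


def extract_san_dns(text_output):
    """DNS: names in the Subject Alternative Name block of
    `openssl x509 -noout -text` output; empty for an X.509 v1 certificate."""
    m = re.search(r"Subject Alternative Name:\s*(\S[^\n]*)", text_output)
    return re.findall(r"DNS:([^,\s]+)", m.group(1)) if m else []


def peer_identity(subject_line, text_output):
    """Return (cn, problems).  An empty problems list means the certificate
    can serve as an IPsec peer identity the way this series expects."""
    cn = extract_cn(subject_line)
    sans = extract_san_dns(text_output)
    problems = []
    if cn is None:
        problems.append("no CN in subject")
    if not sans:
        problems.append("no subjectAltName (X.509 v1 certificate?)")
    elif cn not in sans:
        problems.append("subjectAltName %s does not match CN %r" % (sans, cn))
    if re.search(r"CA:\s*TRUE", text_output):
        problems.append("basicConstraints CA:TRUE on a peer certificate")
    return cn, problems


def inspect_cert_file(path):
    """Run the check on a PEM file (assumes the openssl binary is on PATH)."""
    def x509(*args):
        return subprocess.check_output(["openssl", "x509", "-in", path,
                                        "-noout"] + list(args)).decode()
    return peer_identity(x509("-subject"), x509("-text"))


# Constructed samples: a v3 certificate as the patched ovs-pki produces it,
# and a v1 certificate from an older ovs-pki (no extensions block at all).
V3_SUBJECT = ("subject=C = US, ST = CA, L = Palo Alto, O = Open vSwitch, "
              "OU = Open vSwitch certifier, CN = host_1")
V3_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:host_1
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
"""
V1_SUBJECT = ("subject= /C=US/ST=CA/L=Palo Alto/O=Open vSwitch"
              "/OU=Open vSwitch certifier/CN=host_1")
V1_TEXT = "    Signature Algorithm: sha256WithRSAEncryption\n"

if __name__ == "__main__":
    for subj, text in ((V3_SUBJECT, V3_TEXT), (V1_SUBJECT, V1_TEXT)):
        print(peer_identity(subj, text))
```

The v1 case is the one that matters operationally: a certificate generated by ovs-pki before this patch has a CN but no SAN, so a daemon that only extracts the CN would configure a remote_name that strongSwan never matches; reporting "no subjectAltName" at configuration time is cheaper than debugging a silent IKE authentication failure.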
[ovs-dev] [PATCH v3 3/6] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages. Signed-off-by: Ansis Atteka Signed-off-by: Qiuyu Xiao Co-authored-by: Ansis Atteka Co-authored-by: Qiuyu Xiao --- debian/automake.mk| 3 + debian/control| 21 ++ debian/openvswitch-ipsec.dirs | 1 + debian/openvswitch-ipsec.init | 181 ++ debian/openvswitch-ipsec.install | 1 + rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in | 19 +- ...b_systemd_system_openvswitch-ipsec.service | 12 ++ utilities/ovs-ctl.in | 18 ++ 9 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index a4c031d85..9443e91c9 100644 --- a/debian/control +++ b/debian/control 
@@ -320,3 +320,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..8488beccf --- /dev/null +++ b/debian/openvswitch-ipsec.init 
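Review bot: debian/control hard-depends on strongswan, while the commit message of the ipsec/ovs-monitor-ipsec patch says both LibreSwan and strongSwan are supported; on Debian this pulls in strongswan even where an administrator intends to run libreswan. Consider `strongswan | libreswan` in Depends, with the init script selecting the IKE daemon accordingly, or state in the package description that the Debian package is strongSwan-only. The new .dirs file is also missing its trailing newline (`\ No newline at end of file`).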
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you might
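Review bot: the LSB header of the new init script is stale: Short-Description says "Open vSwitch GRE-over-IPsec daemon" and Description says it provides support for "encrypting GRE tunnels", but the daemon it starts handles GRE, VXLAN, Geneve and STT according to the ipsec/ovs-monitor-ipsec commit message. Also, `PATH` puts /usr/local/sbin and /usr/local/bin ahead of /sbin and /bin for a root-run daemon; Debian's /etc/init.d/skeleton lists the system directories only (`PATH=/sbin:/usr/sbin:/bin:/usr/bin`), which is the safer ordering for a script that execs by bare command name.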
[ovs-dev] [PATCH v3 2/6] ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.")

After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in:

1. OVSDB:Interface:options column;
2. OVSDB:Open_vSwitch:other_config column;
3. OpenFlow pipeline.

GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and StrongSwan IKE daemons are supported. User can choose pre-shared key, self-signed peer certificate, or CA-signed certificate as the authentication method.

Signed-off-by: Ansis Atteka
Signed-off-by: Qiuyu Xiao
Co-authored-by: Ansis Atteka
Co-authored-by: Qiuyu Xiao
--- Makefile.am |1 + ipsec/automake.mk | 10 + ipsec/ovs-monitor-ipsec | 1158 +++ 3 files changed, 1169 insertions(+) create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec diff --git a/Makefile.am b/Makefile.am index e02799a90..c0fef11fd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -480,6 +480,7 @@ include tests/automake.mk include include/automake.mk include third-party/automake.mk include debian/automake.mk +include ipsec/automake.mk include vswitchd/automake.mk include ovsdb/automake.mk include rhel/automake.mk diff --git a/ipsec/automake.mk b/ipsec/automake.mk new file mode 100644 index 0..1e530cb42 --- /dev/null +++ b/ipsec/automake.mk @@ -0,0 +1,10 @@ +# Copyright (C) 2017 Nicira, Inc. +# +# Copying and distribution of this file, with or without modification, +# are permitted in any medium without royalty provided the copyright +# notice and this notice are preserved. This file is offered as-is, +# without warranty of any kind. + +EXTRA_DIST += \ +ipsec/ovs-monitor-ipsec +FLAKE8_PYFILES += ipsec/ovs-monitor-ipsec diff --git a/ipsec/ovs-monitor-ipsec b/ipsec/ovs-monitor-ipsec new file mode 100755 index 0..faff89947 --- /dev/null +++ b/ipsec/ovs-monitor-ipsec 
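Review bot: ipsec/automake.mk only adds ovs-monitor-ipsec to EXTRA_DIST and FLAKE8_PYFILES; nothing in this patch installs it, yet the packaging patch's init script runs it from /usr/share/openvswitch/scripts/ovs-monitor-ipsec. If installation is meant to come only from the debian .install file and the rhel spec, say so in the commit message; otherwise add an install rule here (the `scripts_SCRIPTS` variable, if that is the one the other automake.mk fragments use for scripts under /usr/share/openvswitch/scripts) so that a plain `make install` build is usable too.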
@@ -0,0 +1,1158 @@ +#!/usr/bin/env python +# Copyright (c) 2017 Nicira, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import argparse +import glob +import os +import re +import subprocess +import sys +import copy +from string import Template + +from ovs.db import error +from ovs.db import types +import ovs.daemon +import ovs.db.idl +import ovs.dirs +import ovs.unixctl +import ovs.unixctl.server +import ovs.util +import ovs.vlog + + +FILE_HEADER = "# Generated by ovs-monitor-ipsec...do not modify by hand!\n\n" +SHUNT_POLICY = """conn prevent_unencrypted_gre +type=drop +leftprotoport=gre +mark={0} + +conn prevent_unencrypted_geneve +type=drop +leftprotoport=udp/6081 +mark={0} + +conn prevent_unencrypted_stt +type=drop +leftprotoport=tcp/7471 +mark={0} + +conn prevent_unencrypted_vxlan +type=drop +leftprotoport=udp/4789 +mark={0} + +""" +transp_tmpl = {"gre" : Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "gre64" : Template("""\ +conn $ifname-$version +$auth_section +leftprotoport=gre +rightprotoport=gre + +"""), "geneve" : Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/6081 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/6081 + +"""), "stt" : Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=tcp/7471 +rightprotoport=tcp + +conn $ifname-out-$version +$auth_section +leftprotoport=tcp +rightprotoport=tcp/7471 
+ +"""), "vxlan" : Template("""\ +conn $ifname-in-$version +$auth_section +leftprotoport=udp/4789 +rightprotoport=udp + +conn $ifname-out-$version +$auth_section +leftprotoport=udp +rightprotoport=udp/4789 + +""")} +vlog = ovs.vlog.Vlog("ovs-monitor-ipsec") +exiting = False +monitor = None +xfrm = None + +class XFRM(object): +"""This class is a simple wrapper around ip-xfrm (8) command line +utility. We are using this class only for informational purposes +so that ovs-monitor-ipsec could verify that IKE keying daemon has +installed IPsec policies
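Review bot: the "gre64" entry in transp_tmpl is byte-for-byte the same as "gre"; point it at the same Template object (`transp_tmpl["gre64"] = transp_tmpl["gre"]`) rather than duplicating the text, so a later change to the GRE selectors cannot diverge between the two. SHUNT_POLICY would also benefit from a comment stating its intent: the four type=drop conns keyed by mark={0} are what makes the design fail closed, since marked tunnel packets that have no established transport conn are dropped instead of leaving unencrypted, and that only holds while the mark interpolated here is the one the OVS pipeline sets on tunnel traffic (the commit message lists the OpenFlow pipeline as one of the three places IPsec is enabled, so the two values must be kept in sync).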
[ovs-dev] [PATCH v3 0/6] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merged the ovs-monitor-ipsec code to a single patch. Added LibreSwan IKE daemon support.
2. Added ovs-monitor-ipsec to flake8 check.
3. Used openssl to extract CN from certificate so that users don't need to specify the CN information in the configuration interface.
4. Improved documentation as suggested.

Changes from v2 to v3
---------------------
1. Added scripts and rules to create ovs-ipsec RPM package.
2. Added Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec tutorial. Modified Documentation/howto/ipsec.rst which gives a detailed description on OVS IPsec configuration modes.
3. Modified ovs-pki to generate x.509 version 3 certificate when doing self-sign.
4. IPsec tunnel interface needs 'local_ip' information. Modified ovn-controller to add 'local_ip' when IPsec is enabled.
5. Added a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup to enable IPsec policy match.
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
ovs-pki: generate x.509 v3 certificate OVN: native support for tunnel encryption Documentation/automake.mk |2 + Documentation/howto/index.rst |1 + Documentation/howto/ipsec.rst | 193 +++ Documentation/tutorials/index.rst |1 + Documentation/tutorials/ipsec.rst | 340 + Makefile.am |1 + NEWS |3 + datapath/linux/compat/geneve.c| 29 +- datapath/linux/compat/stt.c | 15 +- datapath/linux/compat/vxlan.c | 14 +- debian/automake.mk|3 + debian/control| 21 + debian/openvswitch-ipsec.dirs |1 + debian/openvswitch-ipsec.init | 181 +++ debian/openvswitch-ipsec.install |1 + ipsec/automake.mk | 10 + ipsec/ovs-monitor-ipsec | 1158 + ovn/controller/encaps.c | 31 +- ovn/controller/encaps.h |7 +- ovn/controller/ovn-controller.c |4 +- ovn/northd/ovn-northd.c |8 +- ovn/ovn-architecture.7.xml| 39 + ovn/ovn-nb.ovsschema |7 +- ovn/ovn-nb.xml|6 + ovn/ovn-sb.ovsschema |7 +- ovn/ovn-sb.xml|6 + rhel/automake.mk |1 + rhel/openvswitch-fedora.spec.in | 19 +- ...b_systemd_system_openvswitch-ipsec.service | 12 + utilities/ovs-ctl.in | 18 + utilities/ovs-pki.in | 25 +- vswitchd/vswitch.xml | 122 +- 32 files changed, 2241 insertions(+), 45 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 Documentation/tutorials/ipsec.rst create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service -- 2.18.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH v3 1/6] datapath: add transport ports in route lookup to enable IPsec policy match.
This patch adds transport ports information for route lookup so that IPsec can select tunnel traffic (geneve, stt, vxlan) to do encryption. The patch was tested for geneve, stt, and vxlan tunnel and the results show that IPsec policy can be set to only match the corresponding tunnel traffic. Signed-off-by: Qiuyu Xiao --- datapath/linux/compat/geneve.c | 29 +++-- datapath/linux/compat/stt.c| 15 ++- datapath/linux/compat/vxlan.c | 14 -- 3 files changed, 41 insertions(+), 17 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 435a23fb7..95a665ddd 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -836,7 +836,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
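Review bot: geneve_get_v4_rt() and geneve_get_v6_dst() now put sport/dport into the flow key, but the dst-cache path (`use_cache = ip_tunnel_dst_cache_usable(skb, info)` at the top of both functions) is untouched by this hunk. If a cached dst is handed back before the key is consulted, a dst obtained for one source port is reused for packets with another, and with an IPsec policy whose selector includes the port that can return a dst that bypasses or wrongly applies the policy. Please either state in the commit message why ip_tunnel_dst_cache_usable() rules the cache out in the cases that matter here (for example when skb->mark is set), or bypass the cache whenever ports are part of the lookup.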
@@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1232,13 +1238,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1246,7 +1256,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); @@ -1257,8 +12
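Review bot: all three callers pass `geneve->dst_port` as the dport for the lookup. If the transmit path can take a per-packet destination port from the tunnel metadata (info->key.tp_dst) when `info` is set, the port the route/xfrm lookup matched against and the port written into the UDP header would differ for such packets, and a selector like leftprotoport=udp/6081 would then select the wrong traffic. Please confirm that the value handed to udp_tunnel_xmit_skb() in these paths is the same `geneve->dst_port`, or pass the metadata port to the lookup when `info` is present.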
[ovs-dev] [PATCH v2 4/4] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted.

The changes are summarized as below:

1) Added an ipsec column on the NB_Global table and SB_Global table. The value of ipsec column is propagated by ovn-northd from NB_Global to SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:remote_name=". If the ipsec value is false, ovn-controller removes these options.

3) ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures IKE daemon accordingly for IPsec encryption.

Signed-off-by: Qiuyu Xiao
--- ovn/controller/encaps.c | 33 ovn/controller/encaps.h | 7 +- ovn/controller/ovn-controller.c | 4 +++- ovn/northd/ovn-northd.c | 8 +-- ovn/ovn-architecture.7.xml | 39 + ovn/ovn-nb.ovsschema| 7 +++--- ovn/ovn-nb.xml | 6 + ovn/ovn-sb.ovsschema| 7 +++--- ovn/ovn-sb.xml | 6 + 9 files changed, 103 insertions(+), 14 deletions(-) diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..115c36411 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,8 +79,9 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, - const struct sbrec_encap *encap) +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *new_chassis_id, const struct sbrec_encap *encap, + const char *local_ip) { struct smap options = SMAP_INITIALIZER(); smap_add(, "remote_ip", encap->ip); 
@@ -90,6 +91,17 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "remote_name", new_chassis_id); +if (local_ip) { +smap_add(, "local_ip", local_ip); +} +else { +VLOG_INFO("Need to specify encap ip for IPsec tunnels."); +} +} + /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing * record, the new record will supplant it and encaps_run() will delete @@ -157,7 +169,9 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg, + const struct ovsrec_open_vswitch_table *ovs_table) { if (!ovs_idl_txn || !br_int) { return; @@ -201,6 +215,17 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, } } +/* Get IP address of local chassis. */ +const char *chassis_ip; +const struct ovsrec_open_vswitch *cfg; +cfg = ovsrec_open_vswitch_table_first(ovs_table); +if (cfg) { +chassis_ip = smap_get(>external_ids, "ovn-encap-ip"); +} +else { +chassis_ip = NULL; +} + SBREC_CHASSIS_TABLE_FOR_EACH (chassis_rec, chassis_table) { if (strcmp(chassis_rec->name, chassis_id)) { /* Create tunnels to the other chassis. */ @@ -209,7 +234,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_rec->name, encap, chassis_ip); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..680b62df7 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h 
@@ -23,13 +23,18 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; +struct ovsrec_open_vswitch_table; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *, +const struct ovsrec_open_vswitch_table *); + bool encaps_cleanup(stru
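Review bot: in the encaps.c `tunnel_add` hunk, a NULL `local_ip` with `sbg->ipsec` set only logs `VLOG_INFO("Need to specify encap ip for IPsec tunnels.")` and the tunnel is still created with `remote_name` but without `local_ip`, so a chassis that lacks `external_ids:ovn-encap-ip` silently gets a tunnel the IKE daemon cannot be fully configured for; log this at warning level with a rate limiter (the branch runs for every remote chassis on every `encaps_run`) and consider not creating the tunnel at all, since an unprotected tunnel is worse than a missing one when encryption was requested. The same hunk dereferences `sbg->ipsec` without a NULL check; if the new `sbg` argument of `encaps_run` can come from a `_first()` lookup on an empty SB_Global table, guard it with `sbg && sbg->ipsec`.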
[ovs-dev] [PATCH v2 2/4] ipsec: reintroduce IPsec support for tunneling
This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.") After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in: 1. OVSDB:Interface:options column; 2. OVSDB:Open_vSwitch:other_config column; 3. OpenFlow pipeline. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. LibreSwan and StrongSwan IKE daemons are supported. User can choose pre-shared key, self-signed peer certificate, or CA-signed certificate as authentication method. Signed-off-by: Ansis Atteka Signed-off-by: Qiuyu Xiao --- Documentation/automake.mk|1 + Documentation/howto/index.rst|1 + Documentation/howto/ipsec.rst| 256 +++ Makefile.am |1 + debian/automake.mk |3 + debian/control | 21 + debian/openvswitch-ipsec.dirs|1 + debian/openvswitch-ipsec.init| 189 + debian/openvswitch-ipsec.install |1 + ipsec/automake.mk| 10 + ipsec/ovs-monitor-ipsec | 1152 ++ vswitchd/vswitch.xml | 124 +++- 12 files changed, 1751 insertions(+), 9 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 2202df45b..3a505924a 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -59,6 +59,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst 
@@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..67f0f4a00 --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,256 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +=== +Encrypt Open vSwitch Tunnels with IPsec +=== + +This document describes how to use Open vSwitch to provide IPsec security for +STT, GENEVE, GRE and VXLAN tunnels. This document assumes that you have +already installed Open vSwitch. + +Setup +- + +Install strongSwan and openvswitch-ipsec debian packages:: + + $ apt-get install strongswan + $ dpkg -i openvswitch-ipsec__amd64.deb + + +Configuration +- + +The IPsec configuration is done by setting options of the tunnel interface. +ovs-monitor-ipsec configures IKE daemom accordingly based on the tunnel options. + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. There are three authentication methods: + +1) You can set a pre-shared key in both hosts to do authentication. This + method is easier to use but less secure:: + + % ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:local_ip=1.1.1.1 \ + options:remote_ip=2.2.2.2 \ + options:psk=swordfish]) + +2) You can use the certificate of remote host to do authentication. First, + generate certificate and private key in each host. The certificate could be + self-signed. 
Refer to the ovs-pki(8) man page for more information regarding + certificate and key generation. Then, copy the remote cert
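Review bot: in the Documentation/howto/ipsec.rst hunk, the pre-shared-key example ends with `options:psk=swordfish])`; the trailing `])` looks like Autotest m4 residue and makes the command fail if pasted as-is, so drop it. Two smaller points in the same file: `daemom` should be `daemon` in the Configuration paragraph, and the PSK method could say why it is "less secure": the key is stored in the Interface `options` column in clear text, so anyone able to read the OVSDB (for example via `ovs-vsctl list Interface`) can recover it, which argues for a long random value rather than a word like `swordfish`.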
[ovs-dev] [PATCH v2 3/4] ovs-pki: generate x.509 v3 certificate
This patch modifies ovs-pki to generate x.509 version 3 certificate. Compared with the x.509 v1 certificate generated by ovs-pki, version 3 certificate adds subjectAltName field and sets its value the same as common name (CN). The main reason for this change is to enable strongSwan IKE daemon to extract certificate identity string from the subjectAltName field, which makes OVN IPsec implementation easier. Signed-off-by: Qiuyu Xiao --- NEWS | 3 +++ utilities/ovs-pki.in | 18 +++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 7f6589a46..c30919a8d 100644 --- a/NEWS +++ b/NEWS @@ -44,6 +44,9 @@ Post-v2.9.0 both kernel datapath and userspace datapath. * Added port-based and flow-based ERSPAN tunnel port support, added OpenFlow rules matching ERSPAN fields. See ovs-fields(7). + - ovs-pki + * ovs-pki now generates x.509 version 3 certificate. The new format adds + subjectAltName field and sets its value the same as common name (CN). v2.9.0 - 19 Feb 2018 diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..1b6681d3a 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy# default policy email_in_dn= no# Don't add the email into cert DN name_opt = ca_default# Subject name display option cert_opt = ca_default# Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no# Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi 
@@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 -openssl ca -config ca.cnf -create_serial -out cacert.pem \ +openssl ca -config ca.cnf -create_serial \ +-extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US @@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } -- 2.18.0 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
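Review bot: `copy_extensions = copy` in the ca.cnf hunk makes the CA copy every extension from a request that the signing section does not set itself; since `sign_request` signs whatever `$request_file` it is given and the commit message says strongSwan takes the peer identity from subjectAltName, a request whose `subjectAltName` does not match its CN would be signed as presented. The `[ usr_cert ]` section only pins `basicConstraints`, so either have the CA side reject or rewrite a SAN that differs from the subject CN, or document that the CA operator must inspect the requested SAN (`openssl req -noout -text`) before signing. Marking `basicConstraints` as `critical` in both `ca_cert` and `usr_cert` would also be the conventional choice.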
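Review bot: the NEWS hunk should spell the standard as `X.509` and use the plural (`ovs-pki now generates X.509 version 3 certificates`); the commit subject has the same lowercase form.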
[ovs-dev] [PATCH v2 1/4] datapath: add transport ports in route lookup to enable IPsec policy match.
This patch adds transport ports information for route lookup so that IPsec can select tunnel traffic (geneve, stt, vxlan) to do encryption. The patch was tested for geneve, stt, and vxlan tunnel and the results show that IPsec policy can be set to only match the corresponding tunnel traffic. Signed-off-by: Qiuyu Xiao --- datapath/linux/compat/geneve.c | 29 +++-- datapath/linux/compat/stt.c| 15 ++- datapath/linux/compat/vxlan.c | 14 -- 3 files changed, 41 insertions(+), 17 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 435a23fb7..95a665ddd 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -836,7 +836,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
@@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1232,13 +1238,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1246,7 +1256,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); @@ -1257,8 +12
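Review bot: in the `geneve_xmit_skb` / `geneve6_xmit_skb` hunks, computing `sport` before the route lookup is the right fix, because the port in the flow key must be the one actually written into the UDP header for a policy selector to be meaningful; however `udp_flow_src_port(..., 1, USHRT_MAX, true)` draws from the whole port range, so only `dport`-based selectors can be relied on and the commit message should state that. Related question for the `geneve_get_v4_rt` / `geneve_get_v6_dst` hunks: the lookup still honours `use_cache`, so a dst cached for one packet is reused for later packets whose source port differs; that is harmless as long as policies select on `dport` only, but a comment (or bypassing the cache when a policy matched) would make the assumption explicit.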
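The commit message above says the route lookup now carries transport ports so that an IPsec policy can select just the tunnel traffic. The following is an added example, not code from the OVS datapath or from ovs-monitor-ipsec, that models outbound policy selectors in the shape `ip xfrm policy` uses (address prefix, protocol, ports) and shows the failure mode the patch addresses: a lookup key without ports cannot satisfy a `dport` selector, so the packet falls through to clear text. The per-tunnel-type policy layout in `tunnel_policies` and all addresses are constructed assumptions.

```python
"""Why the route lookup must carry transport ports for IPsec policy matching.

Added example, not code from the OVS datapath patch: it models outbound xfrm
policy selectors (address prefixes, protocol, ports) and shows what happens
when the lookup key lacks ports.  Policies and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP = 6
IPPROTO_UDP = 17
# IANA-assigned ports of the encapsulations named in the patch.
GENEVE_UDP_PORT = 6081
VXLAN_UDP_PORT = 4789
STT_TCP_PORT = 7471


@dataclass(frozen=True)
class FlowKey:
    """Fields of the lookup key that policy selectors are compared against.
    sport/dport of None model a lookup performed without port information."""
    saddr: str
    daddr: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Policy:
    """An outbound policy selector plus its action ('esp' or 'allow')."""
    src: str            # CIDR prefix, "0.0.0.0/0" for any
    dst: str
    proto: int = 0      # 0 = any protocol
    sport: int = 0      # 0 = any port
    dport: int = 0
    action: str = "esp"


def selector_matches(p: Policy, k: FlowKey) -> bool:
    """True when every selector field of p accepts the corresponding key field."""
    if ipaddress.ip_address(k.saddr) not in ipaddress.ip_network(p.src, strict=False):
        return False
    if ipaddress.ip_address(k.daddr) not in ipaddress.ip_network(p.dst, strict=False):
        return False
    if p.proto and p.proto != k.proto:
        return False
    # A port selector needs a port to compare against: a key without ports
    # (the pre-patch lookup) can never satisfy it.
    if p.sport and k.sport != p.sport:
        return False
    if p.dport and k.dport != p.dport:
        return False
    return True


def lookup_action(policies: List[Policy], key: FlowKey) -> str:
    """First-match lookup; with no matching policy the packet goes in clear text."""
    for p in policies:
        if selector_matches(p, key):
            return p.action
    return "allow"


def tunnel_policies(local: str, remote: str) -> List[Policy]:
    """Assumed layout: one policy per tunnel type, protecting only that tunnel's
    port between the two hosts and leaving other traffic in clear text."""
    src, dst = f"{local}/32", f"{remote}/32"
    return [
        Policy(src, dst, IPPROTO_UDP, dport=GENEVE_UDP_PORT),
        Policy(src, dst, IPPROTO_UDP, dport=VXLAN_UDP_PORT),
        Policy(src, dst, IPPROTO_TCP, dport=STT_TCP_PORT),
    ]


def classify(local: str, remote: str, proto: int, dport: int,
             with_ports: bool = True) -> str:
    """Action chosen for one outbound packet, with or without ports in the key."""
    policies = tunnel_policies(local, remote)
    key = FlowKey(local, remote, proto,
                  sport=49152 if with_ports else None,
                  dport=dport if with_ports else None)
    return lookup_action(policies, key)


if __name__ == "__main__":
    # Geneve packet with ports in the key: encrypted.
    print(classify("10.0.0.1", "10.0.0.2", IPPROTO_UDP, GENEVE_UDP_PORT))         # esp
    # Same packet looked up without ports: no policy matches, leaks unencrypted.
    print(classify("10.0.0.1", "10.0.0.2", IPPROTO_UDP, GENEVE_UDP_PORT, False))  # allow
    # Unrelated UDP (DNS) between the same hosts stays in clear text by design.
    print(classify("10.0.0.1", "10.0.0.2", IPPROTO_UDP, 53))                      # allow
```

The second call is the case the patch closes: the same Geneve packet, looked up without its UDP ports, matches no port-specific policy and would be routed unprotected. Because the source port is chosen per flow from a wide range, only the destination-port selector is stable, which is why the policies above pin `dport` and leave `sport` wildcarded.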
[ovs-dev] [PATCH v2 0/4] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2:

1) Merged the ovs-monitor-ipsec code to a single patch. Added LibreSwan IKE daemon support.

2) Use openssl to extract CN from certificate so that users don't need to specify the CN information in the configuration interface.

3) Improved documentation as suggested.

Qiuyu Xiao (4):
datapath: add transport ports in route lookup to enable IPsec policy match.
ipsec: reintroduce IPsec support for tunneling
ovs-pki: generate x.509 v3 certificate
OVN: native support for tunnel encryption

Documentation/automake.mk | 1 +
Documentation/howto/index.rst | 1 +
Documentation/howto/ipsec.rst | 256 +++
Makefile.am | 1 +
NEWS | 3 +
datapath/linux/compat/geneve.c | 29 +-
datapath/linux/compat/stt.c | 15 +-
datapath/linux/compat/vxlan.c | 14 +-
debian/automake.mk | 3 +
debian/control | 21 +
debian/openvswitch-ipsec.dirs | 1 +
debian/openvswitch-ipsec.init | 189 +
debian/openvswitch-ipsec.install | 1 +
ipsec/automake.mk | 10 +
ipsec/ovs-monitor-ipsec | 1152 ++
ovn/controller/encaps.c | 33 +-
ovn/controller/encaps.h | 7 +-
ovn/controller/ovn-controller.c | 4 +-
ovn/northd/ovn-northd.c | 8 +-
ovn/ovn-architecture.7.xml | 39 +
ovn/ovn-nb.ovsschema | 7 +-
ovn/ovn-nb.xml | 6 +
ovn/ovn-sb.ovsschema | 7 +-
ovn/ovn-sb.xml | 6 +
utilities/ovs-pki.in | 18 +-
vswitchd/vswitch.xml | 124 +++-
26 files changed, 1913 insertions(+), 43 deletions(-)
create mode 100644 Documentation/howto/ipsec.rst
create mode 100644 debian/openvswitch-ipsec.dirs
create mode 100644 debian/openvswitch-ipsec.init
create mode 100644 debian/openvswitch-ipsec.install
create mode 100644 ipsec/automake.mk
create mode 100755 ipsec/ovs-monitor-ipsec
-- 2.18.0
Re: [ovs-dev] [PATCH 2/3] ipsec: add CA-cert based authentication
Thanks for your review! On Tue, Jul 10, 2018 at 6:16 PM, Ansis Atteka wrote: > On Wed, 27 Jun 2018 at 10:59, Qiuyu Xiao wrote: >> >> This patch adds CA-cert based authentication to the ovs-monitor-ipsec >> daemon. With CA-cert based authentication enabled, OVS approves IPsec >> tunnel if the peer has a cert signed by a trusted CA and the identity of >> the peer cert is as expected. Below are the major changes and the >> reasons: >> >> 1) Added CA-cert based authentication. Compared with peer-cert based >> authentication, this one doesn't need to import peer cert to the local >> host to do configuration. This is especially beneficial if host has >> multiple peers and peers frequently update their certs. This feature is >> required for the upcoming OVN IPsec support. >> >> 2) Changed the host cert and private key configuration interface. >> Previously, the host's cert and private key can be configured in either >> Open_vSwitch's SSL column or the SSL table. Now, the host certificate >> and private key can be only configured in the Open_vSwitch table's >> other_config column. Since it is not SSL cert and key, we'd better not >> confuse users by saying so. >> >> 3) Changed the peer cert configuration interface. Previously, the peer >> cert is configured by setting the interface's options column as the >> content of the peer cert. It's changed to setting the column as the path >> of the peer cert. This is easier to be configured by the command line >> tool, and is consistent with other cert and key configuration interface >> which is better from a usability point of view. >> > > Would you mind creating a patch ovs/poc/ipsec ansible+vagrant recipe > that deploys two VMs, installs strongswan, openvswitch and then > configure IPsec between them? >

Current tests use a mocked strongSwan ipsec utility. This sounds like a more solid test compared to the simulated one. I will try to create such a test.
> > >> Signed-off-by: Qiuyu Xiao >> --- >> Documentation/howto/ipsec.rst | 78 --- >> ipsec/ovs-monitor-ipsec | 138 +- >> 2 files changed, 156 insertions(+), 60 deletions(-) >> >> diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst >> index 4e4f4d211..b42312da5 100644 >> --- a/Documentation/howto/ipsec.rst >> +++ b/Documentation/howto/ipsec.rst >> @@ -21,9 +21,9 @@ >> >>Avoid deeper levels because they do not render well. >> >> -== >> -How to Encrypt Open vSwitch Tunnels with IPsec >> -== >> +=== >> +Encrypt Open vSwitch Tunnels with IPsec >> +=== >> >> This document describes how to use Open vSwitch integration with strongSwan >> 5.1 or later to provide IPsec security for STT, GENEVE, GRE and VXLAN >> tunnels. 
>> @@ -77,6 +77,67 @@ Install strongSwan and openvswitch-ipsec debian packages:: >> Configuration >> - >> >> +The IPsec configuration is done by setting options of the tunnel interface. >> +ovs-monitor-ipsec configures strongSwan accordingly based on the tunnel >> options. >> + >> +Authentication Methods >> +~~ >> + >> +Hosts of the IPsec tunnel need to authenticate each other to build a secure >> +channel. There are three authentication methods: >> + >> +1) You can set a pre-shared key in both hosts to do authentication. This >> + method is easier to use but less secure:: >> + >> + % ovs-vsctl add-port br0 ipsec_gre0 -- \ >> + set interface ipsec_gre0 type=gre \ >> + options:remote_ip=1.2.3.4 \ >> + options:psk=swordfish]) >> + >> +2) You can use peer certificates to do authentication. First, generate >> + certificate and private key in each host. The certificate could be >> + self-signed. Refer to the ovs-pki(8) man page for more information >> + regarding certificate and key generation. Then, copy the peer certificate >> + to the local host and type:: >> + >> + % ovs-vsctl set Open_vSwitch . \ >> + other_config:certificate=/path/to/local_cert.pem \ >> + other_config:private_key=/path/to/priv_key.pem >> + % ovs-vsctl add-port br0 ipsec_gre0 -- \ >> + set interface ipsec_gre0 type=gre \ >> +
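Review bot: in the quoted ipsec.rst hunk, the peer-certificate method tells the reader to "copy the peer certificate to the local host" but not how; since that copied file is the only thing that authenticates the peer, the text should say it must be transferred over an authenticated channel and checked (e.g. by comparing its fingerprint with the peer's administrator) before being referenced in the Interface options. The pre-shared-key example in the same hunk still carries the stray `])` after `options:psk=swordfish`.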
Re: [ovs-dev] [PATCH 0/3] IPsec support for tunneling
Hi Ian,

If my understanding is correct, you are asking whether we should add a specific IPsec tunnel interface instead of using "options" column to indicate IPsec tunnel. I think a new IPsec tunnel interface should work fine with my current patch. All I need to change is to tell the ovs-monitor-ipsec daemon to get the certificate and key information from the IPsec tunnel interface. And from OVS kernel datapath's point of view, this IPsec tunnel interface is just a normal tunnel interface.

I agree that it's important to make a unified IPsec tunnel configuration interface. The configuration interface in my patch allows user to choose from three authentication methods which are peer-cert, CA-cert, and PSK based authentication. Do you plan to support a similar configuration on DPDK IPsec?

Thanks, Qiuyu

On Thu, Jul 5, 2018 at 2:29 PM, Stokes, Ian wrote: >> On Thu, Jul 05, 2018 at 09:29:12PM +0100, Ian Stokes wrote: >> > On 6/27/2018 6:58 PM, Qiuyu Xiao wrote: >> > >This patch series reintroduce IPsec support for OVS tunneling and >> > >adds new features to prepare for the OVN IPsec support. The new >> features are: >> > > >> > >1) Add CA-cert based authentication support to ovs-monitor-ipsec. >> > >2) Enable ovs-pki to generate x.509 version 3 certificate. >> > > >> > >> > Thanks for working on the series. >> > >> > Just had a general query as regards IPsec in userspace. >> > >> > I had previously looked at implementing a *rough* IPsec Tunnel >> > interface for userspace last year for OVS DPDK. I had put the work on >> > hold as DPDK has begun working on a general IPsec library which would >> > make implementation simpler and cleaner/simpler to maintain in the >> > future. Targeted for DPDK >> > 18.11 (November this year). >> > >> > Would the introduction of a specific IPsec tunnel interface still be >> > acceptable in light of this patch? 
>> > >> > There are other libraries such as macsec that DPDK has libraries for >> > as well that could be introduced in the future for user space. >> > >> > I'm just aware of the divergence of approaches between what's available >> > in kernel vs userspace so thought it was worth raising for discussion >> > at this point? >> >> Qiuyu probably doesn't have the context for this so let me respond. >> >> Ideally, I'd like to have a single IPsec tunnel configuration interface >> that works well with all datapaths. The one that Qiuyu is (re)introducing >> works for the kernel datapath. I don't know IPsec or DPDK well enough to >> guess whether changes would be needed to better adapt it to a userspace >> datapath. Do you see weaknesses in that area? >> It'd be great to get it right now, if we can. > > Ok, Cc'ing Declan who is heading up the IPsec library for DPDK. > > From the userspace POV I guess we would have to do the IPsec processing > (encryption/decryption, SA lookup/selection/installation) from when a packet > is received on the datapath (if certs had not been setup previously). This is > why I had suggested using a new tunnel type previously. The encap/decap > action can be associated with the SA actions ideally. > > We also have to think of the ofproto layer, I was thinking of the case an esp > packet is received. It would have to be classified and recirculated to be > decapped for IPsec or dropped if no SA existed. This should be fleshed out > more for sure, just wanted to highlight the broad strokes of what's involved > in userspace. > > Ian
Re: [ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption
Sure. I will document this. "ip xfrm state" also shows whether encryption is taking effect in the kernel. -Qiuyu On Thu, Jul 5, 2018 at 11:11 AM, Ben Pfaff wrote: > On Tue, Jul 03, 2018 at 01:13:05PM -0700, Ben Pfaff wrote: >> On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote: >> > This patch adds IPsec support for OVN tunnel. Basically, OVN offers a >> > binary option to its user for encryption configuration. If the IPsec >> > option is turned on, all tunnels will be encrypted. Otherwise, no tunnel >> > will be encrypted. >> > >> > The changes are summarized as below: >> > 1) Added a ipsec column on the NB_Global table and SB_Global table. The >> > value of ipsec column is propagated by ovn-northd from NB_Global to >> > SB_Global. >> > >> > 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec >> > value is true, ovn-controller sets options of the tunnel interface by >> > specifying "options:pki=ca_auth options:local_name= >> > options:remote_name=". If the ipsec value is false, >> > ovn-controller removes these options. >> > >> > 3) ovs-monitor-ipsec daemon >> > (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) >> > monitors the tunnel interface options and configures IKE daemon >> > accordingly for IPsec encryption. >> >> This is much simpler than I expected. Great. >> >> Would you mind adding something, probably to the ovn-architecture >> document, that explains the purpose for encrypted tunnels and the >> threat model? You posted a document earlier that might be a good place >> to start. >> >> The ovn-architecture document is in ovn/ovn-architecture.7.xml. > > There was a new suggestion in the OVN meeting morning, which is that it > would be valuable to document good ways to verify that encryption is > actually working and in use. I suggested using tcpdump or wireshark to > see that IPSEC traffic is really flowing, but there may be other or > better ways. 
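The exchange above asks for a documented way to confirm that encryption is really in use, and the reply names `ip xfrm state` as one such check. The following is an added example, not part of the OVN or OVS patches, that parses the text `ip -s xfrm state` prints and reports, for each expected (local, remote) chassis pair, whether an ESP security association exists in both directions and whether it has carried packets. The sample output is constructed in the iproute2 format; the addresses, SPIs and counters are invented.

```python
"""Verify that IPsec is actually in use for OVS tunnel peers.

Added example, not part of the OVN/OVS patches: parses the text printed by
`ip -s xfrm state` (iproute2 format; the sample below is constructed) and
reports, per expected (local, remote) pair, whether an ESP SA exists in both
directions and whether it has processed packets.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of `ip -s xfrm state` output.  10.0.0.1<->10.0.0.3
# carries traffic both ways; the 10.0.0.2->10.0.0.1 SA exists but is idle.
SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0xc1a2b3c4 reqid 1 mode transport
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      184320(bytes), 1440(packets)
      add 2018-07-05 11:11:11 use 2018-07-05 11:11:12
    stats:
      replay-window 0 replay 0 failed 0
src 10.0.0.2 dst 10.0.0.1
    proto esp spi 0xd4e5f607 reqid 1 mode transport
    lifetime current:
      0(bytes), 0(packets)
src 10.0.0.1 dst 10.0.0.3
    proto esp spi 0x0a0b0c0d reqid 2 mode transport
    lifetime current:
      51200(bytes), 400(packets)
src 10.0.0.3 dst 10.0.0.1
    proto esp spi 0x01020304 reqid 2 mode transport
    lifetime current:
      49920(bytes), 390(packets)
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
SA_CURRENT = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")


def parse_xfrm_state(text: str) -> List[Dict]:
    """Split the output into SAs: src, dst, proto, spi, mode, bytes, packets."""
    sas: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)      # an unindented "src ... dst ..." starts an SA
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "spi": None, "mode": None, "bytes": 0, "packets": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_PROTO.search(line)
        if m:
            cur["proto"], cur["spi"], cur["mode"] = m.group(1), m.group(2), m.group(4)
            continue
        m = SA_CURRENT.search(line)    # "(INF)(bytes)" limit lines have no digits: skipped
        if m:
            cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
    return sas


def verify_tunnel_peers(sas: List[Dict],
                        peers: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Status per (local, remote): 'ok' when an ESP SA exists in both directions
    and both have processed packets, 'no-traffic' when an SA is present but idle
    in some direction, 'missing' when a direction has no SA at all."""
    esp = {(s["src"], s["dst"]): s for s in sas if s["proto"] == "esp"}
    status: Dict[Tuple[str, str], str] = {}
    for local, remote in peers:
        outbound, inbound = esp.get((local, remote)), esp.get((remote, local))
        if outbound is None or inbound is None:
            status[(local, remote)] = "missing"
        elif outbound["packets"] == 0 or inbound["packets"] == 0:
            status[(local, remote)] = "no-traffic"
        else:
            status[(local, remote)] = "ok"
    return status


if __name__ == "__main__":
    # On a real host: text = subprocess.run(["ip", "-s", "xfrm", "state"],
    #                                       capture_output=True, text=True).stdout
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    peers = [("10.0.0.1", "10.0.0.2"), ("10.0.0.1", "10.0.0.3"), ("10.0.0.1", "10.0.0.4")]
    for pair, result in verify_tunnel_peers(sas, peers).items():
        print(pair, result)
```

A single snapshot only proves that SAs exist and have been used at some point; to confirm that current tunnel traffic is encrypted, take two snapshots a few seconds apart while traffic flows and check that the packet counters grow, and pair this with the tcpdump check suggested above (ESP on the wire, no Geneve/VXLAN/STT payload visible between the chassis addresses).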
Re: [ovs-dev] [PATCH 1/3] ipsec: reintroduce IPsec support for tunneling
Thanks! I will improve the patch based on the suggestions and will post it soon. -Qiuyu On Tue, Jul 3, 2018 at 1:00 PM, Ben Pfaff wrote: > On Wed, Jun 27, 2018 at 10:58:42AM -0700, Qiuyu Xiao wrote: >> From: Ansis Atteka >> >> This patch reintroduces ovs-monitor-ipsec daemon that >> was previously removed by commit 2b02d770 ("openvswitch: >> Allow external IPsec tunnel management.") >> >> The reason for removal at the time was that there were IPsec >> flavoured tunnel types, like ipsec_gre, that consumed for >> themselves the least significant bit of SKB mark irrelevant >> whether Open vSwitch users were using IPsec or not. >> >> After this patch, there are no IPsec flavored tunnels anymore. >> IPsec is enabled by setting up the right values in: >> 1. OVSDB:Interface:options column; >> 2. OVSDB:Open_vSwitch:other_config column; >> 3. OpenFlow pipeline. >> >> Signed-off-by: Ansis Atteka > > Thanks for working on this. > > You should add your own Signed-off-by line just after Ansis's. > > Aaron gave some helpful comments. I hope you will consider them. > > The documentation has some odd ... paragraphs in it. Do you > think that there is missing documentation? Maybe they can just be > deleted.
Re: [ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption
Thanks for the review! I will work on adding this documentation soon. -Qiuyu On Tue, Jul 3, 2018 at 1:13 PM, Ben Pfaff wrote: > On Mon, Jul 02, 2018 at 02:50:04PM -0700, Qiuyu Xiao wrote: >> This patch adds IPsec support for OVN tunnel. Basically, OVN offers a >> binary option to its user for encryption configuration. If the IPsec >> option is turned on, all tunnels will be encrypted. Otherwise, no tunnel >> will be encrypted. >> >> The changes are summarized as below: >> 1) Added an ipsec column on the NB_Global table and SB_Global table. The >> value of ipsec column is propagated by ovn-northd from NB_Global to >> SB_Global. >> >> 2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec >> value is true, ovn-controller sets options of the tunnel interface by >> specifying "options:pki=ca_auth options:local_name= >> options:remote_name=". If the ipsec value is false, >> ovn-controller removes these options. >> >> 3) ovs-monitor-ipsec daemon >> (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) >> monitors the tunnel interface options and configures IKE daemon >> accordingly for IPsec encryption. > > This is much simpler than I expected. Great. > > Would you mind adding something, probably to the ovn-architecture > document, that explains the purpose for encrypted tunnels and the > threat model? You posted a document earlier that might be a good place > to start. > > The ovn-architecture document is in ovn/ovn-architecture.7.xml.
[ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption
This patch adds IPsec support for OVN tunnel. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted.

The changes are summarized as below:

1) Added an ipsec column on the NB_Global table and SB_Global table. The value of ipsec column is propagated by ovn-northd from NB_Global to SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options of the tunnel interface by specifying "options:pki=ca_auth options:local_name= options:remote_name=". If the ipsec value is false, ovn-controller removes these options.

3) ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures IKE daemon accordingly for IPsec encryption.

--- ovn/controller/encaps.c | 14 +++--- ovn/controller/encaps.h | 5 - ovn/controller/ovn-controller.c | 3 ++- ovn/northd/ovn-northd.c | 8 ++-- ovn/ovn-nb.ovsschema| 7 --- ovn/ovn-nb.xml | 6 ++ ovn/ovn-sb.ovsschema| 7 --- ovn/ovn-sb.xml | 6 ++ 8 files changed, 43 insertions(+), 13 deletions(-) diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..d122e7c9b 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,7 +79,8 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *local_chassis_id, const char *new_chassis_id, const struct sbrec_encap *encap) { struct smap options = SMAP_INITIALIZER(); 
@@ -89,6 +90,12 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, if (csum && (!strcmp(csum, "true") || !strcmp(csum, "false"))) { smap_add(, "csum", csum); } +/* Add auth info if ipsec is enabled. */ +if (sbg->ipsec) { +smap_add(, "pki", "ca_auth"); +smap_add(, "local_name", local_chassis_id); +smap_add(, "remote_name", new_chassis_id); +} /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing @@ -157,7 +164,8 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg) { if (!ovs_idl_txn || !br_int) { return; @@ -209,7 +217,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } -tunnel_add(, chassis_rec->name, encap); +tunnel_add(, sbg, chassis_id, chassis_rec->name, encap); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..da12bfc3b 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h @@ -23,13 +23,16 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, -const char *chassis_id); +const char *chassis_id, +const struct sbrec_sb_global *); + bool encaps_cleanup(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge *br_int); diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c index 6ee72a9fa..10fbc879c 100644 --- a/ovn/controller/ovn-controller.c +++ b/ovn/controller/ovn-controller.c 
@@ -679,7 +679,8 @@ main(int argc, char *argv[]) chassis_id, br_int); encaps_run(ovs_idl_txn, ovsrec_bridge_table_get(ovs_idl_loop.idl), br_int, - sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id); + sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id, + sbrec_sb_global_first(ovnsb_idl_loop.idl)); bfd_calculate_active_tunnels(br_int, _tunnels); binding_run(ovnsb_idl_txn, ovs_idl_txn, sbrec_chassis_by_name, sbrec_datapath_binding_by_key, diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 74eefc6ca..51f1671cd 100644 --- a/ovn/northd/ovn-northd.c +++
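Review bot: `sbrec_sb_global_first(ovnsb_idl_loop.idl)` in the ovn-controller.c hunk can return NULL when the SB_Global table has no row yet (for example before ovn-northd has populated the southbound database), and `tunnel_add()` in the encaps.c hunk then dereferences it unconditionally in `if (sbg->ipsec)`. Either guard the dereference (`if (sbg && sbg->ipsec)`) or have `encaps_run()` return early when `sbg` is NULL; as written, a missing SB_Global row would crash ovn-controller on every chassis at start-up.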
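Review bot: the `pki`/`local_name`/`remote_name` options in the `tunnel_add()` hunk are only added when `sbg->ipsec` is set, so flipping the column back to false relies on the "existing chassis record that does not need any change" comparison below the hunk noticing the dropped options and recreating the tunnel port. That is the moment traffic goes back to clear text, so it deserves a sentence in the commit message and a test that toggles the column both ways and checks the interface options, not just the true case.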
Re: [ovs-dev] [PATCH 2/3] ipsec: add CA-cert based authentication
Hi Aaron, Thanks for your comments! On Wed, Jun 27, 2018 at 1:12 PM, Aaron Conole wrote: > > Qiuyu Xiao writes: > > > This patch adds CA-cert based authentication to the ovs-monitor-ipsec > > daemon. With CA-cert based authentication enabled, OVS approves IPsec > > tunnel if the peer has a cert signed by a trusted CA and the identity of > > the peer cert is as expected. Belows are the major changes and the > > reasons: > > > > 1) Added CA-cert based authentication. Compared with peer-cert based > > authentication, this one doesn't need to import peer cert to the local > > host to do configuration. This is especially beneficial if host has > > mutiple peers and peers frequently update their certs. This feature is > > required for the upcoming OVN IPsec support. > > > > 2) Changed the host cert and private key configuration interface. > > Previously, the host's cert and private key can be configured in either > > Open_vSwitch's SSL column or the SSL table. Now, the host certificate > > and private key can be only configured in the Open_vSwitch table's > > other_config column. Since it is not SSL cert and key, we'd better not > > to confuse users by saying so. > > > > 3) Changed the peer cert configuration interface. Previously, the peer > > cert is configured by setting the interface's options column as the > > content of the peer cert. It's changed to setting the column as the path > > of the peer cert. This is easier to be configured by the command line > > tool, and is consistent with other cert and key configuration interface > > which is better from a usability point of view. > > > > Signed-off-by: Qiuyu Xiao > > --- > > Documentation/howto/ipsec.rst | 78 --- > > ipsec/ovs-monitor-ipsec | 138 +- > > 2 files changed, 156 insertions(+), 60 deletions(-) > > > > diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst > > index 4e4f4d211..b42312da5 100644 > > --- a/Documentation/howto/ipsec.rst > > +++ b/Documentation/howto/ipsec.rst 
> > @@ -21,9 +21,9 @@ > > > >Avoid deeper levels because they do not render well. > > > > -== > > -How to Encrypt Open vSwitch Tunnels with IPsec > > -== > > +=== > > +Encrypt Open vSwitch Tunnels with IPsec > > +=== > > It seems odd to introduce something and then cut it in the very next > patch. Please don't do this. Most of the diffs in this file can be > folded into patch 1/3 - please do that instead of fixing things later in > the series. Patch 1/3 is from Ansis. I separated the patches so he will know the changes I made. But it makes sense to make 1/3 and 2/3 a single patch. I will change that in the next version. > > > > This document describes how to use Open vSwitch integration with strongSwan > > 5.1 or later to provide IPsec security for STT, GENEVE, GRE and VXLAN > > tunnels. 
> > @@ -77,6 +77,67 @@ Install strongSwan and openvswitch-ipsec debian > > packages:: > > Configuration > > - > > > > +The IPsec configuration is done by setting options of the tunnel interface. > > +ovs-monitor-ipsec configures strongSwan accordingly based on the tunnel > > options. > > + > > +Authentication Methods > > +~~ > > + > > +Hosts of the IPsec tunnel need to authenticate each other to build a secure > > +channel. There are three authentication methods: > > + > > +1) You can set a pre-shared key in both hosts to do authentication. This > > + method is easier to use but less secure:: > > + > > + % ovs-vsctl add-port br0 ipsec_gre0 -- \ > > + set interface ipsec_gre0 type=gre \ > > + options:remote_ip=1.2.3.4 \ > > + options:psk=swordfish]) > > + > > +2) You can use peer certificates to do authentication. First, generate > > + certificate and private key in each host. The certificate could be > > + self-signed. Refer to the ovs-pki(8) man page for more information > > + regarding certificate and key generation. Then, copy the peer > > certificate > > + to the local host and type:: > > + > > + % ovs-vsctl set Open_vSwitch . \ > > + other_config:certificate=/path/to/local_cert.pem \ > > + other_config:private_key=/path/to/priv_key.pem > >
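Review bot: the PSK example in the quoted Configuration hunk ends with `options:psk=swordfish])`; the trailing `])` looks like autotest macro residue carried over from tests/ovs-monitor-ipsec.at and should be dropped, since readers will paste the command exactly as the howto shows it.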
Re: [ovs-dev] [PATCH 0/3] IPsec support for tunneling
Hi Aaron, I made some changes to the interface of the ovs-monitor-ipsec configuration, that is why the tests all failed. I am waiting for Ansis' review for the patch. If he agrees the change, I will change the test script as well. That will fix this. BTW, 0-day robot is really cool! Sorry to trigger so many complaints. Regards, Qiuyu On Wed, Jun 27, 2018 at 12:41 PM, Aaron Conole wrote: > Qiuyu Xiao writes: > > > This patch series reintroduce IPsec support for OVS tunneling and adds > new > > features to prepare for the OVN IPsec support. The new features are: > > > > 1) Add CA-cert based authentication support to ovs-monitor-ipsec. > > 2) Enable ovs-pki to generate x.509 version 3 certificate. > > > > Ansis Atteka (1): > > ipsec: reintroduce IPsec support for tunneling > > > > Qiuyu Xiao (2): > > ipsec: add CA-cert based authentication > > ovs-pki: generate x.509 v3 certificate > > When the bot tested this, all of the IPSec tests failed. I had disabled > the bot's report to the list. > > ovs-monitor-ipsec (XFRM) > > 876: Parse "ip xfrm policy" output FAILED ( > ovs-monitor-ipsec.at:145) > 877: Parse "ip xfrm state" outputFAILED ( > ovs-monitor-ipsec.at:175) > > ovs-monitor-ipsec (strongSwan) > > 878: Ignore non-IPsec tunnelsFAILED ( > ovs-monitor-ipsec.at:195) > 879: Parse "ipsec status" output FAILED ( > ovs-monitor-ipsec.at:226) > 880: ipsec_gre with PSK authentication FAILED ( > ovs-monitor-ipsec.at:243) > 881: ipsec_stt with PSK authentication FAILED ( > ovs-monitor-ipsec.at:317) > 882: ipsec_geneve with PSK authenticationFAILED ( > ovs-monitor-ipsec.at:400) > 883: ipsec_vxlan with PSK authentication FAILED ( > ovs-monitor-ipsec.at:483) > 884: ipsec_gre with PKI authentication (use_ssl_cert) FAILED ( > ovs-monitor-ipsec.at:570) > 885: ipsec_gre with PKI authentication FAILED ( > ovs-monitor-ipsec.at:649) > 886: ipsec_gre and ipsec_stt to two different hosts FAILED ( > ovs-monitor-ipsec.at:727) > 887: ipsec_gre and ipsec_stt to the same hostFAILED ( > 
ovs-monitor-ipsec.at:816) > 888: Sequence of IPsec tunnel reconfiguration events FAILED ( > ovs-monitor-ipsec.at:907) > > I have the complete dist directory saved off (which includes the > testsuite.dir) if you'd like to see it. > > > Documentation/automake.mk|1 + > > Documentation/howto/index.rst|1 + > > Documentation/howto/ipsec.rst| 259 +++ > > Makefile.am |1 + > > debian/automake.mk |3 + > > debian/control | 21 + > > debian/openvswitch-ipsec.dirs|1 + > > debian/openvswitch-ipsec.init| 189 ++ > > debian/openvswitch-ipsec.install |1 + > > ipsec/automake.mk|9 + > > ipsec/ovs-monitor-ipsec | 763 + > > tests/automake.mk|1 + > > tests/ovs-monitor-ipsec.at | 1076 ++ > > tests/testsuite.at |1 + > > utilities/ovs-pki.in | 18 +- > > vswitchd/vswitch.xml | 83 ++- > > 16 files changed, 2421 insertions(+), 7 deletions(-) > > create mode 100644 Documentation/howto/ipsec.rst > > create mode 100644 debian/openvswitch-ipsec.dirs > > create mode 100644 debian/openvswitch-ipsec.init > > create mode 100644 debian/openvswitch-ipsec.install > > create mode 100644 ipsec/automake.mk > > create mode 100755 ipsec/ovs-monitor-ipsec > > create mode 100644 tests/ovs-monitor-ipsec.at > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH 3/3] ovs-pki: generate x.509 v3 certificate
This patch modifies ovs-pki to generate x.509 version 3 certificate. Compared with the x.509 v1 certificate generated by ovs-pki, version 3 certificate adds subjectAltName field and sets its value the same as common name (CN). The main reason for this change is to enable strongSwan IKE daemon to extract certificate identity string from the subjectAltName field, which makes OVN IPsec implementation easier. Signed-off-by: Qiuyu Xiao --- utilities/ovs-pki.in | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..1b6681d3a 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy# default policy email_in_dn= no# Don't add the email into cert DN name_opt = ca_default# Subject name display option cert_opt = ca_default# Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no# Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName= match organizationalUnitName = optional commonName = supplied emailAddress= optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi @@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 -openssl ca -config ca.cnf -create_serial -out cacert.pem \ +openssl ca -config ca.cnf -create_serial \ +-extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US 
@@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } -- 2.17.1 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
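Review bot: `copy_extensions = copy` in the ca.cnf hunk makes the CA copy every extension from a certificate request, not only subjectAltName. The `[ usr_cert ]` section's `basicConstraints=CA:false` does override a request-supplied `CA:TRUE` (with `copy`, extensions already set from the config file win), but a request can still carry other extensions such as keyUsage, extendedKeyUsage or extra subjectAltName entries into a CA-signed certificate, which matters once strongSwan takes the peer identity from the SAN. Consider having the CA set subjectAltName itself from the request's CN instead of copying it, or at least state in the commit message that the CA must only sign requests produced by ovs-pki. Separately, now that the CA certificate is v3, `[ ca_cert ]` should also carry `keyUsage = critical, keyCertSign, cRLSign`; RFC 5280 requires keyUsage with keyCertSign on a CA certificate and some validators reject a v3 CA certificate without it.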
[ovs-dev] [PATCH 2/3] ipsec: add CA-cert based authentication
This patch adds CA-cert based authentication to the ovs-monitor-ipsec daemon. With CA-cert based authentication enabled, OVS approves IPsec tunnel if the peer has a cert signed by a trusted CA and the identity of the peer cert is as expected. Belows are the major changes and the reasons: 1) Added CA-cert based authentication. Compared with peer-cert based authentication, this one doesn't need to import peer cert to the local host to do configuration. This is especially beneficial if host has mutiple peers and peers frequently update their certs. This feature is required for the upcoming OVN IPsec support. 2) Changed the host cert and private key configuration interface. Previously, the host's cert and private key can be configured in either Open_vSwitch's SSL column or the SSL table. Now, the host certificate and private key can be only configured in the Open_vSwitch table's other_config column. Since it is not SSL cert and key, we'd better not to confuse users by saying so. 3) Changed the peer cert configuration interface. Previously, the peer cert is configured by setting the interface's options column as the content of the peer cert. It's changed to setting the column as the path of the peer cert. This is easier to be configured by the command line tool, and is consistent with other cert and key configuration interface which is better from a usability point of view. Signed-off-by: Qiuyu Xiao --- Documentation/howto/ipsec.rst | 78 --- ipsec/ovs-monitor-ipsec | 138 +- 2 files changed, 156 insertions(+), 60 deletions(-) diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst index 4e4f4d211..b42312da5 100644 --- a/Documentation/howto/ipsec.rst +++ b/Documentation/howto/ipsec.rst 
@@ -21,9 +21,9 @@ Avoid deeper levels because they do not render well. -== -How to Encrypt Open vSwitch Tunnels with IPsec -== +=== +Encrypt Open vSwitch Tunnels with IPsec +=== This document describes how to use Open vSwitch integration with strongSwan 5.1 or later to provide IPsec security for STT, GENEVE, GRE and VXLAN tunnels. 
@@ -77,6 +77,67 @@ Install strongSwan and openvswitch-ipsec debian packages:: Configuration - +The IPsec configuration is done by setting options of the tunnel interface. +ovs-monitor-ipsec configures strongSwan accordingly based on the tunnel options. + +Authentication Methods +~~ + +Hosts of the IPsec tunnel need to authenticate each other to build a secure +channel. There are three authentication methods: + +1) You can set a pre-shared key in both hosts to do authentication. This + method is easier to use but less secure:: + + % ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:remote_ip=1.2.3.4 \ + options:psk=swordfish]) + +2) You can use peer certificates to do authentication. First, generate + certificate and private key in each host. The certificate could be + self-signed. Refer to the ovs-pki(8) man page for more information + regarding certificate and key generation. Then, copy the peer certificate + to the local host and type:: + + % ovs-vsctl set Open_vSwitch . \ + other_config:certificate=/path/to/local_cert.pem \ + other_config:private_key=/path/to/priv_key.pem + % ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:remote_ip=1.2.3.4 \ + options:pki=peer_auth \ + options:peer_cert=/path/to/peer_cert.pem + + `local_cert.pem` is the certificate of the local host. `priv_key.pem` + is the private key of the local host. `priv_key.pem` needs to be stored in + a secure location. `peer_cert.pem` is the certificate of the remote host. + +3) You can also use CA certificate to do authentication. First, you need to + establish your public key infrastructure. The certificate of each host + needs to be signed by the CA certificate. Refer to the ovs-pki(8) man page + for more information regarding PKI establishment. Then, copy the CA + certificate to the local host and type:: + + % ovs-vsctl set Open_vSwitch . 
\ + other_config:certificate=/path/to/local_cert.pem \ + other_config:private_key=/path/to/priv_key.pem \ + other_config:ca_cert=/path/to/ca_cert.pem + % ovs-vsctl add-port br0 ipsec_gre0 -- \ + set interface ipsec_gre0 type=gre \ + options:remote_ip=1.2.3.4 \ + options:pki=ca_auth
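Review bot: "easier to use but less secure" in the Authentication Methods hunk should say why, so administrators can judge the trade-off: the pre-shared key is stored in clear text in the Interface options column, so anyone who can read OVSDB (`ovs-vsctl list Interface`) can read it and impersonate either host, and a single shared key has to be rotated on both ends at once. One extra sentence after the PSK example would cover this; the hunk already says that `priv_key.pem` needs a secure location, and the PSK deserves the same treatment.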
[ovs-dev] [PATCH 1/3] ipsec: reintroduce IPsec support for tunneling
From: Ansis Atteka This patch reintroduces ovs-monitor-ipsec daemon that was previously removed by commit 2b02d770 ("openvswitch: Allow external IPsec tunnel management.") The reason for removal at the time was that there were IPsec flavoured tunnel types, like ipsec_gre, that consumed for themselves the least significant bit of SKB mark irrelevant whether Open vSwitch users were using IPsec or not. After this patch, there are no IPsec flavored tunnels anymore. IPsec is enabled by setting up the right values in: 1. OVSDB:Interface:options column; 2. OVSDB:Open_vSwitch:other_config column; 3. OpenFlow pipeline. Signed-off-by: Ansis Atteka --- Documentation/automake.mk|1 + Documentation/howto/index.rst|1 + Documentation/howto/ipsec.rst| 199 ++ Makefile.am |1 + debian/automake.mk |3 + debian/control | 21 + debian/openvswitch-ipsec.dirs|1 + debian/openvswitch-ipsec.init| 189 ++ debian/openvswitch-ipsec.install |1 + ipsec/automake.mk|9 + ipsec/ovs-monitor-ipsec | 727 tests/automake.mk|1 + tests/ovs-monitor-ipsec.at | 1076 ++ tests/testsuite.at |1 + vswitchd/vswitch.xml | 83 ++- 15 files changed, 2310 insertions(+), 4 deletions(-) create mode 100644 Documentation/howto/ipsec.rst create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 ipsec/automake.mk create mode 100755 ipsec/ovs-monitor-ipsec create mode 100644 tests/ovs-monitor-ipsec.at diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 2202df45b..3a505924a 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -59,6 +59,7 @@ DOC_SOURCE = \ Documentation/howto/docker.rst \ Documentation/howto/dpdk.rst \ Documentation/howto/firewalld.rst \ + Documentation/howto/ipsec.rst \ Documentation/howto/kvm.rst \ Documentation/howto/libvirt.rst \ Documentation/howto/selinux.rst \ 
diff --git a/Documentation/howto/index.rst b/Documentation/howto/index.rst index 201d6936b..9a3487be3 100644 --- a/Documentation/howto/index.rst +++ b/Documentation/howto/index.rst @@ -37,6 +37,7 @@ OVS :maxdepth: 2 kvm + ipsec selinux libvirt ssl diff --git a/Documentation/howto/ipsec.rst b/Documentation/howto/ipsec.rst new file mode 100644 index 0..4e4f4d211 --- /dev/null +++ b/Documentation/howto/ipsec.rst 
@@ -0,0 +1,199 @@ +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + + Convention for heading levels in Open vSwitch documentation: + + === Heading 0 (reserved for the title in a document) + --- Heading 1 + ~~~ Heading 2 + +++ Heading 3 + ''' Heading 4 + + Avoid deeper levels because they do not render well. + +== +How to Encrypt Open vSwitch Tunnels with IPsec +== + +This document describes how to use Open vSwitch integration with strongSwan +5.1 or later to provide IPsec security for STT, GENEVE, GRE and VXLAN tunnels. +This document assumes that you have already installed Open vSwitch. + + +Limitations +--- + +There are several limitations: + +1) Currently only Debian-based platforms are supported. + +2) There is no backwards compatibility with the old IPsec implementation + that uses Racoon instead of strongSwan for IKE keying. + +3) Some older Open vSwitch datapath kernel modules (in Linux Kernel tree) + do not support route lookups with transport L4 ports properly. In + this case Ethernet over L4 tunneling protocols (e.g. STT, GENEVE) + would not work. However, GRE would still work because it does not + have concept of L4 ports. + +4) Some strongSwan versions might not support certain features. For + example: + + a) AES GCM ciphers that improve performance. + b) xfrm_acq_expires setting in strongSwan configuration file. + This setting tells strongSwan how aggressively to retry + establishing tunnel, if peer did not respond to previous keying + request. 
+ c) set_proto_port_transport_sa in charon configuration file that tells + Linux Kernel to filter
[ovs-dev] [PATCH 0/3] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and adds new
features to prepare for the OVN IPsec support. The new features are:

1) Add CA-cert based authentication support to ovs-monitor-ipsec.
2) Enable ovs-pki to generate x.509 version 3 certificate.

Ansis Atteka (1):
  ipsec: reintroduce IPsec support for tunneling

Qiuyu Xiao (2):
  ipsec: add CA-cert based authentication
  ovs-pki: generate x.509 v3 certificate

 Documentation/automake.mk        |    1 +
 Documentation/howto/index.rst    |    1 +
 Documentation/howto/ipsec.rst    |  259 +++
 Makefile.am                      |    1 +
 debian/automake.mk               |    3 +
 debian/control                   |   21 +
 debian/openvswitch-ipsec.dirs    |    1 +
 debian/openvswitch-ipsec.init    |  189 ++
 debian/openvswitch-ipsec.install |    1 +
 ipsec/automake.mk                |    9 +
 ipsec/ovs-monitor-ipsec          |  763 +
 tests/automake.mk                |    1 +
 tests/ovs-monitor-ipsec.at       | 1076 ++
 tests/testsuite.at               |    1 +
 utilities/ovs-pki.in             |   18 +-
 vswitchd/vswitch.xml             |   83 ++-
 16 files changed, 2421 insertions(+), 7 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 tests/ovs-monitor-ipsec.at

-- 
2.17.1
Re: [ovs-dev] encrypting only some traffic (was: OVN: Encrypt tunnel traffic with IPsec)
Thanks for your comments!

> For #1 and #2 you would not need skb mark at all. Are you considering these
> two approaches as well?

My current proposal will implement #1. #2 is also a nice feature to have! To
enable #2, the northbound and southbound database can include information that
dictates which pair of transport nodes requires encryption. Then the OVN
controller can set tunnel options accordingly.

> I think you are proposing #3 here. It is the most fine grained. However, it
> would require to use "opportunistic packet authentication" and expose Open
> vSwitch code to potential attackers, because the IPsec stack will have to
> let through packets that are not signed.

Do you mean the IPsec stack in the sending side will let packets through
without being signed?

> In other words, instead of letting IPsec stack to drop malicious packets you
> will require OpenFlow rule to do that. Probably based on skb mark in match
> part.

In the receiving side, if the IPsec stack can set skb mark for the decrypted
packets from a logical network, then OpenFlow rules can be set to drop those
packets without the mark. Do you know whether the IPsec stack can do this?

-Qiuyu
[ovs-dev] OVN: Encrypt tunnel traffic with IPsec
Hi everyone,

I am writing this email to propose adding encryption support to OVN tunnel.
The plan is described as below. Any feedback and suggestions are appreciated!

Regards,
Qiuyu Xiao

Motivation
----------

OVN tunnel traffic goes through physical routers and switches. These physical
devices could be untrusted (devices in public network) or might be
compromised. Adding encryption support to the tunnel traffic can prevent the
traffic data from being monitored and manipulated.

Design
------

OVN gives an option to the Cloud Management System (CMS) to indicate whether
tunnel encryption should be enforced or not. If tunnel encryption is set, all
tunnel traffic between chassis is encrypted.

IPsec is used to encrypt tunnel traffic. IPsec policy can be set to match
traffic based on L4 protocol and port information, so we can set policy to
only encrypt GENEVE, STT, and VXLAN tunnel traffic without introducing extra
overhead.

The authentication between chassis is done by using PKI. Role-based access
control for southbound DB already requires installing certificate and private
key for each chassis. The same certificate and private key can be used by
IPsec IKE daemon.

Implementation plan
-------------------

1) database

In the northbound DB NB_Global table and the southbound DB SB_Global table,
add an "ipsec" column of boolean type to record the tunnel encryption setting.

2) ovn-northd

ovn-northd monitors the state of the "ipsec" column in NB_Global and
populates the change to the "ipsec" column in SB_Global.

3) ovn-controller

Based on the "ipsec" column in SB_Global, ovn-controller sets options of the
tunnel interface to indicate whether the tunnel traffic should be encrypted
or not.

4) ovs-monitor-ipsec daemon

ovs-monitor-ipsec
(https://mail.openvswitch.org/pipermail/ovs-dev/2015-June/299669.html) was
used to configure StrongSwan IKE keying daemon by monitoring the tunnel
options. It configures StrongSwan to do authentication based on peer
certificate. A preferable solution is to enable CA-based authentication so
that each chassis only needs to store its own certificate and the CA's
certificate.

5) ovs-pki

Change ovs-pki to generate x509v3 certificate of which the subjectAltName
field contains the chassis name. StrongSwan extracts the certificate identity
string from the Distinguished Name (DN) field or the subjectAltName field. DN
includes other information besides the chassis name (in the Common Name
field). By using subjectAltName to store the chassis name, we don't need to
populate other information from DN to the southbound DB.

Discussion
----------

The current proposal only allows CMS to choose either encrypting all tunnel
traffic or not. A more flexible design allows CMS to define that only the
tunnel traffic from certain logical networks should be encrypted. To enable
this, the IPsec stack needs to differentiate tunnel traffic from different
logical networks. The kernel IPsec module cannot match packets based on the
tunnel header. In the sending side, OVS can use skb mark to tag the tunnel
traffic and the IPsec module can decide whether to encrypt the packet based on
the mark. I am not so sure whether the skb mark information will be carried
and transmitted to the receiving side or not. If not, an adversary can inject
unencrypted fake packets to the protected flow without being detected by the
IPsec module.
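An added example, not code from OVN or ovs-monitor-ipsec, that walks the design above end to end: ovn-controller's toggling of the tunnel options from the ipsec flag, the required keys for the three authentication methods described in the series, and the per-tunnel-type L4 selector that lets IPsec protect only the encapsulated traffic. The option and other_config names are the ones the patches use; the ipsec.conf-style output keys, transport mode, %defaultroute and the IANA/OVS port numbers are my assumptions, not the daemon's real output.

```python
"""Map OVS tunnel interface options to an IKE connection description.

Added example: NOT code from ovs-monitor-ipsec or OVN.  Option names
(remote_ip, psk, pki, peer_cert, local_name, remote_name) and other_config
keys (certificate, private_key, ca_cert) are taken from the patches in this
thread; the ipsec.conf-style output keys are simplified assumptions.
"""

# IPsec selectors that match only the tunnel encapsulation, so other traffic
# between the two hosts is left alone (the design matches on L4 protocol and
# port).  Ports are the standard GENEVE/VXLAN/STT ones (assumed); GRE has no
# ports and is matched by IP protocol alone.
TUNNEL_SELECTORS = {
    "geneve": "udp/6081",
    "vxlan": "udp/4789",
    "stt": "tcp/7471",
    "gre": "gre",
}

PKI_OPTIONS = ("pki", "local_name", "remote_name")


class ConfigError(ValueError):
    """Raised when tunnel options are inconsistent or incomplete."""


def ovn_tunnel_options(ipsec_enabled, local_chassis, remote_chassis, base=None):
    """Mimic the RFC's ovn-controller change: when SB_Global.ipsec is true,
    add pki=ca_auth plus both chassis names; otherwise strip those options."""
    opts = dict(base or {})
    for key in PKI_OPTIONS:
        opts.pop(key, None)
    if ipsec_enabled:
        opts.update(pki="ca_auth", local_name=local_chassis,
                    remote_name=remote_chassis)
    return opts


def auth_method(options, other_config):
    """Return "psk", "peer_auth", "ca_auth", or None for a plain tunnel.

    Raises ConfigError on conflicting or incomplete settings instead of
    silently falling back to a weaker method or an unencrypted tunnel.
    """
    has_psk = "psk" in options
    pki = options.get("pki")
    if has_psk and pki:
        raise ConfigError("psk and pki are mutually exclusive")
    if has_psk:
        if not options["psk"]:
            raise ConfigError("empty psk")
        return "psk"
    if pki is None:
        return None
    # Both certificate methods need the host's own certificate and key.
    for key in ("certificate", "private_key"):
        if key not in other_config:
            raise ConfigError("other_config:%s is required for pki=%s" % (key, pki))
    if pki == "peer_auth":
        if "peer_cert" not in options:
            raise ConfigError("options:peer_cert is required for pki=peer_auth")
        return "peer_auth"
    if pki == "ca_auth":
        if "ca_cert" not in other_config:
            raise ConfigError("other_config:ca_cert is required for pki=ca_auth")
        if not (options.get("local_name") and options.get("remote_name")):
            raise ConfigError("local_name and remote_name identify the peers")
        return "ca_auth"
    raise ConfigError("unknown pki value %r" % pki)


def ike_connection(name, tunnel_type, options, other_config):
    """Build an ipsec.conf-style conn (as a dict) for one tunnel interface.

    Transport mode with a protocol/port selector is assumed so that only the
    encapsulated traffic is protected.  Returns (conn, secret): secret is the
    PSK destined for ipsec.secrets, or None.  (None, None) means no IPsec.
    """
    if tunnel_type not in TUNNEL_SELECTORS:
        raise ConfigError("unsupported tunnel type %r" % tunnel_type)
    if "remote_ip" not in options:
        raise ConfigError("options:remote_ip is required")
    method = auth_method(options, other_config)
    if method is None:
        return None, None
    selector = TUNNEL_SELECTORS[tunnel_type]
    conn = {
        "conn": name,
        "type": "transport",
        "left": "%defaultroute",  # the thread's choice: no fixed local IP
        "right": options["remote_ip"],
        "leftprotoport": selector,
        "rightprotoport": selector,
    }
    secret = None
    if method == "psk":
        conn["authby"] = "psk"
        secret = options["psk"]  # stored in clear text in OVSDB, hence "less secure"
    else:
        conn["leftcert"] = other_config["certificate"]
        conn["leftauth"] = conn["rightauth"] = "pubkey"
        if method == "peer_auth":
            conn["rightcert"] = options["peer_cert"]  # pinned peer certificate
        else:
            # CA auth: trust anchor plus the identity the ovs-pki v3 change puts
            # in subjectAltName (DNS:<cn>), which must equal remote_name.
            conn["cacert"] = other_config["ca_cert"]  # simplified key name
            conn["leftid"] = options["local_name"]
            conn["rightid"] = options["remote_name"]
    return conn, secret
```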
[ovs-dev] [PATCH] datapath: add transport ports in route lookup to enable IPsec policy match.
This patch adds transport ports information for route lookup so that IPsec can select tunnel traffic (geneve, stt, vxlan) to do encryption. The patch was tested for geneve, stt, and vxlan tunnel and the results show that IPsec policy can be set to only match the corresponding tunnel traffic. Signed-off-by: Qiuyu Xiao --- datapath/linux/compat/geneve.c | 29 +++-- datapath/linux/compat/stt.c| 15 ++- datapath/linux/compat/vxlan.c | 14 -- 3 files changed, 41 insertions(+), 17 deletions(-) diff --git a/datapath/linux/compat/geneve.c b/datapath/linux/compat/geneve.c index 435a23f..95a665d 100644 --- a/datapath/linux/compat/geneve.c +++ b/datapath/linux/compat/geneve.c @@ -836,7 +836,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -850,6 +851,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -895,7 +898,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { bool use_cache = ip_tunnel_dst_cache_usable(skb, info); struct geneve_dev *geneve = netdev_priv(dev); @@ -911,6 +915,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; 
@@ -1005,13 +1011,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1097,13 +1103,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, , info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); iip = ip_hdr(skb); @@ -1232,13 +1238,17 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt; struct flowi4 fl4; + __be16 sport; #if IS_ENABLED(CONFIG_IPV6) struct dst_entry *dst; struct flowi6 fl6; #endif + sport = udp_flow_src_port(geneve->net, skb, +1, USHRT_MAX, true); + if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, , info); + rt = geneve_get_v4_rt(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1246,7 +1256,7 @@ int ovs_geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, , info); + dst = geneve_get_v6_dst(skb, dev, , info, geneve->dst_port, sport); if (IS_ERR(dst)) return PTR_ERR(dst); @@ -1257,8 +1267,7 @@
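Review bot: the route lookups in the geneve_get_v4_rt() and geneve_get_v6_dst() hunks now carry `fl4_dport`/`fl4_sport` (and the v6 equivalents), but both functions keep `bool use_cache = ip_tunnel_dst_cache_usable(skb, info);` as context, and a cached dst is keyed by the tunnel, not by the ports used for the lookup. Since `udp_flow_src_port()` varies per inner flow, a dst cached after a lookup with one source port may be handed back for a later flow with a different one; please confirm that the xfrm policy is re-evaluated on the cached route, or bypass the cache when a port-dependent policy is installed, otherwise some flows could miss the IPsec policy that this patch is meant to let them match. Moving `sport = udp_flow_src_port(...)` ahead of the lookup in both xmit paths is the right change; it would help to say in the commit message that the same `sport` is what the encapsulation header later uses, so the selector seen by the policy and the packet on the wire agree.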