[ovs-dev,v3,0/6] IPsec support for tunneling

Message ID 20180727204434.18525-1-qiuyu.xiao.qyx@gmail.com
Message

Qiuyu Xiao July 27, 2018, 8:44 p.m. UTC
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to
use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merged the ovs-monitor-ipsec code to a single patch. Added LibreSwan IKE
daemon support.
2. Added ovs-monitor-ipsec to flake8 check.
3. Used openssl to extract CN from certificate so that users don't need to
specify the CN information in the configuration interface.
4. Improved documentations as suggested.

Changes from v2 to v3
---------------------
1. Added scripts and rules to create ovs-ipsec RPM package.
2. Added Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec
tutorial. Modified Documentation/howto/ipsec.rst which gives a detailed
description on OVS IPsec configuration modes.
3. Modified ovs-pki to generate an x.509 version 3 certificate when doing a self-sign.
4. IPsec tunnel interface needs 'local_ip' information. Modified ovn-controller
to add 'local_ip' when IPsec is enabled.
5. Added a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Qiuyu Xiao (6):
  datapath: add transport ports in route lookup to enable IPsec policy
    match.
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  ovs-pki: generate x.509 v3 certificate
  OVN: native support for tunnel encryption

 Documentation/automake.mk                     |    2 +
 Documentation/howto/index.rst                 |    1 +
 Documentation/howto/ipsec.rst                 |  193 +++
 Documentation/tutorials/index.rst             |    1 +
 Documentation/tutorials/ipsec.rst             |  340 +++++
 Makefile.am                                   |    1 +
 NEWS                                          |    3 +
 datapath/linux/compat/geneve.c                |   29 +-
 datapath/linux/compat/stt.c                   |   15 +-
 datapath/linux/compat/vxlan.c                 |   14 +-
 debian/automake.mk                            |    3 +
 debian/control                                |   21 +
 debian/openvswitch-ipsec.dirs                 |    1 +
 debian/openvswitch-ipsec.init                 |  181 +++
 debian/openvswitch-ipsec.install              |    1 +
 ipsec/automake.mk                             |   10 +
 ipsec/ovs-monitor-ipsec                       | 1158 +++++++++++++++++
 ovn/controller/encaps.c                       |   31 +-
 ovn/controller/encaps.h                       |    7 +-
 ovn/controller/ovn-controller.c               |    4 +-
 ovn/northd/ovn-northd.c                       |    8 +-
 ovn/ovn-architecture.7.xml                    |   39 +
 ovn/ovn-nb.ovsschema                          |    7 +-
 ovn/ovn-nb.xml                                |    6 +
 ovn/ovn-sb.ovsschema                          |    7 +-
 ovn/ovn-sb.xml                                |    6 +
 rhel/automake.mk                              |    1 +
 rhel/openvswitch-fedora.spec.in               |   19 +-
 ...b_systemd_system_openvswitch-ipsec.service |   12 +
 utilities/ovs-ctl.in                          |   18 +
 utilities/ovs-pki.in                          |   25 +-
 vswitchd/vswitch.xml                          |  122 +-
 32 files changed, 2241 insertions(+), 45 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

Comments

Ben Pfaff July 27, 2018, 11:32 p.m. UTC | #1
On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> This patch series reintroduces IPsec support for OVS tunneling and
> enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> tunnels are supported.  StrongSwan and LibreSwan IKE daemons are
> supported.

Thank you.

My first impression is that this is a really complete, high-quality
series.  I'll work on reviewing it in detail.
Ben Pfaff July 27, 2018, 11:52 p.m. UTC | #2
On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> > This patch series reintroduces IPsec support for OVS tunneling and
> > enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> > tunnels are supported.  StrongSwan and LibreSwan IKE daemons are
> > supported.
> 
> Thank you.
> 
> My first impression is that this is a really complete, high-quality
> series.  I'll work on reviewing it in detail.

I have a couple of overall questions about security here.  What happens
if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
too old to support IPsec?  (Will traffic be sent and received in
cleartext?)  What about if IPsec is configured on a tunnel, but the OVS
userspace is too old to support IPsec?

Thanks,

Ben.
Qiuyu Xiao July 28, 2018, 12:28 a.m. UTC | #3
In both cases, IPsec won't be correctly set up in the system. The
traffic might be sent out in cleartext. Maybe we can let the
ovs-monitor-ipsec daemon monitor whether the IPsec tunnel is actually
taking effect in the system and report it on the tunnel interface, so
that users won't have a wrong assumption about the IPsec tunnel state.

-Qiuyu

On Fri, Jul 27, 2018 at 4:52 PM, Ben Pfaff <blp@ovn.org> wrote:
> On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
>> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
>> > This patch series reintroduces IPsec support for OVS tunneling and
>> > enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
>> > tunnels are supported.  StrongSwan and LibreSwan IKE daemons are
>> > supported.
>>
>> Thank you.
>>
>> My first impression is that this is a really complete, high-quality
>> series.  I'll work on reviewing it in detail.
>
> I have a couple of overall questions about security here.  What happens
> if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
> too old to support IPsec?  (Will traffic be sent and received in
> cleartext?)  What about if IPsec is configured on a tunnel, but the OVS
> userspace is too old to support IPsec?
>
> Thanks,
>
> Ben.
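The failure mode Ben raises and the monitoring Qiuyu proposes can be checked against the kernel's own xfrm tables: a tunnel endpoint pair is only protected when an ESP policy and a negotiated SA exist in both directions. The following is an added example, not code from this series or from ovs-monitor-ipsec; it assumes Linux `ip xfrm policy` / `ip xfrm state` output, uses a constructed sample of that output, and classifies the pair as `protected`, `no_sa` (policy installed, no SA yet) or `unprotected` (no ESP policy, so packets leave in cleartext).

```python
import re

# Constructed sample of `ip xfrm policy` output: ESP policies both ways for
# 10.0.0.1 <-> 10.0.0.2 only (spaces stand in for the tool's tab indentation).
SAMPLE_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32
    dir out priority 0
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32
    dir in priority 0
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
"""
# Constructed sample of `ip xfrm state` output: one ESP SA per direction.
SAMPLE_STATE = """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0x0a1b2c3d reqid 1 mode transport
    replay-window 32
src 10.0.0.2 dst 10.0.0.1
    proto esp spi 0x4e5f6071 reqid 1 mode transport
    replay-window 32
"""


def _esp_dirs(text, local_ip, remote_ip):
    """Directions ('out'/'in') in which an ESP entry covers local<->remote."""
    dirs = set()
    for blk in re.split(r"\n(?=src )", text.strip()):  # one entry per top-level 'src'
        tok = blk.split()
        if len(tok) < 4 or tok[0] != "src" or "proto esp" not in blk:
            continue
        src, dst = tok[1].split("/")[0], tok[3].split("/")[0]  # drop the /32 prefix
        want = {(local_ip, remote_ip): "out", (remote_ip, local_ip): "in"}.get((src, dst))
        if want is None:
            continue
        m = re.search(r"\bdir (\w+)", blk)  # only policy entries carry 'dir'; 'fwd' is ignored
        if m is None or m.group(1) == want:
            dirs.add(want)
    return dirs


def tunnel_ipsec_status(policy_text, state_text, local_ip, remote_ip):
    """Classify a tunnel endpoint pair as 'protected', 'no_sa' or 'unprotected'."""
    both = {"out", "in"}
    if _esp_dirs(policy_text, local_ip, remote_ip) != both:
        return "unprotected"  # no ESP policy: the kernel forwards cleartext
    if _esp_dirs(state_text, local_ip, remote_ip) != both:
        return "no_sa"  # policy installed, but IKE has not negotiated an SA yet
    return "protected"
```

On a live host, feed the function the stdout of `ip xfrm policy` and `ip xfrm state` (iproute2, root) for each tunnel's `local_ip`/`remote_ip` pair; anything other than `protected` is what a monitor would flag on the tunnel interface.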