Message ID: 20180727204434.18525-1-qiuyu.xiao.qyx@gmail.com
Series: IPsec support for tunneling

On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> This patch series reintroduces IPsec support for OVS tunneling and
> enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> tunnels are supported. StrongSwan and LibreSwan IKE daemons are
> supported.

Thank you.

My first impression is that this is a really complete, high-quality
series. I'll work on reviewing it in detail.

On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
> > This patch series reintroduces IPsec support for OVS tunneling and
> > enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
> > tunnels are supported. StrongSwan and LibreSwan IKE daemons are
> > supported.
>
> Thank you.
>
> My first impression is that this is a really complete, high-quality
> series. I'll work on reviewing it in detail.

I have a couple of overall questions about security here. What happens
if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
too old to support IPsec? (Will traffic be sent and received in
cleartext?) What about if IPsec is configured on a tunnel, but the OVS
userspace is too old to support IPsec?

Thanks,

Ben.

In both cases, IPsec won't be correctly set up in the system. The traffic
might be sent out in cleartext. Maybe we can let the ovs-monitor-ipsec
daemon monitor whether the IPsec tunnel is actually taking effect in the
system and report it on the tunnel interface, so that users won't have a
wrong assumption about the IPsec tunnel state.

-Qiuyu

On Fri, Jul 27, 2018 at 4:52 PM, Ben Pfaff <blp@ovn.org> wrote:
> On Fri, Jul 27, 2018 at 04:32:32PM -0700, Ben Pfaff wrote:
>> On Fri, Jul 27, 2018 at 01:44:28PM -0700, Qiuyu Xiao wrote:
>> > This patch series reintroduces IPsec support for OVS tunneling and
>> > enables OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec
>> > tunnels are supported. StrongSwan and LibreSwan IKE daemons are
>> > supported.
>>
>> Thank you.
>>
>> My first impression is that this is a really complete, high-quality
>> series. I'll work on reviewing it in detail.
>
> I have a couple of overall questions about security here. What happens
> if IPsec is configured on a tunnel in OVS, but the OVS kernel module is
> too old to support IPsec? (Will traffic be sent and received in
> cleartext?) What about if IPsec is configured on a tunnel, but the OVS
> userspace is too old to support IPsec?
>
> Thanks,
>
> Ben.
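One way to implement the check Qiuyu proposes above (added example; not code from the thread or from OVS's ovs-monitor-ipsec): read the kernel's SA database with `ip xfrm state` and flag any tunnel endpoint pair that has no ESP SA in both directions, since that is the state in which traffic would leave in cleartext. The tunnel list, the sample `ip xfrm state` output and the interface names are constructed for the example.

```python
"""Report OVS tunnels whose IPsec SAs are not actually installed in the kernel."""
import re
import subprocess

# `ip xfrm state` prints one block per SA: a "src X dst Y" header followed by
# an indented "proto esp spi ... mode ..." line and further attribute lines.
SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s*proto (\S+) spi (\S+) reqid (\S+) mode (\S+)")


def parse_xfrm_state(text):
    """Return the set of (src, dst) pairs that have an ESP SA installed."""
    esp_pairs = set()
    src = dst = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            src, dst = m.group(1), m.group(2)
            continue
        m = SA_PROTO.match(line)
        if m and src is not None and m.group(1) == "esp":
            esp_pairs.add((src, dst))
    return esp_pairs


def check_tunnels(tunnels, xfrm_text):
    """tunnels: {name: (local_ip, remote_ip)} -> {name: protected|partial|unprotected}."""
    esp_pairs = parse_xfrm_state(xfrm_text)
    status = {}
    for name, (local, remote) in tunnels.items():
        outbound = (local, remote) in esp_pairs
        inbound = (remote, local) in esp_pairs
        if outbound and inbound:
            status[name] = "protected"
        elif outbound or inbound:
            status[name] = "partial"      # one direction only: still leaks
        else:
            status[name] = "unprotected"  # no SA at all: cleartext on the wire
    return status


def live_xfrm_state():
    """Read the real SA database (needs CAP_NET_ADMIN on most systems)."""
    return subprocess.run(["ip", "xfrm", "state"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample: SAs exist only for the 10.0.0.1 <-> 10.0.0.2 pair.
SAMPLE_XFRM = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x0a1b2c3d reqid 1 mode transport
\treplay-window 0 flag af-unspec
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x1e2f3a4b reqid 1 mode transport
\treplay-window 0 flag af-unspec
"""
SAMPLE_TUNNELS = {"gre-to-host2": ("10.0.0.1", "10.0.0.2"),   # constructed
                  "gre-to-host3": ("10.0.0.1", "10.0.0.3")}   # constructed

if __name__ == "__main__":
    for name, state in check_tunnels(SAMPLE_TUNNELS, SAMPLE_XFRM).items():
        print(f"{name}: {state}")
```

On a live host, replace `SAMPLE_XFRM` with `live_xfrm_state()` and build the tunnel dict from the local and remote IPs of each tunnel port.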