Message ID | 20180829141334.18089-1-qiuyu.xiao.qyx@gmail.com |
---|---|
Headers | show |
Series | IPsec support for tunneling | expand |
Two main issues remain to be resolved. 1) The GENEVE and VXLAN IPsec tunnel configuration don't work in LibreSwan. I reported this bug to the LibreSwan mailing list, which is confirmed by the maintainer. (https://lists.libreswan.org/pipermail/swan/2018/002700.html). 2) In order to match XFRM policies in the kernel, L4 port information needs to be added before route lookup. The upstream VXLAN kernel module already had this patch since 4.10. The upstream GENEVE module is not patched, so the GENEVE IPsec tunnel doesn't work in OVS. Some other minor issues: 3) When a StrongSwan daemon interoperates with a LibreSwan daemon, the IKE connection can be only initiated from LibreSwan to StrongSwan but not the other way around. 4) In LibreSwan, the plaintext policy cannot be installed without restarting the LibreSwan daemon. But restarting the daemon lost existing IKE connections. A quick solution to 1), 3), and 4) is using StrongSwan in Fedora. The interface is a little bit different from StrongSwan in Debian, but hopefully, these problems will go away. Any feedbacks are welcomed! -Qiuyu On Wed, Aug 29, 2018 at 10:14 AM Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com> wrote: > > This patch series reintroduce IPsec support for OVS tunneling and enable > OVN to > use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are > supported. > StrongSwan and LibreSwan IKE daemons are supported. > > Changes from v1 to v2 > --------------------- > 1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE > daemon support. > 2. Add ovs-monitor-ipsec to flake8 check. > 3. Use openssl to extract CN from certificate so that users don't need > to > specify the CN information in the configuration interface. > 4. Improve documentations as suggested. > > Changes from v2 to v3 > --------------------- > 1. Add scripts and rules to create ovs-ipsec RPM package. > 2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS > IPsec > tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed > description on OVS IPsec configuration modes. > 3. Modify ovs-pki to generate x.509 version 3 certificate when do > self-sign. > 4. IPsec tunnel interface needs 'local_ip' information. Modify > ovn-controller > to add 'local_ip' when IPsec is enabled. > 5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec. > > Changes from v3 to v4 > --------------------- > 1. Split the datapath patch to three patches (geneve, vxlan, stt). > 2. Add tutorial for OVN RBAC and OVN IPsec. > > Changes from v4 to v5 > --------------------- > 1. Fix coding style issues in ovs-monitor-ipsec. > 2. Improve IPsec and OVN-IPsec tutorials as suggested. > 3. Change the description of setting skb_mark in documentation to > reflect the > real situation. > > Changes from v5 to v6 > --------------------- > 1. Use wildcard IP address to match localhost IP in LibreSwan. Remove > the 'local_ip' requirement when setting IPsec tunnel interface. > 2. ovs-monitor-ipsec daemon accepts command line option to choose IKE > daemon, either LibreSwan or StrongSwan. The init script chooses which > IKE daemon to use. Currently, Debian init script chooses StrongSwan. > Fedora init script chooses LibreSwan. > 3. Check illegal name before removing a file in > '_import_local_certs_and_key()'. > 4. GRE IPsec tunnel was not activated properly when using LibreSwan. This > version fixes it. > 5. The plaintext policy syntax was wrong when using LibreSwan. This version > corrects it. > 6. Add comments and explanations about the 'remote_name' > check in '_is_valid_tunnel_conf()'. > 7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start IKE > daemon. > > *** BLURB HERE *** > > Qiuyu Xiao (6): > datapath: add transport ports in route lookup for geneve > ipsec: reintroduce IPsec support for tunneling > debian and rhel: Create IPsec package. > Documentation: IPsec tunnel tutorial and documentation. > OVN: native support for tunnel encryption > Documentation: OVN RBAC and IPsec tutorial > > Documentation/automake.mk | 4 + > Documentation/howto/index.rst | 1 + > Documentation/howto/ipsec.rst | 194 ++++ > Documentation/index.rst | 5 +- > Documentation/tutorials/index.rst | 3 + > Documentation/tutorials/ipsec.rst | 347 ++++++ > Documentation/tutorials/ovn-ipsec.rst | 146 +++ > Documentation/tutorials/ovn-rbac.rst | 134 +++ > Makefile.am | 1 + > datapath/linux/compat/geneve.c | 29 +- > debian/automake.mk | 3 + > debian/control | 21 + > debian/openvswitch-ipsec.dirs | 1 + > debian/openvswitch-ipsec.init | 181 +++ > debian/openvswitch-ipsec.install | 1 + > ipsec/automake.mk | 10 + > ipsec/ovs-monitor-ipsec | 1211 ++++++++++++++++++++ > ovn/controller/encaps.c | 14 +- > ovn/controller/encaps.h | 6 +- > ovn/controller/ovn-controller.c | 3 +- > ovn/northd/ovn-northd.c | 8 +- > ovn/ovn-architecture.7.xml | 39 + > ovn/ovn-nb.ovsschema | 7 +- > ovn/ovn-nb.xml | 6 + > ovn/ovn-sb.ovsschema | 7 +- > ovn/ovn-sb.xml | 6 + > rhel/automake.mk | 1 + > rhel/openvswitch-fedora.spec.in | 19 +- > ...sr_lib_systemd_system_openvswitch-ipsec.service | 13 + > utilities/ovs-ctl.in | 27 + > vswitchd/vswitch.xml | 156 ++- > 31 files changed, 2569 insertions(+), 35 deletions(-) > create mode 100644 Documentation/howto/ipsec.rst > create mode 100644 Documentation/tutorials/ipsec.rst > create mode 100644 Documentation/tutorials/ovn-ipsec.rst > create mode 100644 Documentation/tutorials/ovn-rbac.rst > create mode 100644 debian/openvswitch-ipsec.dirs > create mode 100644 debian/openvswitch-ipsec.init > create mode 100644 debian/openvswitch-ipsec.install > create mode 100644 ipsec/automake.mk > create mode 100755 ipsec/ovs-monitor-ipsec > create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service > > -- > 2.14.4 >