| Field | Value |
|---|---|
| Message ID | 20180919211558.13937-1-qiuyu.xiao.qyx@gmail.com |
| Series | IPsec support for tunneling |
Hi Ansis. Do you plan to further review this series or should I take a
look at it in hopes of merging it?

Thanks,

Ben.

On Wed, Sep 19, 2018 at 05:15:52PM -0400, Qiuyu Xiao wrote:
> This patch series reintroduces IPsec support for OVS tunneling and enables
> OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
> supported. StrongSwan and LibreSwan IKE daemons are supported.
>
> Changes from v1 to v2
> ---------------------
> 1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE
>    daemon support.
> 2. Add ovs-monitor-ipsec to flake8 check.
> 3. Use openssl to extract CN from certificate so that users don't need to
>    specify the CN information in the configuration interface.
> 4. Improve documentation as suggested.
>
> Changes from v2 to v3
> ---------------------
> 1. Add scripts and rules to create ovs-ipsec RPM package.
> 2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS
>    IPsec tutorial. Modify Documentation/howto/ipsec.rst which gives a
>    detailed description of OVS IPsec configuration modes.
> 3. Modify ovs-pki to generate x.509 version 3 certificates when
>    self-signing.
> 4. IPsec tunnel interface needs 'local_ip' information. Modify
>    ovn-controller to add 'local_ip' when IPsec is enabled.
> 5. Add a section in ovn/ovn-architecture.7.xml to introduce OVN IPsec.
>
> Changes from v3 to v4
> ---------------------
> 1. Split the datapath patch into three patches (geneve, vxlan, stt).
> 2. Add tutorial for OVN RBAC and OVN IPsec.
>
> Changes from v4 to v5
> ---------------------
> 1. Fix coding style issues in ovs-monitor-ipsec.
> 2. Improve IPsec and OVN-IPsec tutorials as suggested.
> 3. Change the description of setting skb_mark in documentation to
>    reflect the real situation.
>
> Changes from v5 to v6
> ---------------------
> 1. Use wildcard IP address to match localhost IP in LibreSwan. Remove
>    the 'local_ip' requirement when setting IPsec tunnel interface.
> 2. ovs-monitor-ipsec daemon accepts a command line option to choose the
>    IKE daemon, either LibreSwan or StrongSwan. The init script chooses
>    which IKE daemon to use. Currently, the Debian init script chooses
>    StrongSwan and the Fedora init script chooses LibreSwan.
> 3. Check for illegal names before removing a file in
>    '_import_local_certs_and_key()'.
> 4. GRE IPsec tunnel was not activated properly when using LibreSwan. This
>    version fixes it.
> 5. The plaintext policy syntax was wrong when using LibreSwan. This
>    version corrects it.
> 6. Add comments and explanations about the 'remote_name' check in
>    '_is_valid_tunnel_conf()'.
> 7. Replace 'ike_daemon_start()' with 'ike_daemon_restart()' to start the
>    IKE daemon.
>
> Changes from v6 to v7
> ---------------------
> 1. Use os.path.abspath to generate the path of the p12 file to make sure
>    the path is under '/tmp/'.
> 2. When the ovs-monitor-ipsec daemon restarts, check whether the NSS
>    database has old certificates and private keys set by a previous run.
>    If so, delete that old state.
>
> *** BLURB HERE ***
>
> Qiuyu Xiao (6):
>   datapath: add transport ports in route lookup for geneve
>   ipsec: reintroduce IPsec support for tunneling
>   debian and rhel: Create IPsec package.
>   Documentation: IPsec tunnel tutorial and documentation.
>   OVN: native support for tunnel encryption
>   Documentation: OVN RBAC and IPsec tutorial
>
>  Documentation/automake.mk                          |    4 +
>  Documentation/howto/index.rst                      |    1 +
>  Documentation/howto/ipsec.rst                      |  194 ++++
>  Documentation/index.rst                            |    5 +-
>  Documentation/tutorials/index.rst                  |    3 +
>  Documentation/tutorials/ipsec.rst                  |  347 ++++++
>  Documentation/tutorials/ovn-ipsec.rst              |  146 +++
>  Documentation/tutorials/ovn-rbac.rst               |  134 +++
>  Makefile.am                                        |    1 +
>  datapath/linux/compat/geneve.c                     |   29 +-
>  debian/automake.mk                                 |    3 +
>  debian/control                                     |   21 +
>  debian/openvswitch-ipsec.dirs                      |    1 +
>  debian/openvswitch-ipsec.init                      |  181 +++
>  debian/openvswitch-ipsec.install                   |    1 +
>  ipsec/automake.mk                                  |   10 +
>  ipsec/ovs-monitor-ipsec                            | 1223 ++++++++++++++++++++
>  ovn/controller/encaps.c                            |   14 +-
>  ovn/controller/encaps.h                            |    6 +-
>  ovn/controller/ovn-controller.c                    |    3 +-
>  ovn/northd/ovn-northd.c                            |    8 +-
>  ovn/ovn-architecture.7.xml                         |   39 +
>  ovn/ovn-nb.ovsschema                               |    7 +-
>  ovn/ovn-nb.xml                                     |    6 +
>  ovn/ovn-sb.ovsschema                               |    7 +-
>  ovn/ovn-sb.xml                                     |    6 +
>  rhel/automake.mk                                   |    1 +
>  rhel/openvswitch-fedora.spec.in                    |   19 +-
>  ...sr_lib_systemd_system_openvswitch-ipsec.service |   13 +
>  utilities/ovs-ctl.in                               |   27 +
>  vswitchd/vswitch.xml                               |  156 ++-
>  31 files changed, 2581 insertions(+), 35 deletions(-)
>  create mode 100644 Documentation/howto/ipsec.rst
>  create mode 100644 Documentation/tutorials/ipsec.rst
>  create mode 100644 Documentation/tutorials/ovn-ipsec.rst
>  create mode 100644 Documentation/tutorials/ovn-rbac.rst
>  create mode 100644 debian/openvswitch-ipsec.dirs
>  create mode 100644 debian/openvswitch-ipsec.init
>  create mode 100644 debian/openvswitch-ipsec.install
>  create mode 100644 ipsec/automake.mk
>  create mode 100644 ipsec/ovs-monitor-ipsec
>  create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>
> --
> 2.14.4
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
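The v6 and v7 changelog items about checking names before removing files and using os.path.abspath to keep the p12 file under '/tmp/' describe one defensive pattern: never let an externally supplied name steer a delete or write outside the intended directory. The following is an added illustration of that pattern in Python (the language of ovs-monitor-ipsec), not code from the series; the directory, the name rule, the `.p12` suffix and all function names are assumptions, and `tun0` is a constructed sample name.

```python
import os
import re

# Assumed base directory for p12 files, mirroring the '/tmp/' named in the
# changelog; any directory works the same way.
P12_DIR = "/tmp"

# Hypothetical name rule: a conservative character set so that a tunnel or
# certificate name can never carry path separators or other path syntax.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_legal_name(name):
    """Return True only for names that cannot change the directory of a path."""
    if not _NAME_RE.match(name):
        return False
    # '.' and '..' pass the character check but are directories, not files.
    return name not in (".", "..")


def p12_path(name):
    """Return the absolute path of <name>.p12 under P12_DIR, or None.

    os.path.abspath collapses any '..' components, so comparing the result
    against the base directory proves the file is still contained in it.
    """
    if not is_legal_name(name):
        return None
    base = os.path.abspath(P12_DIR)
    candidate = os.path.abspath(os.path.join(base, name + ".p12"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def remove_p12(name, remover=os.remove):
    """Delete the p12 file for <name>; return False if the name is unsafe.

    'remover' is injectable so the containment logic can be exercised
    without touching the real filesystem.
    """
    path = p12_path(name)
    if path is None:
        return False
    try:
        remover(path)
    except FileNotFoundError:
        pass  # nothing to clean up from a previous run
    return True
```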
On Wed, Sep 19, 2018 at 05:15:52PM -0400, Qiuyu Xiao wrote:
> This patch series reintroduces IPsec support for OVS tunneling and enables
> OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
> supported. StrongSwan and LibreSwan IKE daemons are supported.

I applied this series to master. Thank you!