From patchwork Mon Jul 2 21:50:04 2018
X-Patchwork-Submitter: Qiuyu Xiao
X-Patchwork-Id: 938253
Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) by ozlabs.org (Postfix) with ESMTPS id 41KLXv3Ctlz9s29; Tue, 3 Jul 2018 07:50:54 +1000 (AEST)
Received: from vm1.eng.vmware.com ([66.170.99.1]) by smtp.gmail.com with ESMTPSA; Mon, 02 Jul 2018 14:50:47 -0700 (PDT)
From: Qiuyu Xiao
To: ovs-dev@openvswitch.org
Date: Mon, 2 Jul 2018 14:50:04 -0700
Message-Id: <20180702215004.16311-1-qiuyu.xiao.qyx@gmail.com>
X-Mailer: git-send-email 2.18.0
Subject: [ovs-dev] [RFC PATCH] OVN: native support for tunnel encryption

This patch adds IPsec support for OVN tunnels. Basically, OVN offers a binary option to its user for encryption configuration. If the IPsec option is turned on, all tunnels will be encrypted. Otherwise, no tunnel will be encrypted.

The changes are summarized as below:

1) Added an ipsec column to the NB_Global table and the SB_Global table. The value of the ipsec column is propagated by ovn-northd from NB_Global to SB_Global.

2) ovn-controller monitors the ipsec column in SB_Global. If the ipsec value is true, ovn-controller sets options on the tunnel interface by specifying "options:pki=ca_auth options:local_name= options:remote_name=". If the ipsec value is false, ovn-controller removes these options.

3) The ovs-monitor-ipsec daemon (https://mail.openvswitch.org/pipermail/ovs-dev/2018-June/348701.html) monitors the tunnel interface options and configures the IKE daemon accordingly for IPsec encryption.

---
 ovn/controller/encaps.c         | 14 +++++++++++---
 ovn/controller/encaps.h         |  5 ++++-
 ovn/controller/ovn-controller.c |  3 ++-
 ovn/northd/ovn-northd.c         |  8 ++++++--
 ovn/ovn-nb.ovsschema            |  7 ++++---
 ovn/ovn-nb.xml                  |  6 ++++++
 ovn/ovn-sb.ovsschema            |  7 ++++---
 ovn/ovn-sb.xml                  |  6 ++++++
 8 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/ovn/controller/encaps.c b/ovn/controller/encaps.c index fde017586..d122e7c9b 100644 --- a/ovn/controller/encaps.c +++ b/ovn/controller/encaps.c @@ -79,7 +79,8 @@ tunnel_create_name(struct tunnel_ctx *tc, const char *chassis_id) } static void -tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, +tunnel_add(struct tunnel_ctx *tc, const struct sbrec_sb_global *sbg, + const char *local_chassis_id, const char *new_chassis_id, const struct sbrec_encap *encap) { struct smap options = SMAP_INITIALIZER(&options); @@ -89,6 +90,12 @@ tunnel_add(struct tunnel_ctx *tc, const char *new_chassis_id, if (csum && (!strcmp(csum, "true") || !strcmp(csum, "false"))) { smap_add(&options, "csum", csum); } + /* Add auth info if ipsec is enabled. */ + if (sbg->ipsec) { + smap_add(&options, "pki", "ca_auth"); + smap_add(&options, "local_name", local_chassis_id); + smap_add(&options, "remote_name", new_chassis_id); + } /* If there's an existing chassis record that does not need any change, * keep it. Otherwise, create a new record (if there was an existing @@ -157,7 +164,8 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *bridge_table, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *chassis_table, - const char *chassis_id) + const char *chassis_id, + const struct sbrec_sb_global *sbg) { if (!ovs_idl_txn || !br_int) { return; @@ -209,7 +217,7 @@ encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, VLOG_INFO("No supported encaps for '%s'", chassis_rec->name); continue; } - tunnel_add(&tc, chassis_rec->name, encap); + tunnel_add(&tc, sbg, chassis_id, chassis_rec->name, encap); } } diff --git a/ovn/controller/encaps.h b/ovn/controller/encaps.h index 054bdfa78..da12bfc3b 100644 --- a/ovn/controller/encaps.h +++ b/ovn/controller/encaps.h 
@@ -23,13 +23,16 @@ struct ovsdb_idl_txn; struct ovsrec_bridge; struct ovsrec_bridge_table; struct sbrec_chassis_table; +struct sbrec_sb_global; void encaps_register_ovs_idl(struct ovsdb_idl *); void encaps_run(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge_table *, const struct ovsrec_bridge *br_int, const struct sbrec_chassis_table *, - const char *chassis_id); + const char *chassis_id, + const struct sbrec_sb_global *); + bool encaps_cleanup(struct ovsdb_idl_txn *ovs_idl_txn, const struct ovsrec_bridge *br_int); diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c index 6ee72a9fa..10fbc879c 100644 --- a/ovn/controller/ovn-controller.c +++ b/ovn/controller/ovn-controller.c @@ -679,7 +679,8 @@ main(int argc, char *argv[]) chassis_id, br_int); encaps_run(ovs_idl_txn, ovsrec_bridge_table_get(ovs_idl_loop.idl), br_int, - sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id); + sbrec_chassis_table_get(ovnsb_idl_loop.idl), chassis_id, + sbrec_sb_global_first(ovnsb_idl_loop.idl)); bfd_calculate_active_tunnels(br_int, &active_tunnels); binding_run(ovnsb_idl_txn, ovs_idl_txn, sbrec_chassis_by_name, sbrec_datapath_binding_by_key, diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 74eefc6ca..51f1671cd 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -6606,8 +6606,8 @@ ovnnb_db_run(struct northd_context *ctx, } hmap_destroy(&ports); - /* Copy nb_cfg from northbound to southbound database. - * + /* Sync ipsec configuration. + * Copy nb_cfg from northbound to southbound database. * Also set up to update sb_cfg once our southbound transaction commits. */ const struct nbrec_nb_global *nb = nbrec_nb_global_first(ctx->ovnnb_idl); if (!nb) { 
@@ -6617,6 +6617,9 @@ ovnnb_db_run(struct northd_context *ctx, if (!sb) { sb = sbrec_sb_global_insert(ctx->ovnsb_txn); } + if (nb->ipsec != sb->ipsec) { + sbrec_sb_global_set_ipsec(sb, nb->ipsec); + } sbrec_sb_global_set_nb_cfg(sb, nb->nb_cfg); sb_loop->next_cfg = nb->nb_cfg; @@ -7120,6 +7123,7 @@ main(int argc, char *argv[]) ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_sb_global); add_column_noalert(ovnsb_idl_loop.idl, &sbrec_sb_global_col_nb_cfg); + add_column_noalert(ovnsb_idl_loop.idl, &sbrec_sb_global_col_ipsec); ovsdb_idl_add_table(ovnsb_idl_loop.idl, &sbrec_table_logical_flow); add_column_noalert(ovnsb_idl_loop.idl, diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index 8e6ddec46..528614efa 100644 --- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.11.0", - "cksum": "1149260021 18713", + "version": "5.12.0", + "cksum": "3682343791 18759", "tables": { "NB_Global": { "columns": { @@ -19,7 +19,8 @@ "ssl": { "type": {"key": {"type": "uuid", "refTable": "SSL"}, - "min": 0, "max": 1}}}, + "min": 0, "max": 1}}, + "ipsec": {"type": "boolean"}}, "maxRows": 1, "isRoot": true}, "Logical_Switch": { diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 6aed6102a..ddee98cd1 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -80,6 +80,12 @@ Global SSL configuration. + + + Tunnel encryption configuration. If this column is set to be true, all + OVN tunnels will be encrypted with IPsec. + + diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema index 9e271d433..9c5c2ef29 100644 --- a/ovn/ovn-sb.ovsschema +++ b/ovn/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "1.15.0", - "cksum": "1839738004 13639", + "version": "1.16.0", + "cksum": "3309568193 13685", "tables": { "SB_Global": { "columns": { 
@@ -17,7 +17,8 @@ "ssl": { "type": {"key": {"type": "uuid", "refTable": "SSL"}, - "min": 0, "max": 1}}}, + "min": 0, "max": 1}}, + "ipsec": {"type": "boolean"}}, "maxRows": 1, "isRoot": true}, "Chassis": { diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index b17110e48..4090581fc 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -174,6 +174,12 @@ Global SSL configuration. + + + Tunnel encryption configuration. If this column is set to be true, all + OVN tunnels will be encrypted with IPsec. + +
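Review bot: in the tunnel_add hunk of encaps.c the new `smap_add(&options, ...)` block binds IKE identities to chassis names (`local_name` is this chassis, `remote_name` is the peer's `chassis_rec->name`), and that is a security decision neither the `/* Add auth info if ipsec is enabled. */` comment nor the ovn-nb.xml text explains: with `pki=ca_auth` every chassis must hold a certificate, signed by a CA the whole deployment trusts, whose identity is exactly its chassis name, and that CA is the only thing stopping a host from claiming another chassis's name. Expand the comment to say so and put the certificate naming requirement next to the ipsec column documentation. Separately, the comment just below the new block says an existing chassis record is kept only if it needs no change, so flipping NB_Global.ipsec changes the options smap of every tunnel and therefore deletes and recreates every tunnel port on every chassis at once; the column documentation should warn that toggling it on a running deployment is disruptive.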
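Review bot: the encaps.h hunk adds four lines according to the diffstat (`5 ++++-`) but only three of them carry text, so the fourth is a new blank line between the `encaps_run` prototype and `bool encaps_cleanup(`. If the two declarations were already separated by a blank line, this leaves a double blank; drop the extra one.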
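Review bot: the new `sbrec_sb_global_first(ovnsb_idl_loop.idl)` argument in the ovn-controller.c hunk can be NULL, and tunnel_add in encaps.c dereferences it unconditionally with `if (sbg->ipsec)`. The northd hunk shows the SB_Global row is created lazily (`sb = sbrec_sb_global_insert(ctx->ovnsb_txn)` when `!sb`), so an ovn-controller that connects to a fresh southbound database before ovn-northd has run, or that races a database reset, crashes on its first encaps_run. Either check for NULL at the call site and skip tunnel setup until the row exists, or write `if (sbg && sbg->ipsec) {` in tunnel_add with a comment stating that a missing row is treated as ipsec=false.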
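Review bot: the rewritten comment in the first ovn-northd.c hunk, `/* Sync ipsec configuration.` followed by `* Copy nb_cfg from northbound to southbound database.`, now reads as two unrelated sentences, and the `Also set up to update sb_cfg` sentence that follows applies only to nb_cfg. One sentence covering both columns is clearer, e.g. `/* Copy ipsec and nb_cfg from northbound to southbound database.`, keeping the existing sb_cfg sentence after it.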
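Review bot: the ipsec column description in the ovn-nb.xml hunk is too thin for a switch that decides whether tenant traffic crosses the underlay in the clear. It should state the default (an OVSDB boolean column with no value reads as false, so existing databases upgrade to "unencrypted", which is the compatible default but not the safe one), what must be in place before setting it (ovs-monitor-ipsec and an IKE daemon running on every chassis, and a CA-signed certificate per chassis, per the commit message), what happens to traffic on a tunnel while ipsec is true but the IKE negotiation with that peer has not completed, and that toggling the value reconfigures every tunnel on every chassis. "set to be true" should read "set to true". Also note that the patch adds no column through which a chassis reports whether its tunnels actually came up under IPsec, so a chassis where ovs-monitor-ipsec is not running looks, from the northbound database, exactly like one where encryption works; worth listing as a known gap in the RFC.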
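Review bot: the ovn-sb.xml hunk duplicates the northbound text, but SB_Global.ipsec is written by ovn-northd (`sbrec_sb_global_set_ipsec(sb, nb->ipsec)` in the northd hunk) and only read by ovn-controller. Say that it is copied from NB_Global.ipsec, so nobody sets it directly on the southbound database only to have ovn-northd overwrite it.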
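Once this RFC is deployed, the only on-host evidence that ovn-controller applied the encryption policy to a tunnel is the option set described in point 2 of the commit message. The audit below is an added example and is not part of this patch or of OVN; it checks that every OVN-managed tunnel port on a chassis carries pki=ca_auth, a local_name equal to the chassis's own name and a remote_name equal to the peer chassis recorded on the port, and, when encryption is off, that no stale auth options linger. It assumes the JSON layout produced by `ovs-vsctl --format=json --columns=name,type,options,external_ids list Interface` (map columns arrive as ["map", [[key, value], ...]]), assumes that ovn-controller tags its tunnel ports with external_ids:ovn-chassis-id (the convention in encaps.c), and uses a constructed sample for a hypothetical chassis hv1 with peers hv2, hv3 and hv4.

```python
"""Audit ovn-controller tunnel ports for the IPsec authentication options
(pki=ca_auth, local_name, remote_name) that the RFC patch makes
ovn-controller set when NB_Global.ipsec is true.

Example code, not part of OVN. Input is the JSON that
    ovs-vsctl --format=json --columns=name,type,options,external_ids list Interface
prints; map-typed columns are encoded as ["map", [[key, value], ...]].
"""
import json


def ovsdb_value(v):
    """Decode one OVSDB JSON atom: ["map", ...] -> dict, ["set", ...] -> list,
    anything else is already a scalar."""
    if isinstance(v, list) and len(v) == 2 and v[0] == "map":
        return dict(v[1])
    if isinstance(v, list) and len(v) == 2 and v[0] == "set":
        return list(v[1])
    return v


def parse_interfaces(text):
    """Turn ovs-vsctl's {"headings": [...], "data": [[...], ...]} into row dicts."""
    doc = json.loads(text)
    cols = doc["headings"]
    return [dict(zip(cols, (ovsdb_value(x) for x in row))) for row in doc["data"]]


def audit_tunnels(text, local_chassis_id, ipsec_enabled=True):
    """Return {tunnel port name: [findings]}; an empty list means the port is
    consistent with the expected policy. Ports without external_ids:ovn-chassis-id
    (assumed to be how ovn-controller marks the tunnels it owns) are skipped."""
    findings = {}
    for iface in parse_interfaces(text):
        remote = iface["external_ids"].get("ovn-chassis-id")
        if remote is None:
            continue  # not an OVN-managed tunnel port (e.g. br-int, VIF ports)
        opts = iface["options"]
        problems = []
        if ipsec_enabled:
            # Any one of these missing means ovs-monitor-ipsec will not set up
            # an SA for the port, i.e. the tunnel carries traffic in the clear.
            if opts.get("pki") != "ca_auth":
                problems.append("missing options:pki=ca_auth (tunnel runs in the clear)")
            if opts.get("local_name") != local_chassis_id:
                problems.append("local_name %r != this chassis %r"
                                % (opts.get("local_name"), local_chassis_id))
            if opts.get("remote_name") != remote:
                problems.append("remote_name %r != external_ids:ovn-chassis-id %r"
                                % (opts.get("remote_name"), remote))
        else:
            stale = [k for k in ("pki", "local_name", "remote_name") if k in opts]
            if stale:
                problems.append("stale IPsec options left behind: %s" % ", ".join(stale))
        findings[iface["name"]] = problems
    return findings


# Constructed sample: hv1's view after ipsec=true. hv2 is correct, hv3 never
# received the auth options, hv4 names the wrong peer.
SAMPLE = json.dumps({
    "headings": ["name", "type", "options", "external_ids"],
    "data": [
        ["br-int", "internal", ["map", []], ["map", []]],
        ["ovn-hv2-0", "geneve",
         ["map", [["csum", "true"], ["key", "flow"], ["local_name", "hv1"],
                  ["pki", "ca_auth"], ["remote_ip", "192.0.2.12"], ["remote_name", "hv2"]]],
         ["map", [["ovn-chassis-id", "hv2"]]]],
        ["ovn-hv3-0", "geneve",
         ["map", [["csum", "true"], ["key", "flow"], ["remote_ip", "192.0.2.13"]]],
         ["map", [["ovn-chassis-id", "hv3"]]]],
        ["ovn-hv4-0", "geneve",
         ["map", [["key", "flow"], ["local_name", "hv1"], ["pki", "ca_auth"],
                  ["remote_ip", "192.0.2.14"], ["remote_name", "hv9"]]],
         ["map", [["ovn-chassis-id", "hv4"]]]],
    ],
})


if __name__ == "__main__":
    for name, problems in sorted(audit_tunnels(SAMPLE, "hv1").items()):
        print(name, "OK" if not problems else "; ".join(problems))
```

On a real chassis, replace SAMPLE with the output of the ovs-vsctl command in the docstring and pass the chassis's own name (the value ovn-controller uses as chassis_id); run it with ipsec_enabled set to the current NB_Global.ipsec value so that both the "should be encrypted" and the "should have been cleaned up" cases are covered.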