From patchwork Tue Jul 31 21:08:45 2018
X-Patchwork-Submitter: Qiuyu Xiao
X-Patchwork-Id: 951825
From: Qiuyu Xiao
To: ovs-dev@openvswitch.org
Date: Tue, 31 Jul 2018 14:08:45 -0700
Message-Id: <20180731210854.31682-1-qiuyu.xiao.qyx@gmail.com>
Subject: [ovs-dev] [PATCH v4 0/9] IPsec support for tunneling
This patch series reintroduces IPsec support for OVS tunneling and enables
OVN to use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are
supported. StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merge the ovs-monitor-ipsec code into a single patch. Add LibreSwan IKE
   daemon support.
2. Add ovs-monitor-ipsec to the flake8 check.
3. Use openssl to extract the CN from the certificate so that users don't
   need to specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
---------------------
1. Add scripts and rules to create the ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst, which gives a step-by-step OVS
   IPsec tutorial. Modify Documentation/howto/ipsec.rst, which gives a
   detailed description of OVS IPsec configuration modes.
3. Modify ovs-pki to generate an x.509 version 3 certificate when
   self-signing.
4. The IPsec tunnel interface needs 'local_ip' information. Modify
   ovn-controller to add 'local_ip' when IPsec is enabled.
5. Add a section in ovn/ovn-architecture.7.xml to introduce OVN IPsec.

Changes from v3 to v4
---------------------
1. Split the datapath patch into three patches (geneve, vxlan, stt).
2. Add a tutorial for OVN RBAC and OVN IPsec.

Qiuyu Xiao (9):
  datapath: add transport ports in route lookup for geneve
  datapath: add transport ports in route lookup for vxlan
  datapath: add transport ports in route lookup for stt
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  ovs-pki: generate x.509 v3 certificate
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk                     |    4 +
 Documentation/howto/index.rst                 |    1 +
 Documentation/howto/ipsec.rst                 |  193 +++
 Documentation/tutorials/index.rst             |    3 +
 Documentation/tutorials/ipsec.rst             |  342 +++++
 Documentation/tutorials/ovn-ipsec.rst         |  144 ++
 Documentation/tutorials/ovn-rbac.rst          |  134 ++
 Makefile.am                                   |    1 +
 NEWS                                          |    3 +
 datapath/linux/compat/geneve.c                |   29 +-
 datapath/linux/compat/stt.c                   |   15 +-
 datapath/linux/compat/vxlan.c                 |   14 +-
 debian/automake.mk                            |    3 +
 debian/control                                |   21 +
 debian/openvswitch-ipsec.dirs                 |    1 +
 debian/openvswitch-ipsec.init                 |  181 +++
 debian/openvswitch-ipsec.install              |    1 +
 ipsec/automake.mk                             |   10 +
 ipsec/ovs-monitor-ipsec                       | 1158 +++++++++++++++++
 ovn/controller/encaps.c                       |   31 +-
 ovn/controller/encaps.h                       |    7 +-
 ovn/controller/ovn-controller.c               |    4 +-
 ovn/northd/ovn-northd.c                       |    8 +-
 ovn/ovn-architecture.7.xml                    |   39 +
 ovn/ovn-nb.ovsschema                          |    7 +-
 ovn/ovn-nb.xml                                |    6 +
 ovn/ovn-sb.ovsschema                          |    7 +-
 ovn/ovn-sb.xml                                |    6 +
 rhel/automake.mk                              |    1 +
 rhel/openvswitch-fedora.spec.in               |   19 +-
 ...b_systemd_system_openvswitch-ipsec.service |   12 +
 utilities/ovs-ctl.in                          |   18 +
 utilities/ovs-pki.in                          |   25 +-
 vswitchd/vswitch.xml                          |  122 +-
 34 files changed, 2525 insertions(+), 45 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service