[ovs-dev,v5,0/9] IPsec support for tunneling

Message ID 20180806180439.16559-1-qiuyu.xiao.qyx@gmail.com

Message

Qiuyu Xiao Aug. 6, 2018, 6:04 p.m. UTC
This patch series reintroduces IPsec support for OVS tunneling and enables OVN to
use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
StrongSwan and LibreSwan IKE daemons are supported.

Changes from v1 to v2
---------------------
1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE
daemon support.
2. Add ovs-monitor-ipsec to flake8 check.
3. Use openssl to extract CN from certificate so that users don't need to
specify the CN information in the configuration interface.
4. Improve documentation as suggested.

Changes from v2 to v3
---------------------
1. Add scripts and rules to create ovs-ipsec RPM package.
2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec
tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed
description on OVS IPsec configuration modes.
3. Modify ovs-pki to generate an X.509 version 3 certificate when self-signing.
4. IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller
to add 'local_ip' when IPsec is enabled.
5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.

Changes from v3 to v4
---------------------
1. Split the datapath patch to three patches (geneve, vxlan, stt).
2. Add tutorial for OVN RBAC and OVN IPsec.

Changes from v4 to v5
---------------------
1. Fix coding style issues in ovs-monitor-ipsec.
2. Improve IPsec and OVN-IPsec tutorials as suggested.

Qiuyu Xiao (9):
  datapath: add transport ports in route lookup for geneve
  datapath: add transport ports in route lookup for vxlan
  datapath: add transport ports in route lookup for stt
  ipsec: reintroduce IPsec support for tunneling
  debian and rhel: Create IPsec package.
  Documentation: IPsec tunnel tutorial and documentation.
  ovs-pki: generate x.509 v3 certificate
  OVN: native support for tunnel encryption
  Documentation: OVN RBAC and IPsec tutorial

 Documentation/automake.mk                     |    4 +
 Documentation/howto/index.rst                 |    1 +
 Documentation/howto/ipsec.rst                 |  200 +++
 Documentation/index.rst                       |    5 +-
 Documentation/tutorials/index.rst             |    3 +
 Documentation/tutorials/ipsec.rst             |  353 +++++
 Documentation/tutorials/ovn-ipsec.rst         |  146 ++
 Documentation/tutorials/ovn-rbac.rst          |  134 ++
 Makefile.am                                   |    1 +
 NEWS                                          |    3 +
 datapath/linux/compat/geneve.c                |   29 +-
 datapath/linux/compat/stt.c                   |   15 +-
 datapath/linux/compat/vxlan.c                 |   14 +-
 debian/automake.mk                            |    3 +
 debian/control                                |   21 +
 debian/openvswitch-ipsec.dirs                 |    1 +
 debian/openvswitch-ipsec.init                 |  181 +++
 debian/openvswitch-ipsec.install              |    1 +
 ipsec/automake.mk                             |   10 +
 ipsec/ovs-monitor-ipsec                       | 1173 +++++++++++++++++
 ovn/controller/encaps.c                       |   31 +-
 ovn/controller/encaps.h                       |    7 +-
 ovn/controller/ovn-controller.c               |    4 +-
 ovn/northd/ovn-northd.c                       |    8 +-
 ovn/ovn-architecture.7.xml                    |   39 +
 ovn/ovn-nb.ovsschema                          |    7 +-
 ovn/ovn-nb.xml                                |    6 +
 ovn/ovn-sb.ovsschema                          |    7 +-
 ovn/ovn-sb.xml                                |    6 +
 rhel/automake.mk                              |    1 +
 rhel/openvswitch-fedora.spec.in               |   19 +-
 ...b_systemd_system_openvswitch-ipsec.service |   12 +
 utilities/ovs-ctl.in                          |   18 +
 utilities/ovs-pki.in                          |   25 +-
 vswitchd/vswitch.xml                          |  153 ++-
 35 files changed, 2595 insertions(+), 46 deletions(-)
 create mode 100644 Documentation/howto/ipsec.rst
 create mode 100644 Documentation/tutorials/ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-ipsec.rst
 create mode 100644 Documentation/tutorials/ovn-rbac.rst
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 ipsec/automake.mk
 create mode 100755 ipsec/ovs-monitor-ipsec
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

Comments

Ben Pfaff Aug. 6, 2018, 10:52 p.m. UTC | #1
On Mon, Aug 06, 2018 at 11:04:30AM -0700, Qiuyu Xiao wrote:
> This patch series reintroduces IPsec support for OVS tunneling and enables OVN to
> use IPsec tunnels. GRE, VXLAN, GENEVE, and STT IPsec tunnels are supported.
> StrongSwan and LibreSwan IKE daemons are supported.
> 
> Changes from v1 to v2
> ---------------------
> 1. Merge the ovs-monitor-ipsec code to a single patch. Add LibreSwan IKE
> daemon support.
> 2. Add ovs-monitor-ipsec to flake8 check.
> 3. Use openssl to extract CN from certificate so that users don't need to
> specify the CN information in the configuration interface.
> 4. Improve documentation as suggested.
> 
> Changes from v2 to v3
> ---------------------
> 1. Add scripts and rules to create ovs-ipsec RPM package.
> 2. Add Documentation/tutorials/ipsec.rst which gives a step-by-step OVS IPsec
> tutorial. Modify Documentation/howto/ipsec.rst which gives a detailed
> description on OVS IPsec configuration modes.
> 3. Modify ovs-pki to generate an X.509 version 3 certificate when self-signing.
> 4. IPsec tunnel interface needs 'local_ip' information. Modify ovn-controller
> to add 'local_ip' when IPsec is enabled.
> 5. Add a section on ovn/ovn-architecture.7.xml to introduce ovn IPsec.
> 
> Changes from v3 to v4
> ---------------------
> 1. Split the datapath patch to three patches (geneve, vxlan, stt).
> 2. Add tutorial for OVN RBAC and OVN IPsec.
> 
> Changes from v4 to v5
> ---------------------
> 1. Fix coding style issues in ovs-monitor-ipsec.
> 2. Improve IPsec and OVN-IPsec tutorials as suggested.

Thanks for posting a new version.

It looks like this version of the series still includes patches that
have already been applied to master.  They should be dropped now that
they are in OVS.  Would you mind rebasing against master and then
reposting the series?

I do not know how much you have used Git.  One way to do the above is
with:

git fetch
git rebase origin/master