On Thu, Sep 22, 2016 at 11:59 AM, Ansis Atteka <ansisatt...@gmail.com> wrote: > > > On 20 September 2016 at 20:52, Pravin B Shelar <pshe...@ovn.org> wrote: >> >> OVS IPsec tunnel support has issues: >> 1. It only works for GRE. >> >> 2. only works on Debian. >> >> 3. It does not allow user to match on packet-mark >> on packet received on tunnel ports. >> >> >> >> >> Therefore following patch provide alternative to completely >> disable ipsec-tunnel support by vswitchd command line option. >> This way user can use external daemon to manage IPsec tunnel >> traffic and stir it using skb-mark match action in OVS bridge. >> >> >> This patch deprecates support for IPsec tunnel port. > > > There are other alternative solutions worth to mention: > 1) remove the special meaning of skb_mark bit #0 and update > ovs-monitor-ipsec not to depend on harcoded skb_mark value at all (I think > this can be done with some trickery);
I am not sure what does this mean. How are you going match on IPsec traffic? > 2) allow users to chose OVS mode where OVS can be explicitly told to either > use skb_mark for its own needs (e.g. IPsec) OR to pass skb_mark to OpenFlow > pipeline as-is; This was basically this patch does but I have sent another patch to just deprecate IPsec support. I have mentioned reasoning for the change there. http://openvswitch.org/pipermail/dev/2016-September/079770.html > 3) leave bit #0 assigned to IPsec and let OpenFlow to match only on bits > #1-32. > > Your solutions is kinda like 2), except it discourages uses to configure OVS > in a way where it consumes skb_mark for itself. > > I think solutions 1) could be implemented even after your patch. Except, > maybe then we should not mention that IPsec will be deprecated in the next > release. Also, I would need to think how to address corner cases if > ovs-monitor-ipsec can't use skb_mark anymore. > > Solution 3) would be great from ovs-monitor-ipsec perspective because it > would not need to change. However, it possibly would make OpenFlow skb_mark > matching look weird compared to other fields that OVS can match on. > I do not like solution 3. It does not allows OVS user to use all bits of skb-mark even when there is no IPSEC involved which is what linux networking stack provide. _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev