On Mon, Sep 26, 2016 at 11:49 AM, Ansis Atteka <ansisatt...@gmail.com> wrote: > > > On 26 September 2016 at 03:48, Pravin B Shelar <pshe...@ovn.org> wrote: >> >> OVS GRE IPsec tunnel support has multiple issues, Therefore > > s/issues,/issues. >> >> it was deprecated in OVS 2.6. >> >> Following patch removes support GRE IPsec and allow external > > s/support/support for > s/allow/allows >> >> IPsec tunnel management for any type of tunnel not just GRE. >> >> e.g. user can encrpt Geneve or VxLan traffic. > > s/encrpt/encrypt >> >> >> It can be done by using openflow pipeline to set skb-mark >> and using xfrm to implement IPsec tunnels. xfrm can match >> on the skb-mark to encrypt selective tunnel traffic. > > > Some folks may misinterpret the paragraph above that we are recommending > them to use XFRM *directly* as an alternative. XFRM is just NetLink > interface to linux kernel to install IPsec keys after these keys have been > negotiated by IPsec keying daemon, such as strongSwan, openSwan/libreswan or > racoon. > > Instead I would recommend users to use one of the IPsec keying daemons > rather than XFRM directly. > ok, sounds good, I will update commit msg.
>> VMware-BZ: 1710701 >> Signed-off-by: Pravin B Shelar <pshe...@ovn.org> >> --- >> This is targeted for OVS master branch only. >> --- >> NEWS | 1 + >> README.md | 2 +- >> >> debian/automake.mk | 7 - >> debian/control | 24 -- >> debian/openvswitch-ipsec.dirs | 1 - >> debian/openvswitch-ipsec.init | 203 ---------------- >> debian/openvswitch-ipsec.install | 1 - >> debian/ovs-monitor-ipsec | 507 >> --------------------------------------- >> lib/netdev-vport.c | 67 +----- >> lib/netdev.h | 1 - >> ofproto/ofproto-dpif-ipfix.c | 15 -- >> ofproto/ofproto-dpif-sflow.c | 7 - >> ofproto/tunnel.c | 13 - >> tests/automake.mk | 1 - >> tests/ofproto-macros.at | 49 ---- >> tests/ovn-controller.at | 2 +- >> tests/ovs-monitor-ipsec.at | 271 --------------------- >> tests/testsuite.at | 1 - >> tests/tunnel-push-pop-ipv6.at | 2 +- >> tests/tunnel-push-pop.at | 2 +- >> tests/tunnel.at | 87 +------ >> utilities/bugtool/ovs-bugtool.in | 2 +- >> utilities/ovs-appctl.8.in | 4 +- >> vswitchd/vswitch.xml | 57 +---- >> 24 files changed, 23 insertions(+), 1304 deletions(-) >> delete mode 100644 debian/openvswitch-ipsec.dirs >> delete mode 100755 debian/openvswitch-ipsec.init >> delete mode 100644 debian/openvswitch-ipsec.install >> delete mode 100755 debian/ovs-monitor-ipsec >> delete mode 100644 tests/ovs-monitor-ipsec.at > > > Assuming you were able to build all other debian packages with "fakeroot > debian/rules binary" after removing and editing those files, then > Acked-by: Ansis Atteka <aatt...@ovn.org> > Thanks for review. > Let me know, if you want me to independently verify that as well? I will test this but it will be nice if you verify it independently. _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
