Thanks for your comments!

> For #1 and #2 you would not need skb mark at all. Are you considering these
> two approaches as well?

My current proposal will implement #1. #2 is also a nice feature to have! To enable #2, the northbound and southbound databases can include information that dictates which pairs of transport nodes require encryption. Then the OVN controller can set tunnel options accordingly.

> I think you are proposing #3 here. It is the most fine grained. However, it
> would require to use "opportunistic packet authentication" and expose Open
> vSwitch code to potential attackers, because the IPsec stack will have to
> let through packets that are not signed.

Do you mean the IPsec stack on the sending side will let packets through without being signed?

> In other words, instead of letting IPsec stack to drop malicious packets you
> will require OpenFlow rule to do that. Probably based on skb mark in match
> part.

On the receiving side, if the IPsec stack can set the skb mark for the decrypted packets from a logical network, then OpenFlow rules can be set to drop those packets without the mark. Do you know whether the IPsec stack can do this?

-Qiuyu

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
