Fast Datapath Product: FDP-3001

[RFE] Allow configuring custom ipsec connection options

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Major
    • OVN

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given IPsec is enabled on OVN,
      When an administrator sets a custom option in NB_Global,
      Then the option appears on the OVS tunnel interface and is processed by ovs-monitor-ipsec into the ipsec.conf connection profile.


      ( ) The epic's work is available in a downstream build (nightly/async or other)


      ( ) Test coverage is available in downstream CI if applicable


      ( ) All cards under the epic have been moved to Done


      ( ) Failed Test Plans have bugs added as children to the epic/feature.

    • rhel-9
    • rhel-net-ovn
    • 100% To Do, 0% In Progress, 0% Done
    • ssg_networking
    • Important

      This epic tracks all the effort needed to deliver the solution related to the feature request described below.

      What's the feature?

      Allow setting custom ipsec_<key>=<value> options in the northbound DB, so that they are passed down to OVS as tunnel IPsec configuration options and end up as part of the connection specification in ipsec.conf for OVN tunnels.

      Why is it needed?

      Today OVN allows setting ipsec_encapsulation/ipsec_forceencaps for the tunnels when IPsec is enabled, but it doesn't allow any other options that may be required for the connection to work properly in a particular environment. For example, in an environment where more packet reordering than usual is expected, it may be necessary to specify a replay-window size. It may also be useful to try different options while debugging IPsec issues. Some of this can be mitigated by setting %default connection options in a separate config file included from ipsec.conf, but that is not always possible, e.g. if ovs-monitor-ipsec owns the root ipsec.conf. It may also be desirable to change the configuration for OVN tunnels only, without affecting the N-S IPsec configuration on the node.

      Who will benefit?

      Users that require specific configuration for ipsec to work in their environment. Support and developers will be able to try different configuration changes easily while debugging complex ipsec issues like FDP-2940.
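      The translation this RFE asks for, as an added illustration (not OVS or OVN code): custom ipsec_<key>=<value> tunnel-interface options are copied into the ipsec.conf "conn" block that ovs-monitor-ipsec would write, after rejecting keywords the monitor manages itself. The RESERVED set, the conn layout and the sample options are assumptions made for this example.

```python
import re

# Keywords the monitor derives from the tunnel itself (peer addresses,
# identity, authentication). Assumed list for this illustration: a free-form
# option must not silently override them.
RESERVED = {"left", "right", "leftid", "rightid", "leftcert", "rightcert",
            "authby", "type", "auto", "leftprotoport", "rightprotoport"}

# ipsec.conf keywords are letters, digits and '-' (e.g. "replay-window").
_KEY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def custom_ipsec_options(tunnel_options):
    """Split 'ipsec_<key>' tunnel options into accepted and rejected ones.

    Returns (accepted, rejected): accepted maps conf keyword -> value,
    rejected is a list of (option name, reason) for the caller to log.
    """
    accepted, rejected = {}, []
    for name, value in sorted(tunnel_options.items()):
        if not name.startswith("ipsec_"):
            continue                  # ordinary tunnel option, not for ipsec.conf
        key = name[len("ipsec_"):]
        if not _KEY_RE.match(key):
            rejected.append((name, "malformed keyword"))
        elif key in RESERVED:
            rejected.append((name, "overrides a monitor-managed keyword"))
        elif not value or re.search(r"[\s#]", value):
            rejected.append((name, "value would break key=value syntax"))
        else:
            accepted[key] = value
    return accepted, rejected


def render_conn(conn_name, local_ip, remote_ip, tunnel_options):
    """Render one ipsec.conf 'conn' block: fixed lines, then custom options."""
    lines = ["conn %s" % conn_name, "    left=%s" % local_ip,
             "    right=%s" % remote_ip, "    type=transport", "    auto=start"]
    accepted, _ = custom_ipsec_options(tunnel_options)
    lines.extend("    %s=%s" % (k, v) for k, v in accepted.items())
    return "\n".join(lines) + "\n"


# Constructed sample of what ovn-controller would set on a tunnel interface
# once the administrator configured the options in NB_Global.
SAMPLE_TUNNEL_OPTIONS = {
    "remote_ip": "192.0.2.20",
    "ipsec_replay-window": "128",    # the kind of option this RFE asks for
    "ipsec_leftcert": "other.pem",   # constructed: must be rejected
}

if __name__ == "__main__":
    print(render_conn("ovn-chassis-2", "192.0.2.10", "192.0.2.20",
                      SAMPLE_TUNNEL_OPTIONS))
```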

              Mairtin Lynch (rh-ee-moloings), Ilya Maximets (imaximet@redhat.com), OVN QE