Bug
Resolution: Done
Critical
4.13, 4.12, 4.11, 4.10
Quality / Stability / Reliability
False
3
OSDOCS Sprint 233
1
Our IPsec implementation uses Transport Mode, which actually doesn't do any kind of tunneling at all. It adds an ESP header to the original IP packet and then encrypts the data but leaves the original IP header intact. This is different from IPsec Tunnel Mode, which wraps the original (now-encrypted) IP packet in a completely new IP header, with the original IP packet now the new packet's data.
Some suggested changes:
– With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes cluster network travels through an encrypted tunnel.
++ With IPsec enabled, all pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec Transport Mode.
– Encryption protocol and tunnel mode for IPsec
++ Encryption protocol and IPsec mode
– The IPsec tunnel mode used is Transport mode, a mode that encrypts end-to-end communication.
++ The IPsec mode used is Transport mode, which encrypts end-to-end communication by adding an ESP header to the original packet's IP header and encrypting the packet data. OpenShift does not currently use or support IPsec Tunnel Mode for pod-to-pod communication.
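To make the distinction in the report concrete, the following is an added illustration (not code from this bug report, OpenShift, or OVN-Kubernetes) that builds the two packet layouts in Python: Transport Mode keeps the original IP header and inserts the ESP header between it and the encrypted payload, while Tunnel Mode encrypts the whole original packet and prepends a new outer IP header. Everything in it is constructed for the demonstration: the RFC 5737 documentation addresses, the SPI values, the key, and a byte-wise XOR that stands in for the real ESP cipher; ESP padding, the integrity check value and IP checksums are omitted so the header layout stays visible.

```python
# Added illustration (not OpenShift/OVN-Kubernetes code): the byte layout
# of IPsec Transport Mode versus Tunnel Mode. Simplifications, all labelled:
# a byte-wise XOR stands in for the ESP cipher, ESP padding/alignment and
# the integrity check value (ICV) are omitted, and IP checksums stay zero.
import socket
import struct

ESP_PROTO = 50      # IANA protocol number for ESP
IPV4_PROTO = 4      # ESP "next header" meaning a whole IPv4 packet follows (tunnel mode)
TCP_PROTO = 6
KEY = b"constructed-demo-key"   # constructed key, not a real SA key


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Return the IP fields an on-path observer can read without any keys."""
    ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}


def toy_xor(data, key):
    """Stand-in for the ESP cipher; symmetric, so the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_encapsulate(plain, next_header, spi, seq, key):
    """ESP header (SPI, sequence number) + encrypted payload + simplified trailer."""
    trailer = struct.pack("!BB", 0, next_header)        # pad length 0, next header
    return struct.pack("!II", spi, seq) + toy_xor(plain + trailer, key)


def transport_mode(packet, spi, seq, key):
    """Keep the original IP header; only its protocol field changes to ESP."""
    ip = parse_ipv4(packet)
    body = esp_encapsulate(ip["payload"], ip["proto"], spi, seq, key)
    return ipv4_header(ip["src"], ip["dst"], ESP_PROTO, len(body)) + body


def tunnel_mode(packet, outer_src, outer_dst, spi, seq, key):
    """Encrypt the entire original packet and wrap it in a new outer IP header."""
    body = esp_encapsulate(packet, IPV4_PROTO, spi, seq, key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(body)) + body


def esp_decapsulate(pkt, key):
    """Receiver side: strip ESP and recover the protected data and its next header."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", ip["payload"][:8])
    plain = toy_xor(ip["payload"][8:], key)
    pad_len, next_header = struct.unpack("!BB", plain[-2:])
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "data": plain[:len(plain) - 2 - pad_len]}


def on_wire(pkt):
    """What an observer between the two endpoints sees: outer addresses and protocol."""
    fields = parse_ipv4(pkt)
    return {"src": fields["src"], "dst": fields["dst"], "proto": fields["proto"]}


def demo():
    # Constructed sample: a fake TCP segment between RFC 5737 documentation addresses.
    payload = b"\x00\x50\x1f\x90" + b"hello over ipsec"
    original = ipv4_header("192.0.2.10", "192.0.2.20", TCP_PROTO, len(payload)) + payload
    transport = transport_mode(original, spi=0x1001, seq=1, key=KEY)
    tunnel = tunnel_mode(original, "198.51.100.1", "198.51.100.2", spi=0x1002, seq=1, key=KEY)
    return {"original": original, "transport": transport, "tunnel": tunnel,
            "on_wire_transport": on_wire(transport), "on_wire_tunnel": on_wire(tunnel)}


if __name__ == "__main__":
    result = demo()
    print("original  :", on_wire(result["original"]))
    print("transport :", result["on_wire_transport"], "len", len(result["transport"]))
    print("tunnel    :", result["on_wire_tunnel"], "len", len(result["tunnel"]))
```

Running it shows the property the report describes: in Transport Mode the wire packet still carries the original source and destination addresses (only the protocol field becomes 50/ESP, and the ESP SPI is readable), whereas in Tunnel Mode the observer sees only the outer addresses and the tunnel packet is exactly one IP header (20 bytes) longer than the transport packet because the original header is now part of the encrypted data.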