On Mon, Jan 18, 2016 at 10:16 AM, mostafa uddin <mud...@cs.odu.edu> wrote:
> I have a clarification question,
>
> Is the IPsec packet processing done before the OVS datapath, in the
> network stack?
For incoming packets IPsec is done before reaching the OVS datapath. For egressing packets IPsec is done after the packet has already left the OVS datapath. See http://inai.de/images/nf-packet-flow.png for more details, where you could think of the "local process" as if it were the OVS datapath that owns the tunneling socket. IPsec is done in the "XFRM" boxes.

> Is it possible to bring the IPsec packet processing inside the OVS datapath?
> That means all the packet header formation and the encryption algorithm will be
> called when the packet is in the processing path of the OVS datapath module.

I haven't thought too much about this, but I am afraid that this might get a little bit intrusive for the Linux IP stack, because you would have to get ESP packets somehow to the OVS kernel module, which means that OVS would need to intercept *all* the ESP traffic that would otherwise have gone to the XFRM boxes in that diagram. If you have an idea how to do this in an elegant way, please propose it.

Regards,
Ansis
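Because, as the reply above explains, IPsec happens in the XFRM layer outside the OVS datapath (before it on ingress, after it on egress), OVS itself cannot tell whether its tunnel traffic is actually protected. The place to check is the kernel's XFRM policy table, and both directions must be covered. The following is an added example, not code from this thread or from Open vSwitch: it parses text shaped like `ip xfrm policy` output (the field layout is an assumption based on common iproute2 output), using a constructed sample, and reports tunnel peers that lack an ESP policy in the `in` or `out` direction. The UDP port 4789 in the sample and the 192.0.2.x addresses are assumed values chosen for illustration.

```python
import re

# Constructed sample shaped like `ip xfrm policy` output (assumption: this
# field layout). Peer 192.0.2.2 has both directions covered; peer 192.0.2.3
# only has an egress ("out") policy, so its ingress tunnel traffic is unprotected.
SAMPLE_POLICY = """\
src 192.0.2.1/32 dst 192.0.2.2/32 proto udp dport 4789
\tdir out priority 2816 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.0.2.2/32 dst 192.0.2.1/32 proto udp sport 4789
\tdir in priority 2816 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.0.2.1/32 dst 192.0.2.3/32 proto udp dport 4789
\tdir out priority 2816 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 2 mode transport
"""


def parse_policies(text):
    """Split policy text into dicts: src, dst, dir, and whether an ESP template exists.

    Top-level entries start at column 0 with "src "; the indented "tmpl src"
    lines belong to the current entry and are not new entries.
    """
    policies = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", stripped)
            if not m:
                continue
            current = {"src": m.group(1), "dst": m.group(2), "dir": None, "esp": False}
            policies.append(current)
        elif current is None:
            continue
        elif stripped.startswith("dir "):
            current["dir"] = stripped.split()[1]
        elif stripped.startswith("proto esp"):
            # Template line inside the entry: the selector is mapped to ESP.
            current["esp"] = True
    return policies


def _host(addr):
    # Normalise a bare address to the /32 form used by host selectors.
    return addr if "/" in addr else addr + "/32"


def uncovered_tunnels(text, local, remotes):
    """Return the remote endpoints that lack an ESP policy in either direction.

    Egress needs (local -> remote, dir out); ingress needs (remote -> local, dir in).
    A peer missing either one would exchange plaintext tunnel traffic in that
    direction without OVS ever noticing.
    """
    covered = {(p["src"], p["dst"], p["dir"]) for p in parse_policies(text) if p["esp"]}
    missing = []
    for remote in remotes:
        out_ok = (_host(local), _host(remote), "out") in covered
        in_ok = (_host(remote), _host(local), "in") in covered
        if not (out_ok and in_ok):
            missing.append(remote)
    return missing


if __name__ == "__main__":
    # On a live host you would feed this the output of `ip xfrm policy`.
    peers = ["192.0.2.2", "192.0.2.3"]
    print("peers without full ESP coverage:", uncovered_tunnels(SAMPLE_POLICY, "192.0.2.1", peers))
```

The check deliberately looks at policy rather than state: a missing policy means the kernel will never consult an SA for that selector, so the tunnel socket's packets bypass the XFRM boxes entirely in that direction.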