Thanks Ilya. I have another follow-up question. For strongSwan, does OVS have it included in the OVS packages, or will OVS just use the strongSwan lib that is installed on the OS? How do OVS and strongSwan set up the dependencies?
Thanks,
Jim

On Thu, May 16, 2024 at 11:11 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
> On 5/16/24 19:51, Jim C wrote:
> > Thanks Ilya. I think there are 2 things we are interested in:
> > 1) If the crypto is done with a FIPS validated module
> > 2) Are the crypto algorithms all FIPS approved
> >
> > For 2), I think we can choose the encryption algorithms we use in IPSec (please correct me if I am wrong).
> > For 1), do you have more information on that?
>
> Maybe I also need to clarify that OVS itself doesn't perform any crypto operations on traffic it forwards. That is entirely handled outside of OVS by Libreswan or StrongSwan in case of IPSec.
>
> The only crypto operations OVS does are operations on SSL/TLS connections that control the ovs-vswitchd daemon and ovsdb-server. These are performed fully by OpenSSL. So, again, not OVS itself. By default whatever algorithms are in OpenSSL's default list will be used. You can choose a subset with the --ssl-ciphers command line argument or the equivalent database configuration. But I would expect that a compliant OpenSSL build will not contain non-compliant algorithms.
>
> Best regards, Ilya Maximets.
>
> > On Mon, May 13, 2024 at 2:39 AM Ilya Maximets <i.maxim...@ovn.org <mailto:i.maxim...@ovn.org>> wrote:
> > > On 5/12/24 08:17, Jim C via discuss wrote:
> > > > We want to use Open vSwitch to build our network and enable IPSec for encryption in-transit. I wonder if there is a document that describes if the OVS package itself is FIPS compliant?
> > >
> > > Hi, Jim.
> > >
> > > If I'm not mistaken, only a built binary can be FIPS compliant, and the Open vSwitch project doesn't release binaries. You need to ask the distribution where you get your binary packages from.
> > >
> > > However, all the important crypto in OVS is performed by OpenSSL, so it should be compliant as long as you're linking with a compliant version of OpenSSL. But again, you need to ask your distribution.
> > >
> > > Best regards, Ilya Maximets.
> > >
> > > > Maybe my question is not described accurately. Please let me know what more information is needed.
> > > >
> > > > Thanks.
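Since OVS hands the --ssl-ciphers string straight to OpenSSL, the suites that actually end up enabled depend on how the local OpenSSL expands that string. The following is an added example, not part of this thread and not Open vSwitch code: it expands a candidate cipher string through the local OpenSSL (via Python's ssl module, which exposes the same cipher-string syntax) and flags every resulting suite whose primitives fall outside a simplified FIPS allow-list. The allow-lists, the constructed sample suites and the function names are assumptions of this example; the authoritative list is the security policy of the validated module you actually link against.

```python
"""Audit an OpenSSL cipher string before passing it to ovs-vswitchd or
ovsdb-server as --ssl-ciphers.  Added example; not Open vSwitch code."""
import ssl

# Simplified allow-lists (assumption for illustration, loosely after SP 800-52r2).
APPROVED_SYMMETRIC_PREFIXES = ("aes-",)          # rejects chacha20, rc4, des, camellia, ...
APPROVED_DIGESTS = {None, "sha256", "sha384"}    # None = AEAD suite (MAC inside cipher); rejects md5, sha1
APPROVED_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}  # forward-secret exchanges; kx-any is TLS 1.3; rejects kx-rsa, kx-psk, ...
APPROVED_AUTH = {"auth-rsa", "auth-ecdsa", "auth-any"}  # rejects auth-null, auth-dss, auth-psk, ...

# Constructed sample entries in the shape ssl.SSLContext.get_ciphers() returns
# (only the keys this check reads).  Not captured from a real system.
SAMPLE_SUITES = [
    {"name": "ECDHE-ECDSA-AES256-GCM-SHA384", "symmetric": "aes-256-gcm",
     "digest": None, "kea": "kx-ecdhe", "auth": "auth-ecdsa"},
    {"name": "ECDHE-RSA-CHACHA20-POLY1305", "symmetric": "chacha20-poly1305",
     "digest": None, "kea": "kx-ecdhe", "auth": "auth-rsa"},
    {"name": "AES128-SHA", "symmetric": "aes-128-cbc",
     "digest": "sha1", "kea": "kx-rsa", "auth": "auth-rsa"},
]


def suite_violations(suite: dict) -> list[str]:
    """Return the reasons one suite entry fails the allow-list; [] means it passes."""
    problems = []
    sym = suite.get("symmetric")
    if not sym or not sym.startswith(APPROVED_SYMMETRIC_PREFIXES):
        problems.append(f"cipher {sym}")
    if suite.get("digest") not in APPROVED_DIGESTS:
        problems.append(f"digest {suite.get('digest')}")
    if suite.get("kea") not in APPROVED_KEA:
        problems.append(f"key exchange {suite.get('kea')}")
    if suite.get("auth") not in APPROVED_AUTH:
        problems.append(f"authentication {suite.get('auth')}")
    return problems


def audit_cipher_string(cipher_string: str) -> dict[str, list[str]]:
    """Expand cipher_string with the local OpenSSL and audit every enabled suite.

    OpenSSL keeps its TLS 1.3 suite list separate from the TLS 1.2 cipher
    string, so TLS 1.3 suites (including a ChaCha20 one on most builds) show
    up here even though the string did not select them; they are judged the
    same way so that nothing the daemon could negotiate goes unchecked.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {s["name"]: suite_violations(s) for s in ctx.get_ciphers()}


def offending_suites(cipher_string: str) -> list[str]:
    """Names of suites the string would enable that fail the check."""
    return [name for name, v in audit_cipher_string(cipher_string).items() if v]


if __name__ == "__main__":
    # Candidate value for --ssl-ciphers (assumption; adjust to your policy).
    candidate = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
    for name, problems in audit_cipher_string(candidate).items():
        print(f"{name:40s} {'OK' if not problems else ', '.join(problems)}")
```

Run it against the exact string you intend to pass as --ssl-ciphers, on the host that will run the daemons, because the expansion is done by that host's OpenSSL, not by OVS. A suite that is flagged only because of the TLS 1.3 list is a reminder that the cipher string alone does not govern TLS 1.3; on a FIPS-built OpenSSL the non-approved suites should simply be absent, which this check confirms.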
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss