On 29 May 2024, at 19:53, Jim C via discuss wrote:

> Thanks Ilya. I have another follow-up question. For strongSwan, does OVS
> have it included in the OVS packages, or will OVS just use the strongSwan
> lib that is installed on the OS? How do OVS and strongSwan set up the
> dependencies?

It will use the distribution's version of LibreSwan or StrongSwan. For more details see the tutorial here: https://docs.openvswitch.org/en/latest/tutorials/ipsec/

//Eelco

> Thanks,
> Jim
>
> On Thu, May 16, 2024 at 11:11 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
>
>> On 5/16/24 19:51, Jim C wrote:
>>> Thanks Ilya. I think there are 2 things we are interested in:
>>> 1) If the crypto is done with a FIPS validated module
>>> 2) Are the crypto algorithms all FIPS approved
>>>
>>> For 2), I think we can choose the encryption algorithms we use in IPSec
>>> (Please correct me if I was wrong).
>>> For 1), do you have more information on that?
>>
>> Maybe I also need to clarify that OVS itself doesn't perform any
>> crypto operations on traffic it forwards. That is entirely handled
>> outside of OVS by Libreswan or StrongSwan in case of IPSec.
>>
>> The only crypto operations OVS does are operations on SSL/TLS
>> connections that control ovs-vswitchd daemon and ovsdb-server.
>> These are performed fully by OpenSSL. So, again, not OVS itself.
>> By default whatever algorithms are in the OpenSSL's default list
>> will be used. You can choose a subset with --ssl-cyphers command
>> line argument or equivalent database configuration. But I would
>> expect that compliant OpenSSL build will not contain non-compliant
>> algorithms.
>>
>> Best regards, Ilya Maximets.
>>
>>> On Mon, May 13, 2024 at 2:39 AM Ilya Maximets <i.maxim...@ovn.org> wrote:
>>>
>>> On 5/12/24 08:17, Jim C via discuss wrote:
>>> > We want to use Open vSwitch to build our network and enable IPSec
>>> > for encryption in-transit. I wonder if there is a document that
>>> > describes if the OVS package itself is FIPS compliant?
>>>
>>> Hi, Jim.
>>>
>>> If I'm not mistaken, FIPS compliant can only be a built binary and
>>> Open vSwitch project doesn't release binaries. You need to ask
>>> the distribution where you get your binary packages from.
>>>
>>> However, all the important crypto in OVS is performed by OpenSSL,
>>> so it should be compliant as long as you're linking with compliant
>>> version of OpenSSL. But again, you need to ask your distribution.
>>>
>>> Best regards, Ilya Maximets.
>>>
>>> > Maybe my question is not described accurately. Please let me know
>>> > what more information is needed.
>>> >
>>> > Thanks.
>>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
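Ilya's point in the quoted thread, that OVS performs no traffic crypto itself and that what matters is the distribution's OpenSSL build and its Libreswan or strongSwan package, suggests how to answer Jim's question on a concrete host: look at what the installed ovs-vswitchd actually links and what the IPsec daemon reports. The shell helpers below are an added example, not code from the thread or from the Open vSwitch project. They parse captured output of `ldd`, `openssl list -providers` (OpenSSL 3.x layout assumed) and `ipsec --version` (Libreswan) or `ipsec version` (strongSwan); the sample outputs are constructed so the script runs offline, and on a live host you would pass the real command output instead.

```shell
#!/bin/sh
# Added example, not from the thread or the OVS project: inspect the
# crypto backends an OVS host actually relies on. Each function takes the
# captured text of a command, so it runs on the constructed samples below
# and on real output (e.g. "$(ldd "$(command -v ovs-vswitchd)")") on a host.

# Which IPsec implementation the distribution provides. Argument: output of
# `ipsec --version` (Libreswan) or `ipsec version` (strongSwan); formats assumed.
ipsec_flavor() {
    case "$1" in
        *Libreswan*|*libreswan*) echo libreswan ;;
        *strongSwan*|*strongswan*) echo strongswan ;;
        *) echo unknown ;;
    esac
}

# Path of the libssl the daemon resolves at load time, or "none" if the
# binary was built without SSL support. Argument: `ldd <binary>` output.
openssl_lib_from_ldd() {
    printf '%s\n' "$1" | awk '
        /libssl\.so/ { print $3; found = 1 }
        END { if (!found) print "none" }'
}

# Status of the OpenSSL 3.x FIPS provider: "active", "inactive", or "missing"
# when no fips block is listed. Argument: `openssl list -providers` output.
fips_provider_status() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*fips[[:space:]]*$/ { in_fips = 1; next }
        in_fips && /^[[:space:]]*status:/ { print $2; found = 1; exit }
        in_fips && /^  [^ ]/ { in_fips = 0 }
        END { if (!found) print "missing" }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd2a3f0000)
    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f1c8e200000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c8dc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c8d800000)'

SAMPLE_PROVIDERS_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.2
    status: active'

SAMPLE_PROVIDERS_NOFIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active'

# One-line summary of the three facts a distribution-level FIPS review needs.
summarize() {
    printf 'ipsec=%s libssl=%s fips_provider=%s\n' \
        "$(ipsec_flavor "$1")" \
        "$(openssl_lib_from_ldd "$2")" \
        "$(fips_provider_status "$3")"
}

summarize 'Linux Libreswan 4.12 (netkey) on 6.1.0' "$SAMPLE_LDD" "$SAMPLE_PROVIDERS_FIPS"
```

The three results together cover what the thread says a FIPS question actually reduces to: the IPsec daemon the distribution ships, the OpenSSL library the OVS daemon is linked against, and whether that OpenSSL has its FIPS provider loaded. None of them is a property of the OVS source tree, which is why the answer has to come from the host and its distribution.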