On Wed, Dec 11, 2019 at 1:21 PM Pavel Nakonechnyi <pavel@gremwell.com> wrote:
> Dear oVirt Community,
>
> From my understanding oVirt does not support Open vSwitch IPSEC tunneling for GENEVE traffic (which is described on pages http://docs.openvswitch.org/en/latest/howto/ipsec/ and http://docs.openvswitch.org/en/latest/tutorials/ipsec/).

Correct, currently this is not supported.

> Are there plans to introduce such support? (or explicitly not to..)

The feature is tracked in
https://bugzilla.redhat.com/1782056

If you would comment on the bug about your use case and why the feature would be helpful in your scenario, this might help to push the feature.

> Is it possible to somehow manually configure such tunneling for existing virtual networks? (even in a limited way)

I would be interested to know how far away we are from the flow described in
http://docs.openvswitch.org/en/stable/tutorials/ovn-ipsec/ .
I expect that the openvswitch-ipsec package is missing. Any input on this is welcome.

> Alternatively, is it possible to deploy oVirt on top of the tunneled (i.e. via VXLAN, IPSec) interfaces? This will allow encrypting all management traffic.
>
> Such a requirement arises when using an oVirt deployment on third-party premises with an untrusted network.
>
> Thanks in advance for any clarifications. :)
>
> --
> WBR, Pavel
> +32478910884

