Using encreypted GRE tunnels

asked 2014-04-01 09:19:32 -0600

Krist gravatar image


We are using neutron with open-vswitch and GRE tunnels. I have been asked to investigate whether it is possible to have these tunnels encrypted.

So far I've found some information hinting at ipsec capabilities in openvswitch. Is this something we could use?


edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-04-01 09:44:50 -0600

SamYaple gravatar image

The GRE tunnels you are talking about should have been setup in a secured network, possibly with a dedicated switch or an isolated vlan. I believe some guides call it the "Data" network. It is supposed to be segregated so that only the openvswitch traffic communicates over it, and it has not access to the outside world. This is pretty much the only security it provides. Swift operates with a "Data" network in the same manner as well.

Proper network security is the way to keep everything secure in this case.

IPsec is used in neutron for vpn connections externally, not internally.

edit flag offensive delete link more


There is a seperate VLAN.for Tenant traffic. However this does not provide enough security to satisfy our security department. We were looking in to encrypting everything on L2, but our networking hardware doesn't allow it. So I'm looking at other alternatives.

Krist gravatar imageKrist ( 2014-04-10 07:03:09 -0600 )edit

If it helps in your search, openvswitch _DOES_ allow for encrpyted traffic in the way that you are asking. I do not believe Openstack supports it for a number of reasons. Perhaps looking into openvswitch more directly will help you find an answer.

SamYaple gravatar imageSamYaple ( 2014-04-10 08:10:33 -0600 )edit

I did indeed read in a feature list that openvswitch is suposed to support ipsec+gre. However I can't find any documentation that explains me how to do it. Can you give me a few pointers?

Krist gravatar imageKrist ( 2014-04-10 08:50:53 -0600 )edit

It appears to me that it already is encrypted as the ovsbd-server on the network node is started with the appropriate ssl options by default. But beyond that, I am just not sure about that particular component.

SamYaple gravatar imageSamYaple ( 2014-04-10 13:07:55 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2014-04-01 09:19:32 -0600

Seen: 206 times

Last updated: Apr 01 '14