[openstack-dev] [Neutron][VPNaaS] Supporting OpenSwan or StrongSwan or Both?
Nachi Ueno
nachi at ntti3.com
Tue Aug 20 17:02:20 UTC 2013
Hi Paul
2013/8/20 Paul Michali <pcm at cisco.com>:
> Was the original reasoning to use StrongSwan over OpenSwan, only because of
> community support? I vaguely recall something mentioned about StrongSwan
> having additional capabilities or something. Can anyone confirm?
>
> As far as which option, it sounds like B or C-2 are the better choices, just
> because of the RHEL support. The two are very similar (from an end-user
> standpoint), so the added doc/help shouldn't be too bad. From a code
> perspective, much of the code can be shared, so the added testing
> requirements should also be minimal.
OK so C-2 has +3. (Salvatore, Paul and me)
> The only point to make about C-2 is it requires us to either take the extra
> time now to support multiple drivers (we will have to eventually - I'll be
> working on one), or do a refactoring later to support a hierarchy of
> drivers. I brought that point up in the review of the reference driver, and
> Nachi and I talked about this a bit yesterday. We both agreed that we could
> do the refactoring later, to support drivers that are different than the
> Swan family.
>
> Related to that, I did have some question about multiple drivers...
>
> How do we handle the case where the drivers support different capabilities?
> For example, say one driver supports an encryption mode that the other does
> not.
>
> Can we reject unsupported capabilities at configuration time? That seems
> cleaner, but I'm wondering how that would be done (I know we'll specify the
> provider, but wondering how we'll invoke driver specific verification
> routines - do we have that mechanism defined?).
There is two kind of drivers.
- service_drivers (server side)
Handle API request and dispatch request for agent side
#This is called plugin_driver in LBaaS, but I prefer service_driver
because it is more specific name)
- device_drivers (agent side)
Get request from API then apply config for agent
So regarding to the capabilities, we should write new service_drivers.
Best
Nachi
> Regards,
>
> PCM (Paul Michali)
>
> MAIL pcm at cisco.com
> IRC pcm_ (irc.freenode.net)
> TW @pmichali
>
> On Aug 19, 2013, at 6:15 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>
> Hi folks
>
> I would like to discuss whether supporting OpenSwan or StrongSwan or Both
> for
> ipsec driver?
>
> We choose StrongSwan because of the community is active and plenty of docs.
> However It looks like RHEL is only supporting OpenSwan.
>
> so we should choose
>
> (A) Support StrongSwan
> (B) Support OpenSwan
> (C) Support both
> (C-1) Make StrongSwan default
> (C-2) Make OpenSwan default
>
> Actually, I'm working on C-2.
> The patch is still WIP https://review.openstack.org/#/c/42264/
>
> Besides the patch is small, supporting two driver may burden
> in H3 including docs or additional help.
> IMO, this is also a valid comment.
>
> Best
> Nachi
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list