[openstack-dev] VPNaaS

Nachi Ueno nachi at ntti3.com
Tue May 14 20:58:49 UTC 2013


Hi Folks

We had VPN meetings yesterday.

Agenda :
1.  local_subnet vs local_cidr  --> Keep discussion
2.  Use cidr value or subnet_id?  --> Keep discussion
3.  Task assignment
  -  move doc to wiki (Swami) Done
https://wiki.openstack.org/wiki/Quantum/VPNaaS
  -  Register BP and get approval by Mark (Swami) Done -> H2
  -  check default value for lifetime value (Swami) Done
  -  Implement Data Model (Swami will push code to the gerrit) by 5/20
  -  CLI (python-quantum client) work (Swami will push code to the
gerrit) by 5/20
  -  Implement Driver (Nachi & PCM) by 5/31
     - Investigate strongswan
     - rpc (spec needed)
     - Design driver architecture (spec needed)
     - Write driver code
  -  Installation instructions on Wiki 5/31
  -  Devstack support (nati) late June?
  -  Write openstack network api document wiki (Sachin)
  -  Horizon work (needs contributor)
  -  Tempest (needs contributor)

Next meeting is 5/16 Thursday at 3pm (PST), on IRC #openstack-meetings

Meeting ended Tue May 14 01:00:58 2013 UTC.  Information about MeetBot
at http://wiki.debian.org/MeetBot . (v 0.1.4)
Minutes:
http://eavesdrop.openstack.org/meetings/openstack_networking_vpn/2013/openstack_networking_vpn.2013-05-14-00.06.html
Minutes (text):
http://eavesdrop.openstack.org/meetings/openstack_networking_vpn/2013/openstack_networking_vpn.2013-05-14-00.06.txt
Log:
http://eavesdrop.openstack.org/meetings/openstack_networking_vpn/2013/openstack_networking_vpn.2013-05-14-00.06.log.htm

Thanks!
Nachi Ueno

2013/5/10 Nachi Ueno <nachi at ntti3.com>:
> Hi Paul
>
> Thanks for your contributions! :)
>
> Nachi
>
> 2013/5/10 Paul Michali <pcm at cisco.com>:
>> Sure! Glad to work with you Nachi. Anything I can do to help out on the
>> project!
>>
>> I'll start looking at strongswan and how to configure.
>>
>>
>> Regards,
>>
>> PCM (Paul Michali)
>>
>>
>> On May 10, 2013, at 12:35 PM, Nachi Ueno wrote:
>>
>> Hi Paul
>>
>> Sounds Great.
>>
>> The first driver will be strong-swan based.
>> http://www.strongswan.org/
>>
>> How about working with me to implement the strong-swan vpn driver?
>> Honestly, I'm new to strong-swan, so I would very much appreciate it if you
>> could try strong-swan on ubuntu and share how to configure it based on the
>> current API model.
>>
>> Thanks
>> Nachi
>>
>> 2013/5/10 Paul Michali <pcm at cisco.com>:
>>
>> Nachi, Mark, Swami, Sachin, et al,
>>
>> Any suggestions on where/how I can help on this? I'm new to OS (just working
>> it for a few months), so no specific expertise area, but have bandwidth to
>> contribute.
>>
>> Also, any pointers to information that will help me get up to speed on this
>> would be appreciated (Mark gave me a link to an Amazon URL for info on what they
>> provide for VPNaaS). I was going to look at LBaaS code next week and have
>> been monitoring those discussions, as there seem to be some parallels there.
>> If there is companion info that you think would help, let me know.
>>
>> Regards,
>>
>> PCM (Paul Michali)
>>
>> On May 9, 2013, at 9:12 PM, Nachi Ueno wrote:
>>
>> Hi Folks
>>
>> We had a meeting about VPN today.
>>
>> #Conclusions
>>
>> 1. We agreed ipsec api
>> https://blueprints.launchpad.net/quantum/+spec/vpnaas-python-apis
>> 2. Swami will push api CRUD code to review (continue discussion on code)
>> https://blueprints.launchpad.net/quantum/+spec/vpnaas-python-apis
>> 3. We agreed first implementation vpn architecture
>> 4. Next meeting is 5/13 PST 5:00 PM on #openstack-meetings
>>
>> #Questions for IPSec API
>>
>> 1 psk_key -> psk (agreed)
>> 2 For ipsecpolicy table, suggest to split lifetime into two parts
>> lifetime_s(per seconds) and lifetime_b(per kilobytes)   ->  updated
>> table (agreed)
>> 3 change back "cidrs" from subnet (or network)  -> check Mark's thought
>> 4 For APIs, can we shorten the naming such as change  -> keep current
>> longer style for readability
>>
>> #Project Management (Task)
>>
>> -  move doc to wiki (Swami)
>> -  Register BP and get approval by Mark (Swami)
>> -  check default value for lifetime value (Swami)
>> -  Discuss Architecture
>> -  Implement Data Model (Swami will push code to the gerrit)
>> -  Driver (Nachi?)
>> -  CLI (python-quantum client) work (Swami will push code to the gerrit)
>> -  Write openstack network api document wiki (Sachin)
>> -  Devstack support
>> -  Horizon work
>> -  Tempest
>>
>> https://docs.google.com/a/ntti3.com/presentation/d/1J7k1eI13-3pQVwp5XgZDWPfzUvuSqczRdK0lEZKQOKk/edit#slide=id.p
>>
>> Nachi
>>
>> 2013/5/7 Qin Li <qili at vmware.com>:
>>
>> Hi Swami,
>>
>> Thanks for your comments. All look good to me except local_cidrs,
>> peer_cidrs. "cidrs" may be clear for value type and validation, but it is
>> unfamiliar for the existing VPN administrators. I think we might use
>> subnets or networks to avoid introducing a new concept for users.
>>
>> Regards
>> QinLi
>>
>> -----Original Message-----
>> From: Vasudevan, Swaminathan (PNB Roseville)
>> [mailto:swaminathan.vasudevan at hp.com]
>> Sent: 8 May 2013 1:25
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] VPNaaS
>>
>> Hi Qin Li,
>> See my answers inline.
>> Thanks.
>>
>> -----Original Message-----
>> From: Qin Li [mailto:qili at vmware.com]
>> Sent: Monday, May 06, 2013 8:37 PM
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] [Quantum] [Networking] VPNaaS
>>
>> I'd like to share some of my comments on data models, tables, APIs defined
>> in link
>> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5J4aO5J5Q74R_PwgV8/edit .
>>
>> 1. For VPNServiceConnection table
>>
>> a. suggest to remove psk(Boolean) key defined in VPNServiceConnection
>> table. There is already key auth_mode defined in ikepolicy table.
>> "auth_mode" can be "psk" or "certificate". By default, if not set, it is
>> psk mode for authentication. Still keeping psk_key inside
>> VPNServiceConnection since psk_key is different per remote peer.
>> Authentication mode is a part of IKE property.
>>
>> Swami - Yes we had both the auth_mode and psk_key as part of the IKEPolicy
>> table.  We moved both the fields to the connection table since we just
>> wanted to re-use the IKEPolicy for different connections if only the PSK
>> key changes or the auth_mode changes. Also in the document we make the
>> necessary changes to the table definition, but I need to make the change
>> also in the datamodel table.
>>
>> b. suggest to change local_cidrs and peer_cidrs to local_networks(or
>> local_subnets) and peer_networks(peer_subnets) in VPNServiceConnection
>> table.   Cidrs is not a familiar keyword to users in IPSec industry. Some
>> IPSec VPN vendors use subnets, some use networks.
>>
>> Swami - Yes we had initially defined it as peer_subnets and local_subnets,
>> but based on yesterday's discussion we moved it to "cidrs", since it would
>> be clear.
>>
>> c. suggest to change psk_key to psk,  psk already means pre-shared key.
>>
>> Swami - Accepted we will change this.
>>
>> 2. For ipsecpolicy table, suggest to split lifetime into two parts
>> lifetime_s(per seconds) and lifetime_b(per kilobytes).
>>
>> Swami - Yes we can discuss this in Thursday's meeting.
>>
>> 3. Can we shorten the naming of keywords? Such as change
>>
>> Swami - We can discuss this in Thursday's meeting. The reason we
>> don't want to have abbreviated keys is for people to understand the keys
>> properly.
>>
>>  In vpnserviceconnections table
>>  vpnservice_ipsecpolicy_id  to  ipsecpolicy_id
>>  vpnservice_ikepolicy_id    to  ikepolicy_id
>>  vpnservice_certificiate_id to  certificate_id
>>
>>  In ikepolicys table
>>  auth_algorithm           to auth_alg
>>  encryption_algorithm     to enc_alg
>>  phraseI_negotiation_mode to phraseI_mode
>>
>>  In ipsecpolicys table
>>  transform_protocol       to protocol
>>  auth_algorithm           to auth_alg
>>  encryption_algorithm     to enc_alg
>>  encapsulation_mode       to mode or encap_mode
>>
>> 4. There might be some updates to set proper length for each value in the
>> tables. Such as change
>>  auth_algorithm VARCHAR2(255)       to auth_alg  VARCHAR2(8)   ; for
>> example "sha1" etc.
>>  encryption_algorithm VARCHAR2(255) to enc_alg   VARCHAR2(16)   ; for
>> example "aes128-cbc", "aes256-cbc" etc.
>>  name VARCHAR2(255)                 to name      VARCHAR2(64)
>>
>> Swami - Yes we will make the necessary changes in the table.
>>
>> 5. What do "dh" and "tls" keywords mean in table vpnservicecertficates?
>>
>> Swami - This was mainly included in the certificate table to address the
>> "Openvpn" certificate requirements. This will be dropped for now. Also we
>> are not considering implementing the certificates for this release. We
>> will clean up the tables.
>>
>> 6. For APIs, can we shorten the naming such as change
>>  /v1.0/vpnservicecertificates/vpnservice_certificate_id  to
>> /v1.0/vpncerts/certificate_id
>>  /v1.0/vpnserviceconnections/vpnservice_conn_id          to
>> /v1.0/vpnsrvconns/conn_id
>>
>> Swami: We can discuss in Thursday's meeting.
>>
>> Thanks & Regards
>> Qin
>>
>> -----Original Message-----
>> From: Nachi Ueno [mailto:nachi at ntti3.com]
>> Sent: 7 May 2013 9:07
>> To: OpenStack Development Mailing List
>> Subject: Re: [openstack-dev] [Quantum] [Networking] VPNaaS
>>
>> Hi folks
>>
>> In today's meeting, we almost finished defining the data models.
>> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5J4aO5J5Q74R_PwgV8/edit
>>
>> If you have any concerns, please comment on the doc or ask on the
>> mailing list.
>>
>> We will have a meeting at
>> 5/9 (Thu) 5:00 (PST)
>>
>> In the next meeting, we will have a more project-management oriented
>> discussion.
>>
>> Thanks
>> Nachi
>>
>> 2013/5/6 Nachi Ueno <nachi at ntti3.com>:
>>
>> Hi folks
>>
>> Here are the notes from the 2nd meeting on VPN # sorry, I thought
>> I had sent it to the mailing list, but it looks like it was not delivered.
>>
>> 1) FirstStep  SSL-VPN or IPSec?  -> IPSec
>> - all attendees agree with IPSec as the first step
>> - IPSec is widely used, so this is a big win for the community
>> - IPSec can support the remote user use case
>> - SSL-VPN (CloudPipe) can be supported by OpenVPN VM with floating ips
>>
>> 2) GenericService API -> Agreed
>> -id
>> -name
>> -tenant_id
>> -type (VPN type)
>> type has namespace (should be flat)
>> l2 vpn -> l2.*** (l2.l2tp)
>> l3 vpn -> l3.** (l3.ipsec)
>>
>> 3) IPSec API set
>> Start discussion for IPSec api on the google doc
>> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5J4aO5J5Q74R_PwgV8/edit
>>
>> 4) Next meeting time
>> PST Monday 5PM (Sachin at VMWare will reserve conf-call)
>>
>> Meeting Agenda and Note
>> https://docs.google.com/presentation/d/1J7k1eI13-3pQVwp5XgZDWPfzUvuSqczRdK0lEZKQOKk/edit#slide=id.p
>>
>> Thanks!
>>
>> 2013/5/1 Sachin Thakkar <sthakkar at vmware.com>:
>>
>> Thanks folks for joining today. We've made some good progress on the
>> IPsec VPN object model. Nachi has sent out the meeting notes to the
>> alias as well.
>>
>> We'll need another follow up to continue the discussion. The meeting
>> will be at 5pm Pacific time on Monday, May 6.
>>
>> The same bridge below will be used.
>>
>> Thanks,
>> Sachin
>>
>> ________________________________
>> From: "Sachin Thakkar" <sthakkar at vmware.com>
>> To: "OpenStack Development Mailing List (openstack-dev at lists.openstack.org)"
>> <openstack-dev at lists.openstack.org>
>> Sent: Thursday, April 25, 2013 11:43:30 PM
>> Subject: [openstack-dev] [Quantum] [Networking] VPNaaS
>>
>> Trying the new Networking tag in the subject :)
>>
>> Anyway, we have a kickoff call for VPNaaS scheduled next Wednesday @
>> 5pm Pacific time. We will be discussing over the phone:
>>
>> Participant Passcode: 697 737 3510
>> Call-in toll-free number (Premiere): 1-866-715-6501 (US) Additional
>> International Numbers:
>> http://pages.pgi-email.com/page.aspx?qs=5c591a8916642e738e03c25585184f841174bd68edc7b376f211065726f20c4087d2dbd294c95628953b9ebd93c298f8a59d287357f683bc937b0420662c826d43f873082e5033f476121c74d72cc5ed151c4b30a31fa1b2
>>
>> To all interested, hope to see you there.
>>
>> Cheers,
>> Sachin
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

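The data model argued over in this thread (auth_mode and psk moved onto the VPNServiceConnection row, lifetime_s/lifetime_b on the ipsecpolicy, local_cidrs/peer_cidrs, the proposed VARCHAR widths) and the strongSwan driver task can be tried out together in a small validator that renders one connection into an ipsec.conf section plus an ipsec.secrets line. The Python below is an added example, not code from the thread or from Quantum; the column names follow the thread, while dh_group, the local_address/peer_address fields, the sample rows and the API-to-strongSwan cipher-name mapping are assumptions.

```python
import ipaddress

# Column widths proposed in the thread (item 4) and an assumed mapping from the
# API's cipher names ("aes128-cbc") to strongSwan proposal tokens ("aes128").
MAX_LEN = {"name": 64, "auth_algorithm": 8, "encryption_algorithm": 16}
ENC_MAP = {"aes128-cbc": "aes128", "aes256-cbc": "aes256", "3des-cbc": "3des"}
# Constructed sample rows in the shape of the proposed tables (dh_group is assumed).
IKE = {"name": "ike1", "auth_algorithm": "sha1", "encryption_algorithm": "aes128-cbc",
       "dh_group": "modp1024"}
IPSEC = {"name": "esp1", "auth_algorithm": "sha1", "encryption_algorithm": "aes256-cbc",
         "lifetime_s": 3600, "lifetime_b": 102400}
CONN = {"name": "site-a", "auth_mode": "psk", "psk": "example-psk-change-me",
        "local_address": "203.0.113.10", "local_cidrs": ["10.0.1.0/24"],
        "peer_address": "198.51.100.20", "peer_cidrs": ["10.0.2.0/24", "10.0.3.0/24"]}

def validate(conn, ike, ipsec):
    """Check the rows; return parsed (local, peer) networks or raise ValueError."""
    for table, row in (("ikepolicy", ike), ("ipsecpolicy", ipsec)):
        for field, limit in MAX_LEN.items():
            if len(row[field]) > limit:
                raise ValueError("%s.%s longer than %d chars" % (table, field, limit))
        if row["encryption_algorithm"] not in ENC_MAP:
            raise ValueError("%s: unsupported cipher %s" % (table, row["encryption_algorithm"]))
    # certificates are out of scope for the first release, so only psk is accepted
    if conn["auth_mode"] != "psk" or not conn.get("psk"):
        raise ValueError("auth_mode must be psk and psk must be set")
    # strict=True rejects "10.0.1.5/24" (host bits set), the usual cidr typo
    local = [ipaddress.ip_network(c, strict=True) for c in conn["local_cidrs"]]
    peer = [ipaddress.ip_network(c, strict=True) for c in conn["peer_cidrs"]]
    if not local or not peer:
        raise ValueError("local_cidrs and peer_cidrs must not be empty")
    return local, peer

def render(conn, ike, ipsec):
    """Return (ipsec.conf 'conn' section, ipsec.secrets line); the PSK is only in the latter."""
    local, peer = validate(conn, ike, ipsec)
    prop = lambda r: ENC_MAP[r["encryption_algorithm"]] + "-" + r["auth_algorithm"]
    section = "\n".join([
        "conn " + conn["name"],
        "    authby=secret",
        "    left=" + conn["local_address"],
        "    leftsubnet=" + ",".join(map(str, local)),
        "    right=" + conn["peer_address"],
        "    rightsubnet=" + ",".join(map(str, peer)),
        "    ike=%s-%s" % (prop(ike), ike["dh_group"]),
        "    esp=" + prop(ipsec),
        "    lifetime=%ds" % ipsec["lifetime_s"],
        "    lifebytes=%d" % (ipsec["lifetime_b"] * 1024),  # API counts kilobytes
    ])
    return section, '%s %s : PSK "%s"' % (conn["local_address"], conn["peer_address"], conn["psk"])
```

Keeping the PSK out of the rendered ipsec.conf matters once the driver starts logging or exposing generated configuration; only the secrets line needs restricted permissions.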