[openstack-dev] [VPNaaS] Questions/comments on API/CLI BP...

Paul Michali pcm at cisco.com
Wed May 15 22:28:12 UTC 2013


Providing some comments and (a ton of) questions on the wiki for the model/CLI/API. Great document, BTW.

https://wiki.openstack.org/wiki/Quantum/VPNaaS

DataModel

VPNServices Table

Looking at strongswan, it looks like they have a lifetime_units of packets. Do we want to add that, in addition to time/kilobytes?


IKEPolicy and IPsecPolicys Tables

Should these table names be plural or singular (I'm guessing plural)? If so, should be IPsecPolicies.

Are these two tables mutually exclusive?
    If so, should they be combined as there is much in common?

Whether exclusive or not, should some of the comment fields be extracted to another table (e.g. algorithm, lifetime, pfs)?

Can you elaborate on the pfs field? Looking at strongswan, they said this (which was a bit confusing to me):
"IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying PFS is enforced by defining a Diffie-Hellman dhgroup in the esp parameter. Since 5.0.0 the latter also applies to IKEv1 and this parameter has no effect anymore."


VPNServiceConnections Table

Should dpd_interval be dpd_delay?
Should a value of zero be allowed? Strongswan indicated that zero meant no info messages sent, and relied on packets, like rekey messages, to determine peer health.

Is the intent to only support additional auth_mode later (strongswan shows a few more)?


CLI

Do the vpn-vpnservice-* and vpn-vpnserviceconnection-* commands need the second "vpn"?

How is the "-c COLUMN" argument used on create commands?

What is the "shell" option for the -f option (format?) on create, list, and show commands? Why no json/xml/etc?

Should the update commands have an argument to specify the fields to update? Is that supposed to be the "--variable VARIABLE" argument?


REST

Is it the OS convention to have the version in the URI or to use versionless for the most recent version and aliases for that version (e.g. /v1.0/vpnservices and /v1/vpnservices would be an alias to /vpnservices)? No intent to start a debate, just wondering what's the approach being used and curious as to how this is handled over time.

/ikepolicys => /ikepolicies

/ipsecpolicys => /ipsecpolicies


Regards,

PCM (Paul Michali)

