[openstack-dev] [Neutron][LBaaS] Securing RPC channel between the server and the agent
enikanorov at mirantis.com
Mon Jan 27 14:37:16 UTC 2014
As we are going to add an ssl implementation to lbaas, which would be based on
the well-known haproxy+stunnel combination, there is one problem that we need
to solve: securing the communication channel between neutron-server and the
I see several approaches here:
1) Rely on secure messaging as described here:
pros: no or minor additional things to take care of on neutron-server side and
cons: might be more complex to test. Also I'm not sure testing
infrastructure uses that.
We'll need to state that lbaas ssl is only secure when transport security
2) Provide neutron server/agent with a certificate for encrypting
keys/certificates that are dedicated to loadbalancers.
pros: doesn't depend on cloud-wide messaging security. We can say that 'ssl
works' in any case.
cons: more to implement, more complex deployment.
Unless I've missed some other obvious solution, what do you think is the
best approach here?
(I'm not considering the usage of external secure store like barbican at
What do you think?