[openstack-dev] [Neutron][LBaaS] Securing RPC channel between the server and the agent

Eugene Nikanorov enikanorov at mirantis.com
Mon Jan 27 14:37:16 UTC 2014


Hi folks,

As we are going to add an ssl implementation to lbaas, which would be based on
the well-known haproxy+stunnel combination, there is one problem that we need
to solve: securing the communication channel between neutron-server and the
agent.

I see several approaches here:
1) Rely on secure messaging as described here:
http://docs.openstack.org/security-guide/content/ch038_transport-security.html

pros: no or minor additional things to take care of on neutron-server side and
client side
cons: might be more complex to test. Also I'm not sure testing
infrastructure uses that.
We'll need to state that lbaas ssl is only secure when transport security
is enabled.

2) Provide neutron server/agent with certificate for encrypting
keys/certificates that are dedicated to loadbalancers.

pros: doesn't depend on cloud-wide messaging security. We can say that 'ssl
works' in any case.
cons: more to implement, more complex deployment.

Unless I've missed some other obvious solution, what do you think is the
best approach here?
(I'm not considering the usage of external secure store like barbican at
this point)

What do you think?

Thanks,
Eugene.
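
Option 2 sketched with the openssl CLI, as an added example that is not part of the original post and not Neutron code: the server seals a load balancer's key material to the agent's certificate so it stays protected even when the message bus is plaintext. The identity names, file names and placeholder key material are constructed; signing with the server key before encrypting is an assumption added here so the agent can reject envelopes sealed by anyone else.

```shell
#!/bin/sh
# Added example: constructed names and placeholder data, not Neutron code.
set -eu
cd "$(mktemp -d)"

# Throwaway self-signed identity; $1 is used as CN and file prefix.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Server side: sign as $1, then encrypt to the agent certificate.
# $2 = plaintext file, $3 = envelope to hand to the RPC layer.
seal_for_agent() {
    openssl cms -sign -binary -nodetach -signer "$1.crt" -inkey "$1.key" \
        -in "$2" -outform DER -out "$3.signed" &&
    openssl cms -encrypt -binary -aes-256-cbc -in "$3.signed" \
        -outform DER -out "$3" agent.crt &&
    rm -f "$3.signed"
}

# Agent side: decrypt with the agent key, then accept the content only if
# the signature chains to the pinned server certificate.
# $1 = envelope, $2 = output file (removed again on any failure).
open_on_agent() {
    if openssl cms -decrypt -inform DER -in "$1" -recip agent.crt \
           -inkey agent.key -out "$2.signed" 2>/dev/null &&
       openssl cms -verify -binary -inform DER -in "$2.signed" \
           -CAfile server.crt -out "$2" 2>/dev/null
    then rm -f "$2.signed"
    else rm -f "$2" "$2.signed"; return 1
    fi
}

make_identity server
make_identity agent
# Constructed stand-in for a load balancer's PEM key and certificate.
printf 'placeholder for lb-1 key material, not a real key\n' > lb.pem

seal_for_agent server lb.pem lb.cms
open_on_agent lb.cms lb.out
cmp -s lb.pem lb.out && echo "agent recovered the sealed material"
```

The deployment cost named under option 2 shows up here as the two key pairs: each agent needs its own private key, and the server needs every agent's certificate.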