[openstack-dev] [Neutron] SSL VPN Implementation

Nachi Ueno nachi at ntti3.com
Thu May 1 17:15:26 UTC 2014


Hi Robert

Thank you for your suggestion.
So your suggestion is to let the OpenVPN process download the key into memory
directly from Barbican?



2014-05-01 9:42 GMT-07:00 Clark, Robert Graham <robert.clark at hp.com>:
> Excuse me interrupting but couldn't you treat the key as largely
> ephemeral, pull it down from Barbican, start the OpenVPN process and
> then purge the key?  It would of course still be resident in the memory
> of the OpenVPN process but should otherwise be protected against
> filesystem disk-residency issues.
>
>
>> -----Original Message-----
>> From: Nachi Ueno [mailto:nachi at ntti3.com]
>> Sent: 01 May 2014 17:36
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [Neutron] SSL VPN Implementation
>>
>> Hi Jarret
>>
>> IMO, Zang's point is the issue of saving the plain private key in the
>> filesystem for OpenVPN.
>> Isn't this the same even if we use Barbican?
>>
>>
>>
>>
>>
>> 2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.raim at rackspace.com>:
>> > Zang mentioned that part of the issue is that the private key has to
>> > be stored in the OpenVPN config file. If the config files are
>> > generated and can be stored, then storing the whole config file in
>> > Barbican protects the private key (and any other settings) without
>> > having to try to deliver the key to the OpenVPN endpoint in some
>> > non-standard way.
>> >
>> >
>> > Jarret
>> >
>> > On 4/30/14, 6:08 PM, "Nachi Ueno" <nachi at ntti3.com> wrote:
>> >
>> >>> Jarret
>> >>
>> >>Thanks!
>> >>Currently, the config will be generated on demand by the agent.
>> >>What's the merit of storing the entire config in Barbican?
>> >>
>> >>> Kyle
>> >>Thanks!
>> >>
>> >>2014-04-30 7:05 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>> >>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>> >>>> Hi Clint
>> >>>>
>> >>>> Thank you for your suggestion. Your point is taken :)
>> >>>>
>> >>>>> Kyle
>> >>>> This is also the same discussion for LBaaS. Can we discuss this in
>> >>>> the advanced services meeting?
>> >>>>
>> >>> Yes! I think we should definitely discuss this in the advanced
>> >>> services meeting today. I've added it to the agenda [1].
>> >>>
>> >>> Thanks,
>> >>> Kyle
>> >>>
>> >>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
>> >>>
>> >>>>> Zang
>> >>>> Could you join the discussion?
>> >>>>
>> >>>>
>> >>>>
>> >>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <clint at fewbar.com>:
>> >>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
>> >>>>>> Hi Kyle
>> >>>>>>
>> >>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>> >>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>> >>>>>> >> Hi Zang
>> >>>>>> >>
>> >>>>>> >> Thank you for your contribution on this!
>> >>>>>> >> The private key management is what I want to discuss in the
>> >>>>>>summit.
>> >>>>>> >>
>> >>>>>> > Has the idea of using Barbican been discussed before? There are
>> >>>>>> > many reasons why using Barbican for this may be better than
>> >>>>>> > developing key management ourselves.
>> >>>>>>
>> >>>>>> No, however I'm +1 for using Barbican. Let's discuss this in
>> >>>>>> certificate management topic in advanced service session.
>> >>>>>>
>> >>>>>
>> >>>>> Just a suggestion: Don't defer that until the summit. Sounds like
>> >>>>> you've already got some consensus, so you don't need the summit
>> >>>>> just to rubber stamp it. I suggest discussing as much as you can
>> >>>>> right now on the mailing list, and using the time at the summit to
>> >>>>> resolve any complicated issues including any "a or b" things that
>> >>>>> need crowd-sourced idea making. You can also use the summit time
>> >>>>> to communicate your requirements to the Barbican developers.
>> >>>>>
>> >>>>> Point is: just because you'll have face time, doesn't mean you
>> >>>>> should use it for what can be done via the mailing list.
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> OpenStack-dev mailing list
>> >>>>> OpenStack-dev at lists.openstack.org
>> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>>>
>> >>>
>> >>
>> >
>> >
>>
>
>
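One way to implement the approach Robert describes above (key pulled from Barbican, handed to the OpenVPN process without ever being written out as a `key /path` file), as an added example that is not part of this thread, of Neutron or of Barbican: the PEM blobs are constructed placeholders standing in for what a Barbican client would return, `openvpn_bin` is an assumed path, and the launcher relies on OpenVPN reading its options from standard input (`--config stdin`) with the credentials carried as inline `<ca>`, `<cert>` and `<key>` blocks.

```python
import subprocess

# Constructed placeholder PEM blobs standing in for secrets fetched from
# Barbican (e.g. via python-barbicanclient); they are not real credentials.
SAMPLE_SECRETS = {
    "ca": b"-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "cert": b"-----BEGIN CERTIFICATE-----\nCERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "key": b"-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

# Ordinary server options of the kind the agent would generate on demand.
BASE_OPTIONS = ["dev tun", "proto udp", "port 1194", "server 10.8.0.0 255.255.255.0"]


def build_inline_config(options, secrets):
    """Render an OpenVPN config that carries CA, cert and private key as
    inline <ca>/<cert>/<key> blocks instead of 'key /path' directives."""
    lines = list(options)
    for name in ("ca", "cert", "key"):
        lines.append(f"<{name}>")
        lines.append(secrets[name].decode().rstrip("\n"))
        lines.append(f"</{name}>")
    return "\n".join(lines) + "\n"


def references_key_file(config):
    """True if any line is a 'key <path>' directive, i.e. OpenVPN would have
    to read the private key from the filesystem."""
    return any(line.split()[:1] == ["key"] for line in config.splitlines())


def start_openvpn(config, openvpn_bin="openvpn"):
    """Feed the rendered config to OpenVPN over a pipe ('--config stdin'),
    so the key exists only in this process's and OpenVPN's memory, then
    scrub our own copy. openvpn_bin is an assumed path to the binary."""
    if references_key_file(config):
        raise ValueError("config would load the private key from disk")
    buf = bytearray(config.encode())
    try:
        proc = subprocess.Popen([openvpn_bin, "--config", "stdin"],
                                stdin=subprocess.PIPE)
        proc.stdin.write(buf)
        proc.stdin.close()
    finally:
        buf[:] = bytes(len(buf))  # best-effort zeroing of the Python copy
    return proc
```

The key is still resident in the OpenVPN process, as Robert notes; this only removes the filesystem copy and the purge step that would otherwise be needed.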


