[openstack-dev] VPNaaS

Paul Michali pcm at cisco.com
Fri May 10 17:08:04 UTC 2013


Sure! Glad to work with you Nachi. Anything I can do to help out on the project!

I'll start looking at strongswan and how to configure.


Regards,

PCM (Paul Michali)


On May 10, 2013, at 12:35 PM, Nachi Ueno wrote:

> Hi Paul
> 
> Sounds Great.
> 
> The first driver will be strong-swan based.
> http://www.strongswan.org/
> 
> How about work with me to implement strong-swan vpn driver?
> Honestly, i'm new to strong-swan, so I'm very appreciate if you
> could try strong-swan on ubuntu and share how to configure it based on
> current API model.
> 
> Thanks
> Nachi
> 
> 
> 
> 
> 
> 
> 
> 2013/5/10 Paul Michali <pcm at cisco.com>:
>> Naci, Mark, Swami, Sachin, et al,
>> 
>> Any suggestions on where/how I can help on this? I'm new to OS (just working
>> it for a few months), so no specific expertise area, but have bandwidth to
>> contribute.
>> 
>> Also, any pointers to information that will help me get up to speed on this
>> would be appreciated (Mark gave me link to Amazon URL for info on what they
>> provide for VPNaaS). I was going to look at LBaaS code next week and have
>> been monitoring those discussions, as there seem to be some parallels there.
>> If there are companion info that you think would help, let me know.
>> 
>> Regards,
>> 
>> PCM (Paul Michali)
>> 
>> On May 9, 2013, at 9:12 PM, Nachi Ueno wrote:
>> 
>> Hi Folks
>> 
>> We have meeting about VPN today.
>> 
>> #Conclusions
>> 1. We agreed ipsec api
>> https://blueprints.launchpad.net/quantum/+spec/vpnaas-python-apis
>> 2. Swami will push api CRUD code to review (continue discussion on code)
>>  https://blueprints.launchpad.net/quantum/+spec/vpnaas-python-apis
>> 3. We agreed first implementation vpn architecture
>> 4. Next meeting is 5/13 PST 5:00 PM on #openstack-meetings
>> 
>> #Questions for IPSec API
>> 1 psk_key -> psk (agreed)
>> 2 For ipsecpolicy table, suggest to split lifetime into two parts
>> lifetime_s(per seconds) and lifetime_b(per kilobytes)   ->  updated
>> table (agreed)
>> 3 change back "cidrs" from subnet (or network)  -> check marks's thought
>> 4 For APIs, can we shorten the naming such as change  -> keep current
>> longer style for reability
>> 
>> #Project Management (Task)
>> -  move doc to wiki (Swami)
>> -  Register BP and get approval by Mark (Swami)
>> -  check default value for lifetime value (Swami)
>> -  Discuss Archtecture
>> -  Implement Data Model (Swami will push code to the gerrit)
>> -  Driver (Nachi?)
>> -  CLI (python-quantum client) work (Swami will push code to the gerrit)
>> -  Write openstack network api document wiki (Sachin)
>> -  Devstack support
>> -  Horizon work
>> -  Tempest
>> 
>> https://docs.google.com/a/ntti3.com/presentation/d/1J7k1eI13-3pQVwp5XgZDWPfzUvuSqczRdK0lEZKQOKk/edit#slide=id.p
>> Nachi
>> 
>> 
>> 2013/5/7 Qin Li <qili at vmware.com>:
>> 
>> Hi Swami,
>> 
>> 
>> Thanks for your comments. All look good to me except local_cidrs,
>> 
>> peer_cidrs. "cidrs" may be clear for value type and validation, but it is
>> 
>> unfamiliar for the existing VPN administrators. I think we might use
>> 
>> subnets or networks to avoid introducing a new concept for users.
>> 
>> 
>> Regards
>> 
>> QinLi
>> 
>> 
>> -----Original Message-----
>> 
>> From: Vasudevan, Swaminathan (PNB Roseville)
>> 
>> [mailto:swaminathan.vasudevan at hp.com]
>> 
>> Sent: 2013年5月8日 1:25
>> 
>> To: OpenStack Development Mailing List
>> 
>> Subject: Re: [openstack-dev] VPNaaS
>> 
>> 
>> Hi Qin Li,
>> 
>> See my answers inline.
>> 
>> Thanks.
>> 
>> 
>> -----Original Message-----
>> 
>> From: Qin Li [mailto:qili at vmware.com]
>> 
>> Sent: Monday, May 06, 2013 8:37 PM
>> 
>> To: OpenStack Development Mailing List
>> 
>> Subject: Re: [openstack-dev] [Quantum] [Networking] VPNaaS
>> 
>> 
>> I'd like to share some of my comments on data models, tables, APIs defined
>> 
>> in link
>> 
>> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5
>> 
>> J4aO5J5Q74R_PwgV8/edit .
>> 
>> 
>> 1. For VPNServiceConnection table
>> 
>> a. suggest to remove psk(Boolean) key defined in VPNServiceConnection
>> 
>> table. There is already key auth_mode defined in ikepolicy table.
>> 
>> "auth_mode" can be "psk" or "certificate". By default, if not set, it is
>> 
>> psk mode for authentication. Still keeping psk_key inside
>> 
>> VPNServiceConnection since psk_key is different per remote peer.
>> 
>> Authentication mode is a part of IKE property.
>> 
>> 
>> Swami - Yes we had both the auth_mode and psk_key as part of the IKEPolicy
>> 
>> table.  We moved both the fields to the connection table since, we just
>> 
>> wanted to re-use the IKEPolicy for different connections if only the PSK
>> 
>> key changes or the auth_mode changes. Also in the document we make
>> 
>> necessary changes to the table definition, but I need to make the change
>> 
>> also in the datamodel table.
>> 
>> 
>> 
>> b. suggest to change local_cidrs and peer_cidrs to local_networks(or
>> 
>> local_subnets) and peer_networks(per_subnets) in VPNServiceConnection
>> 
>> table.   Cidrs is not a familiar keyword to users in IPSec industry. Some
>> 
>> IPSec VPN vendors use subnets, some use networks.
>> 
>> 
>> Swami - Yes we had initially defined it as peer_subnets and local_subnets,
>> 
>> but based on yesterday's discussion we moved it to "cidrs", since it would
>> 
>> be clear.
>> 
>> 
>> c. suggest to change psk_key to psk,  psk already means pre-shared key.
>> 
>> 
>> Swami - Accepted we will change this.
>> 
>> 
>> 2. For ipsecpolicy table, suggest to split lifetime into two parts
>> 
>> lifetime_s(per seconds) and lifetime_b(per kilobytes).
>> 
>> 
>> Swami - Yes we can discuss about this in Thursday's meeting.
>> 
>> 
>> 3. Can we shorten the naming of keywords? Such as change
>> 
>> 
>> Swami - We can discuss about this in Thursday's meeting. The reason we
>> 
>> don't want to have abbreviated keys is for people to understand the keys
>> 
>> properly.
>> 
>> 
>> 
>>  In vpnserviceconnections table
>> 
>>  vpnservice_ipsecpolicy_id  to  ipsecpolicy_id
>> 
>>  vpnservice_ikepolicy_id    to  ikepolicy_id
>> 
>>  vpnservice_certificiate_id to  certificate_id
>> 
>> 
>> 
>>  In ikepolicys table
>> 
>>  auth_algorithm           to auth_alg
>> 
>>  encryption_algorithm     to enc_alg
>> 
>>  phraseI_negotiation_mode to phraseI_mode
>> 
>> 
>>  In ipsecpolicys table
>> 
>>  transform_protocol       to protocol
>> 
>>  auth_algorithm           to auth_alg
>> 
>>  encryption_algorithm     to enc_alg
>> 
>>  encapsulation_mode       to mode or encap_mode
>> 
>> 
>> 4. There might be some updates to set proper length for each value in the
>> 
>> tables. Such as change
>> 
>>  auth_algorithm VARCHAR2(255)       to auth_alg  VARCHAR2(8)   ; for
>> 
>> example "sha1" etc.
>> 
>>  encryption_algorithm VARCHAR2(255) to enc_alg   VARCHAR2(16)   ; for
>> 
>> example "aes128-cbc", "aes256-cbc" etc.
>> 
>>  name VARCHAR2(255)                 to name      VARCHAR2(64)
>> 
>> 
>> Swami - Yes we will make the necessary changes in the table.
>> 
>> 
>> 5. What do "dh" and "tls" keywords mean in table vpnservicecertficates?
>> 
>> 
>> Swami - This was mainly included in the certificate table to address the
>> 
>> "Openvpn" certificate requirements. This will be dropped for now. Also we
>> 
>> are not considering to implement the certificates for this release. We
>> 
>> will clean up the tables.
>> 
>> 
>> 6. For APIs, can we shorten the naming such as change
>> 
>>  /v1.0/vpnservicecertificates/vpnservice_certificate_id  to
>> 
>> /v1.0/vpncerts/certificate_id
>> 
>>  /v1.0/vpnserviceconnections/vpnservice_conn_id          to
>> 
>> /v1.0/vpnsrvconns/conn_id
>> 
>> 
>> Swami: We can discuss in Thursday's meeting.
>> 
>> 
>> Thanks & Regards
>> 
>> Qin
>> 
>> 
>> 
>> -----Original Message-----
>> 
>> From: Nachi Ueno [mailto:nachi at ntti3.com]
>> 
>> Sent: 2013年5月7日 9:07
>> 
>> To: OpenStack Development Mailing List
>> 
>> Subject: Re: [openstack-dev] [Quantum] [Networking] VPNaaS
>> 
>> 
>> Hi folks
>> 
>> 
>> In today's meeting, we are almost finished to define data models.
>> 
>> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5
>> 
>> J4aO5J5Q74R_PwgV8/edit
>> 
>> 
>> If you have any concerns, please commet it on the doc or question on the
>> 
>> mailing list.
>> 
>> 
>> We will have meeting at
>> 
>> 5/9 (Thu) 5:00 (PST)
>> 
>> 
>> In the next meeting, we will discuss more project management oriented
>> 
>> discussion.
>> 
>> 
>> Thanks
>> 
>> Nachi
>> 
>> 
>> 2013/5/6 Nachi Ueno <nachi at ntti3.com>:
>> 
>> Hi folks
>> 
>> 
>> Here is note from the meeting at 2nd meeting on VPN # sorry I thought
>> 
>> I have sent it to the mailing list, but it looks not delivery.
>> 
>> 
>> 1) FirstStep  SSL-VPN or IPSec?  -> IPSec
>> 
>> 
>> - all atenndes agrees with IPSec first step
>> 
>> - IPSec is widely used so, this is big win to the community
>> 
>> - IPSec can support remote user use case
>> 
>> - SSL-VPN (CloudPipe) can be supported by OpenVPN VM with floating ips
>> 
>> 
>> 2) GenricService API -> Agreed
>> 
>> 
>> -id
>> 
>> -name
>> 
>> -tenant_id
>> 
>> -type (VPN type)
>> 
>> type has namespace (should be flat)
>> 
>> l2 vpn -> l2.*** (l2.l2tp)
>> 
>> l3 vpn -> l3.** (l3.ipsec)
>> 
>> 
>> 3) IPSec API set
>> 
>> Start discussion for IPSec api on the google doc
>> 
>> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PY
>> 
>> kEx5J4aO5J5Q74R_PwgV8/edit
>> 
>> 
>> 4) Next meeting time
>> 
>> PST Monday 5PM (Sactin at VMWare will reserve conf-call)
>> 
>> 
>> Meeting Agenda and Note
>> 
>> https://docs.google.com/presentation/d/1J7k1eI13-3pQVwp5XgZDWPfzUvuSqc
>> 
>> zRdK0lEZKQOKk/edit#slide=id.p
>> 
>> 
>> Thanks!
>> 
>> 
>> 2013/5/1 Sachin Thakkar <sthakkar at vmware.com>:
>> 
>> Thanks folks for joining today. We've made some good progress on the
>> 
>> IPsec VPN object model. Nachi has sent out the meeting notes to the
>> 
>> alias as well.
>> 
>> 
>> We'll need another follow up to continue the discussion. The meeting
>> 
>> will be at 5pm Pacific time on Monday, May 6.
>> 
>> 
>> The same bridge below will be used.
>> 
>> 
>> Thanks,
>> 
>> Sachin
>> 
>> 
>> ________________________________
>> 
>> From: "Sachin Thakkar" <sthakkar at vmware.com>
>> 
>> To: "OpenStack Development Mailing List (openstack-dev at lists.openstack.
>> 
>> org)"
>> 
>> <openstack-dev at lists.openstack.org>
>> 
>> Sent: Thursday, April 25, 2013 11:43:30 PM
>> 
>> Subject: [openstack-dev] [Quantum] [Networking] VPNaaS
>> 
>> 
>> 
>> Trying the new Networking tag in the subject :)
>> 
>> 
>> Anyway, we have a kickoff call for VPNaaS scheduled next Wednesday @
>> 
>> 5pm Pacific time. We will be discussing over the phone:
>> 
>> 
>> Participant Passcode: 697 737 3510
>> 
>> Call-in toll-free number (Premiere): 1-866-715-6501 (US) Additional
>> 
>> International Numbers:
>> 
>> http://pages.pgi-email.com/page.aspx?qs=5c591a8916642e738e03c25585184
>> 
>> f841174bd68edc7b376f211065726f20c4087d2dbd294c95628953b9ebd93c298f8a5
>> 
>> 9d287357f683bc937b0420662c826d43f873082e5033f476121c74d72cc5ed151c4b3
>> 
>> 0a31fa1b2
>> 
>> 
>> To all interested, hope to see you there.
>> 
>> 
>> Cheers,
>> 
>> Sachin
>> 
>> 
>> _______________________________________________
>> 
>> OpenStack-dev mailing list
>> 
>> OpenStack-dev at lists.openstack.org
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> 
>> _______________________________________________
>> 
>> OpenStack-dev mailing list
>> 
>> OpenStack-dev at lists.openstack.org
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> 
>> _______________________________________________
>> 
>> OpenStack-dev mailing list
>> 
>> OpenStack-dev at lists.openstack.org
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> _______________________________________________
>> 
>> OpenStack-dev mailing list
>> 
>> OpenStack-dev at lists.openstack.org
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> _______________________________________________
>> 
>> OpenStack-dev mailing list
>> 
>> OpenStack-dev at lists.openstack.org
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> _______________________________________________
>> 
>> OpenStack-dev mailing list
>> 
>> OpenStack-dev at lists.openstack.org
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130510/39761786/attachment.html>


More information about the OpenStack-dev mailing list