[openstack-dev] VPNaaS

Ilya Shakhat ishakhat at mirantis.com
Wed May 15 14:40:10 UTC 2013


Hi Nachi,

Tatyana and I volunteer to work on the UI for VPNaaS. The corresponding bp is
https://blueprints.launchpad.net/horizon/+spec/vpnaas-ui. We will start
filling in the specification soon.

Thanks,
Ilya

2013/5/15 Nachi Ueno <nachi at ntti3.com>

> Hi Folks
>
> We had VPN meetings yesterday.
>
> Agenda :
> 1.  local_subnet vs local_cidr  --> Keep discussion
> 2.  Use cidr value or subnet_id?  --> Keep discussion
> 3.  Task assignment
>   -  move doc to wiki (Swami) Done
> https://wiki.openstack.org/wiki/Quantum/VPNaaS
>   -  Register BP and get approval by Mark (Swami) Done -> H2
>   -  check default value for lifetime value (Swami) Done
>   -  Implement Data Model (Swami will push code to the gerrit) by 5/20
>   -  CLI (python-quantum client) work (Swami will push code to the
> gerrit) by 5/20
>   -  Implement Driver (Nachi & PCM ) by 5/31
>      - Investigate strongswan
>      -  rpc (spec needed)
>      - Design driver architecture (spec needed)
>      - Write driver code
>   - Installation instructions on Wiki 5/31
>   -  Devstack support (nati) late June?
>   -  Write openstack network api document wiki (Sachin)
>   -  Horizon work (needs contributor)
>   -  Tempest (needs contributor)
>
> Next meeting is 5/16 Thursday at 3pm (PST) . On IRC #openstack-meetings
>
> Meeting ended Tue May 14 01:00:58 2013 UTC.  Information about MeetBot
> at http://wiki.debian.org/MeetBot . (v 0.1.4)
> Minutes:
>
> http://eavesdrop.openstack.org/meetings/openstack_networking_vpn/2013/openstack_networking_vpn.2013-05-14-00.06.html
> Minutes (text):
>
> http://eavesdrop.openstack.org/meetings/openstack_networking_vpn/2013/openstack_networking_vpn.2013-05-14-00.06.txt
> Log:
>
> http://eavesdrop.openstack.org/meetings/openstack_networking_vpn/2013/openstack_networking_vpn.2013-05-14-00.06.log.htm
>
> Thanks!
> Nachi Ueno
>
> 2013/5/10 Nachi Ueno <nachi at ntti3.com>:
> > Hi Paul
> >
> > Thanks for your contributions! :)
> >
> > Nachi
> >
> > 2013/5/10 Paul Michali <pcm at cisco.com>:
> >> Sure! Glad to work with you Nachi. Anything I can do to help out on the
> >> project!
> >>
> >> I'll start looking at strongswan and how to configure.
> >>
> >>
> >> Regards,
> >>
> >> PCM (Paul Michali)
> >>
> >>
> >> On May 10, 2013, at 12:35 PM, Nachi Ueno wrote:
> >>
> >> Hi Paul
> >>
> >> Sounds Great.
> >>
> >> The first driver will be strong-swan based.
> >> http://www.strongswan.org/
> >>
> >> How about working with me to implement the strong-swan vpn driver?
> >> Honestly, I'm new to strong-swan, so I would very much appreciate it if you
> >> could try strong-swan on ubuntu and share how to configure it based on
> >> the current API model.
> >>
> >> Thanks
> >> Nachi
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> 2013/5/10 Paul Michali <pcm at cisco.com>:
> >>
> >> Nachi, Mark, Swami, Sachin, et al,
> >>
> >> Any suggestions on where/how I can help on this? I'm new to OS (just working
> >> it for a few months), so no specific expertise area, but have bandwidth to
> >> contribute.
> >>
> >> Also, any pointers to information that will help me get up to speed on this
> >> would be appreciated (Mark gave me link to Amazon URL for info on what they
> >> provide for VPNaaS). I was going to look at LBaaS code next week and have
> >> been monitoring those discussions, as there seem to be some parallels there.
> >> If there is companion info that you think would help, let me know.
> >>
> >>
> >> Regards,
> >>
> >>
> >> PCM (Paul Michali)
> >>
> >>
> >> On May 9, 2013, at 9:12 PM, Nachi Ueno wrote:
> >>
> >>
> >> Hi Folks
> >>
> >>
> >> We had a meeting about VPN today.
> >>
> >>
> >> #Conclusions
> >>
> >> 1. We agreed on the IPsec API
> >>
> >> https://blueprints.launchpad.net/quantum/+spec/vpnaas-python-apis
> >>
> >> 2. Swami will push api CRUD code to review (continue discussion on code)
> >>
> >>  https://blueprints.launchpad.net/quantum/+spec/vpnaas-python-apis
> >>
> >> 3. We agreed on the first-implementation vpn architecture
> >>
> >> 4. Next meeting is 5/13 PST 5:00 PM on #openstack-meetings
> >>
> >>
> >> #Questions for IPSec API
> >>
> >> 1 psk_key -> psk (agreed)
> >>
> >> 2 For ipsecpolicy table, suggest to split lifetime into two parts
> >>
> >> lifetime_s(per seconds) and lifetime_b(per kilobytes)   ->  updated
> >>
> >> table (agreed)
> >>
> >> 3 change back "cidrs" from subnet (or network)  -> check Mark's thoughts
> >>
> >> 4 For APIs, can we shorten the naming such as change  -> keep current
> >> longer style for readability
> >>
> >>
> >> #Project Management (Task)
> >>
> >> -  move doc to wiki (Swami)
> >>
> >> -  Register BP and get approval by Mark (Swami)
> >>
> >> -  check default value for lifetime value (Swami)
> >>
> >> -  Discuss Architecture
> >>
> >> -  Implement Data Model (Swami will push code to the gerrit)
> >>
> >> -  Driver (Nachi?)
> >>
> >> -  CLI (python-quantum client) work (Swami will push code to the gerrit)
> >>
> >> -  Write openstack network api document wiki (Sachin)
> >>
> >> -  Devstack support
> >>
> >> -  Horizon work
> >>
> >> -  Tempest
> >>
> >>
> >>
> https://docs.google.com/a/ntti3.com/presentation/d/1J7k1eI13-3pQVwp5XgZDWPfzUvuSqczRdK0lEZKQOKk/edit#slide=id.p
> >>
> >> Nachi
> >>
> >>
> >>
> >> 2013/5/7 Qin Li <qili at vmware.com>:
> >>
> >>
> >> Hi Swami,
> >>
> >>
> >>
> >> Thanks for your comments. All look good to me except local_cidrs,
> >> peer_cidrs. "cidrs" may be clear for value type and validation, but it is
> >> unfamiliar for the existing VPN administrators. I think we might use
> >> subnets or networks to avoid introducing a new concept for users.
> >>
> >>
> >>
> >> Regards
> >>
> >>
> >> QinLi
> >>
> >>
> >>
> >> -----Original Message-----
> >>
> >>
> >> From: Vasudevan, Swaminathan (PNB Roseville)
> >>
> >>
> >> [mailto:swaminathan.vasudevan at hp.com]
> >>
> >>
> >> Sent: May 8, 2013 1:25
> >>
> >>
> >> To: OpenStack Development Mailing List
> >>
> >>
> >> Subject: Re: [openstack-dev] VPNaaS
> >>
> >>
> >>
> >> Hi Qin Li,
> >>
> >>
> >> See my answers inline.
> >>
> >>
> >> Thanks.
> >>
> >>
> >>
> >> -----Original Message-----
> >>
> >>
> >> From: Qin Li [mailto:qili at vmware.com]
> >>
> >>
> >> Sent: Monday, May 06, 2013 8:37 PM
> >>
> >>
> >> To: OpenStack Development Mailing List
> >>
> >>
> >> Subject: Re: [openstack-dev] [Quantum] [Networking] VPNaaS
> >>
> >>
> >>
> >> I'd like to share some of my comments on data models, tables, APIs defined
> >> in link
> >> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5J4aO5J5Q74R_PwgV8/edit .
> >>
> >>
> >>
> >> 1. For VPNServiceConnection table
> >>
> >>
> >> a. suggest to remove psk(Boolean) key defined in VPNServiceConnection
> >>
> >>
> >> table. There is already key auth_mode defined in ikepolicy table.
> >>
> >>
> >> "auth_mode" can be "psk" or "certificate". By default, if not set, it is
> >>
> >>
> >> psk mode for authentication. Still keeping psk_key inside
> >>
> >>
> >> VPNServiceConnection since psk_key is different per remote peer.
> >>
> >>
> >> Authentication mode is a part of IKE property.
> >>
> >>
> >>
> >> Swami - Yes we had both the auth_mode and psk_key as part of the IKEPolicy
> >> table.  We moved both the fields to the connection table since, we just
> >> wanted to re-use the IKEPolicy for different connections if only the PSK
> >> key changes or the auth_mode changes. Also in the document we make
> >> necessary changes to the table definition, but I need to make the change
> >> also in the datamodel table.
> >>
> >>
> >>
> >>
> >> b. suggest to change local_cidrs and peer_cidrs to local_networks(or
> >> local_subnets) and peer_networks(per_subnets) in VPNServiceConnection
> >> table.   Cidrs is not a familiar keyword to users in IPSec industry. Some
> >> IPSec VPN vendors use subnets, some use networks.
> >>
> >>
> >>
> >> Swami - Yes we had initially defined it as peer_subnets and local_subnets,
> >> but based on yesterday's discussion we moved it to "cidrs", since it would
> >> be clear.
> >>
> >>
> >>
> >> c. suggest to change psk_key to psk,  psk already means pre-shared key.
> >>
> >>
> >>
> >> Swami - Accepted we will change this.
> >>
> >>
> >>
> >> 2. For ipsecpolicy table, suggest to split lifetime into two parts
> >>
> >>
> >> lifetime_s(per seconds) and lifetime_b(per kilobytes).
> >>
> >>
> >>
> >> Swami - Yes we can discuss about this in Thursday's meeting.
> >>
> >>
> >>
> >> 3. Can we shorten the naming of keywords? Such as change
> >>
> >>
> >>
> >> Swami - We can discuss about this in Thursday's meeting. The reason we
> >>
> >>
> >> don't want to have abbreviated keys is for people to understand the keys
> >>
> >>
> >> properly.
> >>
> >>
> >>
> >>
> >>  In vpnserviceconnections table
> >>
> >>
> >>  vpnservice_ipsecpolicy_id  to  ipsecpolicy_id
> >>
> >>
> >>  vpnservice_ikepolicy_id    to  ikepolicy_id
> >>
> >>
> >>  vpnservice_certificiate_id to  certificate_id
> >>
> >>
> >>
> >>
> >>  In ikepolicys table
> >>
> >>
> >>  auth_algorithm           to auth_alg
> >>
> >>
> >>  encryption_algorithm     to enc_alg
> >>
> >>
> >>  phraseI_negotiation_mode to phraseI_mode
> >>
> >>
> >>
> >>  In ipsecpolicys table
> >>
> >>
> >>  transform_protocol       to protocol
> >>
> >>
> >>  auth_algorithm           to auth_alg
> >>
> >>
> >>  encryption_algorithm     to enc_alg
> >>
> >>
> >>  encapsulation_mode       to mode or encap_mode
> >>
> >>
> >>
> >> 4. There might be some updates to set proper length for each value in the
> >> tables. Such as change
> >>
> >>  auth_algorithm VARCHAR2(255)       to auth_alg  VARCHAR2(8)   ; for example "sha1" etc.
> >>  encryption_algorithm VARCHAR2(255) to enc_alg   VARCHAR2(16)  ; for example "aes128-cbc", "aes256-cbc" etc.
> >>  name VARCHAR2(255)                 to name      VARCHAR2(64)
> >>
> >>
> >>
> >> Swami - Yes we will make the necessary changes in the table.
> >>
> >>
> >>
> >> 5. What do "dh" and "tls" keywords mean in table vpnservicecertficates?
> >>
> >>
> >>
> >> Swami - This was mainly included in the certificate table to address the
> >> "Openvpn" certificate requirements. This will be dropped for now. Also we
> >> are not considering to implement the certificates for this release. We
> >> will clean up the tables.
> >>
> >>
> >>
> >> 6. For APIs, can we shorten the naming such as change
> >>
> >>
> >>  /v1.0/vpnservicecertificates/vpnservice_certificate_id  to
> >>
> >>
> >> /v1.0/vpncerts/certificate_id
> >>
> >>
> >>  /v1.0/vpnserviceconnections/vpnservice_conn_id          to
> >>
> >>
> >> /v1.0/vpnsrvconns/conn_id
> >>
> >>
> >>
> >> Swami: We can discuss in Thursday's meeting.
> >>
> >>
> >>
> >> Thanks & Regards
> >>
> >>
> >> Qin
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >>
> >>
> >> From: Nachi Ueno [mailto:nachi at ntti3.com]
> >>
> >>
> >> Sent: May 7, 2013 9:07
> >>
> >>
> >> To: OpenStack Development Mailing List
> >>
> >>
> >> Subject: Re: [openstack-dev] [Quantum] [Networking] VPNaaS
> >>
> >>
> >>
> >> Hi folks
> >>
> >>
> >>
> >> In today's meeting, we almost finished defining the data models.
> >>
> >> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5J4aO5J5Q74R_PwgV8/edit
> >>
> >> If you have any concerns, please comment on the doc or ask on the
> >> mailing list.
> >>
> >>
> >>
> >> We will have meeting at
> >>
> >>
> >> 5/9 (Thu) 5:00 (PST)
> >>
> >>
> >>
> >> In the next meeting, we will have a more project-management-oriented
> >> discussion.
> >>
> >>
> >>
> >> Thanks
> >>
> >>
> >> Nachi
> >>
> >>
> >>
> >> 2013/5/6 Nachi Ueno <nachi at ntti3.com>:
> >>
> >>
> >> Hi folks
> >>
> >>
> >>
> >> Here are the notes from the 2nd meeting on VPN. # Sorry, I thought
> >> I had sent them to the mailing list, but it looks like they were not delivered.
> >>
> >>
> >>
> >> 1) FirstStep  SSL-VPN or IPSec?  -> IPSec
> >>
> >>
> >>
> >> - all attendees agree with IPSec as the first step
> >>
> >>
> >> - IPSec is widely used so, this is big win to the community
> >>
> >>
> >> - IPSec can support remote user use case
> >>
> >>
> >> - SSL-VPN (CloudPipe) can be supported by OpenVPN VM with floating ips
> >>
> >>
> >>
> >> 2) GenericService API -> Agreed
> >>
> >>
> >>
> >> -id
> >>
> >>
> >> -name
> >>
> >>
> >> -tenant_id
> >>
> >>
> >> -type (VPN type)
> >>
> >>
> >> type has namespace (should be flat)
> >>
> >>
> >> l2 vpn -> l2.*** (l2.l2tp)
> >>
> >>
> >> l3 vpn -> l3.** (l3.ipsec)
> >>
> >>
> >>
> >> 3) IPSec API set
> >>
> >>
> >> Start discussion for IPSec api on the google doc
> >>
> >>
> >> https://docs.google.com/a/ntti3.com/document/d/1Jphcvnn7PKxqFEFFZQ1_PYkEx5J4aO5J5Q74R_PwgV8/edit
> >>
> >>
> >>
> >> 4) Next meeting time
> >>
> >>
> >> PST Monday 5PM (Sachin at VMware will reserve conf-call)
> >>
> >>
> >>
> >> Meeting Agenda and Note
> >>
> >>
> >> https://docs.google.com/presentation/d/1J7k1eI13-3pQVwp5XgZDWPfzUvuSqczRdK0lEZKQOKk/edit#slide=id.p
> >>
> >>
> >>
> >> Thanks!
> >>
> >>
> >>
> >> 2013/5/1 Sachin Thakkar <sthakkar at vmware.com>:
> >>
> >>
> >> Thanks folks for joining today. We've made some good progress on the
> >>
> >>
> >> IPsec VPN object model. Nachi has sent out the meeting notes to the
> >>
> >>
> >> alias as well.
> >>
> >>
> >>
> >> We'll need another follow up to continue the discussion. The meeting
> >>
> >>
> >> will be at 5pm Pacific time on Monday, May 6.
> >>
> >>
> >>
> >> The same bridge below will be used.
> >>
> >>
> >>
> >> Thanks,
> >>
> >>
> >> Sachin
> >>
> >>
> >>
> >> ________________________________
> >>
> >>
> >> From: "Sachin Thakkar" <sthakkar at vmware.com>
> >>
> >>
> >> To: "OpenStack Development Mailing List (openstack-dev at lists.openstack.org)"
> >> <openstack-dev at lists.openstack.org>
> >>
> >>
> >> Sent: Thursday, April 25, 2013 11:43:30 PM
> >>
> >>
> >> Subject: [openstack-dev] [Quantum] [Networking] VPNaaS
> >>
> >>
> >>
> >>
> >> Trying the new Networking tag in the subject :)
> >>
> >>
> >>
> >> Anyway, we have a kickoff call for VPNaaS scheduled next Wednesday @
> >>
> >>
> >> 5pm Pacific time. We will be discussing over the phone:
> >>
> >>
> >>
> >> Participant Passcode: 697 737 3510
> >>
> >>
> >> Call-in toll-free number (Premiere): 1-866-715-6501 (US) Additional
> >>
> >>
> >> International Numbers:
> >>
> >>
> >> http://pages.pgi-email.com/page.aspx?qs=5c591a8916642e738e03c25585184
> >>
> >>
> >> f841174bd68edc7b376f211065726f20c4087d2dbd294c95628953b9ebd93c298f8a5
> >>
> >>
> >> 9d287357f683bc937b0420662c826d43f873082e5033f476121c74d72cc5ed151c4b3
> >>
> >>
> >> 0a31fa1b2
> >>
> >>
> >>
> >> To all interested, hope to see you there.
> >>
> >>
> >>
> >> Cheers,
> >>
> >>
> >> Sachin
> >>
> >>
> >>
> >> _______________________________________________
> >>
> >>
> >> OpenStack-dev mailing list
> >>
> >>
> >> OpenStack-dev at lists.openstack.org
> >>
> >>
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev