[openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec "by default" on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Thu Apr 17 19:07:05 UTC 2014


Guys,

I here thinking about IPSec when with IPv6 and, one of the first
ideas/wishes of IPv6 scientists, was to always deploy it with IPSec
enabled, always (I've heard). But, this isn't well diffused by now. Who is
actually using IPv6 Opportunistic Encryption?!

For example: With O.E., we'll be able to make a IPv6 IPSec VPN with Google,
so we can "ping6 google.com" safely... Or with Twitter, Facebook! Or
whatever! That is the purpose of Opportunistic Encryption, am I right?!

Then, with OpenStack, we might have a muiti-Region or even a multi-AZ
cloud, based on the topology "Per-Tenant Routers with Private Networks",
for example, so, how hard it will be to deploy the Namespace routers with
"IPv6+IPSec O.E." just enabled by default?

I'm thinking about this:


* "IPv6 Tenant 1 subnet A" <-> "IPv6 Router + IPSec O.E." <-> *"Internet
IPv6"* <-> "IPv6 Router + IPSec O.E." <-> "IPv6 Tenant 1 subnet B"


So, with O.E., it will be simpler (from the tenant's point of view) to
safely interconnect multiple tenant's subnets, don't you guys think?!

Amazon in the other hand, for example, provides things like "VPC Peering",
or "VPN Instances", or "NAT instances", as a "solution" to interconnect
creepy IPv4 networks... We don't need none of this kind of solutions when
with IPv6... Right?!

Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace
Router by default, without the tenant even knowing it is there, but of
course, we can still show that IPv6-IPSec-VPN at the Horizon Dashboard,
when established, just for fun... But tenants will never need to think
about it...   =)

And to share the IPSec keys, the stuff required for Opportunistic
Encryption to gracefully works, each OpenStack in the wild, can become a
*"pod"*, which will form a network of *"pods"*, I mean, independently owned
*pods* which interoperate to form the "*Opportunistic Encrypt Network of
OpenStack Clouds*".

I'll try to make a comparison here, as an analogy, do you guys have ever
heard about the DIASPORA* Project? No, take a look:
http://en.wikipedia.org/wiki/Diaspora_(social_network)

I think that, OpenStack might be for the Opportunistic Encryption, what
DIASPORA* Project is for Social Networks!

If OpenStack can share its keys (O.E. stuff) in someway, with each other,
we can easily build a huge network of OpenStacks, and then, each one will
"naturally" talk with each other, using a secure connection.

I would love to hear some insights from you guys!

Please, keep in mind that I never deployed a IPSec O.E. before, this is
just an idea I had... If I'm wrong, ignore this e-mail.


References:

https://tools.ietf.org/html/rfc4322

https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ

http://www.inrialpes.fr/planete/people/chneuman/OE.html


Best!
Thiago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140417/8745f315/attachment.html>


More information about the OpenStack-dev mailing list