[openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec "by default" on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...

Kevin Benton blak111 at gmail.com
Mon Apr 21 23:33:30 UTC 2014


This is interesting. How is key distribution handled when I want to use OE
with someone like Google.com for example?


On Thu, Apr 17, 2014 at 12:07 PM, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:

> Guys,
>
> I'm here thinking about IPSec with IPv6 and, one of the first
> ideas/wishes of IPv6 scientists, was to always deploy it with IPSec
> enabled, always (I've heard). But, this isn't well diffused by now. Who is
> actually using IPv6 Opportunistic Encryption?!
>
> For example: With O.E., we'll be able to make an IPv6 IPSec VPN with
> Google, so we can "ping6 google.com" safely... Or with Twitter, Facebook!
> Or whatever! That is the purpose of Opportunistic Encryption, am I right?!
>
> Then, with OpenStack, we might have a multi-Region or even a multi-AZ
> cloud, based on the topology "Per-Tenant Routers with Private Networks",
> for example, so, how hard will it be to deploy the Namespace routers with
> "IPv6+IPSec O.E." just enabled by default?
>
> I'm thinking about this:
>
>
> * "IPv6 Tenant 1 subnet A" <-> "IPv6 Router + IPSec O.E." <-> *"Internet
> IPv6"* <-> "IPv6 Router + IPSec O.E." <-> "IPv6 Tenant 1 subnet B"
>
>
> So, with O.E., it will be simpler (from the tenant's point of view) to
> safely interconnect multiple tenant's subnets, don't you guys think?!
>
> Amazon, on the other hand, for example, provides things like "VPC Peering",
> or "VPN Instances", or "NAT instances", as a "solution" to interconnect
> creepy IPv4 networks... We don't need any of these kinds of solutions
> with IPv6... Right?!
>
> Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace
> Router by default, without the tenant even knowing it is there, but of
> course, we can still show that IPv6-IPSec-VPN at the Horizon Dashboard,
> when established, just for fun... But tenants will never need to think
> about it...   =)
>
> And to share the IPSec keys, the stuff required for Opportunistic
> Encryption to work gracefully, each OpenStack in the wild can become a
> *"pod"*, which will form a network of *"pods"*, I mean, independently
> owned *pods* which interoperate to form the "*Opportunistic Encrypt
> Network of OpenStack Clouds*".
>
> I'll try to make a comparison here, as an analogy: have you guys ever
> heard about the DIASPORA* Project? If not, take a look:
> http://en.wikipedia.org/wiki/Diaspora_(social_network)
>
> I think that, OpenStack might be for the Opportunistic Encryption, what
> DIASPORA* Project is for Social Networks!
>
> If OpenStack can share its keys (O.E. stuff) in some way, with each other,
> we can easily build a huge network of OpenStacks, and then, each one will
> "naturally" talk with each other, using a secure connection.
>
> I would love to hear some insights from you guys!
>
> Please, keep in mind that I never deployed an IPSec O.E. before, this is
> just an idea I had... If I'm wrong, ignore this e-mail.
>
>
> References:
>
> https://tools.ietf.org/html/rfc4322
>
> https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ
>
> http://www.inrialpes.fr/planete/people/chneuman/OE.html
>
>
> Best!
> Thiago


-- 
Kevin Benton