[openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec "by default" on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...

Carl Baldwin carl at ecbaldwin.net
Tue Apr 22 14:43:35 UTC 2014


Keys are distributed via DNS records.

https://tools.ietf.org/html/rfc4322

Carl
On Apr 21, 2014 5:35 PM, "Kevin Benton" <blak111 at gmail.com> wrote:

> This is interesting. How is key distribution handled when I want to use OE
> with someone like Google.com for example?
>
>
> On Thu, Apr 17, 2014 at 12:07 PM, Martinx - ジェームズ <
> thiagocmartinsc at gmail.com> wrote:
>
>> Guys,
>>
>> I'm here thinking about IPSec with IPv6, and one of the first
>> ideas/wishes of the IPv6 scientists was to always deploy it with IPSec
>> enabled, always (I've heard). But this isn't widespread by now. Who is
>> actually using IPv6 Opportunistic Encryption?!
>>
>> For example: with O.E., we'll be able to make an IPv6 IPSec VPN with
>> Google, so we can "ping6 google.com" safely... Or with Twitter,
>> Facebook! Or whatever! That is the purpose of Opportunistic Encryption, am
>> I right?!
>>
>> Then, with OpenStack, we might have a multi-Region or even a multi-AZ
>> cloud, based on the topology "Per-Tenant Routers with Private Networks",
>> for example, so how hard would it be to deploy the Namespace routers with
>> "IPv6+IPSec O.E." just enabled by default?
>>
>> I'm thinking about this:
>>
>>
>> * "IPv6 Tenant 1 subnet A" <-> "IPv6 Router + IPSec O.E." <-> *"Internet
>> IPv6"* <-> "IPv6 Router + IPSec O.E." <-> "IPv6 Tenant 1 subnet B"
>>
>>
>> So, with O.E., it will be simpler (from the tenant's point of view) to
>> safely interconnect multiple tenant subnets, don't you guys think?!
>>
>> Amazon, on the other hand, for example, provides things like "VPC
>> Peering", or "VPN Instances", or "NAT instances", as a "solution" to
>> interconnect creepy IPv4 networks... We don't need any of this kind of
>> solution when with IPv6... Right?!
>>
>> Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace
>> Router by default, without the tenant even knowing it is there, but of
>> course we can still show that IPv6-IPSec-VPN on the Horizon Dashboard,
>> when established, just for fun... But tenants will never need to think
>> about it...   =)
>>
>> And to share the IPSec keys, the stuff required for Opportunistic
>> Encryption to work gracefully, each OpenStack in the wild can become a
>> *"pod"*, which will form a network of *"pods"*, I mean, independently
>> owned *pods* which interoperate to form the "*Opportunistic Encrypt
>> Network of OpenStack Clouds*".
>>
>> I'll try to make a comparison here, as an analogy: have you guys ever
>> heard about the DIASPORA* Project? No? Take a look:
>> http://en.wikipedia.org/wiki/Diaspora_(social_network)
>>
>> I think that OpenStack might be for Opportunistic Encryption what the
>> DIASPORA* Project is for Social Networks!
>>
>> If OpenStacks can share their keys (O.E. stuff) in some way with each other,
>> we can easily build a huge network of OpenStacks, and then each one will
>> "naturally" talk with the others, using a secure connection.
>>
>> I would love to hear some insights from you guys!
>>
>> Please keep in mind that I never deployed IPSec O.E. before; this is
>> just an idea I had... If I'm wrong, ignore this e-mail.
>>
>>
>> References:
>>
>> https://tools.ietf.org/html/rfc4322
>>
>> https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ
>>
>> http://www.inrialpes.fr/planete/people/chneuman/OE.html
>>
>>
>> Best!
>> Thiago
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Kevin Benton
>
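Carl's one-line answer is the whole mechanism, so here is an added worked example (mine, not code from this thread, from Neutron VPNaaS or from FreeS/WAN) of what an RFC 4322 initiator does before it sends the first packet to a peer: derive the reverse-zone name for the peer's address, read the TXT records published there, parse the `X-IPsec-Server(precedence)=gateway key` delegation record, and decode the RFC 2537 RSA public key it carries. The zone content is constructed inline in place of a real resolver, the key is a toy number and not a usable RSA key, and two things are assumptions rather than something the thread or the RFC states: the ip6.arpa records (RFC 4322's own examples are IPv4, in-addr.arpa) and treating precedence like MX (lowest value preferred). The `None` return is the case Kevin's question turns on: a peer that publishes no record, or whose record cannot be fetched, is simply reached in cleartext.

```python
"""Added example: the DNS lookup an RFC 4322 opportunistic-encryption
initiator performs before contacting a peer.  Not code from the thread,
from Neutron or from FreeS/WAN; zone data below is constructed."""
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4322 TXT delegation record: "X-IPsec-Server(prec)=gateway base64key"
_TXT_RE = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")


@dataclass
class OEDelegation:
    precedence: int
    gateway: str      # IKE endpoint that speaks for the looked-up address
    exponent: int     # RSA public exponent
    modulus: int      # RSA modulus


def reverse_name(addr: str) -> str:
    """Reverse-zone owner name for an IPv4 or IPv6 address.  OE looks in
    the reverse zone so that the address owner, not the name owner,
    controls who may claim to be the gateway for that address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def encode_rfc2537(exponent: int, modulus: int) -> bytes:
    """RFC 2537 RSA key format: exponent length (1 byte, or 0 followed by
    2 bytes when the exponent is 256 bytes or longer), exponent, modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return hdr + e + n


def decode_rfc2537(blob: bytes) -> Tuple[int, int]:
    """Inverse of encode_rfc2537; rejects truncated keys instead of
    silently yielding a short modulus."""
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    e, n = blob[off:off + elen], blob[off + elen:]
    if len(e) != elen or not n:
        raise ValueError("truncated RFC 2537 key")
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")


def parse_txt_delegation(txt: str) -> Optional[OEDelegation]:
    """Parse one TXT string; unrelated TXT records in the same RRset
    (SPF and friends) return None and are skipped by the caller."""
    m = _TXT_RE.match(txt.strip())
    if not m:
        return None
    prec, gw, key_b64 = m.groups()
    ipaddress.ip_address(gw)  # gateway must be an address literal
    e, n = decode_rfc2537(base64.b64decode(key_b64, validate=True))
    return OEDelegation(int(prec), gw, e, n)


def find_oe_gateway(zone: Dict[str, List[str]], peer: str) -> Optional[OEDelegation]:
    """Preferred delegation for `peer`, or None when nothing is published.
    RFC 4322 then falls back to cleartext, so a missing record (or a DNS
    failure) silently means no encryption, not a connection failure."""
    found = [d for d in map(parse_txt_delegation, zone.get(reverse_name(peer), [])) if d]
    if not found:
        return None
    # Assumption: precedence ordered like MX, lowest value preferred.
    return min(found, key=lambda d: d.precedence)


# Constructed sample zone (documentation prefixes, toy key, not real DNS data).
_DEMO_E, _DEMO_N = 65537, 0xC0FFEE_DEAD_BEEF_0123_4567_89AB_CDEF_0001
_DEMO_KEY = base64.b64encode(encode_rfc2537(_DEMO_E, _DEMO_N)).decode()
SAMPLE_ZONE: Dict[str, List[str]] = {
    "5.2.0.192.in-addr.arpa.": [
        "X-IPsec-Server(10)=192.0.2.5 " + _DEMO_KEY,
        "v=spf1 -all",  # unrelated TXT record, must be ignored
    ],
    # Assumption: IPv6 peers use the same record shape under ip6.arpa.
    reverse_name("2001:db8::10"): [
        "X-IPsec-Server(20)=2001:db8::1 " + _DEMO_KEY,
        "X-IPsec-Server(10)=2001:db8::2 " + _DEMO_KEY,
    ],
}

if __name__ == "__main__":
    for peer in ("192.0.2.5", "2001:db8::10", "198.51.100.7"):
        print(peer, "->", reverse_name(peer), find_oe_gateway(SAMPLE_ZONE, peer))
```

Swapping `SAMPLE_ZONE` for a resolver call on `reverse_name(peer)` is the only change needed against live DNS. RFC 4025's IPSECKEY record later replaced the TXT hack, but the lookup name and the silent cleartext fallback are the same, which is why the "OE with google.com" question reduces to "does the owner of that address publish a gateway key at all".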