[openstack-dev] [Neutron] SSL VPN Implemenatation

Nachi Ueno nachi at ntti3.com
Tue Apr 29 17:58:53 UTC 2014


Hi Kyle

2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
> On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>> Hi Zang
>>
>> Thank you for your contribution on this!
>> The private key management is what I want to discuss in the summit.
>>
> Has the idea of using Barbican been discussed before? There are many
> reasons why using Barbican for this may be better than developing key
> management ourselves.

No, however I'm +1 for using Barbican. Let's discuss this in
certificate management topic in advanced service session.

> Thanks,
> Kyle
>
>> [1] We are depending DB security, anyway
>> When we get stolen the private key in the DB, it means we are also
>> stolen ID/PW for DB.
>> If we stolen the key, even if we keep the private key secret, the
>> attacker can connect the NW for anywhere.
>>
>> [2] How we manage a passcode for encrypting private key?
>> so even if openvpn supports encripted keys, when we input the passcode?
>> Vpn process will be launched automatically by neutron-server, so we
>> need to store it in the memory.
>> This is same security with plain private key.
>> For example, most of apache servers using plain private key, I guess.
>>
>> so the security of ssl-vpn impl depends on db, rpc trasport, file
>> system security even if we encrypt the private key or not.
>> may be, we have better way, but I think current design isn't so bad to
>> prevent get merged.
>>
>> Best
>> Nachi
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> 2014-04-28 23:02 GMT-07:00 Zang MingJie <zealot0630 at gmail.com>:
>>> Hi all:
>>>
>>> Currently I'm working on ssl vpn, based on patchsets by Nachi[1] and Rajesh[2]
>>>
>>> There are secure issues pointed by mark, that ssl private keys are
>>> stored plain in database and in config files of vpn-agents. As
>>> Barbican is incubated, we can store certs and their private keys in
>>> Barbican. But after checking openvpn configurations, I don't think
>>> there is any way to prevent storing private key in openvpn config
>>> files without modify the openvpn implementation.
>>>
>>> I have also made several changes, added a optional port field to
>>> sslvpn-connection table, integrated with service plugin framework
>>> (I'll follow service flavor framework when it is ready), and completed
>>> the neutronclient part. It is already developed in our testing
>>> environment, I'll upload my patch sooner or later.
>>>
>>> [1] https://review.openstack.org/#/c/58897/
>>> [2] https://review.openstack.org/#/c/70274/
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list