[openstack-dev] [Neutron] SSL VPN Implemenatation
Kyle Mestery
mestery at noironetworks.com
Tue Apr 29 18:01:53 UTC 2014
On Tue, Apr 29, 2014 at 12:58 PM, Nachi Ueno <nachi at ntti3.com> wrote:
> Hi Kyle
>
> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>> On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>>> Hi Zang
>>>
>>> Thank you for your contribution on this!
>>> The private key management is what I want to discuss in the summit.
>>>
>> Has the idea of using Barbican been discussed before? There are many
>> reasons why using Barbican for this may be better than developing key
>> management ourselves.
>
> No, however I'm +1 for using Barbican. Let's discuss this in
> certificate management topic in advanced service session.
>
Agreed, this will be good to nail down in Atlanta in a few weeks.
>> Thanks,
>> Kyle
>>
>>> [1] We are depending DB security, anyway
>>> When we get stolen the private key in the DB, it means we are also
>>> stolen ID/PW for DB.
>>> If we stolen the key, even if we keep the private key secret, the
>>> attacker can connect the NW for anywhere.
>>>
>>> [2] How we manage a passcode for encrypting private key?
>>> so even if openvpn supports encripted keys, when we input the passcode?
>>> Vpn process will be launched automatically by neutron-server, so we
>>> need to store it in the memory.
>>> This is same security with plain private key.
>>> For example, most of apache servers using plain private key, I guess.
>>>
>>> so the security of ssl-vpn impl depends on db, rpc trasport, file
>>> system security even if we encrypt the private key or not.
>>> may be, we have better way, but I think current design isn't so bad to
>>> prevent get merged.
>>>
>>> Best
>>> Nachi
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> 2014-04-28 23:02 GMT-07:00 Zang MingJie <zealot0630 at gmail.com>:
>>>> Hi all:
>>>>
>>>> Currently I'm working on ssl vpn, based on patchsets by Nachi[1] and Rajesh[2]
>>>>
>>>> There are secure issues pointed by mark, that ssl private keys are
>>>> stored plain in database and in config files of vpn-agents. As
>>>> Barbican is incubated, we can store certs and their private keys in
>>>> Barbican. But after checking openvpn configurations, I don't think
>>>> there is any way to prevent storing private key in openvpn config
>>>> files without modify the openvpn implementation.
>>>>
>>>> I have also made several changes, added a optional port field to
>>>> sslvpn-connection table, integrated with service plugin framework
>>>> (I'll follow service flavor framework when it is ready), and completed
>>>> the neutronclient part. It is already developed in our testing
>>>> environment, I'll upload my patch sooner or later.
>>>>
>>>> [1] https://review.openstack.org/#/c/58897/
>>>> [2] https://review.openstack.org/#/c/70274/
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list