[openstack-dev] [Neutron] SSL VPN Implementation

Nachi Ueno nachi at ntti3.com
Thu May 1 16:35:51 UTC 2014


Hi Jarret

IMO, Zang's point is the issue of saving the plain private key in the
filesystem for OpenVPN.
Isn't this the same even if we use Barbican?

2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.raim at rackspace.com>:
> Zang mentioned that part of the issue is that the private key has to be
> stored in the OpenVPN config file. If the config files are generated and
> can be stored, then storing the whole config file in Barbican protects the
> private key (and any other settings) without having to try to deliver the
> key to the OpenVPN endpoint in some non-standard way.
>
>
> Jarret
>
> On 4/30/14, 6:08 PM, "Nachi Ueno" <nachi at ntti3.com> wrote:
>
>>> Jarret
>>
>>Thanks!
>>Currently, the config will be generated on demand by the agent.
>>What's the merit of storing the entire config in Barbican?
>>
>>> Kyle
>>Thanks!
>>
>>2014-04-30 7:05 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>>>> Hi Clint
>>>>
>>>> Thank you for your suggestion. Your point is taken :)
>>>>
>>>>> Kyle
>>>> This is also the same discussion for LBaaS.
>>>> Can we discuss this in the advanced service meeting?
>>>>
>>> Yes! I think we should definitely discuss this in the advanced
>>> services meeting today. I've added it to the agenda [1].
>>>
>>> Thanks,
>>> Kyle
>>>
>>> [1] https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
>>>
>>>>> Zang
>>>> Could you join the discussion?
>>>>
>>>>
>>>>
>>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <clint at fewbar.com>:
>>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
>>>>>> Hi Kyle
>>>>>>
>>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
>>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
>>>>>> >> Hi Zang
>>>>>> >>
>>>>>> >> Thank you for your contribution on this!
>>>>>> >> The private key management is what I want to discuss in the summit.
>>>>>> >>
>>>>>> > Has the idea of using Barbican been discussed before? There are many
>>>>>> > reasons why using Barbican for this may be better than developing key
>>>>>> > management ourselves.
>>>>>>
>>>>>> No, however I'm +1 for using Barbican. Let's discuss this in the
>>>>>> certificate management topic in the advanced service session.
>>>>>>
>>>>>
>>>>> Just a suggestion: Don't defer that until the summit. Sounds like you've
>>>>> already got some consensus, so you don't need the summit just to rubber
>>>>> stamp it. I suggest discussing as much as you can right now on the mailing
>>>>> list, and using the time at the summit to resolve any complicated issues
>>>>> including any "a or b" things that need crowd-sourced idea making. You
>>>>> can also use the summit time to communicate your requirements to the
>>>>> Barbican developers.
>>>>>
>>>>> Point is: just because you'll have face time, doesn't mean you should
>>>>> use it for what can be done via the mailing list.
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


