[openstack-dev] [Neutron] SSL VPN Implementation

Clark, Robert Graham robert.clark at hp.com
Thu May 1 16:42:43 UTC 2014


Excuse me interrupting but couldn't you treat the key as largely
ephemeral, pull it down from Barbican, start the OpenVPN process and
then purge the key?  It would of course still be resident in the memory
of the OpenVPN process but should otherwise be protected against
filesystem disk-residency issues.


> -----Original Message-----
> From: Nachi Ueno [mailto:nachi at ntti3.com]
> Sent: 01 May 2014 17:36
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Neutron] SSL VPN Implementation
> 
> Hi Jarret
> 
> IMO, Zang's point is the issue of saving the plain private key in the
> filesystem for OpenVPN.
> Isn't this the same even if we use Barbican?
> 
> 2014-05-01 2:56 GMT-07:00 Jarret Raim <jarret.raim at rackspace.com>:
> > Zang mentioned that part of the issue is that the private key has to
> > be stored in the OpenVPN config file. If the config files are
> > generated and can be stored, then storing the whole config file in
> > Barbican protects the private key (and any other settings) without
> > having to try to deliver the key to the OpenVPN endpoint in some
> > non-standard way.
> >
> >
> > Jarret
> >
> > On 4/30/14, 6:08 PM, "Nachi Ueno" <nachi at ntti3.com> wrote:
> >
> >>> Jarret
> >>
> >>Thanks!
> >>Currently, the config will be generated on demand by the agent.
> >>What's the merit of storing the entire config in Barbican?
> >>
> >>> Kyle
> >>Thanks!
> >>
> >>2014-04-30 7:05 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
> >>> On Tue, Apr 29, 2014 at 6:11 PM, Nachi Ueno <nachi at ntti3.com> wrote:
> >>>> Hi Clint
> >>>>
> >>>> Thank you for your suggestion. Your point is taken :)
> >>>>
> >>>>> Kyle
> >>>> This is also the same discussion for LBaaS. Can we discuss this in
> >>>> the advanced services meeting?
> >>>>
> >>> Yes! I think we should definitely discuss this in the advanced
> >>> services meeting today. I've added it to the agenda [1].
> >>>
> >>> Thanks,
> >>> Kyle
> >>>
> >>> [1]
> >>> https://wiki.openstack.org/wiki/Meetings/AdvancedServices#Agenda_for_next_meeting
> >>>
> >>>>> Zang
> >>>> Could you join the discussion?
> >>>>
> >>>>
> >>>>
> >>>> 2014-04-29 15:48 GMT-07:00 Clint Byrum <clint at fewbar.com>:
> >>>>> Excerpts from Nachi Ueno's message of 2014-04-29 10:58:53 -0700:
> >>>>>> Hi Kyle
> >>>>>>
> >>>>>> 2014-04-29 10:52 GMT-07:00 Kyle Mestery <mestery at noironetworks.com>:
> >>>>>> > On Tue, Apr 29, 2014 at 12:42 PM, Nachi Ueno <nachi at ntti3.com> wrote:
> >>>>>> >> Hi Zang
> >>>>>> >>
> >>>>>> >> Thank you for your contribution on this!
> >>>>>> >> The private key management is what I want to discuss in the
> >>>>>> >> summit.
> >>>>>> >>
> >>>>>> > Has the idea of using Barbican been discussed before? There are
> >>>>>> > many reasons why using Barbican for this may be better than
> >>>>>> > developing key management ourselves.
> >>>>>>
> >>>>>> No, however I'm +1 for using Barbican. Let's discuss this in the
> >>>>>> certificate management topic in the advanced services session.
> >>>>>>
> >>>>>
> >>>>> Just a suggestion: Don't defer that until the summit. Sounds like
> >>>>> you've already got some consensus, so you don't need the summit
> >>>>> just to rubber stamp it. I suggest discussing as much as you can
> >>>>> right now on the mailing list, and using the time at the summit to
> >>>>> resolve any complicated issues including any "a or b" things that
> >>>>> need crowd-sourced idea making. You can also use the summit time
> >>>>> to communicate your requirements to the Barbican developers.
> >>>>>
> >>>>> Point is: just because you'll have face time, doesn't mean you
> >>>>> should use it for what can be done via the mailing list.
> >>>>>
> >>>>> _______________________________________________
> >>>>> OpenStack-dev mailing list
> >>>>> OpenStack-dev at lists.openstack.org
> >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
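The approach sketched in the reply above (fetch the key from the secret store, hand it to the process, purge the on-disk copy), as an added example that is not code from this thread, Neutron or OpenVPN: the Barbican fetch is a constructed stand-in, a small Python reader stands in for the openvpn process, and /dev/shm as the memory-backed location is an assumption.

```python
"""Ephemeral private-key handling for a daemon that expects its key on disk.

Added example: fetch the key from the secret store, write it to a memory-backed
tmpfs directory (assumed /dev/shm) as an owner-only file, point the child at it,
then unlink it. The child's memory then holds the only copy; tmpfs pages can
still be swapped unless swap is off or encrypted, so this limits rather than
eliminates disk residency."""
import hashlib, os, shutil, subprocess, sys, tempfile

# Constructed sample key and a stand-in for the Barbican fetch (not the real client).
CONSTRUCTED_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIBconstructedSampleKey\n-----END PRIVATE KEY-----\n"

def fetch_key_from_store(secret_ref: str) -> bytes:
    return CONSTRUCTED_KEY

def expected_key_digest() -> str:
    """SHA-256 of the constructed key, to verify what the child actually read."""
    return hashlib.sha256(CONSTRUCTED_KEY).hexdigest()

def memory_backed_dir() -> str:
    """Prefer tmpfs so the plaintext never reaches a persistent block device."""
    shm = "/dev/shm"
    return shm if os.path.isdir(shm) and os.access(shm, os.W_OK) else tempfile.gettempdir()

def run_with_ephemeral_key(secret_ref, build_cmd, fetch=fetch_key_from_store):
    """build_cmd(key_path) -> argv for the child (e.g. an openvpn invocation whose
    config references key_path). The key is purged whether the child succeeds,
    fails or never starts."""
    workdir = tempfile.mkdtemp(prefix="vpnkey-", dir=memory_backed_dir())  # mode 0700
    key_path = os.path.join(workdir, "key.pem")
    try:
        # O_EXCL with 0600 at creation: no window in which others can read the file.
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(fetch(secret_ref))
        proc = subprocess.run(build_cmd(key_path), capture_output=True, text=True)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # purge the key and its directory
    return {"returncode": proc.returncode, "stdout": proc.stdout.strip(),
            "purged": not os.path.exists(key_path)}

def demo_reader_cmd(key_path):
    """Stand-in for the openvpn process: reads the key file and prints its SHA-256."""
    code = "import sys,hashlib;print(hashlib.sha256(open(sys.argv[1],'rb').read()).hexdigest())"
    return [sys.executable, "-c", code, key_path]

def demo_failing_cmd(key_path):
    """Stand-in for a daemon that fails at startup; the key must still be purged."""
    return [sys.executable, "-c", "import sys; sys.exit(3)", key_path]
```

For a real OpenVPN launch the purge would follow the daemon's startup rather than its exit, and the key file would be referenced from the generated config.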