[openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers

Paul Michali pc at michali.net
Tue Jun 14 17:27:06 UTC 2016

Certainly the ciphers and hashes could be enhanced for VPNaaS. This would
require converting the user selections into options for the underlying
device driver, modifying the neutron client (OSC) to allow entry of the new
selections, updating unit tests, and likely adding some validators to
reject these options on drivers that may not support them (e.g. if OpenSwan
doesn't support an option, you'll want to reject it).

There is not an active VPNaaS team any more, so, if this is something that
you'd like to see, you'll need to provide some sweat equity to make it
happen. There are still some people that can core review changes, but don't
expect much community support for VPNaaS at this time. In fact, I think the
plan is to archive/mothball/whatever VPNaaS in a few months (it's on double
secret probation :)), if there is no-one actively supporting it (I'll leave
to the PTL to define what "support" means - not sure what the
qualifications will be to maintain this project).



On Wed, Jun 8, 2016 at 5:19 PM Mark Fenwick <mark.fenwick at oracle.com> wrote:

> Hi,
> I was wondering if there are any plans to extend support for IPsec and
> IKE algorithms. Looks like only AES-CBC mode and SHA1 are supported.
> It would be nice to see:
> SHA256, SHA384, SHA512
> As well as the combined mode ciphers:
> StrongSWAN already supports all of these ciphers and hashes.
> Thanks
> Mark
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160614/ae957a80/attachment.html>

More information about the OpenStack-dev mailing list