Meetings/VPNaaS

= Meetings =


 * On-demand on Tuesdays at 1600 UTC
 * IRC channel: #openstack-meeting-3
 * Chair: pc_m (Paul Michali)

There are currently no planned VPNaaS meetings. If there is an important aspect to discuss, you can either add an on-demand topic to the Neutron IRC meeting or hold an on-demand meeting in the reserved channel above. If doing the latter, please update the agenda and next meeting date on this page, and post a notice on the openstack-dev mailing list early enough for people to allocate time to attend (you may want to request a quorum).

Next meeting: TBD

= Logs and Minutes =

Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/

= Agenda =

Updated Oct 5th, 2015


 * Local multiple subnet

Announcements

 * Endpoint group server and client code is upstreamed.
 * Devstack plugin for neutronclient commit to make voting.
 * Multiple local subnet feature and CLI pushed for review.

Multiple Local Subnets
Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.

Will work on follow-up commits for functional tests, API documentation, and additional validation.

DevRef: https://review.openstack.org/#/c/191944

Bugs under Review
Current bugs: VPN bugs

Current reviews: VPNaaS reviews

Bucket List
Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:

Very Important

 * Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
 * Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).

Important

 * Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
 * Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
 * User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
 * Documentation on how to use StrongSwan
 * Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
 * Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
 * Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
 * Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
 * Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
 * Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
 * Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
 * Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Red Hat.

Nice to Have

 * Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
 * Improve coverage in UTs.
 * Checking various sync cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
 * Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
 * Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
 * Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
 * Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
 * The OpenSwan class should be separated from the ABC definition, and placed into a new module.
 * Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
 * Developer Reference Documentation needed.
 * Migrate to using neutronclient extension for VPN (and create job).
 * StrongSwan execute_with_mount to allow configurable rootwrap config file (hard coded currently).
 * Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).

Pie in the Sky Items

 * Explore leveraging off of endpoint group mechanism for other VPN flavors.
 * Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?

Interested People
List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):


 * Paul Michali (pc_m)
 * Sridhar Ramaswamy (sridha_ram)
 * Al Miller (ajmiller)
 * Victor Howard (vichoward)

Charter
VPNaaS Team Charter

Meeting Commands
/join #openstack-meeting-3


 #startmeeting vpnaas

 #topic Announcements

 #undo

 ...

 #endmeeting