Neutron/VPNaaS

This wiki page is for development discussion

= Overview =

VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces a VPN feature set.

The following is the proposed plan for the design and implementation of the VPN-as-a-Service feature in OpenStack Networking for the Havana release. The long-term goal for VPNaaS is a feature-rich service that supports multiple tunneling and security protocols with both static and dynamic routing. For the short term we want to deliver a basic, experimental, open-source-based reference implementation of IPsec VPNs using only static routing, so that the API, resource model and usability of the feature can be evaluated. This will allow us to gather feedback and make enhancements where required.

We would also like a simple configuration model, similar to the one AWS offers. In AWS the IKE and IPsec policies are pre-defined; we want them to be user-configurable rather than fixed templates.

Again for simplicity, IKE will initially be implemented with PSK (pre-shared key) authentication only, rather than certificates. Certificate-based authentication can be added later.

Current Proposed API for VPNaaS (see Neutron/VPNaaS/API)

This section describes the commands that will be introduced into python-neutronclient to support the VPNaaS advanced service.

vpn-service-create            Create a VPNService.
vpn-service-delete            Delete a given VPNService.
vpn-service-list              List all VPNServices for a given tenant.
vpn-service-show              Show detailed information of a given VPNService.
vpn-service-update            Update a given VPNService.
vpn-ikepolicy-create          Create an IKEPolicy.
vpn-ikepolicy-delete          Delete a given IKEPolicy.
vpn-ikepolicy-list            List IKEPolicies that belong to a given tenant.
vpn-ikepolicy-show            Show detailed information of a given IKEPolicy.
vpn-ikepolicy-update          Update a given IKEPolicy.
vpn-ipsecpolicy-create        Create an IPsecPolicy.
vpn-ipsecpolicy-delete        Delete a given IPsecPolicy.
vpn-ipsecpolicy-list          List IPsecPolicies that belong to a given tenant.
vpn-ipsecpolicy-show          Show detailed information of a given IPsecPolicy.
vpn-ipsecpolicy-update        Update a given IPsecPolicy.
ipsec-site-connection-create  Create an ipsec-site-connection.
ipsec-site-connection-delete  Delete a given ipsec-site-connection.
ipsec-site-connection-list    List ipsec-site-connections that belong to a given tenant.
ipsec-site-connection-show    Show information of a given ipsec-site-connection.
ipsec-site-connection-update  Update a given ipsec-site-connection.

= Command Specification =

vpn-service-create
Create a new vpnservice

neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] [--name NAME] [--description DESCRIPTION] ROUTER SUBNET


 * tenant-id: ID of the Tenant that owns the VPN Service.
 * router: Unique identifier of the Router (either 'name' or 'id') to which the VPN will be attached.
 * subnet: Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*)

vpn-service-delete
Delete a given vpnservice object.

neutron vpn-service-delete [-h] [--request-format {json,xml}] VPNSERVICE


 * VPNSERVICE: Unique identifier that identifies the VPN Service to be deleted.

vpn-service-list
Show list of VPN Service objects available to tenant.

neutron vpn-service-list

vpn-service-show
Shows information about a given VPN Service object.

neutron vpn-service-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] VPNSERVICE

vpn-service-update
Update information of a given VPN Service Object.

neutron vpn-service-update [-h] [--request-format {json,xml}] VPNSERVICE

Note: a VPN Service can only be updated when its status is not PENDING_CREATE, PENDING_UPDATE or PENDING_DELETE.

vpn-ikepolicy-create
Create a new ikepolicy object

neutron vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--description DESCRIPTION] [--auth-algorithm AUTH-ALGORITHM] [--encryption-algorithm ENCRYPTION-ALGORITHM] [--phase1-negotiation-mode PHASE1-NEGOTIATION-MODE] [--ike-version IKE-VERSION] [--pfs PFS] [--lifetime units=UNITS,value=VALUE] NAME


 * NAME: Friendly name of the IKEPolicy used in IPsec VPN Service Connections.
 * description: Friendly description of the IKEPolicy used in IPsec VPN Service Connections.
 * tenant-id: ID of the Tenant that owns the IKEPolicy.
 * auth-algorithm: Authentication (integrity) algorithm used in the IKEPolicy.
 * encryption-algorithm: Encryption algorithm used in the IKEPolicy.
 * phase1-negotiation-mode: Phase 1 negotiation mode for IKE, either 'Main' or 'Aggressive'. Aggressive mode sends the identity in the clear and, combined with PSK authentication, gives an eavesdropper material for an offline brute-force attack on the key; 'Main' is the safe choice.
 * lifetime: String with the lifetime parameters, for example --lifetime "units=seconds,value=3600"
 * units: Units for the lifetime ('seconds' or 'kilobytes').
 * value: Value for the lifetime (non-negative integer).
 * ike-version: IKE version to use (for example 'v1').
 * pfs: Perfect Forward Secrecy Diffie-Hellman group (for example 'Group5').

vpn-ikepolicy-delete
Delete a given IKEPolicy object.

neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}] IKEPOLICY


 * IKEPOLICY: Unique identifier that identifies the IKEPolicy to be deleted.

vpn-ikepolicy-list
Show list of IKEPolicy objects available to tenant.

neutron vpn-ikepolicy-list

vpn-ikepolicy-show
Shows information about a given IKEPolicy object.

neutron vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] IKEPOLICY

vpn-ikepolicy-update
Update information of a given IKEPolicy Object.

neutron vpn-ikepolicy-update [-h] [--request-format {json,xml}] IKEPOLICY

vpn-ipsecpolicy-create
Create a new ipsecpolicy object

neutron vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--description DESCRIPTION] --transform-protocol TRANSFORM-PROTOCOL [--auth-algorithm AUTH-ALGORITHM] [--encryption-algorithm ENCRYPTION-ALGORITHM] [--encapsulation-mode ENCAPSULATION-MODE] [--pfs PFS] [--lifetime units=UNITS,value=VALUE] NAME


 * NAME: Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
 * description: Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
 * tenant-id: ID of the Tenant that owns the VPN Service.
 * auth-algorithm: Authentication algorithm used in the IPsecPolicy.
 * encryption-algorithm: Encryption algorithm used in the IPsecPolicy.
 * encapsulation-mode: Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
 * transform-protocol: IPsec transform protocol, either 'ESP' or 'AH'. Only ESP provides confidentiality; AH authenticates the packet but does not encrypt it.
 * lifetime: String with the lifetime parameters, for example --lifetime "units=seconds,value=3600"
 * units: Units for the lifetime ('seconds' or 'kilobytes').
 * value: Value for the lifetime (non-negative integer).
 * pfs: Perfect Forward Secrecy Diffie-Hellman group (for example 'Group5').

vpn-ipsecpolicy-delete
Delete a given IPsecPolicy object.

neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] IPSECPOLICY


 * IPSECPOLICY: Unique identifier that identifies the IPSECPolicy to be deleted.

vpn-ipsecpolicy-list
Show list of IPSECPolicy objects available to tenant.

neutron vpn-ipsecpolicy-list

vpn-ipsecpolicy-show
Shows information about a given IPsecPolicy object.

neutron vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] IPSECPOLICY

vpn-ipsecpolicy-update
Update information of a given IPsecPolicy Object.

neutron vpn-ipsecpolicy-update [-h] [--request-format {json,xml}] IPSECPOLICY

ipsec-site-connection-create
Create a new ipsec-site-connection object

neutron ipsec-site-connection-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] --name NAME [--description DESCRIPTION] --peer-address PEER-ADDRESS --peer-id PEER-ID --peer_cidr PEER-CIDRS [--mtu MTU] [--psk PSK] [--initiator INITIATOR] [--dpd DPD] --vpnservice-id VPNSERVICE --ikepolicy-id IKEPOLICY --ipsecpolicy-id IPSECPOLICY


 * peer-address: Remote peer IP address for the VPN connection.
 * tenant-id: ID of the Tenant that owns the connection.
 * peer-id: Peer identifier string (the IKE identity of the remote gateway).
 * peer_cidr: Remote peer subnet with mask, in CIDR format.
 * mtu: MTU of the tunnel, used for fragmentation.
 * dpd: String with the dead peer detection attributes, for example --dpd "action=hold,interval=30,timeout=120"
 * action: Dead peer detection action (for example 'hold' or 'restart').
 * interval: Dead peer detection probe interval in seconds (interval=30).
 * timeout: Dead peer detection timeout in seconds (timeout=120).
 * route-mode: Routing mode, either 'static' or 'dynamic'; only 'static' is supported in the first release.
 * auth-mode: Authentication mode, either 'PSK' or 'CERTS'.
 * psk: Pre-shared key used for IKE authentication when auth-mode is 'PSK'. Treat it as a secret: it is stored by the service and returned in ipsec-site-connection responses, so anyone with read access to the connection obtains it.
 * initiator: Initiator mode, either 'bi-directional' or 'responder'.
 * vpnservice-id: Unique identifier of the VPN Service object.
 * ikepolicy-id: Unique identifier of the IKE Policy object.
 * ipsecpolicy-id: Unique identifier of the IPsec Policy object.
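The --lifetime and --dpd options above (and the same --lifetime option on vpn-ikepolicy-create and vpn-ipsecpolicy-create) take a comma-separated key=value string that the client must turn into the structured attribute the API stores. The following is an added example, not python-neutronclient code, of parsing and validating those strings, plus the phase-1-mode / auth-mode check a practitioner would want to run before a policy and connection are created. The allowed units and phase-1 modes are the ones this page lists; the defaults, the dpd action set, the interval < timeout rule and the minimum PSK length are assumptions made for the example.

```python
"""Parse and validate the composite CLI options of the proposed VPNaaS commands:
--lifetime "units=UNITS,value=VALUE" and --dpd "action=ACTION,interval=N,timeout=N",
plus the phase-1 / authentication-mode check to run before creating a policy.

Added example, not python-neutronclient code. Allowed units and phase-1 modes are
the ones this page lists; the defaults, the dpd action set, the interval < timeout
rule and the minimum PSK length are assumptions.
"""
import re

LIFETIME_UNITS = {"seconds", "kilobytes"}
PHASE1_MODES = {"main", "aggressive"}
AUTH_MODES = {"psk", "certs"}
DPD_ACTIONS = {"hold", "restart", "clear", "disabled"}  # assumption
MIN_PSK_LEN = 20  # assumption: refuse short, guessable keys such as "bla_bla_bla"


def parse_kv(option, text):
    """Turn "k=v,k=v" into a dict, rejecting malformed, empty or duplicate tokens."""
    result = {}
    for token in text.split(","):
        key, sep, value = (part.strip() for part in token.partition("="))
        if not sep or not key or not value:
            raise ValueError(f"--{option}: expected key=value, got {token.strip()!r}")
        if key in result:
            raise ValueError(f"--{option}: duplicate key {key!r}")
        result[key] = value.lower()
    return result


def _non_negative_int(option, key, raw):
    if not re.fullmatch(r"\d+", raw):
        raise ValueError(f"--{option}: {key} must be a non-negative integer, got {raw!r}")
    return int(raw)


def _reject_unknown(option, kv, allowed):
    extra = set(kv) - allowed
    if extra:
        raise ValueError(f"--{option}: unknown key(s) {sorted(extra)}")


def parse_lifetime(text):
    """'units=seconds,value=3600' -> {'units': 'seconds', 'value': 3600}."""
    kv = parse_kv("lifetime", text)
    _reject_unknown("lifetime", kv, {"units", "value"})
    units = kv.get("units", "seconds")  # default is an assumption
    if units not in LIFETIME_UNITS:
        raise ValueError(f"--lifetime: units must be one of {sorted(LIFETIME_UNITS)}")
    if "value" not in kv:
        raise ValueError("--lifetime: value is required")
    return {"units": units, "value": _non_negative_int("lifetime", "value", kv["value"])}


def parse_dpd(text):
    """'action=hold,interval=30,timeout=120' -> dict with integer interval/timeout."""
    kv = parse_kv("dpd", text)
    _reject_unknown("dpd", kv, {"action", "interval", "timeout"})
    action = kv.get("action", "hold")  # defaults are assumptions
    if action not in DPD_ACTIONS:
        raise ValueError(f"--dpd: action must be one of {sorted(DPD_ACTIONS)}")
    interval = _non_negative_int("dpd", "interval", kv.get("interval", "30"))
    timeout = _non_negative_int("dpd", "timeout", kv.get("timeout", "120"))
    # Assumption: the timeout must exceed the probe interval, otherwise a single
    # missed probe is enough to tear the tunnel down.
    if action != "disabled" and not 0 < interval < timeout:
        raise ValueError(f"--dpd: need 0 < interval < timeout, got {interval}/{timeout}")
    return {"action": action, "interval": interval, "timeout": timeout}


def connection_problems(phase1_negotiation_mode, auth_mode, psk=None):
    """Reasons to refuse an IKE policy / site connection pair (empty list = OK)."""
    mode, auth = phase1_negotiation_mode.lower(), auth_mode.lower()
    problems = []
    if mode not in PHASE1_MODES:
        problems.append(f"unknown phase1-negotiation-mode {mode!r}")
    if auth not in AUTH_MODES:
        problems.append(f"unknown auth-mode {auth!r}")
    if mode == "aggressive" and auth == "psk":
        problems.append("aggressive mode with PSK exposes an offline-crackable hash of the key; use main mode")
    if auth == "psk":
        if not psk:
            problems.append("auth-mode psk requires a psk")
        elif len(psk) < MIN_PSK_LEN:
            problems.append(f"psk shorter than {MIN_PSK_LEN} characters")
    return problems


def check(parser, text):
    """Run a parser, returning (result, None) or (None, error message) instead of raising."""
    try:
        return parser(text), None
    except ValueError as exc:
        return None, str(exc)
```

The parsers raise ValueError with the option name in the message, which is what a CLI would print before exiting; `check` wraps that for callers that prefer a result tuple. `connection_problems` returns every finding rather than the first, so a user can fix a policy in one pass.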

ipsec-site-connection-delete
Delete a given ipsec-site-connection object.

neutron ipsec-site-connection-delete [-h] [--request-format {json,xml}] ipsec-site-connection


 * ipsec-site-connection: Unique identifier that identifies the VPN Connection to be deleted.

ipsec-site-connection-list
Show list of VPN Connection objects available to tenant.

neutron ipsec-site-connection-list

ipsec-site-connection-show
Shows information about a given VPN Connection object.

neutron ipsec-site-connection-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] ipsec-site-connection

ipsec-site-connection-update
Update information of a given VPN Connection Object.

neutron ipsec-site-connection-update [-h] [--request-format {json,xml}] ipsec-site-connection

Note: a VPN Connection can only be updated when its status is not PENDING_CREATE, PENDING_UPDATE or PENDING_DELETE.

= REST API =

High-Level Task Flow
The high-level task flow for using the VPNaaS API to configure an IPsec VPN is as follows:


 * The tenant creates a VPNService, without any connections.
 * The tenant creates one or more IKEPolicies.
 * The tenant creates one or more IPsecPolicies.
 * The tenant creates one or more ipsec-site-connections and associates each with a VPNService id, an IKEPolicy id and an IPsecPolicy id. The connection is created last because it references all three.
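The four steps above as an added example, not part of Neutron or python-neutronclient: a small client that runs them in order against the /v1.0 paths proposed on this page, threads the returned ids into the connection, and polls until the connection leaves PENDING_CREATE. FakeNeutron is a constructed in-memory stand-in for the API server so the flow runs offline; it also refuses a connection whose referenced ids do not exist, which is the failure a caller hits when the steps are run out of order. A real HTTP transport with the same request(method, path, body) signature could replace it. Attribute names use underscores throughout, following the ipsec_site_connection body style (the page's bodies mix hyphens and underscores); ids, addresses and the psk value are placeholders.

```python
"""VPNaaS task flow: create the VPN service, an IKE policy, an IPsec policy and
finally the ipsec-site-connection that references all three ids, then poll until
the connection leaves PENDING_CREATE.

Added example, not Neutron or python-neutronclient code. Paths are the /v1.0/...
ones proposed on this page; FakeNeutron is a constructed stand-in for the server.
"""
import time
import uuid

BASE = "/v1.0"
# Resources the page gives an admin_state_up/status lifecycle; policies are
# plain records (taken from the page's response bodies).
STATEFUL = {"vpnservices", "ipsec-site-connections"}
# Which collection each foreign key on a connection must point into.
CONNECTION_REFS = {"vpnservice_id": "vpnservices",
                   "ikepolicy_id": "ikepolicies",
                   "ipsecpolicy_id": "ipsecpolicies"}


class FakeNeutron:
    """Server stand-in: POST stores the resource and answers 202 with status
    PENDING_CREATE; the next GET flips it to ACTIVE (as the agent would once the
    tunnel is configured). A connection referencing an unknown id gets 404."""

    def __init__(self):
        self.store = {}  # (collection, id) -> (wrapper, resource)

    def request(self, method, path, body=None):
        parts = path.strip("/").split("/")  # ["v1.0", collection] or [..., id]
        collection = parts[1]
        if method == "POST" and len(parts) == 2:
            wrapper, attrs = next(iter(body.items()))
            if collection == "ipsec-site-connections":
                for ref, coll in CONNECTION_REFS.items():
                    if (coll, attrs.get(ref)) not in self.store:
                        return 404, {"NeutronError": f"{ref} {attrs.get(ref)!r} not found"}
            res = dict(attrs, id=str(uuid.uuid4()))
            if collection in STATEFUL:
                res.setdefault("admin_state_up", True)
                res["status"] = "PENDING_CREATE"
            self.store[(collection, res["id"])] = (wrapper, res)
            return 202, {wrapper: dict(res)}
        if method == "GET" and len(parts) == 3:
            entry = self.store.get((collection, parts[2]))
            if entry is None:
                return 404, {"NeutronError": f"{parts[2]} not found"}
            wrapper, res = entry
            if res.get("status") == "PENDING_CREATE":
                res["status"] = "ACTIVE"
            return 200, {wrapper: dict(res)}
        return 405, {"NeutronError": f"{method} {path} not supported by the stand-in"}


class VpnaasClient:
    def __init__(self, transport, tenant_id):
        self.transport = transport
        self.tenant_id = tenant_id

    def create(self, collection, wrapper, attrs):
        body = {wrapper: dict(attrs, tenant_id=self.tenant_id)}
        status, reply = self.transport.request("POST", f"{BASE}/{collection}", body)
        if status != 202:
            raise RuntimeError(f"POST {collection}: HTTP {status} {reply}")
        return reply[wrapper]

    def show(self, collection, wrapper, res_id):
        status, reply = self.transport.request("GET", f"{BASE}/{collection}/{res_id}")
        if status != 200:
            raise RuntimeError(f"GET {collection}/{res_id}: HTTP {status} {reply}")
        return reply[wrapper]

    def wait_ready(self, collection, wrapper, res_id, attempts=10, delay=0.0):
        """Poll until the resource is out of its PENDING_* state."""
        res = None
        for _ in range(attempts):
            res = self.show(collection, wrapper, res_id)
            if not res["status"].startswith("PENDING_"):
                return res
            time.sleep(delay)
        raise TimeoutError(f"{collection}/{res_id} still {res and res['status']}")


def build_site_to_site(client, router_id, subnet_id, peer_address, peer_cidr, psk):
    """Run the four steps in order; return the created ids and the final connection."""
    svc = client.create("vpnservices", "vpnservice",
                        {"name": "cloud_vpn", "router_id": router_id, "subnet_id": subnet_id})
    ike = client.create("ikepolicies", "ikepolicy", {
        "name": "ikepolicy_1", "auth_algorithm": "sha1", "encryption_algorithm": "aes-256",
        "phase1_negotiation_mode": "main",  # not aggressive: with PSK it leaks a crackable hash
        "ike_version": "v1", "pfs": "Group5",
        "lifetime": {"units": "seconds", "value": 28800}})
    ipsec = client.create("ipsecpolicies", "ipsecpolicy", {
        "name": "ipsecpolicy_1", "transform_protocol": "esp", "auth_algorithm": "sha1",
        "encryption_algorithm": "aes-256", "encapsulation_mode": "tunnel", "pfs": "Group5",
        "lifetime": {"units": "seconds", "value": 28800}})
    conn = client.create("ipsec-site-connections", "ipsec_site_connection", {
        "name": "ipsec_connection_1", "peer_address": peer_address, "peer_id": peer_address,
        "peer_cidr": peer_cidr, "psk": psk, "initiator": "bi-directional", "mtu": 1500,
        "dpd": {"action": "hold", "interval": 30, "timeout": 120},
        "vpnservice_id": svc["id"], "ikepolicy_id": ike["id"], "ipsecpolicy_id": ipsec["id"]})
    conn = client.wait_ready("ipsec-site-connections", "ipsec_site_connection", conn["id"])
    return {"vpnservice_id": svc["id"], "ikepolicy_id": ike["id"],
            "ipsecpolicy_id": ipsec["id"], "connection": conn}


if __name__ == "__main__":
    # Constructed ids and addresses; the psk is a placeholder, not a real key.
    c = VpnaasClient(FakeNeutron(), "310df60f-2a10-4ee5-9554-98393092194c")
    out = build_site_to_site(c, "8acda86a-f8c3-42ed-afce-d7954eee77b3",
                             "96a4386a-f8c3-42ed-afce-d7954eee77b3",
                             "203.0.113.10", "10.30.2.0/24", "constructed-placeholder-psk")
    print(out["connection"]["status"], out["connection"]["id"])
```

The client treats anything other than 202 on create and 200 on show as an error instead of reading fields out of an error body, and it only reports the connection as built once a GET confirms it is no longer PENDING_CREATE; the 202 on create means the request was accepted, not that the tunnel exists.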

VPNService APIs
GET /v1.0/vpnservices/
GET /v1.0/vpnservices/vpnservice-id
POST /v1.0/vpnservices
PUT /v1.0/vpnservices/vpnservice-id
DELETE /v1.0/vpnservices/vpnservice-id

JSON Request
POST /v1.0/vpnservices
Content-Type: application/json
Accept: application/json
X-Auth-Token: xyz
Content-Length: abc

 {
   "vpnservice": {
     "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
     "name": "cloud_vpn",
     "subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
     "router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3"
   }
 }

JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

 {
   "vpnservice": {
     "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
     "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
     "name": "cloud_vpn",
     "subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
     "router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
     "admin_state_up": true,
     "status": "PENDING_CREATE"
   }
 }

IKEPolicy APIs
GET /v1.0/ikepolicies/
POST /v1.0/ikepolicies
GET /v1.0/ikepolicies/ikepolicy-id
PUT /v1.0/ikepolicies/ikepolicy-id
DELETE /v1.0/ikepolicies/ikepolicy-id

JSON Request
POST /v1.0/ikepolicies
Accept: application/json
Content-Type: application/json
X-Auth-Token: xyz
Content-Length: abc

 {
   "ikepolicy": {
     "name": "ikepolicy_1",
     "auth_algorithm": "sha1",
     "encryption_algorithm": "aes-256",
     "phase1_negotiation_mode": "main",
     "lifetime": {
       "units": "seconds",
       "value": 28800
     },
     "ike_version": "v1",
     "pfs": "Group5"
   }
 }

JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

 {
   "ikepolicy": {
     "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
     "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
     "name": "ikepolicy_1",
     "auth_algorithm": "sha1",
     "encryption_algorithm": "aes-256",
     "phase1_negotiation_mode": "main",
     "lifetime": {
       "units": "seconds",
       "value": 28800
     },
     "ike_version": "v1",
     "pfs": "Group5"
   }
 }

IPsecPolicy APIs
GET /v1.0/ipsecpolicies/
POST /v1.0/ipsecpolicies
GET /v1.0/ipsecpolicies/ipsecpolicy-id
PUT /v1.0/ipsecpolicies/ipsecpolicy-id
DELETE /v1.0/ipsecpolicies/ipsecpolicy-id

JSON Request
POST /v1.0/ipsecpolicies
Accept: application/json
Content-Type: application/json
X-Auth-Token: xyz
Content-Length: abc

 {
   "ipsecpolicy": {
     "name": "ipsecpolicy_1",
     "transform_protocol": "esp",
     "auth_algorithm": "sha1",
     "encryption_algorithm": "aes-256",
     "encapsulation_mode": "tunnel",
     "lifetime": {
       "units": "seconds",
       "value": 28800
     },
     "pfs": "Group5"
   }
 }

JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

 {
   "ipsecpolicy": {
     "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
     "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
     "name": "ipsecpolicy_1",
     "transform_protocol": "esp",
     "auth_algorithm": "sha1",
     "encryption_algorithm": "aes-256",
     "encapsulation_mode": "tunnel",
     "lifetime": {
       "units": "seconds",
       "value": 28800
     },
     "pfs": "Group5"
   }
 }

ipsec-site-connection APIs
GET /v1.0/ipsec-site-connections/
POST /v1.0/ipsec-site-connections
GET /v1.0/ipsec-site-connections/ipsec-site-connection-id
PUT /v1.0/ipsec-site-connections/ipsec-site-connection-id
DELETE /v1.0/ipsec-site-connections/ipsec-site-connection-id

JSON Request
POST /v1.0/ipsec-site-connections
Accept: application/json
Content-Type: application/json
X-Auth-Token: xyz
Content-Length: abc

 {
   "ipsec_site_connection": {
     "name": "ipsec_connection_1",
     "peer_address": "192.168.2.255",
     "peer_id": "192.168.2.255",
     "peer_cidr": "10.30.2.0/24",
     "dpd": {
       "action": "hold",
       "interval": 20,
       "timeout": 120
     },
     "mtu": 1500,
     "psk": "bla_bla_bla",
     "initiator": "bi-directional",
     "vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
     "ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
     "ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed"
   }
 }

JSON Response
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc

 {
   "ipsec_site_connection": {
     "id": "cfc6589d-f949-4c66-99d2-c2da56ef3764",
     "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
     "name": "ipsec_connection_1",
     "peer_address": "192.168.2.255",
     "peer_id": "192.168.2.255",
     "peer_cidr": "10.30.2.0/24",
     "dpd": {
       "action": "hold",
       "interval": 20,
       "timeout": 120
     },
     "mtu": 1500,
     "psk": "bla_bla_bla",
     "initiator": "bi-directional",
     "vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
     "ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
     "ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed",
     "admin_state_up": true,
     "status": "PENDING_CREATE"
   }
 }

= Blueprints =

VPN as a Service (VPNaaS) APIs, Data Model and Use Cases

= Havana Plan =