
Difference between revisions of "Meetings/VPNaaS"

(Announcements)
(Important)
 
(29 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
= Meetings =
 
= Meetings =
  
* Weekly on-demand on Tuesdays at 1600 UTC
+
* On-demand on Tuesdays at 1600 UTC
 
* IRC channel: #openstack-meeting-3
 
* IRC channel: #openstack-meeting-3
 
* Chair: pc_m (Paul Michali)
 
* Chair: pc_m (Paul Michali)
  
 +
There currently are no planned VPNaaS meetings. If there is an important aspect to discuss, you can either add an on-demand topic to the Neutron IRC meeting, or hold an on-demand meeting in the above reserved channel. If doing the latter, please update the agenda, and next meeting date on this page, and post a notice on the openstack-dev mailing list with ample time for people to allocate time to attend (you may want to request a quorum).
  
If you want to hold a meeting. Update this wiki page with agenda modifications, date of meeting desired, date of update, and then post a notice on the openstack-dev mailing list, at least 24 hours prior to the meeting start time. We have reserved this (new) channel on the IRC for the time/day of week.
 
  
Next meeting: Tuesday, August 4th, 2015.
+
Next meeting: TBD
  
 
= Logs and Minutes=
 
= Logs and Minutes=
Line 14: Line 14:
  
 
= Agenda =
 
= Agenda =
Updated Aug 18th, 2015
+
Updated Oct 5th, 2015
  
* Endpoint groups
+
* Local multiple subnet
* VPN Functional tests
 
  
 
== Announcements ==
 
== Announcements ==
* Rename of VPN DevStack plugin for VPN upstreamed
+
* Endpoint group server and client code is upstreamed.
* Splitting model and database (216248)
+
* Devstack plugin for neutronclient commit to make voting.
* Working on endpoint-groups
+
* Multiple local subnet feature and CLI pushed for review.
* VPN DevStack plugin for neutron-client - pending decision
 
* Rally scenario tests under development
 
* MTU for StrongSwan is per service, versus OpenSwan (and others) is per connection.
 
* VPN APIs migrating to neutron-vpnaas repo
 
  
== Endpoint Groups ==
+
== Multiple Local Subnets ==
WIP out for review https://review.openstack.org/#/c/212692/2.
+
Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.
Polled operators and no-one indicated production deployment of VPNaaS.
 
Plan is to implement endpoint groups and multiple local subnets under existing v2 API, and to introduce as non-backward compatible change.
 
  
Ref: https://bugs.launchpad.net/neutron/+bug/1459423 (bug), https://review.openstack.org/#/c/191944(dev ref)
+
Will work on follow-up commits for functional tests, API documentation, and additional validation.
 
 
 
 
== VPN Functional Tests for Neutron Commits ==
 
No action on this currently. Awaiting resolution of more pressing issues.
 
  
 +
DevRef: https://review.openstack.org/#/c/191944
  
 
== Bugs under Review ==
 
== Bugs under Review ==
Line 49: Line 39:
  
 
== Bucket List ==
 
== Bucket List ==
 +
Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:
 +
 +
=== Very Important ===
 +
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
 +
* Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).
  
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
+
=== Important ===
* Could use python34 support added to neutron-vpnaas. Several tests are being disabled.
+
* Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
* Grenade work to support Advanced Services, so that plugin can be activated.
+
* Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
* Validation that peer IP for VPN connection is of same version as router's GW I/F.
+
* User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
* User documentation for Networking Guide. (including limitations/restrictions)
 
* Coverage, especially in database and device driver modules, is lacking.
 
* Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
 
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
 
* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
 
* Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
 
 
* Documentation on how to use StrongSwan
 
* Documentation on how to use StrongSwan
* Developer Reference Documentation needed.
 
 
* Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
 
* Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
* StrongSwan execute_with_mount() to allow configurable rootwrap config file.
+
* Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
* Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
+
* Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
+
* Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
* There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
+
* Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
* Should enhance/add unit test cases for:
+
* Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
 +
* Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
 +
* Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Redhat.
 +
 
 +
=== Nice to Have ===
 +
* Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
 +
* Improve coverage in UTs.
 
** Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
 
** Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
** Verification of contents of configuration files created for StrongSwan and OpenSwan.
 
 
** Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
 
** Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
 +
* Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
 +
* Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
 +
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
 +
* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
 +
* Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
 +
* Developer Reference Documentation needed.
 +
* Migrate to using neutronclient extension for VPN (and create job).
 +
* StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
 +
* Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).
  
 
+
=== Pie in the Sky Items ===
== BGP/MPLS and Edge VPN ==
+
* Explore leveraging off of endpoint group mechanism for other VPN flavors.
 
+
* Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?
Info:
 
 
 
* Edge-VPN http://git.openstack.org/cgit/stackforge/networking-edge-vpn/ with specs:
 
** Edge VPN service provisioning APIs: https://review.openstack.org/#/c/201378
 
** Neutron extension for edge VPN: https://review.openstack.org/#/c/201381
 
* BGP VPN https://github.com/stackforge/networking-bgpvpn with API proposal https://review.openstack.org/#/c/177740
 
 
 
  
 
== Interested People ==
 
== Interested People ==
Line 90: Line 85:
 
* Sridhar Ramaswamy (sridha_ram)
 
* Sridhar Ramaswamy (sridha_ram)
 
* Al Miller (ajmiller)
 
* Al Miller (ajmiller)
 
+
* Victor Howard (vichoward)
  
 
== Charter ==
 
== Charter ==

Latest revision as of 17:15, 13 November 2015

Meetings

  • On-demand on Tuesdays at 1600 UTC
  • IRC channel: #openstack-meeting-3
  • Chair: pc_m (Paul Michali)

There are currently no planned VPNaaS meetings. If there is an important topic to discuss, you can either add an on-demand topic to the Neutron IRC meeting or hold an on-demand meeting in the reserved channel above. If doing the latter, please update the agenda and next meeting date on this page, and post a notice on the openstack-dev mailing list early enough for people to set aside time to attend (you may want to request a quorum).


Next meeting: TBD

Logs and Minutes

Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/

Agenda

Updated Oct 5th, 2015

  • Local multiple subnet

Announcements

  • Endpoint group server and client code is upstreamed.
  • Devstack plugin for neutronclient commit to make voting.
  • Multiple local subnet feature and CLI pushed for review.

Multiple Local Subnets

Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.

Will work on follow-up commits for functional tests, API documentation, and additional validation.

DevRef: https://review.openstack.org/#/c/191944

Bugs under Review

Current bugs: VPN bugs

Current reviews: VPNaaS reviews

Open Discussion

Bucket List

Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:

Very Important

  • Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
  • Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).

Important

  • Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
  • Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
  • User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
  • Documentation on how to use StrongSwan
  • Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
  • Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
  • Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
  • Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
  • Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
  • Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
  • Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
  • Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Red Hat.

Nice to Have

  • Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
  • Improve coverage in UTs.
    • Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
    • Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
  • Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
  • Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
  • Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
  • The OpenSwan class should be separated from the ABC definition, and placed into a new module.
  • Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
  • Developer Reference Documentation needed.
  • Migrate to using neutronclient extension for VPN (and create job).
  • StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
  • Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).

Pie in the Sky Items

  • Explore leveraging off of endpoint group mechanism for other VPN flavors.
  • Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?

Interested People

List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):

  • Paul Michali (pc_m)
  • Sridhar Ramaswamy (sridha_ram)
  • Al Miller (ajmiller)
  • Victor Howard (vichoward)

Charter

VPNaaS Team Charter


Meeting Commands

/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo

...

#endmeeting