Jump to: navigation, search

Difference between revisions of "Meetings/VPNaaS"

m (Meeting Commands)
Line 106: Line 106:
== Meeting Commands ==
== Meeting Commands ==
<nowiki>/join #openstack-meeting-4</nowiki><br />
<nowiki>/join #openstack-meeting-3</nowiki><br />
<nowiki>#startmeeting vpnaas</nowiki><br />
<nowiki>#startmeeting vpnaas</nowiki><br />
<nowiki>#topic Announcements</nowiki><br />
<nowiki>#topic Announcements</nowiki><br />

Revision as of 16:04, 9 June 2015


  • Weekly on-demand on Tuesdays at 1600 UTC
  • IRC channel: #openstack-meeting-3
  • Chair: pc_m (Paul Michali)

If you want to hold a meeting. Update this wiki page with agenda modifications, date of meeting desired, date of update, and then post a notice on the openstack-dev mailing list, at least 24 hours prior to the meeting start time. We have reserved this (new) channel on the IRC for the time/day of week.

Next meeting: Tuesday, June 9nd, 2015.

Logs and Minutes

Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/


Updated June 8th, 2015


  • Anything?

Bugs under Review

Current bugs: VPN bugs

Current reviews: VPNaaS reviews

Need resolution of gate issues for: https://review.openstack.org/#/c/159746

Multiple Local Subnets on VPN connection

Waiting for Drivers Team to review RFE. One question, should we add a (new) restriction that requires the local and peer subnets to be the same IP version? Currently, with the 1:N (local:peer) subnets, there is no check that the peer and local subnets are using the same IP versioning. Should they be required to both be IPv4 or IPv6 and not mixed?

Certificates for IPSec VPN

Researching into Barbican and use of certificates for IPSec site-to-site connections. What types of certificates are (or should be) supported for *Swan implementations? X.509, others? Should we just add Barbican certificate ID field to connection table for now, and then later consider splitting out authentication info to a new table, so it can be reused for other VPN variants?


Discussion on https://review.openstack.org/#/c/181563/


From last meeting, please contribute use cases to https://etherpad.openstack.org/p/vpn-flavors, so that we can better understand the VPN variants that are being discussed.

Let's try to get the use cases and workflows documented on the etherpad, so we have a shared understanding of the different proposals out there. Can continue discussing the designs here.

Here's some info from the summit:

Open Discussion

Bucket List

Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...

  • User documentation for Networking Guide. (including limitations/restrictions)
  • Coverage, especially in database and device driver modules, is lacking.
  • Need functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs).
  • Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
  • The OpenSwan class should be separated from the ABC definition, and placed into a new module.
  • Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
  • Documentation on how to use StrongSwan
  • Developer Reference Documentation needed. (pc_m adding empty DevRef doc sections).
  • Looks like StrongSwan is missing some configuration settings in template, so can only do defaults. Bug filed.
  • Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
  • StrongSwan execute_with_mount() to allow configurable rootwrap config file.
  • Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can they be integrated into VPNaaS?
  • Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. Will investigate pc_m
  • Devstack support for VPNaaS (see LBaaS including devstack setup in their repo).
  • Multiple local subnet support for IPSec. - RFE created. pc_m
  • There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
  • Should enhance/add unit test cases for:
    • Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
    • Verification of contents of configuration files created for StrongSwan and OpenSwan.
    • Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).

Interested People

List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):

  • Paul Michali (pc_m)
  • Sridhar Ramaswamy (sridha_ram)
  • Al Miller (ajmiller)


VPNaaS Team Charter

Meeting Commands

/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements