Difference between revisions of "Meetings/VPNaaS"
Paul Michali (→Agenda)
Paul Michali (→Bucket List)
Revision as of 13:56, 12 November 2015
Meetings
- Weekly on-demand on Tuesdays at 1600 UTC
- IRC channel: #openstack-meeting-3
- Chair: pc_m (Paul Michali)
If you want to hold a meeting, update this wiki page with agenda modifications, the desired meeting date, and the date of the update, and then post a notice on the openstack-dev mailing list at least 24 hours prior to the meeting start time. We have reserved this (new) IRC channel for that time and day of the week.
Next meeting: Tuesday, October 6th, 2015.
Logs and Minutes
Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/
Agenda
Updated Oct 5th, 2015
- Local multiple subnet
Announcements
- Endpoint group server and client code is upstreamed.
- Devstack plugin for neutronclient commit to make voting.
- Multiple local subnet feature and CLI pushed for review.
Multiple Local Subnets
Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.
Will work on follow-up commits for functional tests, API documentation, and additional validation.
DevRef: https://review.openstack.org/#/c/191944
Bugs under Review
Current bugs: VPN bugs
Current reviews: VPNaaS reviews
Open Discussion
Bucket List
Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:
Very Important
- Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO.
- Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).
Important
- Complete python34 support for test (see tox.ini for disabled tests).
- Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
- User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
- Documentation on how to use StrongSwan
- Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
Nice to Have
- Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
- Improve coverage in UTs.
  - Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
  - Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
- Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
- Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
- Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
- The OpenSwan class should be separated from the ABC definition, and placed into a new module.
- Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
- Developer Reference Documentation needed.
- Migrate to using neutronclient extension for VPN (and create job).
- StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
Pie in the Sky Items
- Explore leveraging off of endpoint group mechanism for other VPN flavors.
- Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?
Interested People
List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):
- Paul Michali (pc_m)
- Sridhar Ramaswamy (sridha_ram)
- Al Miller (ajmiller)
- Victor Howard (vichoward)
Charter
Meeting Commands
/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo
...
#endmeeting