- Weekly on-demand on Tuesdays at 1600 UTC
- IRC channel: #openstack-meeting-3
- Chair: pc_m (Paul Michali)
If you want to hold a meeting. Update this wiki page with agenda modifications, date of meeting desired, date of update, and then post a notice on the openstack-dev mailing list, at least 24 hours prior to the meeting start time. We have reserved this (new) channel on the IRC for the time/day of week.
Next meeting: Tuesday, June 9nd, 2015.
Logs and Minutes
Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/
Updated June 8th, 2015
- Questions on multiple local subnet enhancement
- Certificates for IPSec VPN
- Discuss DMVPN spec for Liberty (https://review.openstack.org/#/c/181563/)
- BGP/MPLS VPN and Edge VPN discussion
Bugs under Review
Current bugs: VPN bugs
Current reviews: VPNaaS reviews
Need resolution of gate issues for: https://review.openstack.org/#/c/159746
Multiple Local Subnets on VPN connection
Waiting for Drivers Team to review RFE. One question, should we add a (new) restriction that requires the local and peer subnets to be the same IP version? Currently, with the 1:N (local:peer) subnets, there is no check that the peer and local subnets are using the same IP versioning. Should they be required to both be IPv4 or IPv6 and not mixed?
Certificates for IPSec VPN
Researching into Barbican and use of certificates for IPSec site-to-site connections. What types of certificates are (or should be) supported for *Swan implementations? X.509, others? Should we just add Barbican certificate ID field to connection table for now, and then later consider splitting out authentication info to a new table, so it can be reused for other VPN variants?
Discussion on https://review.openstack.org/#/c/181563/
BGP/MPLS and Edge VPN
From last meeting, please contribute use cases to https://etherpad.openstack.org/p/vpn-flavors, so that we can better understand the VPN variants that are being discussed.
Let's try to get the use cases and workflows documented on the etherpad, so we have a shared understanding of the different proposals out there. Can continue discussing the designs here.
Here's some info from the summit:
- Edge-VPN http://git.openstack.org/cgit/stackforge/networking-edge-vpn/ with spec https://review.openstack.org/#/c/152377/
- BGP VPN https://github.com/stackforge/networking-bgpvpn with API proposa https://review.openstack.org/#/c/177740
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
- User documentation for Networking Guide. (including limitations/restrictions)
- Coverage, especially in database and device driver modules, is lacking.
- Need functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs).
- Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
- The OpenSwan class should be separated from the ABC definition, and placed into a new module.
- Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
- Documentation on how to use StrongSwan
- Developer Reference Documentation needed. (pc_m adding empty DevRef doc sections).
- Looks like StrongSwan is missing some configuration settings in template, so can only do defaults. Bug filed.
- Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
- StrongSwan execute_with_mount() to allow configurable rootwrap config file.
- Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can they be integrated into VPNaaS?
- Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. Will investigate pc_m
- Devstack support for VPNaaS (see LBaaS including devstack setup in their repo).
- Multiple local subnet support for IPSec. - RFE created. pc_m
- There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
- Should enhance/add unit test cases for:
- Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
- Verification of contents of configuration files created for StrongSwan and OpenSwan.
- Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):
- Paul Michali (pc_m)
- Sridhar Ramaswamy (sridha_ram)
- Al Miller (ajmiller)