- Weekly on-demand on Tuesdays at 1600 UTC
- IRC channel: #openstack-meeting-3
- Chair: pc_m (Paul Michali)
If you want to hold a meeting, update this wiki page with the agenda modifications, the desired meeting date, and the date of the update, and then post a notice on the openstack-dev mailing list at least 24 hours prior to the meeting start time. We have reserved this (new) IRC channel for that time/day of the week.
Next meeting: Tuesday, June 16th, 2015.
Logs and Minutes
Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/
Updated June 15th, 2015
- Multiple local subnet enhancement
- Certificates for IPSec VPN
- Discuss DMVPN spec for Liberty (https://review.openstack.org/#/c/181563/)
- BGP/MPLS VPN and Edge VPN discussion
Multiple Local Subnets on VPN connection
Team agreed to restrict subnets (local and peer) to the same IP version.
Will start on the dev ref (design) and implementation. One question: should we break the API in two as part of this effort? Currently, the thought is to move the local "subnet" attribute from the service to the connection and extend it to allow multiple local subnets. An alternative approach would be the following...
We could break the connection API into two. One would specify the "endpoints" of the connection (what is connected): the networks/subnets involved in the VPN connection. The second would be IPSec specific and hold the details of the connection (how the connection is made). Something like:
vpn-endpoints-create --local-cidrs <list> --peer-cidrs <list>
ipsec-site-connection --vpnservice-id <uuid> --ikepolicy-id <uuid> --ipsecpolicy-id <uuid> --psk <string> --dpd ... --endpoints <uuid>
The thought here is that this could be extended to other VPN types. Thoughts?
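As an added illustration of the "same IP version" restriction agreed above (this is example code written for this page, not VPNaaS code), the following validator accepts the local and peer CIDR lists a connection would carry once the local "subnet" attribute allows multiple entries, rejects malformed networks, and rejects any mix of IPv4 and IPv6 across both sides. The function and exception names are assumptions chosen for the example.

```python
import ipaddress

# Hypothetical exception type for the example; Neutron/VPNaaS uses its own.
class VpnValidationError(ValueError):
    pass


def validate_connection_cidrs(local_cidrs, peer_cidrs):
    """Validate the CIDR lists of an IPSec site connection.

    Enforces the agreed restriction that local and peer subnets share one
    IP version. Returns the common version (4 or 6) so the caller can pick
    the matching driver template; raises VpnValidationError otherwise.
    """
    if not local_cidrs or not peer_cidrs:
        raise VpnValidationError("at least one local and one peer CIDR is required")

    versions = set()
    seen = set()
    for side, cidrs in (("local", local_cidrs), ("peer", peer_cidrs)):
        for cidr in cidrs:
            try:
                # strict=True rejects host addresses such as 10.0.0.1/24,
                # which *Swan would otherwise silently normalise.
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                raise VpnValidationError(f"{side} CIDR {cidr!r} is not a valid network: {exc}")
            if net in seen:
                raise VpnValidationError(f"duplicate CIDR {cidr!r}")
            seen.add(net)
            versions.add(net.version)

    if len(versions) != 1:
        raise VpnValidationError(
            "local and peer CIDRs must all be the same IP version, got v%s"
            % "/v".join(str(v) for v in sorted(versions)))
    return versions.pop()


def is_valid_connection(local_cidrs, peer_cidrs):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_connection_cidrs(local_cidrs, peer_cidrs)
        return True
    except VpnValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample input: two local subnets, one peer network.
    print(validate_connection_cidrs(["10.1.0.0/24", "10.2.0.0/24"], ["192.168.0.0/16"]))
    # Mixed versions are rejected under the agreed restriction.
    print(is_valid_connection(["10.1.0.0/24"], ["2001:db8::/32"]))
```

The check runs before anything touches the device driver, so a mixed-version request fails at the API layer rather than producing a half-configured tunnel.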
Certificates for IPSec VPN
This is ready for dev ref documentation and implementation. Some questions are:
- What types of certificates are (or should be) supported for *Swan implementations other than X.509?
- Should we create a new API for authentication credentials?
- If create credentials, how should the API look?
I was thinking that we could have a CRUD API to allow credentials (PSK or X.509) to be created, and then the IPSec connection could reference the credential by UUID. This would allow the credentials to be used for other VPN types as well. If we do that, we'd need to decide (quickly) on the API/database (some suggestions in the LP bug).
The alternative is to add an optional X.509 certificate UUID and passphrase field to the connection (and with other credential types this would get more complex). This doesn't scale well and prevents reuse.
Discussion on https://review.openstack.org/#/c/181563/
BGP/MPLS and Edge VPN
From last meeting, please contribute use cases to https://etherpad.openstack.org/p/vpn-flavors, so that we can better understand the VPN variants that are being discussed.
Let's try to get the use cases and workflows documented on the etherpad, so we have a shared understanding of the different proposals out there. Can continue discussing the designs here.
Here's some info from the summit:
- Edge-VPN http://git.openstack.org/cgit/stackforge/networking-edge-vpn/ with spec https://review.openstack.org/#/c/152377/
- BGP VPN https://github.com/stackforge/networking-bgpvpn with API proposal https://review.openstack.org/#/c/177740
Bugs under Review
Current bugs: VPN bugs
Current reviews: VPNaaS reviews
Need resolution of gate issues for: https://review.openstack.org/#/c/159746
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
- User documentation for Networking Guide. (including limitations/restrictions)
- Coverage, especially in database and device driver modules, is lacking.
- Need functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs).
- Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
- The OpenSwan class should be separated from the ABC definition, and placed into a new module.
- Remove the \n from the execute method in utils.py so that duplicate code can be removed in the VPN drivers.
- Documentation on how to use StrongSwan
- Developer Reference Documentation needed. (pc_m adding empty DevRef doc sections).
- Looks like StrongSwan is missing some configuration settings in template, so can only do defaults. Bug filed.
- Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
- StrongSwan execute_with_mount() to allow configurable rootwrap config file.
- Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can they be integrated into VPNaaS?
- Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. Will investigate pc_m
- Devstack support for VPNaaS (see LBaaS including devstack setup in their repo).
- Multiple local subnet support for IPSec. - RFE created. pc_m
- There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
- Should enhance/add unit test cases for:
  - Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
  - Verification of contents of configuration files created for StrongSwan and OpenSwan.
  - Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):
- Paul Michali (pc_m)
- Sridhar Ramaswamy (sridha_ram)
- Al Miller (ajmiller)