Difference between revisions of "Neutron/LBaaS/SSL"

Revision as of 15:03, 27 May 2014

Description

Terminating TLS connections on the load balancer and re-encrypting traffic to the back-end nodes is a capability expected of modern load balancers and used by many applications. It enables better certificate management and improved application-based load balancing (e.g. cookie-based persistence, L7 policies, etc.).

To give LBaaS the ability to terminate TLS, a new extension called TLS will be added.

Rationale

The rationale is to give the user the ability to do TLS offload on LBaaS.

The user should be able to configure LBaaS to offload TLS traffic and re-encrypt it towards the back end, taking specific service ports (VIPs) and SNI into account.

The top-level requirements are as follows.

1st phase:

  • Tenant should be able to manage their TLS policies
  • Tenant should be able to manage their certificates and private keys, preferably via the Barbican project API
  • Tenant should be able to apply a TLS policy to a specific service port (VIP listener)
  • Tenant should be able to associate TLS certificate(s) with a specific LBaaS service port and also with a specific domain (SNI)
  • Tenant should be able to configure LBaaS to re-encrypt the traffic to the back end


2nd phase:

  • Forward the client certificate to the back-end server
  • Support certificate chains for front-end certificates
  • Support front-end client authentication and back-end server authentication

User Experience

TLS Policies Managing

Under Project tab->Manage Network->Load Balancers->TLS Policies (new tab), tenant will see a table of TLS policies with "Add" and "Delete" buttons, as usual.

Default policy will be available. It will have default set of protocols and cipher suites. Tenant should be able to explore default policy details but should not be able to delete it.

Cipher suite groups will be available: low, medium and high. A tenant will be able to choose one of them or to compile a customized list.

On "Add", as usual, form pops-up with:
  • Name : text field
  • Description : text field
  • Enable Front-End termination : check box
  • Front-End supported protocols : multiple selector (at least one should be selected)
  • Front-End supported cipher suites : Radio button with 4 choices:
    • LOW (OpenSSL LOW ciphers, Hint should show them all)
    • MEDIUM (OpenSSL MEDIUM ciphers, Hint should show them all)
    • HIGH (OpenSSL HIGH ciphers, Hint should show them all)
    • All: (All cipher suites supported by the provider)
  • Enable Back-End encryption : check box
  • Back-End supported protocols : multiple selector (at least one should be selected)
  • Back-End supported cipher suites : Radio button with 4 choices:
    • LOW (OpenSSL LOW ciphers, Hint should show them all)
    • MEDIUM (OpenSSL MEDIUM ciphers, Hint should show them all)
    • HIGH (OpenSSL HIGH ciphers, Hint should show them all)
    • All: (All cipher suites supported by the provider)
  • Pass info
    • Cipher : check box
    • Version : check box
    • Bits : check box
    • Frontend – add “Front-End-Https:” to headers : check box
Note: Front-End or Back-End or both must be configured in order to save.
On "Delete", as usual, a confirmation is shown. Policies that are associated with a VIP are deletion-protected.
On Actions->"Edit Policy" button, a form opens with the fields allowed to be changed:
  • all fields
Note: If a changed policy is associated with one or more VIPs (listeners), each VIP's provider should apply any required changes on the LBaaS.

On Actions column->"More" button contains delete option only

TLS Certificates Managing

Under Project tab->Manage Network->TLS Certificates (new), the user will see a table of TLS certificates with "Add" and "Delete" buttons, as usual.

On "Add", as usual, form pops-up with:
  • Name : text field
  • Description : text field
  • Certificate : text field
  • Pass phrase : text field
  • Certificate chain : text field
  • Private key : text field
On "Delete", as usual, a confirmation is shown. Certificates that are associated with a VIP are deletion-protected.
On Actions->"Edit Certificate" button, a form opens with the fields allowed to be changed:
  • name
  • description
Note: If a changed certificate is associated with one or more VIPs (listeners), each VIP's provider should apply any required changes on the LBaaS.

On Actions column->"More" button contains delete option only

VIP creation

  • VIP and Pool protocols are different

The behavior will remain as is: a customer cannot create a VIP with different front-end and back-end protocols. VIP creation will fail.

  • VIP and Pool protocols are HTTP

The VIP will be created with HTTP on the front end and HTTP on the back end. When an SSL policy is associated, the VIP's and pool's protocols will remain HTTP; the policy will define the VIP's behavior.

  • VIP and Pool protocols are HTTPS

The VIP will be created with HTTPS on the front end and HTTPS on the back end. When an SSL policy is associated, the VIP's and pool's protocols will remain HTTPS; the policy will define the VIP's behavior.

VIP (listener) TLS Association

Important Note: Associating and disassociating TLS for a VIP are atomic actions.
Disassociating TLS from a VIP removes all of its associations with the policy and certificates. This applies to both the UI and the CLI.

On the Project->Load Balancers screen, for each pool, the "More" button->VIP TLS association (new) option opens a new form.

A single TLS policy may be selected from the policies table, which contains a selection check box and the policy name. The user will also be able to press the "Add New" button and get the TLS policy addition form.

Depending on the policy, if front-end termination is enabled, the TLS certificates table will be enabled for choosing certificates.

The TLS certificates table contains the certificate name.

At least one certificate must be selected. An "Add New" button will also be present; pressing it will open the TLS certificate form.

  • To apply an association:

TLS policy must be selected. If front-end termination is enabled, at least one TLS certificate must be selected.

VIP (listener) TLS Disassociation

On disassociation of VIP and TLS, VIP and pool protocols will remain as is.

API change

  • VIP (listener) CRUD API of the LBaaS plugin will not be changed.
  • New extension named "tls" will be added, including TLS policies and certificates resources.
  • New db extension named "tls_db" will be added, including TLS policies and certificates DB handling.
  • Since TLS offload capability is a core LBaaS capability, the TLS entities management API and the VIP TLS association API should be added to the LBaaS plugin.

Resources change

  • VIP resource remains the same
  • TLS policy (new)
    • front-end-termination : bool
    • front-end-protocols : list of comma-separated values from a list of allowed values (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • front-end-cipher_suites : list of comma-separated values from the allowed values list.
      • Format - <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
    • back-end-encryption : bool
    • back-end-protocols : list of comma-separated values from a list of allowed values (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • back-end-cipher_suites : list of comma-separated values from the allowed values list.
      • Format - <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
    • pass-info : list of comma-separated values from the allowed values list (cipher, protocol, bits, front-end)
  • TLS certificate (new)
    • certificate : PEM encoded X509 certificate
    • pass_phrase : not mandatory string
    • private_key : PEM encoded private key
    • certificate_chain : list of PEM-formatted x509 certificates, not mandatory
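As an added example (not Neutron's own code), the following validator enforces the rules this spec states for a TLS policy resource and for a VIP TLS association: at least one side must be enabled to save, protocols must come from the allowed list with at least one selected for an enabled side, pass-info values must come from the allowed list, and front-end termination requires at least one certificate. Attribute names follow the Resources change section; the sample policies and the certificate ids are constructed.

```python
ALLOWED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALLOWED_PASS_INFO = ("cipher", "protocol", "bits", "front-end")


def _csv(value):
    """Split a comma-separated attribute value into a list, dropping blanks."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def validate_tls_policy(policy):
    """Return a list of validation errors; an empty list means the policy is valid."""
    errors = []
    fe_enabled = bool(policy.get("front-end-termination"))
    be_enabled = bool(policy.get("back-end-encryption"))
    # Save rule: front end or back end (or both) must be configured.
    if not (fe_enabled or be_enabled):
        errors.append("front-end termination or back-end encryption (or both) must be enabled")
    for side, enabled in (("front-end", fe_enabled), ("back-end", be_enabled)):
        protocols = _csv(policy.get(f"{side}-protocols"))
        unsupported = [p for p in protocols if p not in ALLOWED_PROTOCOLS]
        if unsupported:
            errors.append(f"{side}-protocols: unsupported {unsupported}")
        # Form rule: at least one protocol must be selected for an enabled side.
        if enabled and not protocols:
            errors.append(f"{side}-protocols: at least one protocol is required when {side} is enabled")
    bad_info = [i for i in _csv(policy.get("pass-info")) if i not in ALLOWED_PASS_INFO]
    if bad_info:
        errors.append(f"pass-info: unsupported {bad_info}")
    return errors


def validate_vip_tls_association(policy, certificate_ids):
    """Association rule: a valid policy is required; front-end termination needs >= 1 certificate."""
    errors = validate_tls_policy(policy)
    if policy.get("front-end-termination") and not certificate_ids:
        errors.append("front-end termination is enabled but no TLS certificate was selected")
    return errors


# Constructed sample policies (not taken from a real deployment).
TERMINATING_POLICY = {"front-end-termination": True,
                      "front-end-protocols": "TLSv1.1,TLSv1.2",
                      "pass-info": "cipher,bits"}
REENCRYPT_ONLY_POLICY = {"back-end-encryption": True, "back-end-protocols": "TLSv1.2"}

if __name__ == "__main__":
    print(validate_tls_policy(TERMINATING_POLICY))                       # []
    print(validate_tls_policy({}))                                       # save rule violated
    print(validate_vip_tls_association(TERMINATING_POLICY, []))          # certificate required
    print(validate_vip_tls_association(REENCRYPT_ONLY_POLICY, []))       # [] no front-end cert needed
```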

Data model change

  • VIP (listener) entity will be associated with a TLS policy and TLS certificate(s).
  • tls_policy (new)
    • tls_policy_id (string 36)
    • tls_policy_name (string 64)
    • front_end_enabled (bool)
    • front_end_protocols (string 32)
    • front_end_cipher_suites (string 512)
    • back_end_enabled (bool)
    • back_end_protocols (string 32)
    • back_end_cipher_suites (string 512)
    • pass_info (string 64)
  • tls_certificate (new)
    • tls-certificate_id (string 36)
    • tls-certificate-name (string 64)
    • certificate (string 4096)
    • pass_phrase (string 64)
    • certificate_chain (string 20480)
    • private_key (string 4096) (absent in Icehouse release)
  • vip_tls_policy_assoc (new, one policy per VIP)
    • vip_id (string 36)
    • tls_policy_id (string 36)
    • status (string 16)
    • desc (string 255)
  • vip_tls_certificate_assoc (new, multiple certificates per VIP; a certificate may be associated with multiple VIPs)
    • vip_id (string 36)
    • tls_certificate_id (string 36)
    • status (string 16)
    • desc (string 255)

DB Migration

No DB migration is needed

CLI changes

SSL Policy
  • neutron ssl-policy-create --front-end-termination type=dict enable=true protocols=SSLv3,TLSv1,TLSv1.1 cipher-suites=DES-CBC-SHA,EXP-DES-CBC-SHA --back-end-termination type=dict enabled=true protocols=SSLv3,TLSv1,TLSv1.1 cipher-suites=DES-CBC-SHA,EXP-DES-CBC-SHA --pass-info type=dict cipher=true bits=true policy name
  • neutron ssl-policy-update --policy_id --front-end-termination type=dict protocols=TLSv1,TLSv1.1
  • neutron ssl-policy-delete --policy_id
  • neutron ssl-policy-list
  • neutron ssl-policy-show --policy_id
SSL Certificate
  • neutron ssl-certificate-create --cert CERTIFICATE-FILE <--private-key PRIVATE-KEY-FILE> <--passphrase PASSPHRASE> <--cert-chain INTERMEDIATE-CERT-FILE-1, INTERMEDIATE-CERT-FILE-2> certificate name
  • neutron ssl-certificate-update --certificate-id --cert-chain INTERMEDIATE-CERT-FILE-1, INTERMEDIATE-CERT-FILE-2, INTERMEDIATE-CERT-FILE-3
  • neutron ssl-certificate-delete --certificate_id
  • neutron ssl-certificate-list
  • neutron ssl-certificate-show --certificate_id
VIP SSL Association
  • neutron vip-ssl-associate --vip-id VIP-ID --ssl-policy-id my_policy_id --ssl-certificate type=dict certificate-id=google_cert_id private-key=PRIVATE-KEY-FILE-1 --ssl-trusted-certificate type=dict cert-id=KEY-ID-1
  • neutron vip-ssl-disassociate --vip-id VIP-ID
TODO: List of certificates and trusted certificates should be supported

Implementation Plan

  • Create a new extension called "ssl" with the new SSL entities
  • Add the new SSL entities' CRUD API to the LBaaS plugin
  • Add the new DB entities and associations
  • Add unit tests for the new SSL extension's resources
  • Add unit tests for the new SSL DB mixin
  • Modify the LBaaS HAProxy driver to support the SSL extension
  • Update HAProxy to version 1.5 {TBD}

Support Matrix

Provider    | Protocols                               | Cipher Suites | Certificate chain | FE client auth. | BE trusted cert. | BE client cert. | SNI
HAProxy 1.5 | SSLv3, TLSv1                            | As OpenSSL    | Yes               | Yes             | No               | No              | Yes
Amazon EC2  | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2   | As OpenSSL    | Yes               | No              | Yes              | No              | No
OpenStack   | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2   | As OpenSSL    | Yes               | No              | Yes              | No              | Yes