
Neutron/LBaaS/SSL

Revision as of 13:48, 28 May 2014 by Evgeny.fedoruk (talk | contribs) (SSL Policy)

Description

Terminating TLS connections on the load balancer and re-encrypting traffic to the back-end nodes are capabilities expected from modern load balancers and incorporated into many applications. This capability enables better certificate management and improved application-based load balancing (e.g. cookie-based persistence, L7 policies, etc.).

To give LBaaS the TLS termination ability, a new extension called TLS will be added.

Rationale

The rationale is giving the user the ability to do TLS offload on LBaaS.

The user should have the ability to configure the LBaaS to offload TLS traffic and re-encrypt it to the back end, while considering specific service ports (VIPs) and SNI.

Following are top level requirements

1st phase:

  • Tenant should be able to manage his TLS policies
  • Tenant should be able to manage his certificates and private keys, preferably via Barbican project API.
  • Tenant should be able to apply TLS policy on specific service port (VIP listener)
  • Tenant should be able to associate TLS certificates to LBaaS' specific service port and to a specific domain as well (SNI)
  • Tenant should be able to configure the LBaaS to re-encrypt the traffic to the back-end


2nd phase:

  • Support certificates chain for front-end certificates
  • Support front-end client authentication and back-end server authentication

User Experience

TLS Policies Managing

A default policy will be available. It will have front-end TLS termination disabled and back-end re-encryption disabled. Its front-end and back-end supported protocols and cipher suites should have the most convenient default values. A tenant should be able to explore the default policy's details but should not be able to delete it.

Tenant will be able to "Add" (create), "Delete" (remove) and update TLS policies.

Cipher suite groups will be available: low, medium and high. A tenant will be able to choose one of them or to compile a customized list.

On "Add", as usual, form pops-up with:
  • Name : text field
  • Description : text field
  • Enable Front-End termination : check box
  • Front-End supported protocols : multiple selector (at least one should be selected)
  • Front-End supported cipher suites : Radio button with 4 choices:
    • LOW (OpenSSL LOW ciphers, Hint should show them all)
    • MEDIUM (OpenSSL MEDIUM ciphers, Hint should show them all)
    • HIGH (OpenSSL HIGH ciphers, Hint should show them all)
    • All: (All cipher suites supported by the provider)
  • Enable Back-End encryption : check box
  • Back-End supported protocols : multiple selector (at least one should be selected)
  • Back-End supported cipher suites : Radio button with 4 choices:
    • LOW (OpenSSL LOW ciphers, Hint should show them all)
    • MEDIUM (OpenSSL MEDIUM ciphers, Hint should show them all)
    • HIGH (OpenSSL HIGH ciphers, Hint should show them all)
    • All: (All cipher suites supported by the provider)


Note: Front-End or Back-End (or both) must be configured before the policy can be saved.

On "Delete", as usual, confirmation. Policies that are associated with a service port are deletion protected.

Following fields may be modified on policy update:
  • all fields

Note: If a changed policy is associated with one or more service ports (VIP listeners), each back-end service provider (driver) should perform any required changes.

TLS Certificates Managing

Tenant will be able to create (add), delete (remove) and update TLS certificates

Following required for creation:
  • Name : text field
  • Description : text field
  • Certificate : PEM file name
  • Pass phrase : text field (optional)
On "Delete", as usual, confirmation. Certificates that are associated with a service port are deletion protected.

Following may be changed for an existing certificate:
  • name
  • description

Note: If a changed certificate is associated with one or more service ports (listeners), each back-end service provider (driver) should make any required changes.

Service Port (VIP listener) creation

  • If service port (VIP listener) is created with HTTP protocol - no TLS configuration required / available.

Plain traffic into the front-end, L7 rules available, plain traffic out to the back-end server.


  • If service port (VIP listener) is created with HTTPS protocol - default TLS policy is attached to it.

The default TLS policy disables front-end termination and back-end re-encryption, so no tenant intervention is required by default when creating a service port with the HTTPS protocol. The tenant may change the policy to a different one.

A TLS policy defines the behavior of a service port for incoming TLS traffic. If the policy enables front-end termination, a default TLS certificate will be required for offloading; associating other certificates will be possible for SNI.

Note: Exact way of supporting SNI to be defined.

Service port (VIP listener) TLS Settings

  • TLS policy and certificate settings for a service port are available only for service ports having HTTPS as their protocol
  • Removing the TLS policy from an HTTPS service port is impossible; the tenant will only be allowed to replace the TLS policy.
  • When the TLS policy enables front-end termination, a default TLS certificate must be set before the tenant can save the settings

API change

  • Service port (VIP listener) create/update API of the LBaaS plugin will be modified to have optional TLS policy, optional TLS default certificate and optional SNI certificates list
  • TLS policies CRUD will be added
  • Since TLS offload capability is a core LBaaS capability, service port TLS settings API should be added to the LBaaS plugin

Resources change

  • Service port (VIP listener) resource will be modified with new TLS policy and default TLS certificate
  • Service port (VIP listener) settings for SNI TLS certificates will be saved as association records
  • TLS policy (new)
    Note: TLS policy may be stored in Barbican as well
    • front-end-termination : bool
    • front-end-protocols : list of comma-separated values from a list of allowed values (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • front-end-cipher_suites : list of comma-separated values from the allowed values list.
      • Format - <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
    • back-end-encryption : bool
    • back-end-protocols : list of comma-separated values from a list of allowed values (SSLv3, TLSv1, TLSv1.1, TLSv1.2), default=None
    • back-end-cipher_suites : list of comma-separated values from the allowed values list.
      • Format - <key exchange algorithm>_<bulk encryption algorithm>_<message authentication code>_<pseudorandom function>
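The save rules from the policy form above (at least one protocol per enabled side, a named cipher group or a custom list, and front-end or back-end or both enabled) together with the field names from this resources section, as an added Python validator. This is example code, not Neutron's or the LBaaS extension's; the field names, the allowed protocol list and the LOW/MEDIUM/HIGH/All groups are the page's, while the SSLv3 warning and the four-part check on custom cipher suites are this example's own reading of the format line. The built-in default policy (both sides disabled) is created by the service rather than through the form and is not covered by the "one side enabled" rule here.

```python
# Added example (not Neutron code): validation of the TLS policy resource
# described in "Resources change".  Field names and the protocol list are
# the page's; the cipher-suite format check follows the page's
# "<key exchange>_<bulk encryption>_<MAC>_<PRF>" line.

ALLOWED_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CIPHER_GROUPS = ("LOW", "MEDIUM", "HIGH", "All")
CIPHER_SUITE_PARTS = 4  # key exchange, bulk cipher, MAC, PRF


def _parse_csv(value):
    """Split a comma-separated string into stripped, non-empty items."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def _check_side(policy, side, enable_key, errors, warnings):
    """Validate one side (front-end or back-end); return True if it is enabled."""
    if not policy.get(enable_key, False):
        return False
    protocols = _parse_csv(policy.get("%s-protocols" % side))
    if not protocols:
        errors.append("%s: at least one protocol must be selected" % side)
    for proto in protocols:
        if proto not in ALLOWED_PROTOCOLS:
            errors.append("%s: unsupported protocol %r" % (side, proto))
        elif proto == "SSLv3":
            # Allowed by the page's list, but obsolete (RFC 7568); flag it.
            warnings.append("%s: SSLv3 is obsolete, prefer TLSv1.2" % side)
    suites = policy.get("%s-cipher_suites" % side)
    if suites in CIPHER_GROUPS:
        return True  # a named OpenSSL group, expanded by the provider
    custom = _parse_csv(suites)
    if not custom:
        errors.append("%s: choose a cipher group or give a custom list" % side)
    for suite in custom:
        if len(suite.split("_")) != CIPHER_SUITE_PARTS:
            errors.append("%s: malformed cipher suite %r" % (side, suite))
    return True


def validate_tls_policy(policy):
    """Return (errors, warnings); an empty errors list means the policy can be saved."""
    errors, warnings = [], []
    fe = _check_side(policy, "front-end", "front-end-termination", errors, warnings)
    be = _check_side(policy, "back-end", "back-end-encryption", errors, warnings)
    if not (fe or be):
        errors.append("front-end termination or back-end encryption (or both) must be enabled")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample policy: TLS 1.1/1.2 only on the front end, HIGH group.
    sample = {"front-end-termination": True,
              "front-end-protocols": "TLSv1.1,TLSv1.2",
              "front-end-cipher_suites": "HIGH",
              "back-end-encryption": False}
    print(validate_tls_policy(sample))
```

Errors block the save; warnings are meant for the form's hint text, so a tenant who deliberately keeps SSLv3 for an old client still sees why it is discouraged.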

Data model change

  • Service port (VIP listener) entity will be modified with new optional TLS policy and TLS default certificate fields:
    • tls_policy_id (string 36)
    • default_tls_certificate_id (string 36) - Barbican certificate container id
  • tls_policy (new):
    • tls_policy_id (string 36)
    • tls_policy_name (string 64)
    • front_end_enabled (bool)
    • front_end_protocols (string 32)
    • front_end_cipher_suites (string 512)
    • back_end_enabled (bool)
    • back_end_protocols (string 32)
    • back_end_cipher_suites (string 512)
    • pass_info (string 64)
  • vip_tls_certificate_assoc (N:M):
    • service_port_id (string 36)
    • tls_certificate_id (string 36)
    • SNI_server_name_pattern (string 255)
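How the vip_tls_certificate_assoc rows and the listener's default certificate would be used at connection time, as an added Python example that is not part of this page or of Neutron. The page leaves the exact SNI mechanism undefined, so this example assumes SNI_server_name_pattern is either an exact host name or a single leading-label wildcard such as *.example.test; the association rows and certificate ids are constructed sample data.

```python
# Added example (not Neutron code): choosing the certificate to present for
# a TLS ClientHello's server name, using the vip_tls_certificate_assoc rows
# described above plus the service port's default certificate.
# Assumption: SNI_server_name_pattern is an exact host name or a "*.suffix"
# wildcard covering exactly one DNS label (RFC 6125 style), matched
# case-insensitively.
from collections import namedtuple

Assoc = namedtuple("Assoc", "service_port_id tls_certificate_id sni_server_name_pattern")

# Constructed sample rows for two service ports.
SAMPLE_ASSOCS = [
    Assoc("port-1", "cert-wild", "*.example.test"),
    Assoc("port-1", "cert-exact", "www.example.test"),
    Assoc("port-2", "cert-other", "www.example.test"),
]


def _pattern_matches(pattern, server_name):
    """True if the association pattern covers the client's server name."""
    pattern = pattern.lower().rstrip(".")
    server_name = server_name.lower().rstrip(".")
    if pattern == server_name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.test"
        if not server_name.endswith(suffix):
            return False
        head = server_name[:-len(suffix)]
        # One label only: a.example.test matches, a.b.example.test does not.
        return bool(head) and "." not in head
    return False


def select_certificate(service_port_id, server_name, assocs, default_certificate_id):
    """Return the certificate id to present on this listener.

    Exact patterns win over wildcards; with no SNI extension or no matching
    row the listener's default certificate is used, so a client never gets
    a certificate that was associated with another service port.
    """
    if not server_name:
        return default_certificate_id
    candidates = [a for a in assocs
                  if a.service_port_id == service_port_id
                  and _pattern_matches(a.sni_server_name_pattern, server_name)]
    if not candidates:
        return default_certificate_id
    # Stable sort: exact patterns (False) sort before wildcards (True).
    candidates.sort(key=lambda a: a.sni_server_name_pattern.startswith("*"))
    return candidates[0].tls_certificate_id


if __name__ == "__main__":
    for name in ("www.example.test", "api.example.test", "deep.api.example.test", None):
        print(name, "->", select_certificate("port-1", name, SAMPLE_ASSOCS, "cert-default"))
```

The per-listener filter is the important check: the N:M table is keyed by service_port_id, and a lookup that forgot that key would let a pattern registered on one VIP answer for another tenant's listener.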

DB Migration

DB migration is needed for:

  • Service port resource changes
  • Optionally, if TLS policies will be saved in neutron DB, new table for TLS policies
  • New table for TLS policies associations to service ports

CLI changes

SSL Policy

Note: In case TLS policies are neutron DB entities.
  • neutron tls-policy-create --front-end-termination type=dict enable=true protocols=SSLv3,TLSv1,TLSv1.1 cipher-suites=DES-CBC-SHA,EXP-DES-CBC-SHA --back-end-termination type=dict enabled=true protocols=SSLv3,TLSv1,TLSv1.1 cipher-suites=DES-CBC-SHA,EXP-DES-CBC-SHA --pass-info type=dict cipher=true bits=true POLICY-NAME
  • neutron tls-policy-update --policy_id --front-end-termination type=dict protocols=TLSv1,TLSv1.1
  • neutron tls-policy-delete --policy_id
  • neutron tls-policy-list
  • neutron tls-policy-show --policy_id

SSL Certificate

  • neutron ssl-certificate-create --cert CERTIFICATE-FILE <--private-key PRIVATE-KEY-FILE> <--passphrase PASSPHRASE> <--cert-chain INTERMEDIATE-CERT-FILE-1, INTERMEDIATE-CERT-FILE-2> CERTIFICATE-NAME
  • neutron ssl-certificate-update --certificate-id --cert-chain INTERMEDIATE-CERT-FILE-1, INTERMEDIATE-CERT-FILE-2, INTERMEDIATE-CERT-FILE-3
  • neutron ssl-certificate-delete --certificate_id
  • neutron ssl-certificate-list
  • neutron ssl-certificate-show --certificate_id

VIP SSL Association

  • neutron vip-ssl-associate --vip-id VIP-ID --ssl-policy-id my_policy_id --ssl-certificate type=dict certificate-id=google_cert_id private-key=PRIVATE-KEY-FILE-1 --ssl-trusted-certificate type=dict cert-id=KEY-ID-1
  • neutron vip-ssl-disassociate --vip-id VIP-ID

TODO: Lists of certificates and trusted certificates should be supported.

Implementation Plan

  • Create a new extension called "ssl" with new SSL entities
  • Add new SSL entities CRUD API to the LBaaS plugin
  • Add new DB entities and associations
  • Add unit tests for the new SSL extension's resources
  • Add unit tests for the new SSL DB mixin
  • Modify the LBaaS HAProxy driver to support the SSL extension
  • Update HAProxy to version 1.5 {TBD}
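What the HAProxy driver step amounts to, as an added Python example that is not the LBaaS HAProxy driver's code: rendering one service port's frontend/backend pair from the tls_policy columns of the data model section. The listener name, VIP, certificate paths and member addresses are constructed; the directives used (bind ... ssl crt, ciphers, no-sslv3/no-tlsv10/no-tlsv11/no-tlsv12, server ... ssl verify) are HAProxy 1.5 syntax, which is why the plan pins that version. Protocol fields are passed as lists here; the comma-separated string columns would be split first.

```python
# Added example (not the LBaaS HAProxy driver): rendering one listener's
# HAProxy 1.5 configuration from the tls_policy data model fields above.
# Paths, member addresses and names are constructed; the directives used
# (bind ... ssl crt, ciphers, no-sslv3/no-tlsv1x, server ... ssl verify)
# are HAProxy 1.5 syntax.

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# HAProxy 1.5 has no allow-list keyword: versions outside the policy are
# switched off one by one with these flags.
DISABLE_FLAG = {"SSLv3": "no-sslv3", "TLSv1": "no-tlsv10",
                "TLSv1.1": "no-tlsv11", "TLSv1.2": "no-tlsv12"}


def _protocol_flags(enabled_protocols):
    """Flags that disable every protocol version the policy does not list."""
    return [DISABLE_FLAG[p] for p in ALL_PROTOCOLS if p not in enabled_protocols]


def render_listener(name, vip, port, policy, default_cert_path, sni_cert_paths, members):
    """Return a frontend/backend pair for one service port (VIP listener).

    policy uses the tls_policy column names (front_end_enabled, ...).
    Cipher suites are OpenSSL cipher strings, matching the "As OpenSSL"
    entry in the support matrix.
    """
    lines = ["frontend %s" % name]
    if policy["front_end_enabled"]:
        bind = ["bind %s:%d ssl" % (vip, port), "crt %s" % default_cert_path]
        # Further crt entries are chosen by SNI; the first one is the default
        # presented to clients that send no server name.
        bind += ["crt %s" % path for path in sni_cert_paths]
        bind.append("ciphers %s" % policy["front_end_cipher_suites"])
        bind += _protocol_flags(policy["front_end_protocols"])
        lines.append("    " + " ".join(bind))
    else:
        # Termination disabled: the listener does not decrypt anything.
        lines.append("    bind %s:%d" % (vip, port))
    lines.append("    default_backend %s_backend" % name)
    lines.append("backend %s_backend" % name)
    for idx, (addr, member_port) in enumerate(members, 1):
        server = ["server member%d %s:%d" % (idx, addr, member_port)]
        if policy["back_end_enabled"]:
            server.append("ssl")
            server.append("ciphers %s" % policy["back_end_cipher_suites"])
            server += _protocol_flags(policy["back_end_protocols"])
            # Back-end server authentication is a 2nd-phase item on this page,
            # so no trust store exists yet: "verify none" re-encrypts but does
            # not authenticate the member.  Replace with "verify required
            # ca-file <path>" once BE trusted certificates are supported.
            server.append("verify none")
        lines.append("    " + " ".join(server))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: terminate TLS 1.1/1.2 on the VIP, re-encrypt with
    # TLS 1.2 only towards one member.
    sample_policy = {"front_end_enabled": True,
                     "front_end_protocols": ["TLSv1.1", "TLSv1.2"],
                     "front_end_cipher_suites": "HIGH",
                     "back_end_enabled": True,
                     "back_end_protocols": ["TLSv1.2"],
                     "back_end_cipher_suites": "HIGH"}
    print(render_listener("web", "10.0.0.10", 443, sample_policy,
                          "/etc/haproxy/certs/default.pem",
                          ["/etc/haproxy/certs/sni1.pem"],
                          [("10.0.1.5", 443)]))
```

The "verify none" line is the caveat worth noticing in a review of the driver: with the 1st-phase feature set, back-end re-encryption protects the hop from eavesdropping but not from a substituted member, which is exactly the gap the 2nd-phase "back-end server authentication" item closes.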

Support Matrix

| Provider    | Protocols                               | Cipher Suites | Certificate chain | FE client auth. | BE trusted cert. | BE client cert. | SNI |
|-------------|-----------------------------------------|---------------|-------------------|-----------------|------------------|-----------------|-----|
| HAProxy 1.5 | SSLv3, TLSv1                            | As OpenSSL    | Yes               | Yes             | No               | No              | Yes |
| Amazon EC2  | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2   | As OpenSSL    | Yes               | No              | Yes              | No              | No  |
| OpenStack   | SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2   | As OpenSSL    | Yes               | No              | Yes              | No              | Yes |