Difference between revisions of "Neutron/VPNaaS"
< Neutron
Nachi Ueno (talk | contribs) (→vpn-vpnservice-create) |
|||
| Line 8: | Line 8: | ||
Again for simplicity we will be just implementing IKE with “PSK” authentication mode rather than using certificates. In future we can extend to support certificate based authentication. | Again for simplicity we will be just implementing IKE with “PSK” authentication mode rather than using certificates. In future we can extend to support certificate based authentication. | ||
| + | == DataModel == | ||
| + | |||
| + | ===VPNServices Table=== | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes | ||
| + | |- | ||
| + | | id || uuid-str || N/A || R || generated || N/A || UUID for VPNService Object | ||
| + | |- | ||
| + | | tenant_id || uuid-str || Yes || CR || None || valid tenant_id || UUID of the tenant for the vpn service | ||
| + | |- | ||
| + | | name||string||no||CRU||None||N/A||name of the VPN Service | ||
| + | |- | ||
| + | | description||string||no||CRU||None||N/A||Description of the VPN Service | ||
| + | |- | ||
| + | | vpn_type||string||yes||CRU||None||ipsec||Service type - Defines the services type. | ||
| + | |- | ||
| + | | status||string||N/A||R||N/A||N/A||Indicates whether ipsec vpnservice is currently operational. Possible values include: | ||
| + | ACTIVE | ||
| + | DOWN | ||
| + | BUILD | ||
| + | ERROR | ||
| + | |- | ||
| + | | admin_state_up||bool||N/A||CRU||TRUE||true/false||Administrative state of vpnservice. If false (down), port does not forward packets | ||
| + | |- | ||
| + | |subnet_id||uuid||yes*( subnet_id or port_id is needed)||CR||N/A||Valid subnet id||Subnet id in which the tenant wants the vpn service | ||
| + | |- | ||
| + | |router_id||uuid||yes||CR||N/A||Valid router id||Router id to which the vpn service is inserted | ||
| + | |- | ||
| + | | port_id||uuid||yes*( subnet_id or port_id is needed) ||CR||N/A||Valid Port id||Port id to which the service is associated in the subnet | ||
| + | |} | ||
| + | <pre><nowiki> | ||
| + | +----------------+--------------+------+-----+---------+-------+ | ||
| + | | Field | Type | Null | Key | Default | Extra | | ||
| + | +----------------+--------------+------+-----+---------+-------+ | ||
| + | | tenant_id | varchar(255) | YES | | NULL | | | ||
| + | | id | varchar(36) | NO | PRI | NULL | | | ||
| + | | name | varchar(255) | YES | | NULL | | | ||
| + | | description | varchar(255) | YES | | NULL | | | ||
| + | | vpn_type | varchar(36) | NO | | NULL | | | ||
| + | | status | varchar(16) | NO | | NULL | | | ||
| + | | admin_state_up| tinyint(1) | NO | | NULL | | | ||
| + | | subnet_id | varchar(36) | NO | | NULL | | | ||
| + | | router_id | varchar(36) | NO | | NULL | | | ||
| + | | port_id | varchar(36) | YES | MUL | NULL | | | ||
| + | +----------------+--------------+------+-----+---------+-------+ | ||
| + | </nowiki></pre> | ||
| + | |||
| + | ===IKEPolicy Table=== | ||
| + | |||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes | ||
| + | |- | ||
| + | | id||uuid-str||N/A||R||generated||N/A||UUID for the IKEPolicy | ||
| + | |- | ||
| + | | tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | ||
| + | |- | ||
| + | | name||string||no||CRU||None||N/A||friendly name for the ikepolicy | ||
| + | |- | ||
| + | | description||string||no||CRU||None||N/A||Description of the ikepolicy | ||
| + | |- | ||
| + | | auth_algorithm||string||yes||CRU||sha1||N/A||Authentication Hash algorithms“sha1”/”md5”. | ||
| + | |- | ||
| + | | encryption_algorithm||string||yes||CRU||aes-128||N/A||Encryption Algorithms des, 3des, aes-128, aes-256, aes-192 etc., | ||
| + | |- | ||
| + | | phase1_negotiation_mode||string||yes||CRU||Main Mode||N/A||IKE mode either Main mode or Aggressive Mode | ||
| + | |- | ||
| + | |lifetime_units||string||no||CRU||seconds||"seconds / kilobytes"||Lifetime of the SA unit in ‘seconds’ or ‘kilobytes’ | ||
| + | |- | ||
| + | |lifetime_value||integer||yes||CRU||3600 for seconds OR 1843200 for kilobytes||Integer||Lifetime value in seconds or kilobytes | ||
| + | |- | ||
| + | |pfs||string||yes||CRU||Group2||N/A||Perfect Forward Secrecy (Group1, Group2, Group5, Group14) | ||
| + | |- | ||
| + | |ike_version||string||yes||CRU||IKEv1||N/A||IKEv1 or IKEv2 version | ||
| + | |- | ||
| + | |vpnservice_conn_id||uuid||yes||CR||N/A||uuid of vpnserviceconnection||uuid id of vpnserviceconnection | ||
| + | |} | ||
| + | <pre><nowiki> | ||
| + | +-------------------------+--------------+------+-----+---------+-------+ | ||
| + | | Field | Type | Null | Key | Default | Extra | | ||
| + | +-------------------------+--------------+------+-----+---------+-------+ | ||
| + | | tenant_id | varchar(255) | YES | | NULL | | | ||
| + | | id | varchar(36) | NO | PRI | NULL | | | ||
| + | | name | varchar(255) | YES | | NULL | | | ||
| + | | description | varchar(255) | YES | | NULL | | | ||
| + | | auth_algorithm | varchar(8) | NO | | NULL | | | ||
| + | | encryption_algorithm | varchar(16) | NO | | NULL | | | ||
| + | | phase1_negotiation_mode | varchar(16) | NO | | NULL | | | ||
| + | | lifetime_units | varchar(16) | NO | | NULL | | | ||
| + | | lifetime_value | int(11) | NO | | NULL | | | ||
| + | | pfs | varchar(8) | NO | | NULL | | | ||
| + | +-------------------------+--------------+------+-----+---------+-------+ | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | ===IPsecPolicys Table=== | ||
| + | |||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes | ||
| + | |- | ||
| + | | id||uuid-str||N/A||R||generated||N/A||UUID for the IPsecPolicy | ||
| + | |- | ||
| + | | tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | ||
| + | |- | ||
| + | | name||string||no||CRU||None||N/A||friendly name for the IPsecPolicy | ||
| + | |- | ||
| + | | description||string||no||CRU||None||N/A||Description of the policy | ||
| + | |- | ||
| + | | transform_protocol||string||yes||CRU||ESP||N/A||Tranform Protocol used such as ESP or AH or AH-ESP | ||
| + | |- | ||
| + | | encapsulation_mode||string||yes||CRU||tunnel||N/A||Encapsulation mode either Tunnel mode or transport mode | ||
| + | |- | ||
| + | | auth_algorithm||string||yes||CRU||sha1||N/A||Authentication algorithms md5 and sha1 | ||
| + | |- | ||
| + | |encryption_algorithm||string||yes||CRU||aes-128||N/A||Encryption Algorithms3des, aes-128, aes-256, aes-192, des | ||
| + | |- | ||
| + | |lifetime_units||string||no||CRU||seconds||"seconds / kilobytes"||Lifetime of the SA unit in ‘seconds’ or ‘kilobytes’ | ||
| + | |- | ||
| + | |lifetime_value||integer||yes||CRU||3600 for seconds OR 1843200 for kilobytes||Integer||Lifetime value in seconds or kilobytes | ||
| + | |- | ||
| + | |pfs||string||yes||CRU||Group2||N/A||Perfect Forward Secrecy (Group1, Group2, Group5, Group14) | ||
| + | |- | ||
| + | |vpnservice_conn_id||uuid||yes||CR||N/A||uuid of vpnserviceconnection||uuid id of vpnserviceconnection | ||
| + | |} | ||
| + | |||
| + | <pre><nowiki> | ||
| + | +----------------------+--------------+------+-----+---------+-------+ | ||
| + | | Field | Type | Null | Key | Default | Extra | | ||
| + | +----------------------+--------------+------+-----+--------+-------+ | ||
| + | | tenant_id | varchar(255) | YES | | NULL | | | ||
| + | | id | varchar(36) | NO | PRI | NULL | | | ||
| + | | name | varchar(255) | YES | | NULL | | | ||
| + | | description | varchar(255) | YES | | NULL | | | ||
| + | | transform_protocol | varchar(8) | NO | | NULL | | | ||
| + | | auth_algorithm | varchar(8) | NO | | NULL | | | ||
| + | | encryption_algorithm | varchar(16) | NO | | NULL | | | ||
| + | | encapsulation_mode | varchar(16) | NO | | NULL| | | ||
| + | | lifetime_units | varchar(16) | NO | | NULL | | | ||
| + | | lifetime_value | int(11) | NO | | NULL | | | ||
| + | | pfs | varchar(8) | NO | | NULL | | | ||
| + | +----------------------+--------------+------+-----+---------+-------+ | ||
| + | </nowiki></pre> | ||
| + | |||
| + | ===VPNServiceConnections Table === | ||
| + | |||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes | ||
| + | |- | ||
| + | | id||uuid-str||N/A||R||generated||N/A||UUID for the vpns connection | ||
| + | |- | ||
| + | | tenant_id||uuid-str||Yes||CR||None||valid tenant_id||UUID for owner of the vpn service | ||
| + | |- | ||
| + | | name||string||no||CRU||None||N/A||name for vpnconnection | ||
| + | |- | ||
| + | | description||string||no||CRU||None||N/A||Description of the vpnconnection | ||
| + | |- | ||
| + | | peer_address||ipaddress(v4 or v6)||yes||CRU||N/A||valid ip address (v4 or v6)||peer vpn gateway public address or FQDN | ||
| + | |- | ||
| + | | peer_id||string||yes||CRU||N/A||N/A||Peer identifier ( Can be name, string or FQDN ) | ||
| + | |- | ||
| + | | peer_cidrs||list[string]||yes||CRU||N/A||list of valid cidr in the form <network_address>/<prefix>||Peer private cidrs | ||
| + | |- | ||
| + | | local_cidrs||list[string]||yes||CRU||N/A||list of valid cidr in the form <network_address>/<prefix>||local cidrs | ||
| + | |- | ||
| + | | route_mode||string||yes||R||static||static||Static | ||
| + | |- | ||
| + | | mtu||integer||no||CRU||1500||Integer||mtu - maximum transmission unit to address fragmentation | ||
| + | |- | ||
| + | | dpd_actions||string||no||CRU||hold||"hold / clear / disabled /restart /restart_by_peer"||DPD actions controls the use of Dead Peer Detection Protocol. ( clear, hold, restart, disabled, restart_by_peer) | ||
| + | |- | ||
| + | | dpd_interval||integer||no||CRU||30||> 0||sec for DPD delay | ||
| + | |- | ||
| + | | dpd_timeout||integer||no||CRU||120||> 0 & > dpd_interval||sec for DPD timeout | ||
| + | |- | ||
| + | | auth_mode||string||no||R||psk||psk/certs||Authentication mode, either PSK or certificate | ||
| + | |- | ||
| + | | psk||string||yes||CRU||N/A||NO||Pre-shared-key any string. | ||
| + | |- | ||
| + | | initiator||string||no||CRU||bidirectional||"bidirectional / response_only"||Whether this VPN can only respond to connections or can initiate as well | ||
| + | |- | ||
| + | | admin_status_up||bool||N/A||CRU||TRUE||"true / false"||Administrative state of vpn connection. If false (down), vpn concd nection does not forward packets | ||
| + | |- | ||
| + | | status||string||N/A||R||N/A||N/A||Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR | ||
| + | |- | ||
| + | | vpnservice_ikepolicy_id||uuid||yes||CR||N/A||uuid of vpnservice_ikepolicy||uuid id of vpnservice_ikepolicy | ||
| + | |- | ||
| + | | vpnservice_ipsecpolicy_id||uuid||yes||CR||N/A||uuid of vpnservice_ipsecpolicy||uuid id of vpnservice_ipsecpolicy | ||
| + | |- | ||
| + | | vpnservice_id||uuid||yes||CR||N/A||uuid of vpnservice||service id of vpnservice | ||
| + | |} | ||
| + | |||
| + | <pre><nowiki> | ||
| + | |||
| + | +---------------------------+--------------+------+-----+---------+-------+ | ||
| + | | Field | Type | Null | Key | Default | Extra | | ||
| + | +---------------------------+--------------+------+-----+---------+-------+ | ||
| + | | tenant_id | varchar(255) | YES | | NULL | | | ||
| + | | id | varchar(36) | NO | PRI | NULL | | | ||
| + | | name | varchar(255) | YES | | NULL | | | ||
| + | | description | varchar(255) | YES | | NULL | | | ||
| + | | peer_address | varchar(64) | NO | | NULL | | | ||
| + | | peer_id | varchar(255) | NO | | NULL | | | ||
| + | | peer_cidrs | varchar(64) | NO | | NULL | | | ||
| + | | local_cidrs | varchar(64) | NO | | NULL | | | ||
| + | | route_mode | varchar(8) | NO | | NULL | | | ||
| + | | mtu | int(11) | NO | | NULL | | | ||
| + | | initiator | varchar(16) | NO | | NULL | | | ||
| + | | auth_mode | varchar(16) | NO | | NULL | | | ||
| + | | psk | varchar(255) | NO | | NULL | | | ||
| + | | dpd_action | varchar(16) | NO | | NULL | | | ||
| + | | dpd_interval | int(11) | NO | | NULL | | | ||
| + | | dpd_timeout | int(11) | NO | | NULL | | | ||
| + | | status | varchar(16) | NO | | NULL | | | ||
| + | | admin_state_up | tinyint(1) | NO | | NULL | | | ||
| + | | vpnservice_id | varchar(36) | NO | MUL | NULL | | | ||
| + | | vpnservice_ipsecpolicy_id | varchar(36) | NO | MUL | NULL | | | ||
| + | | vpnservice_ikepolicy_id | varchar(36) | NO | MUL | NULL | | | ||
| + | +---------------------------+--------------+------+-----+---------+-------+ | ||
| + | |||
| + | </nowiki></pre> | ||
== Current Proposed API for VPNaaS "[[Quantum/VPNaaS/API]]"== | == Current Proposed API for VPNaaS "[[Quantum/VPNaaS/API]]"== | ||
Revision as of 04:22, 15 May 2013
Contents
- 1 Overview
- 2 Command Specification
- 2.1 vpn-vpnservice-create
- 2.2 vpn-vpnservice-delete
- 2.3 vpn-vpnservice-list
- 2.4 vpn-vpnservice-show
- 2.5 vpn-vpnservice-update
- 2.6 vpn-ikepolicy-create
- 2.7 vpn-ikepolicy-delete
- 2.8 vpn-ikepolicy-list
- 2.9 vpn-ikepolicy-show
- 2.10 vpn-ikepolicy-update
- 2.11 vpn-ipsecpolicy-create
- 2.12 vpn-ipsecpolicy-delete
- 2.13 vpn-ipsecpolicy-list
- 2.14 vpn-ipsecpolicy-show
- 2.15 vpn-ipsecpolicy-update
- 2.16 vpn-vpnserviceconnection-create
- 2.17 vpn-vpnserviceconnection-delete
- 2.18 vpn-vpnserviceconnection-list
- 2.19 vpn-vpnserviceconnection-show
- 2.20 vpn-vpnserviceconnection-update
- 3 REST API
- 4 Blueprints
- 5 Havana Plan
Overview
VPNaaS (VPN-as-a-Service) is a Quantum extension that introduces VPN feature set.
The following is the proposed plan for design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. While our long term goal for VPNaaS is to make it very feature rich and to support multiple tunneling,security protocols that supports both static and dynamic routing, but for the short term we would want to deliver a basic experimental reference implementation based on opensource for IPsec based VPNs using just static routing that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback, and make enhancements if required.
Also we would like to have a simple model such as the AWS for configuring the VPN. In AWS the IKE and IPsec Policies are pre-defined, but we would want to make it more user configurable rather than pre-defined templates.
Again for simplicity we will be just implementing IKE with “PSK” authentication mode rather than using certificates. In future we can extend to support certificate based authentication.
DataModel
VPNServices Table
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | UUID for VPNService Object |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID of the tenant for the vpn service |
| name | string | no | CRU | None | N/A | name of the VPN Service |
| description | string | no | CRU | None | N/A | Description of the VPN Service |
| vpn_type | string | yes | CRU | None | ipsec | Service type - Defines the services type. |
| status | string | N/A | R | N/A | N/A | Indicates whether ipsec vpnservice is currently operational. Possible values include:
ACTIVE DOWN BUILD ERROR |
| admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of vpnservice. If false (down), port does not forward packets |
| subnet_id | uuid | yes*( subnet_id or port_id is needed) | CR | N/A | Valid subnet id | Subnet id in which the tenant wants the vpn service |
| router_id | uuid | yes | CR | N/A | Valid router id | Router id to which the vpn service is inserted |
| port_id | uuid | yes*( subnet_id or port_id is needed) | CR | N/A | Valid Port id | Port id to which the service is associated in the subnet |
+----------------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +----------------+--------------+------+-----+---------+-------+ | tenant_id | varchar(255) | YES | | NULL | | | id | varchar(36) | NO | PRI | NULL | | | name | varchar(255) | YES | | NULL | | | description | varchar(255) | YES | | NULL | | | vpn_type | varchar(36) | NO | | NULL | | | status | varchar(16) | NO | | NULL | | | admin_state_up| tinyint(1) | NO | | NULL | | | subnet_id | varchar(36) | NO | | NULL | | | router_id | varchar(36) | NO | | NULL | | | port_id | varchar(36) | YES | MUL | NULL | | +----------------+--------------+------+-----+---------+-------+
IKEPolicy Table
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | UUID for the IKEPolicy |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
| name | string | no | CRU | None | N/A | friendly name for the ikepolicy |
| description | string | no | CRU | None | N/A | Description of the ikepolicy |
| auth_algorithm | string | yes | CRU | sha1 | N/A | Authentication Hash algorithms“sha1”/”md5”. |
| encryption_algorithm | string | yes | CRU | aes-128 | N/A | Encryption Algorithms des, 3des, aes-128, aes-256, aes-192 etc., |
| phase1_negotiation_mode | string | yes | CRU | Main Mode | N/A | IKE mode either Main mode or Aggressive Mode |
| lifetime_units | string | no | CRU | seconds | "seconds / kilobytes" | Lifetime of the SA unit in ‘seconds’ or ‘kilobytes’ |
| lifetime_value | integer | yes | CRU | 3600 for seconds OR 1843200 for kilobytes | Integer | Lifetime value in seconds or kilobytes |
| pfs | string | yes | CRU | Group2 | N/A | Perfect Forward Secrecy (Group1, Group2, Group5, Group14) |
| ike_version | string | yes | CRU | IKEv1 | N/A | IKEv1 or IKEv2 version |
| vpnservice_conn_id | uuid | yes | CR | N/A | uuid of vpnserviceconnection | uuid id of vpnserviceconnection |
+-------------------------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------------------+--------------+------+-----+---------+-------+ | tenant_id | varchar(255) | YES | | NULL | | | id | varchar(36) | NO | PRI | NULL | | | name | varchar(255) | YES | | NULL | | | description | varchar(255) | YES | | NULL | | | auth_algorithm | varchar(8) | NO | | NULL | | | encryption_algorithm | varchar(16) | NO | | NULL | | | phase1_negotiation_mode | varchar(16) | NO | | NULL | | | lifetime_units | varchar(16) | NO | | NULL | | | lifetime_value | int(11) | NO | | NULL | | | pfs | varchar(8) | NO | | NULL | | +-------------------------+--------------+------+-----+---------+-------+
IPsecPolicys Table
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | UUID for the IPsecPolicy |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
| name | string | no | CRU | None | N/A | friendly name for the IPsecPolicy |
| description | string | no | CRU | None | N/A | Description of the policy |
| transform_protocol | string | yes | CRU | ESP | N/A | Tranform Protocol used such as ESP or AH or AH-ESP |
| encapsulation_mode | string | yes | CRU | tunnel | N/A | Encapsulation mode either Tunnel mode or transport mode |
| auth_algorithm | string | yes | CRU | sha1 | N/A | Authentication algorithms md5 and sha1 |
| encryption_algorithm | string | yes | CRU | aes-128 | N/A | Encryption Algorithms3des, aes-128, aes-256, aes-192, des |
| lifetime_units | string | no | CRU | seconds | "seconds / kilobytes" | Lifetime of the SA unit in ‘seconds’ or ‘kilobytes’ |
| lifetime_value | integer | yes | CRU | 3600 for seconds OR 1843200 for kilobytes | Integer | Lifetime value in seconds or kilobytes |
| pfs | string | yes | CRU | Group2 | N/A | Perfect Forward Secrecy (Group1, Group2, Group5, Group14) |
| vpnservice_conn_id | uuid | yes | CR | N/A | uuid of vpnserviceconnection | uuid id of vpnserviceconnection |
+----------------------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +----------------------+--------------+------+-----+--------+-------+ | tenant_id | varchar(255) | YES | | NULL | | | id | varchar(36) | NO | PRI | NULL | | | name | varchar(255) | YES | | NULL | | | description | varchar(255) | YES | | NULL | | | transform_protocol | varchar(8) | NO | | NULL | | | auth_algorithm | varchar(8) | NO | | NULL | | | encryption_algorithm | varchar(16) | NO | | NULL | | | encapsulation_mode | varchar(16) | NO | | NULL| | | lifetime_units | varchar(16) | NO | | NULL | | | lifetime_value | int(11) | NO | | NULL | | | pfs | varchar(8) | NO | | NULL | | +----------------------+--------------+------+-----+---------+-------+
VPNServiceConnections Table
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | UUID for the vpns connection |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
| name | string | no | CRU | None | N/A | name for vpnconnection |
| description | string | no | CRU | None | N/A | Description of the vpnconnection |
| peer_address | ipaddress(v4 or v6) | yes | CRU | N/A | valid ip address (v4 or v6) | peer vpn gateway public address or FQDN |
| peer_id | string | yes | CRU | N/A | N/A | Peer identifier ( Can be name, string or FQDN ) |
| peer_cidrs | list[string] | yes | CRU | N/A | list of valid cidr in the form <network_address>/<prefix> | Peer private cidrs |
| local_cidrs | list[string] | yes | CRU | N/A | list of valid cidr in the form <network_address>/<prefix> | local cidrs |
| route_mode | string | yes | R | static | static | Static |
| mtu | integer | no | CRU | 1500 | Integer | mtu - maximum transmission unit to address fragmentation |
| dpd_actions | string | no | CRU | hold | "hold / clear / disabled /restart /restart_by_peer" | DPD actions controls the use of Dead Peer Detection Protocol. ( clear, hold, restart, disabled, restart_by_peer) |
| dpd_interval | integer | no | CRU | 30 | > 0 | sec for DPD delay |
| dpd_timeout | integer | no | CRU | 120 | > 0 & > dpd_interval | sec for DPD timeout |
| auth_mode | string | no | R | psk | psk/certs | Authentication mode, either PSK or certificate |
| psk | string | yes | CRU | N/A | NO | Pre-shared-key any string. |
| initiator | string | no | CRU | bidirectional | "bidirectional / response_only" | Whether this VPN can only respond to connections or can initiate as well |
| admin_status_up | bool | N/A | CRU | TRUE | "true / false" | Administrative state of vpn connection. If false (down), vpn concd nection does not forward packets |
| status | string | N/A | R | N/A | N/A | Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR |
| vpnservice_ikepolicy_id | uuid | yes | CR | N/A | uuid of vpnservice_ikepolicy | uuid id of vpnservice_ikepolicy |
| vpnservice_ipsecpolicy_id | uuid | yes | CR | N/A | uuid of vpnservice_ipsecpolicy | uuid id of vpnservice_ipsecpolicy |
| vpnservice_id | uuid | yes | CR | N/A | uuid of vpnservice | service id of vpnservice |
+---------------------------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +---------------------------+--------------+------+-----+---------+-------+ | tenant_id | varchar(255) | YES | | NULL | | | id | varchar(36) | NO | PRI | NULL | | | name | varchar(255) | YES | | NULL | | | description | varchar(255) | YES | | NULL | | | peer_address | varchar(64) | NO | | NULL | | | peer_id | varchar(255) | NO | | NULL | | | peer_cidrs | varchar(64) | NO | | NULL | | | local_cidrs | varchar(64) | NO | | NULL | | | route_mode | varchar(8) | NO | | NULL | | | mtu | int(11) | NO | | NULL | | | initiator | varchar(16) | NO | | NULL | | | auth_mode | varchar(16) | NO | | NULL | | | psk | varchar(255) | NO | | NULL | | | dpd_action | varchar(16) | NO | | NULL | | | dpd_interval | int(11) | NO | | NULL | | | dpd_timeout | int(11) | NO | | NULL | | | status | varchar(16) | NO | | NULL | | | admin_state_up | tinyint(1) | NO | | NULL | | | vpnservice_id | varchar(36) | NO | MUL | NULL | | | vpnservice_ipsecpolicy_id | varchar(36) | NO | MUL | NULL | | | vpnservice_ikepolicy_id | varchar(36) | NO | MUL | NULL | | +---------------------------+--------------+------+-----+---------+-------+
Current Proposed API for VPNaaS "Quantum/VPNaaS/API"
This section describes commands that will be introduced into python-quantumclient in order to support VPNaaS advanced service.
vpn-vpnservice-create Create a VPNService vpn-vpnservice-delete Delete a given VPNService vpn-vpnservice-list List all VPNService for a given tenant. vpn-vpnservice-show Show detailed information of a given VPNService. vpn-vpnservice-update Update a given VPNservice. vpn-ikepolicy-create Create an IKEPolicy vpn-ikepolicy-delete Delete a given IKE Policy. vpn-ikepolicy-list List IKEPolicies that belong to a given tenant. vpn-ikepolicy-show Show detailed information of a given IKEPolicy. vpn-ikepolicy-update Update a given IKE Policy. vpn-ipsecpolicy-create Create an IPsec policy vpn-ipsecpolicy-delete Delete a given IPsec Policy vpn-ipsecpolicy-list List IPsec Policy that belong to a given tenant connection. vpn-ipsecpolicy-show Show detailed information of a given IPsec Policy vpn-ipsecpolicy-update Update a given IPsec Policy. vpn-vpnserviceconnection-create Create a VPNServiceConnection vpn-vpnserviceconnection-delete Delete a given VPNServiceConnection. vpn-vpnserviceconnection-list List VPNServiceConnections that belong to a given tenant. vpn-vpnserviceconnection-show Show information of a given VPNServiceConnection. vpn-vpnserviceconnection-update Update a given VPNServiceConnection.
Command Specification
vpn-vpnservice-create
Create a new vpnservice
quantum vpn-vpnservice-create [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}]
[--tenant-id TENANT_ID]
[--admin-state-down] [--name NAME]
[--description DESCRIPTION] --vpn_type
VPN_TYPE [--router_id ROUTER_ID]
--subnet_id SUBNET_ID [--port_id PORT_ID]
- vpn_type: One of predefined vpn service types, for the first release only "ipsec" supported.
- tenant-id: ID of the Tenant that owns the VPN Service.
- router-id: ID of the router to which the VPN will be attached to.
- subnet-id: ID of the Subnet to which the VPN will provide service. (*)
- port-id: ID of the port to which the VPN address will be associated with. (*)
(*) subnet-id or port-id should be specified such as router
vpn-vpnservice-delete
Delete a given vpnservice object.
quantum vpn-vpnservice-delete [-h] [--request-format {json,xml}] VPNSERVICE
- VPNSERVICE: Unique identifier that identifies the VPN Service to be deleted.
vpn-vpnservice-list
Show list of VPN Service objects available to tenant.
quantum vpn-vpnservice-list
vpn-vpnservice-show
Shows information about a given VPN Service object.
quantum vpn-vpnservice-show [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}] [-D]
[-F FIELD]
VPNSERVICE
vpn-vpnservice-update
Update information of a given VPN Service Object.
quantum vpn-vpnservice-update [-h] [--request-format {json,xml}] VPNSERVICE
vpn-ikepolicy-create
Create a new ikepolicy object
quantum vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}]
[--tenant-id TENANT_ID] --name NAME
[--description DESCRIPTION]
[--auth_algorithm AUTH_ALGORITHM]
[--encryption_algorithm ENCRYPTION_ALGORITHM]
[--phase1_negotiation_mode PHASE1_NEGOTIATION_MODE]
[--lifetime_units LIFETIME_UNITS]
[--lifetime_value LIFETIME_VALUE]
[--pfs PFS]
- name: Friendly name of the IKEPolicy used in IPsec VPN Service Connections
- description: Friendly description of the IKEPolicy used in IPsec VPN Service Connections
- tenant-id: ID of the Tenant that owns the VPN Service.
- auth_algorithm: Authentication algorithm used in the IKEPolicy.
- encryption_algorithm: Encryption algorithm used in the IKEPolicy.
- phase1_negotiation_mode: Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'.
- lifetime_units: Specify the unit of measurement for the lifetime either 'seconds' or 'kilobytes'.
- lifetime_value: Specify the lifetime value based on the unit selected.
vpn-ikepolicy-delete
Delete a given IKEPolicy object.
quantum vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
IKEPOLICY
- IKEPOLICY: Unique identifier that identifies the IKEPolicy to be deleted.
vpn-ikepolicy-list
Show list of IKEPolicy objects available to tenant.
quantum vpn-ikepolicy-list
vpn-ikepolicy-show
Shows information about a given IKEPolicy object.
quantum vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}] [-D]
[-F FIELD]
IKEPOLICY
vpn-ikepolicy-update
Update information of a given IKEPolicy Object.
quantum vpn-ikepolicy-delete [-h] [--request-format {json,xml}]
IKEPOLICY
vpn-ipsecpolicy-create
Create a new ipsecpolicy object
quantum vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}]
[--tenant-id TENANT_ID] --name NAME
[--description DESCRIPTION]
--transform_protocol TRANSFORM_PROTOCOL
[--auth_algorithm AUTH_ALGORITHM]
[--encryption_algorithm ENCRYPTION_ALGORITHM]
[--encapsulation_mode ENCAPSULATION_MODE]
[--lifetime_units LIFETIME_UNITS]
[--lifetime_value LIFETIME_VALUE]
[--pfs PFS]
- name: Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
- description: Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
- tenant-id: ID of the Tenant that owns the VPN Service.
- auth_algorithm: Authentication algorithm used in the IPsecPolicy.
- encryption_algorithm: Encryption algorithm used in the IPsecPolicy.
- encapsulation_mode: Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
- transfrom_protocol: IPsec Transform Protocol either 'ESP' or 'AH'.
- lifetime_units: Specify the unit of measurement for the lifetime either 'seconds' or 'kilobytes'.
- lifetime_value: Specify the lifetime value based on the unit selected.
vpn-ipsecpolicy-delete
Delete a given IPsecPolicy object.
quantum vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
IPSECPOLICY
- IPSECPOLICY: Unique identifier that identifies the IPSECPolicy to be deleted.
vpn-ipsecpolicy-list
Show list of IPSECPolicy objects available to tenant.
quantum vpn-ipsecpolicy-list
vpn-ipsecpolicy-show
Shows information about a given IPsecPolicy object.
quantum vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}] [-D]
[-F FIELD]
IPSECPOLICY
vpn-ipsecpolicy-update
Update information of a given IPsecPolicy Object.
quantum vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}]
IPSECPOLICY
vpn-vpnserviceconnection-create
Create a new vpnserviceconnection object
quantum vpn-vpnserviceconnection-create [-h] [-f {shell,table}]
[-c COLUMN]
[--variable VARIABLE]
[--prefix PREFIX]
[--request-format {json,xml}]
[--tenant-id TENANT_ID]
[--admin-state-down] --name NAME
[--description DESCRIPTION]
--peer_address PEER_ADDRESS
--peer_id PEER_ID --peer_cidrs
PEER_CIDRS --local_cidrs
LOCAL_CIDRS [--mtu MTU]
[--dpd_action DPD_ACTION]
[--dpd_interval DPD_INTERVAL]
[--dpd_timeout DPD_TIMEOUT]
[--route_mode ROUTE_MODE]
[--auth_mode AUTH_MODE] [--psk PSK]
[--initiator INITIATOR]
vpnservice ikepolicy ipsecpolicy
- peer_address: Remote Peer IP Address for the VPN Connection.
- tenant-id: ID of the Tenant that owns the VPN Service.
- peer_id: Peer identifier string.
- peer_cidrs: Remote Peer Subnet with mask in CIDR format.
- local-cidrs: Local Subnet with mask in CIDR format.
- mtu: MTU for fragmentation
- dpd_action: Dead peer detection action.
- dpd_interval: Dead peer detection interval.
- dpd_timeout: Dead peer detection timeout.
- route_mode: Routing mode either 'static' or 'dynamic' - for first release only 'static supported.
- auth_mode: Authentication mode either 'PSK' or 'CERTS'
- psk: Peer identifier string.
- initiator: Initiator mode either 'bi-directional' or 'responder'.
- vpnservice: Unique Identifier to the VPN Service Object.
- ikepolicy: Unique Identifier to the IKE Policy Object.
- ipsecpolicy: Unique Identifier to the IPsec Policy Object.
vpn-vpnserviceconnection-delete
Delete a given vpnserviceconnection object.
quantum vpn-vpnserviceconnection-delete [-h]
[--request-format {json,xml}]
VPNSERVICECONNECTION
- VPNSERVICECONNECTION: Unique identifier that identifies the VPN Service Connection to be deleted.
vpn-vpnserviceconnection-list
Show list of VPN Service Connection objects available to tenant.
quantum vpn-vpnserviceconnection-list
vpn-vpnserviceconnection-show
Shows information about a given VPN Service Connection object.
quantum vpn-vpnserviceconnection-show [-h] [-f {shell,table}] [-c COLUMN]
[--variable VARIABLE] [--prefix PREFIX]
[--request-format {json,xml}] [-D]
[-F FIELD]
VPNSERVICECONNECTION
vpn-vpnserviceconnection-update
Update information of a given VPN Service Connection Object.
quantum vpn-vpnserviceconnection-update [-h] [--request-format {json,xml}] VPNSERVICECONNECTION
REST API
High-Level Task Flow
The high-level task flow for using VPNaaS API to configure IPsec VPN is as follows:
- The tenant creates a VPNService, without any connections.
- The tenant creates one or more IKEPolicies.
- The tenant creates one or more IPsecPolicies.
- The tenant creates one or more VPNServiceConnections and associates with the VPNService id, IKEPolicy id and IPsecPolicy id.
VPNService APIs
GET /v1.0/vpnservices/ GET /v1.0/vpnservices/vpnservice_id POST /v1.0/vpnservices UPDATE /v1.0/vpnservices/vpnservice_id DELETE /v1.0/vpnservices/vpnservice_id
VPNService Create
JSON Request
#!highlight javascript numbers=disable
POST /v1.0/vpnservices
Content-Type: application/json
Accept: application/json
X-Auth-Token:xyz
Content-Length: abc
{
"vpnservice": {
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
"name": "cloud_vpn",
"subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
"router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
"vpn_type": "ipsec”,
}
}
JSON Response
#!highlight javascript numbers=disable
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc
{
"vpnservice": {
"id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
"name": "cloud_vpn",
"subnet_id": "96a4386a-f8c3-42ed-afce-d7954eee77b3",
"router_id": "8acda86a-f8c3-42ed-afce-d7954eee77b3",
"port_id" : "cd1f7a47-4fa6-449c-9ee7-632838aedfea",
"vpn_type": "ipsec”,
"admin_state_up": true,
"status": "PENDING_CREATE"
}
}
IKEPolicy APIs
GET /v1.0/ikepolicys/ POST /v1.0/ikepolicys GET /v1.0/ikepolicys/ikepolicy_id UPDATE /v1.0/ikepolicys/ikepolicy_id DELETE /v1.0/ikepolicys/ikepolicy_id
IKEPolicy Create
JSON Request
#!highlight javascript numbers=disable
POST /v1.0/ikepolicys
Accept: application/json
Content-Type: application/json
X-Auth-Token:xyz
Content-Length: abc
{
"ikepolicy" : {
"name": "ikepolicy_1",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "aes-256",
"phase1_negotiation_mode" : "main",
"lifetime_unit" : "seconds"
"lifetime_value" : "28800",
"pfs": " Group2",
}
}
JSON Response
#!highlight javascript numbers=disable
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc
{
"ikepolicy" : {
"id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
"name": "ikepolicy_1",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "aes-256",
"phase1_negotiation_mode" : "main",
"lifetime_units" : "seconds",
"lifetime" : "28800",
"pfs": "Group2",
}
}
IPsecPolicy APIs
GET /v1.0/ipsecpolicys/ POST /v1.0/ipsecpolicys GET /v1.0/ipsecpolicys/ipsecpolicy_id UPDATE /v1.0/ipsecpolicys/ipsecpolicy_id DELETE /v1.0/ipsecpolicys/ipsecpolicy_id
IPsecPolicy Create
JSON Request
#!highlight javascript numbers=disable
POST /v1.0/ipsecpolicys
Accept: application/json
Content-Type: application/json
X-Auth-Token:xyz
Content-Length: abc
{
"ipsecpolicy" : {
"name": "ipsecpolicy_1",
"transform_protocol": "esp",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "aes-256",
"encapsulation_mode" : "tunnel",
"lifetime_units" : "seconds",
"lifetime" : "28800s",
"pfs": "Group2"
}
}
JSON Response
#!highlight javascript numbers=disable
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc
{
"ipsecpolicy" : {
"id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
"name": "ipsecpolicy_1",
"transform_protocol": "esp",
"auth_algorithm" : "sha1",
"encryption_algorithm" : "aes-256",
"encapsulation_mode" : "tunnel",
"lifetime_units" : "seconds",
"lifetime" : "28800",
"pfs": "Group2"
}
}
VPNServiceConnection
VPNServiceConnection APIs
GET /v1.0/vpnserviceconnections/ POST /v1.0/vpnserviceconnections GET /v1.0/vpnserviceconnections/vpnservice_conn_id UPDATE /v1.0/vpnserviceconnections/vpnservice_conn_id DELETE /v1.0/vpnserviceconnections/vpnservice_conn_id
VPNServiceConnection Create
JSON Request
#!highlight javascript numbers=disable
POST /v1.0/vpnserviceconnections
Accept: application/json
Content-Type: application/json
X-Auth-Token:xyz
Content-Length: abc
{
"vpnserviceconnection" : {
"name": "ipsec_connection_1",
"peer_address": "192.168.2.255",
"peer_id" : "192.168.2.255",
"peer_cidrs" : "10.30.2.0/24",
"local_cidrs" : "10.20.3.0/24",
"route_mode" : "static",
"dpd_action" : "hold",
"dpd_timeout" : "30",
"dpd_interval": "150",
"mtu": "1500",
"auth_mode": "psk",
"psk": "bla_bla_bla",
"initiator": "bi-directional",
"vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
"vpnservice_ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
"vpnservice_ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed"
}
}
JSON Response
#!highlight javascript numbers=disable
HTTP/1.1 202 Accepted
Content-Type: application/json
Content-Length: abc
{
"vpnserviceconnection" : {
"id":"cfc6589d-f949-4c66-99d2-c2da56ef3764",
"tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
"name": "ipsec_connection_1",
"peer_address": "192.168.2.255",
"peer_id" : "192.168.2.255",
"peer_cidrs" : "10.30.2.0/24",
"local_cidrs" : "10.20.3.0/24",
"route_mode" : "static",
"dpd_action" : "hold",
"dpd_timeout" : "30",
"dpd_interval": "150",
"mtu": "1500",
"auth_mode": "psk",
"psk": "bla_bla_bla",
"initiator": "bi-directional",
"vpnservice_id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
"vpnservice_ikepolicy_id": "03299abc-16f5-4917-bf19-c40a9af805ed",
"vpnservice_ipsecpolicy_id": "0dbc1234-16f5-4917-bf19-c40a9af805ed",
"admin_state_up": true,
"status": "PENDING_CREATE"
}
}
Blueprints
VPN as a Service ( VPNaaS) APIs, DataModel and Use Cases
