Neutron/VPNaaS
Contents
- 1 Overview
- 2 Command Specification
- 2.1 vpn-service-create
- 2.2 vpn-service-delete
- 2.3 vpn-service-list
- 2.4 vpn-service-show
- 2.5 vpn-service-update
- 2.6 vpn-ikepolicy-create
- 2.7 vpn-ikepolicy-delete
- 2.8 vpn-ikepolicy-list
- 2.9 vpn-ikepolicy-show
- 2.10 vpn-ikepolicy-update
- 2.11 vpn-ipsecpolicy-create
- 2.12 vpn-ipsecpolicy-delete
- 2.13 vpn-ipsecpolicy-list
- 2.14 vpn-ipsecpolicy-show
- 2.15 vpn-ipsecpolicy-update
- 2.16 ipsec-site-connection-create
- 2.17 ipsec-site-connection-delete
- 2.18 ipsec-site-connection-list
- 2.19 ipsec-site-connection-show
- 2.20 ipsec-site-connection-update
- 3 REST API
- 4 Blueprints
- 5 Havana Plan
Overview
VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces VPN feature set.
The following is the proposed plan for design and implementation of the VPN as a Service feature in OpenStack Networking for the Havana release. While our long term goal for VPNaaS is to make it very feature rich and to support multiple tunneling,security protocols that supports both static and dynamic routing, but for the short term we would want to deliver a basic experimental reference implementation based on opensource for IPsec based VPNs using just static routing that will allow us to evaluate the API, resource model and usability of this feature. This will allow us to gather feedback, and make enhancements if required.
Also we would like to have a simple model such as the AWS for configuring the VPN. In AWS the IKE and IPsec Policies are pre-defined, but we would want to make it more user configurable rather than pre-defined templates.
Again for simplicity we will be just implementing IKE with “PSK” authentication mode rather than using certificates. In future we can extend to support certificate based authentication.
DataModel
VPNServices Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for VPNService Object |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID of the tenant for the vpn service |
name | string | no | CRU | None | N/A | name of the VPN Service |
description | string | no | CRU | None | N/A | Description of the VPN Service |
status | string | N/A | R | N/A | N/A | Indicates whether ipsec vpnservice is currently operational. Possible values include:
ACTIVE DOWN BUILD ERROR |
admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of vpnservice. If false (down), port does not forward packets |
subnet_id | uuid | yes*( subnet_id is needed) | CR | N/A | Valid subnet id | Subnet id in which the tenant wants the vpn service |
router_id | uuid | yes | CR | N/A | Valid router id | Router id to which the vpn service is inserted |
IKEPolicies Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the IKEPolicy |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | yes | CRU | None | N/A | friendly name for the ikepolicy |
description | string | no | CRU | None | N/A | Description of the ikepolicy |
auth_algorithm | string | no | CRU | sha1 | N/A | Authentication Hash algorithms“sha1”. |
encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption Algorithms 3des, aes-128, aes-256, aes-192 etc., |
phase1_negotiation_mode | string | no | CRU | Main Mode | N/A | IKE mode Main mode |
pfs | string | no | CRU | Group5 | N/A | Perfect Forward Secrecy ( Group2, Group5, Group14) |
ike_version | string | no | CRU | v1 | N/A | v1 or v2 version |
lifetime | ||||||
units | string | no | CRU | seconds | "seconds" | Lifetime of the SA unit in ‘seconds’ |
value | integer | no | CRU | 3600 for seconds | Integer | Lifetime value in seconds |
IPsecPolicies Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the IPsecPolicy |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | yes | CRU | None | N/A | friendly name for the IPsecPolicy |
description | string | no | CRU | None | N/A | Description of the policy |
transform_protocol | string | no | CRU | ESP | N/A | Tranform Protocol used such as ESP or AH or AH-ESP |
encapsulation_mode | string | no | CRU | tunnel | N/A | Encapsulation mode either Tunnel mode or transport mode |
auth_algorithm | string | no | CRU | sha1 | N/A | Authentication algorithm sha1 |
encryption_algorithm | string | no | CRU | aes-128 | N/A | Encryption Algorithms 3des, aes-128, aes-256, aes-192 |
pfs | string | no | CRU | group5 | N/A | Perfect Forward Secrecy ( group2, group5, group14) |
lifetime | ||||||
units | string | no | CRU | seconds | "seconds / kilobytes" | Lifetime of the SA unit in ‘seconds’ or ‘kilobytes’ |
value | integer | no | CRU | 3600 for seconds OR 1843200 for kilobytes | Integer | Lifetime value in seconds or kilobytes |
ipsec-site-connection Resource
Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the vpns connection |
tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID for owner of the vpn service |
name | string | no | CRU | None | N/A | name for ipsec-site-connection |
description | string | no | CRU | None | N/A | Description of the ipsec-site-connection |
peer_address | ipaddress(v4 or v6) | yes | CRU | N/A | valid ip address (v4 or v6) | peer vpn gateway public address or FQDN |
peer_id | string | yes | CRU | N/A | N/A | Peer identifier ( Can be name, string or FQDN ) |
peer_cidrs | list[string] | yes | CRU | N/A | list of valid cidr in the form <network_address>/<prefix> | Peer private cidrs |
route_mode | string | no | R | static | static | Static |
mtu | integer | no | CRU | 1500 | Integer | mtu - maximum transmission unit to address fragmentation |
auth_mode | string | no | R | psk | psk/certs | Authentication mode, either PSK or certificate |
psk | string | yes | CRU | N/A | NO | Pre-shared-key any string. |
initiator | string | no | CRU | bi-directional | "bi-directional / response-only" | Whether this VPN can only respond to connections or can initiate as well |
admin_state_up | bool | N/A | CRU | TRUE | "true / false" | Administrative state of vpn connection. If false (down), vpn concd nection does not forward packets |
status | string | N/A | R | N/A | N/A | Indicates whether vpn connection is currently operational. Possible values include:ACTIVE,DOWN,BUILD,ERROR |
ikepolicy_id | uuid | yes | CR | N/A | uuid of ikepolicy | uuid id of ikepolicy |
ipsecpolicy_id | uuid | yes | CR | N/A | uuid of ipsecpolicy | uuid id of ipsecpolicy |
vpnservice_id | uuid | yes | CR | N/A | uuid of vpnservice | service id of vpnservice |
dpd | ||||||
action | string | no | CRU | hold | "hold / clear / disabled /restart /restart_by_peer" | DPD actions controls the use of Dead Peer Detection Protocol. ( clear, hold, restart, disabled, restart-by-peer) |
interval | integer | no | CRU | 30 | > 0 | sec for DPD delay |
timeout | integer | no | CRU | 120 | > 0 & > dpd_interval | sec for DPD timeout |
Current Proposed API for VPNaaS "Neutron/VPNaaS/API"
This section describes commands that will be introduced into python-neutronclient in order to support VPNaaS advanced service.
vpn-service-create Create a VPNService vpn-service-delete Delete a given VPNService vpn-service-list List all VPNService for a given tenant. vpn-service-show Show detailed information of a given VPNService. vpn-service-update Update a given VPNservice. vpn-ikepolicy-create Create an IKEPolicy vpn-ikepolicy-delete Delete a given IKE Policy. vpn-ikepolicy-list List IKEPolicies that belong to a given tenant. vpn-ikepolicy-show Show detailed information of a given IKEPolicy. vpn-ikepolicy-update Update a given IKE Policy. vpn-ipsecpolicy-create Create an IPsec policy vpn-ipsecpolicy-delete Delete a given IPsec Policy vpn-ipsecpolicy-list List IPsecPolicies that belong to a given tenant connection. vpn-ipsecpolicy-show Show detailed information of a given IPsec Policy vpn-ipsecpolicy-update Update a given IPsec Policy. ipsec-site-connection-create Create a ipsec-site-connection ipsec-site-connection-delete Delete a given ipsec-site-connection. ipsec-site-connection-list List ipsec-site-connections that belong to a given tenant. ipsec-site-connection-show Show information of a given ipsec-site-connection. ipsec-site-connection-update Update a given ipsec-site-connection.
Command Specification
vpn-service-create
Create a new vpnservice
neutron vpn-service-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] [--name NAME] [--description DESCRIPTION] ROUTER SUBNET
- tenant-id: ID of the Tenant that owns the VPN Service.
- router: Unique identifier of the Router (either 'name' or 'id') to which the VPN will be attached to.
- subnet: Unique identifier of the Subnet (either 'name' or 'id') to which the VPN will provide service. (*)
vpn-service-delete
Delete a given vpnservice object.
neutron vpn-service-delete [-h] [--request-format {json,xml}] VPNSERVICE
- VPNSERVICE: Unique identifier that identifies the VPN Service to be deleted.
vpn-service-list
Show list of VPN Service objects available to tenant.
neutron vpn-service-list
vpn-service-show
Shows information about a given VPN Service object.
neutron vpn-service-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] VPNSERVICE
vpn-service-update
Update information of a given VPN Service Object.
neutron vpn-service-update [-h] [--request-format {json,xml}] VPNSERVICE
Note: Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
vpn-ikepolicy-create
Create a new ikepolicy object
neutron vpn-ikepolicy-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--description DESCRIPTION] [--auth-algorithm AUTH-ALGORITHM] [--encryption-algorithm ENCRYPTION-ALGORITHM] [--phase1-negotiation-mode PHASE1-NEGOTIATION-MODE] [--ike-version IKE-VERSION] [--pfs PFS] [--lifetime unit=UNITS,value=VALUE] NAME
- NAME: Friendly name of the IKEPolicy used in IPsec VPN Service Connections
- description: Friendly description of the IKEPolicy used in IPsec VPN Service Connections
- tenant-id: ID of the Tenant that owns the VPN Service.
- auth-algorithm: Authentication algorithm used in the IKEPolicy.
- encryption-algorithm: Encryption algorithm used in the IKEPolicy.
- phase1-negotiation-mode: Phase1 negotiation mode for IKE either 'Main' or 'Aggressive'.
- lifetime: String with lifetime specific parameters example: --lifetime "units=seconds,value=3600"
- units: Units for lifetime ('seconds' or 'kilobytes')
- value. Value for lifetime (non-negative integer).
- ike-version: Specify the ike_version.
- pfs: Specify the Perfect Forward Secrecy.
vpn-ikepolicy-delete
Delete a given IKEPolicy object.
neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}] IKEPOLICY
- IKEPOLICY: Unique identifier that identifies the IKEPolicy to be deleted.
vpn-ikepolicy-list
Show list of IKEPolicy objects available to tenant.
neutron vpn-ikepolicy-list
vpn-ikepolicy-show
Shows information about a given IKEPolicy object.
neutron vpn-ikepolicy-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] IKEPOLICY
vpn-ikepolicy-update
Update information of a given IKEPolicy Object.
neutron vpn-ikepolicy-delete [-h] [--request-format {json,xml}] IKEPOLICY
vpn-ipsecpolicy-create
Create a new ipsecpolicy object
neutron vpn-ipsecpolicy-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--description DESCRIPTION] --transform-protocol TRANSFORM-PROTOCOL [--auth-algorithm AUTH-ALGORITHM] [--encryption-algorithm ENCRYPTION-ALGORITHM] [--encapsulation-mode ENCAPSULATION-MODE] [--pfs PFS] [--lifetime units=UNITS,value=VALUE] NAME
- NAME: Friendly name of the IPsecPolicy used in IPsec VPN Service Connections
- description: Friendly description of the IPsecPolicy used in IPsec VPN Service Connections
- tenant-id: ID of the Tenant that owns the VPN Service.
- auth-algorithm: Authentication algorithm used in the IPsecPolicy.
- encryption-algorithm: Encryption algorithm used in the IPsecPolicy.
- encapsulation-mode: Encapsulation mode for IPsec tunnel either 'tunnel' or 'transport'.
- transfrom-protocol: IPsec Transform Protocol either 'ESP' or 'AH'.
- lifetime: String with lifetime specific parameters example: --lifetime "units=seconds,value=3600"
- units: Units for lifetime ('seconds' or 'kilobytes')
- value. Value for lifetime (non-negative integer).
- pfs: Specify the Perfect Forward Secrecy.
vpn-ipsecpolicy-delete
Delete a given IPsecPolicy object.
neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] IPSECPOLICY
- IPSECPOLICY: Unique identifier that identifies the IPSECPolicy to be deleted.
vpn-ipsecpolicy-list
Show list of IPSECPolicy objects available to tenant.
neutron vpn-ipsecpolicy-list
vpn-ipsecpolicy-show
Shows information about a given IPsecPolicy object.
neutron vpn-ipsecpolicy-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] IPSECPOLICY
vpn-ipsecpolicy-update
Update information of a given IPsecPolicy Object.
neutron vpn-ipsecpolicy-delete [-h] [--request-format {json,xml}] IPSECPOLICY
ipsec-site-connection-create
Create a new ipsec-site-connection object
neutron ipsec-site-connection-create [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [--tenant-id TENANT_ID] [--admin-state-down] --name NAME [--description DESCRIPTION] --peer-address PEER-ADDRESS --peer-id PEER-ID --peer_cidr PEER-CIDRS [--mtu MTU] [--psk PSK] [--initiator INITIATOR] [--dpd DPD] --vpnservice-id VPNSERVICE --ikepolicy-id IKEPOLICY --ipsecpolicy-id IPSECPOLICY
- peer-address: Remote Peer IP Address for the VPN Connection.
- tenant-id: ID of the Tenant that owns the VPN Service.
- peer-id: Peer identifier string.
- peer_cidr: Remote Peer Subnet with mask in CIDR format.
- mtu: MTU for fragmentation
- dpd: String with the dpd attributes. Example: --dpd "action=hold,interval=30,timeout=120"
- action: Dead peer detection actions (action=hold, restart etc.,).
- interval: Dead peer detection interval.(interval=30)
- timeout: Dead peer detection timeout.(timeout=120)
- route-mode: Routing mode either 'static' or 'dynamic' - for first release only 'static supported.
- auth-mode: Authentication mode either 'PSK' or 'CERTS'
- psk: Peer identifier string.
- initiator: Initiator mode either 'bi-directional' or 'responder'.
- vpnservice-id: Unique Identifier to the VPN Service Object.
- ikepolicy-id: Unique Identifier to the IKE Policy Object.
- ipsecpolicy-id: Unique Identifier to the IPsec Policy Object.
ipsec-site-connection-delete
Delete a given ipsec-site-connection object.
neutron ipsec-site-connection-delete [-h] [--request-format {json,xml}] ipsec-site-connection
- ipsec-site-connection: Unique identifier that identifies the VPN Connection to be deleted.
ipsec-site-connection-list
Show list of VPN Connection objects available to tenant.
neutron ipsec-site-connection-list
ipsec-site-connection-show
Shows information about a given VPN Connection object.
neutron ipsec-site-connection-show [-h] [-f {shell,table}] [-c COLUMN] [--variable VARIABLE] [--prefix PREFIX] [--request-format {json,xml}] [-D] [-F FIELD] ipsec-site-connection
ipsec-site-connection-update
Update information of a given VPN Connection Object.
neutron ipsec-site-connection-update [-h] [--request-format {json,xml}] ipsec-site-connection
Note: Only can change when status is not PENDING_CREATE, PENDING_UPDATE, or PENDING_DELETE.
REST API
High-Level Task Flow
The high-level task flow for using VPNaaS API to configure IPsec VPN is as follows:
- The tenant creates a VPNService, without any connections.
- The tenant creates one or more IKEPolicies.
- The tenant creates one or more IPsecPolicies.
- The tenant creates one or more ipsec-site-connections and associates with the VPNService id, IKEPolicy id and IPsecPolicy id.
VPNService APIs
GET /v1.0/vpnservices/ GET /v1.0/vpnservices/vpnservice-id POST /v1.0/vpnservices UPDATE /v1.0/vpnservices/vpnservice-id DELETE /v1.0/vpnservices/vpnservice-id
VPNService Create
JSON Request
#!highlight javascript numbers=disable POST /v1.0/vpnservices Content-Type: application/json Accept: application/json X-Auth-Token:xyz Content-Length: abc { "vpnservice": { "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c", "name": "cloud_vpn", "subnet": "96a4386a-f8c3-42ed-afce-d7954eee77b3", "router": "8acda86a-f8c3-42ed-afce-d7954eee77b3", } }
JSON Response
#!highlight javascript numbers=disable HTTP/1.1 202 Accepted Content-Type: application/json Content-Length: abc { "vpnservice": { "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c", "name": "cloud_vpn", "subnet-id": "96a4386a-f8c3-42ed-afce-d7954eee77b3", "router-id": "8acda86a-f8c3-42ed-afce-d7954eee77b3", "admin_state_up": true, "status": "PENDING_CREATE" } }
IKEPolicy APIs
GET /v1.0/ikepolicies/ POST /v1.0/ikepolicies GET /v1.0/ikepolicies/ikepolicy-id UPDATE /v1.0/ikepolicies/ikepolicy-id DELETE /v1.0/ikepolicies/ikepolicy-id
IKEPolicy Create
JSON Request
#!highlight javascript numbers=disable POST /v1.0/ikepolicies Accept: application/json Content-Type: application/json X-Auth-Token:xyz Content-Length: abc { "ikepolicy" : { "name": "ikepolicy_1", "auth-algorithm" : "sha1", "encryption-algorithm" : "aes-256", "phase1-negotiation-mode" : "main", "lifetime": "units=seconds,value=28800", "ike-version" : "v1", "pfs": " Group5", } }
JSON Response
#!highlight javascript numbers=disable HTTP/1.1 202 Accepted Content-Type: application/json Content-Length: abc { "ikepolicy" : { "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c", "name": "ikepolicy_1", "auth-algorithm" : "sha1", "encryption-algorithm" : "aes-256", "phase1-negotiation-mode" : "main", "lifetime": { "units" : "seconds" "value" : 28800, } "ike-version" : "v1", "pfs": "Group5", } }
IPsecPolicy APIs
GET /v1.0/ipsecpolicies/ POST /v1.0/ipsecpolicies GET /v1.0/ipsecpolicies/ipsecpolicy-id UPDATE /v1.0/ipsecpolicies/ipsecpolicy-id DELETE /v1.0/ipsecpolicies/ipsecpolicy-id
IPsecPolicy Create
JSON Request
#!highlight javascript numbers=disable POST /v1.0/ipsecpolicies Accept: application/json Content-Type: application/json X-Auth-Token:xyz Content-Length: abc { "ipsecpolicy" : { "name": "ipsecpolicy_1", "transform-protocol": "esp", "auth-algorithm" : "sha1", "encryption-algorithm" : "aes-256", "encapsulation-mode" : "tunnel", "lifetime": "units=seconds,value=28800", "pfs": "Group5" } }
JSON Response
#!highlight javascript numbers=disable HTTP/1.1 202 Accepted Content-Type: application/json Content-Length: abc { "ipsecpolicy" : { "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c", "name": "ipsecpolicy_1", "transform-protocol": "esp", "auth-algorithm" : "sha1", "encryption-algorithm" : "aes-256", "encapsulation-mode" : "tunnel", "lifetime": { "units" : "seconds" "value" : 28800, } "pfs": "Group5" } }
ipsec-site-connection
ipsec-site-connection APIs
GET /v1.0/ipsec-site-connections/ POST /v1.0/ipsec-site-connections GET /v1.0/ipsec-site-connections/ipsec-site-connection-id UPDATE /v1.0/ipsec-site-connections/ipsec-site-connection-id DELETE /v1.0/ipsec-site-connections/ipsec-site-connection-id
ipsec-site-connection Create
JSON Request
#!highlight javascript numbers=disable POST /v1.0/ipsec-site-connections Accept: application/json Content-Type: application/json X-Auth-Token:xyz Content-Length: abc { "ipsec_site_connection" : { "name": "ipsec_connection_1", "peer-address": "192.168.2.255", "peer-id" : "192.168.2.255", "peer-cidr" : "10.30.2.0/24", "dpd": "action=hold,interval=20,timeout=120", "mtu": "1500", "psk": "bla_bla_bla", "initiator": "bi-directional", "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed", "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed" } }
JSON Response
#!highlight javascript numbers=disable HTTP/1.1 202 Accepted Content-Type: application/json Content-Length: abc { "ipsec_site_connection" : { "id":"cfc6589d-f949-4c66-99d2-c2da56ef3764", "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c", "name": "ipsec_connection_1", "peer-address": "192.168.2.255", "peer-id" : "192.168.2.255", "peer-cidr" : "10.30.2.0/24", "dpd": { "action" : "hold" "interval" : 20, "timeout" : 120, } "mtu": "1500", "psk": "bla_bla_bla", "initiator": "bi-directional", "vpnservice-id": "02b1fef7-16f5-4917-bf19-c40a9af805ed", "ikepolicy-id": "03299abc-16f5-4917-bf19-c40a9af805ed", "ipsecpolicy-id": "0dbc1234-16f5-4917-bf19-c40a9af805ed", "admin_state_up": true, "status": "PENDING_CREATE" } }
Blueprints
VPN as a Service ( VPNaaS) APIs, DataModel and Use Cases