[MidoNet-dev] Draft proposal: IPsec in midonet
jlm at midokura.com
Wed Feb 13 21:44:18 UTC 2013
> I'm including below my initial discussion about adding IPsec
> support for midonet.
I think this needs to emphasize that it's supporting IPSec VPNs only,
and not any other pieces of the IPSec suite. (If I see "Supports
IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
> - Statically add SAs localnet-0.0.0.0/0. Meaning that anytime the
> IPsec instance sees a packet coming from one of the known local
> networks the tuple of that network with 0.0.0.0/0 will match and let
> the traffic through.
Will this cause problems for IPSec traffic which isn't part of the VPN?
> - IKE pre-shared key.
If you have a pre-shared key, why perform IKE?
> - IPsec connection parameters: PFS mode, hash function, encryption
> function. Amazon is very strict on this, requiring exactly:
> Group-2, SHA-1, AES-128. IMHO that's a correct philosophy,
> sticking to the common minimum. If midonet is as strict as Amazon
> the user doesn't need to supply this.
Could we use being more flexible as a selling point, for those that
want to use (e.g.) SHA-2 instead?
Thanks for the writeup, Guillermo,
Jacob
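As an added illustration of the parameters debated above (not part of the original thread or of MidoNet's code), here is how the Amazon-style profile and the more flexible variant would look as strongSwan `ipsec.conf` connections, assuming strongSwan is the IPsec implementation; the addresses and subnets are constructed placeholders:

```ini
# Added example, not from the thread: strongSwan ipsec.conf (IKEv1, PSK).
# Addresses and subnets below are constructed placeholders.
config setup

conn %default
    keyexchange=ikev1
    authby=secret            # IKE with a pre-shared key: the PSK authenticates
                             # the peers, IKE still negotiates fresh session keys
    left=203.0.113.10        # placeholder: local public address
    leftsubnet=10.1.0.0/16   # placeholder: one of the known local networks
    right=198.51.100.20      # placeholder: remote VPN endpoint
    rightsubnet=0.0.0.0/0    # the "localnet -> 0.0.0.0/0" SA from the proposal
    dpdaction=restart

# Exactly what the thread says Amazon requires: AES-128, SHA-1, DH group 2
# (modp1024), with PFS on the same group. The trailing "!" makes the
# proposal strict: nothing else is offered or accepted.
conn amazon-strict
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    auto=start

# The more flexible variant Jacob asks about: offer SHA-2 and a larger
# group first, keep the Amazon minimum as a fallback so interop survives.
conn flexible
    ike=aes128-sha256-modp2048,aes128-sha1-modp1024!
    esp=aes128-sha256-modp2048,aes128-sha1-modp1024!
    auto=start
```

The pre-shared key itself does not live in this file; strongSwan reads it from `ipsec.secrets`, keyed by the two peer addresses.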