[MidoNet-dev] Draft proposal: IPsec in midonet

Jacob Mandelson jlm at midokura.com
Wed Feb 13 21:44:18 UTC 2013

Hi Guillermo,

> I'm including below my initial discussion about adding IPsec
> support for midonet.

    I think this needs to emphasize that it's supporting IPSec VPNs only,
and not any other pieces of the IPSec suite.  (If I see "Supports
IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
perform IKE.)

>   - Statically add SAs localnet- Meaning that anytime the
>     IPsec instance sees a packet coming from one of the known local
>     networks the tuple of that network with will match and let
>     the traffic through.

Will this cause problems for IPSec traffic which isn't part of the VPN?

>    - IKE pre-shared key.

If you have a pre-shared key, why perform IKE?

>     - IPsec connection parameters: PFS mode, hash function, encryption
>       function. Amazon is very strict on this, requiring exactly:
>       Group-2, SHA-1, AES-128. IMHO that's a correct philosophy,
>       sticking to the common minimum. If midonet is as strict as Amazon
>       the user doesn't need to supply this.

Could we use being more flexible as a selling point, for those that
want to use (eg) SHA-2 instead?

    Thanks for the writeup Guillermo,       Jacob
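As an added illustration of the connection parameters being discussed (this is not part of the thread and not MidoNet's own code), here is what the strict Amazon-style proposal and the more flexible one Jacob asks about look like side by side in strongSwan's ipsec.conf syntax. strongSwan itself is an assumption, since the thread names no IPsec implementation; the IKE version, connection names, addresses and subnets are constructed placeholders.

```ini
# Added example, not MidoNet code: two strongSwan ipsec.conf connections.
# strongSwan, IKEv1, and all addresses/subnets/names are assumptions.

# Strict profile matching the parameters quoted in the thread:
# Group 2 (1024-bit MODP), SHA-1, AES-128, PFS, IKE authenticated by PSK.
# The trailing "!" makes strongSwan offer exactly this proposal and no other.
conn vpn-strict
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024!
    # A DH group in the ESP proposal is what turns on PFS for the child SA.
    esp=aes128-sha1-modp1024!
    # placeholder: our public address and the local network behind it
    left=203.0.113.10
    leftsubnet=10.1.0.0/16
    # placeholder: the peer gateway and the remote network behind it
    right=198.51.100.20
    rightsubnet=10.2.0.0/16
    auto=start

# Flexible profile: SHA-2 and a 2048-bit group are offered first, with the
# strict Group-2/SHA-1/AES-128 set kept as a fallback so a peer that only
# accepts the Amazon minimum can still negotiate a tunnel.
conn vpn-flexible
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha256-modp2048,aes128-sha1-modp1024!
    esp=aes128-sha256-modp2048,aes128-sha1-modp1024!
    left=203.0.113.10
    leftsubnet=10.1.0.0/16
    right=198.51.100.20
    rightsubnet=10.2.0.0/16
    auto=start

# ipsec.secrets (separate file) supplies the pre-shared key that authby=secret
# refers to; the key string is a placeholder.
# 203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
```

Reading the two blocks against the proposal: the three user-supplied parameters (PFS mode, hash function, encryption function) collapse into the `ike=` and `esp=` proposal strings, so "as strict as Amazon" means shipping only `vpn-strict`, while the selling point Jacob raises is the ordered list in `vpn-flexible`, where the stronger proposal is preferred and the minimum is still accepted. The PSK in ipsec.secrets authenticates the IKE exchange; IKE still runs to derive the actual session keys, so the PSK itself is never used to encrypt traffic.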
