[MidoNet-dev] Draft proposal: IPsec in midonet

Jacob Mandelson jlm at midokura.com
Thu Feb 14 21:52:48 UTC 2013


On Thu, Feb 14, 2013 at 1:41 AM, Guillermo Ontañón <guillermo at midokura.jp> wrote:

> Hi Jacob,
>
> On Wed, Feb 13, 2013 at 10:44 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>
>> Hi Guillermo,
>>
>>
>> > I'm including below my initial discussion about adding IPsec
>> > support for midonet.
>>
>>     I think this needs to emphasize that it's supporting IPSec VPNs only,
>> and not any other pieces of the IPSec suite.  (If I see "Supports
>> IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
>> perform IKE.)
>
>
> Yeah, good point. To be specific, implementing the current proposal would
> mean:
>
>   * IKE (validation via PSK only, no certificates)
>   * ESP termination.
>   * So-called 'route-based' VPNs with BGP (this is what I call 'dynamic'
> in my proposal).
>   * (maybe) 'policy-based' VPNs (what I call 'static' in my proposal).
>
> I'll add it to the feature description.
>

As I understand your proposal, it terminates ESP (specifically, it has the
host OS terminate it), but only for VPN traffic.  This seems to fall shy of
"ESP termination" sans modifiers.  For that, I'd expect MidoNet to be able
to receive ESP traffic for a public address it manages and send its payload
to the internal address.  Though with us terminating ESP for the VPN, we
should be able to build on that to providing ESP termination for
external/internal addresses.

     -- Jacob