[MidoNet-dev] Draft proposal: IPsec in midonet

Navarro, Abel abel at midokura.com
Fri Feb 15 09:46:32 UTC 2013


Hi, I think you guys are talking about the same concepts. Let me see if I
understand correctly:

Requirement: be able to connect to Amazon VPN

We MUST:
- Offer ESP termination
- Offer IKE, for authentication coordination

We SHOULD:
- Offer BGP failover on routes over ESP

We MAY:
- Offer AH
- Offer other IPsec suite capabilities

      The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in
      RFC 2119.


--
abel



On Thu, Feb 14, 2013 at 10:52 PM, Jacob Mandelson <jlm at midokura.com> wrote:

> On Thu, Feb 14, 2013 at 1:41 AM, Guillermo Ontañón <guillermo at midokura.jp> wrote:
>
>> Hi Jacob,
>>
>> On Wed, Feb 13, 2013 at 10:44 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>>
>>> Hi Guillermo,
>>>
>>>
>>> > I'm including below my initial discussion about adding IPsec
>>> > support for midonet.
>>>
>>>     I think this needs to emphasize that it's supporting IPSec VPNs only,
>>> and not any other pieces of the IPSec suite.  (If I see "Supports
>>> IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
>>> perform IKE.)
>>
>>
>> Yeah, good point. To be specific, implementing the current proposal would
>> mean:
>>
>>   * IKE (validation via PSK only, no certificates)
>>   * ESP termination.
>>   * So called 'route-based' VPNs with BGP. (This is what I call 'dynamic'
>> in my proposal.)
>>   * (maybe) 'policy-based' VPNs (what I call 'static' in my proposal).
>>
>> I'll add it to the feature description.
>>
>
> As I understand your proposal, it terminates ESP (specifically, it has the
> host OS terminate it), but only for VPN traffic.  This seems to fall shy of
> "ESP termination" sans modifiers.  For that, I'd expect MidoNet to be able
> to receive ESP traffic for a public address it manages and send its payload
> to the internal address.  Though with us terminating ESP for the VPN, we
> should be able to build on that to providing ESP termination for
> external/internal addresses.
>
>      -- Jacob
>
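Jacob's description of what ESP termination for a managed public address entails (receive ESP, verify it, hand the payload to the internal address) in runnable form, as an added example that is not part of this thread or of MidoNet: the SA table, addresses, SPI and key are constructed, and NULL encryption (RFC 2410) with HMAC-SHA256 integrity is assumed so it runs with the standard library only.

```python
import hmac, hashlib, struct

# Constructed inbound SA table keyed by (destination address, SPI), as a terminating
# gateway would hold for the public address it manages. NULL encryption (RFC 2410)
# with HMAC-SHA256-128 integrity keeps the example standard-library only.
SA_TABLE = {("198.51.100.10", 0x1000ABCD): {
    "auth_key": b"constructed-integrity-key-for-demo", "highest_seq": 0, "window": 0}}
ICV_LEN, WINDOW_SIZE = 16, 64

def build_esp(spi, seq, payload, next_header, auth_key):
    # Sender side, used here to construct test input: header + payload + trailer + ICV.
    pad_len = (-(len(payload) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def terminate_esp(dst_ip, packet):
    # Receiver side: returns (next_header, inner payload) for delivery to the internal
    # address, or (None, reason) when the packet must be dropped.
    if len(packet) < 8 + 2 + ICV_LEN:
        return None, "truncated ESP packet"
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SA_TABLE.get((dst_ip, spi))
    if sa is None:
        return None, "no inbound SA for this (destination, SPI)"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None, "ICV mismatch"
    # Anti-replay window (RFC 4303 section 3.4.3), updated only after the ICV verifies;
    # bit 0 of the window tracks the highest sequence number accepted so far.
    if seq > sa["highest_seq"]:
        shift = seq - sa["highest_seq"]
        sa["window"] = ((sa["window"] << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
        sa["highest_seq"] = seq
    else:
        offset = sa["highest_seq"] - seq
        if offset >= WINDOW_SIZE or (sa["window"] >> offset) & 1:
            return None, "replayed or too-old sequence number"
        sa["window"] |= 1 << offset
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:-2 - pad_len]
```

A real terminator would also decrypt under the SA's cipher and then forward the inner packet according to the next-header value; the SA lookup, integrity check and replay window are the parts that do not change.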

