[MidoNet-dev] Draft proposal: IPsec in midonet

Jacob Mandelson jlm at midokura.com
Fri Feb 15 17:50:40 UTC 2013


On Fri, Feb 15, 2013 at 1:46 AM, Navarro, Abel <abel at midokura.com> wrote:

> Hi, I think you guys are talking about the same concepts. Let me see if I
> understand correctly:
>
> Requirement: be able to connect to Amazon VPN
>
> We MUST:
> - Offer ESP termination
>

To clarify, we must terminate ESP (for VPN traffic), but offering ESP
termination (for other services) would be a different feature, one that
should be able to re-use some of the IPSec VPN work if we get around to it.
What "offering ESP termination" makes me think of is a scenario like this:
    * Client has a service that requires cryptographic protection on the
public internet, so accepts only ESP traffic
    * Client runs multiple servers as guests in a MidoNet cloud to provide
the service
    * Because MN offers ESP termination, it decrypts the ESP'd traffic and
balances it among the servers

I don't think it's important to be offering this, but it's what I
understand when a product says it offers ESP termination.

I do think it's important to not interfere with a guest terminating ESP
traffic for an address in case a client wants to do ESP termination
themselves, for some non-VPN thing.

    -- Jacob


> - Offer IKE, for authentication coordination
>
> We SHOULD:
> - Offer BGP failover on routes over ESP
>
> We MAY:
> - Offer AH
> - Offer other IPsec suite capabilities
>
>       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
>       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
>       "OPTIONAL" in this document are to be interpreted as described in
>       RFC 2119.
>
>
> --
> abel
>
>
>
> On Thu, Feb 14, 2013 at 10:52 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>
>> On Thu, Feb 14, 2013 at 1:41 AM, Guillermo Ontañón <guillermo at midokura.jp> wrote:
>>
>>> Hi Jacob,
>>>
>>> On Wed, Feb 13, 2013 at 10:44 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>>>
>>>> Hi Guillermo,
>>>>
>>>>
>>>> > I'm including below my initial discussion about adding IPsec
>>>> > support for midonet.
>>>>
>>>>     I think this needs to emphasize that it's supporting IPSec VPNs only,
>>>> and not any other pieces of the IPSec suite.  (If I see "Supports
>>>> IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
>>>> perform IKE.)
>>>
>>>
>>> Yeah, good point. To be specific, implementing the current proposal
>>> would mean:
>>>
>>>   * IKE (validation via PSK only, no certificates)
>>>   * ESP termination.
>>>   * So-called 'route-based' VPNs with BGP (this is what I call
>>> 'dynamic' in my proposal).
>>>   * (maybe) 'policy-based' VPNs (what I call 'static' in my proposal).
>>>
>>> I'll add it to the feature description.
>>>
>>
>> As I understand your proposal, it terminates ESP (specifically, it has
>> the host OS terminate it), but only for VPN traffic.  This seems to fall
>> shy of "ESP termination" sans modifiers.  For that, I'd expect MidoNet to
>> be able to receive ESP traffic for a public address it manages and send its
>> payload to the internal address.  Though with us terminating ESP for the
>> VPN, we should be able to build on that to providing ESP termination for
>> external/internal addresses.
>>
>>      -- Jacob
>>
>
>
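As an added illustration (not code from this thread, nor from MidoNet itself), the following Python classifier shows the distinction the thread draws: ESP and IKE arriving for an address that the VPN feature owns are handed to the host for termination, IPsec traffic addressed to a guest passes through untouched so the guest can terminate ESP itself, and AH for a VPN endpoint is flagged as unsupported rather than silently forwarded. The addresses, the `classify` function, the `Decision` record and the sample packets are constructed assumptions; the protocol numbers and ports (ESP 50, AH 51, IKE on UDP 500, NAT-T on UDP 4500 with the RFC 3948 non-ESP marker) are the standard ones.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Standard IANA protocol numbers and IKE/NAT-T ports (not assumptions).
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
IKE_PORT = 500
NATT_PORT = 4500


@dataclass
class Decision:
    kind: str            # "esp", "ah", "ike" or "other"
    action: str          # "terminate", "pass-through", "forward" or "unsupported"
    dst: str
    spi: Optional[int] = None


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used to build valid sample headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 packet (no options) used as sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header (checksum left zero, which IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt: bytes, vpn_endpoints: Set[str], guest_addresses: Set[str]) -> Decision:
    """Decide what the edge should do with one inbound packet.

    vpn_endpoints: public addresses whose ESP/IKE the VPN feature terminates.
    guest_addresses: public addresses owned by guests, which may run their own IPsec.
    """
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst = socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    kind, spi = "other", None

    if proto == PROTO_ESP and len(body) >= 8:
        # ESP header: SPI (4 bytes), sequence number (4 bytes)
        spi = struct.unpack("!I", body[:4])[0]
        kind = "esp"
    elif proto == PROTO_AH and len(body) >= 12:
        # AH header: next header, payload len, reserved, then SPI at offset 4
        spi = struct.unpack("!I", body[4:8])[0]
        kind = "ah"
    elif proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        udp_payload = body[8:]
        if IKE_PORT in (sport, dport):
            kind = "ike"
        elif NATT_PORT in (sport, dport):
            # RFC 3948: four zero bytes mark IKE; otherwise UDP-encapsulated ESP
            if udp_payload[:4] == b"\x00\x00\x00\x00":
                kind = "ike"
            elif len(udp_payload) >= 8:
                kind = "esp"
                spi = struct.unpack("!I", udp_payload[:4])[0]

    if dst in vpn_endpoints:
        if kind in ("esp", "ike"):
            action = "terminate"        # host IPsec stack handles the VPN
        elif kind == "ah":
            action = "unsupported"      # AH is only a MAY; flag, don't forward
        else:
            action = "forward"
    elif dst in guest_addresses:
        # Never interfere with a guest terminating its own IPsec traffic.
        action = "pass-through" if kind != "other" else "forward"
    else:
        action = "forward"
    return Decision(kind, action, dst, spi)
```

The two address sets are the whole policy: an address is either a VPN endpoint the edge terminates for, or a guest address whose IPsec the edge must leave alone, and the classifier never rewrites or decrypts anything in the second case.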