[MidoNet-dev] Draft proposal: IPsec in midonet
jlm at midokura.com
Fri Feb 15 17:50:40 UTC 2013
On Fri, Feb 15, 2013 at 1:46 AM, Navarro, Abel <abel at midokura.com> wrote:
> Hi, I think you guys are talking about the same concepts. Let me see if I
> understand correctly:
> Requirement: be able to connect to Amazon VPN
> We MUST:
> - Offer ESP termination
To clarify, we must terminate ESP (for VPN traffic), but offering ESP
termination (for other services) would be a different feature, one that
should be able to re-use some of the IPSec VPN work if we get around to it.
What "offering ESP termination" makes me think of is a scenario like this:
* Client has a service that requires cryptographic protection on the
public internet, so accepts only ESP traffic
* Client runs multiple servers as guests in a MidoNet cloud to provide
* Because MN offers ESP termination, it decrypts the ESP'd traffic and
balances it among the servers
I don't think it's important to be offering this, but it's what I
understand when a product says it offers ESP termination.
I do think it's important to not interfere with a guest terminating ESP
traffic for an address in case a client wants to do ESP termination
themselves, for some non-VPN thing.
> - Offer IKE, for authentication coordination
> We SHOULD:
> - Offer BGP failover on routes over ESP
> We MAY:
> - Offer AH
> - Offer other IPsec suite capabilities
> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
> NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
> "OPTIONAL" in this document are to be interpreted as described in
> RFC 2119.
> On Thu, Feb 14, 2013 at 10:52 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>> On Thu, Feb 14, 2013 at 1:41 AM, Guillermo Ontañón <guillermo at midokura.jp> wrote:
>>> Hi Jacob,
>>> On Wed, Feb 13, 2013 at 10:44 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>>>> Hi Guillermo,
>>>> > I'm including below my initial discussion about adding IPsec
>>>> > support for midonet.
>>>> I think this needs to emphasize that it's supporting IPSec VPNs
>>>> and not any other pieces of the IPSec suite. (If I see "Supports
>>>> IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
>>>> perform IKE.)
>>> Yeah, good point. To be specific, implementing the current proposal
>>> would mean:
>>> * IKE (validation via PSK only, no certificates)
>>> * ESP termination.
>>> * So called 'route-based' VPNs with BGP. (This is what I call
>>> 'dynamic' in my proposal.)
>>> * (maybe) 'policy-based' VPNs (what I call 'static' in my proposal).
>>> I'll add it to the feature description.
>> As I understand your proposal, it terminates ESP (specifically, it has
>> the host OS terminate it), but only for VPN traffic. This seems to fall
>> shy of "ESP termination" sans modifiers. For that, I'd expect MidoNet to
>> be able to receive ESP traffic for a public address it manages and send its
>> payload to the internal address. Though with us terminating ESP for the
>> VPN, we should be able to build on that to providing ESP termination for
>> external/internal addresses.
>> -- Jacob