[MidoNet-dev] Draft proposal: IPsec in midonet

Jacob Mandelson jlm at midokura.com
Fri Feb 15 17:50:40 UTC 2013

On Fri, Feb 15, 2013 at 1:46 AM, Navarro, Abel <abel at midokura.com> wrote:

> Hi, I think you guys are talking about the same concepts. Let me see if I
> understand correctly:
> Requirement: be able to connect to Amazon VPN
> We MUST:
> - Offer ESP termination

To clarify, we must terminate ESP (for VPN traffic), but offering ESP
termination (for other services) would be a different feature, one that
should be able to re-use some of the IPSec VPN work if we get around to it.
What "offering ESP termination" makes me think of is a scenario like this:
    * Client has a service that requires cryptographic protection on the
public internet, so accepts only ESP traffic
    * Client runs multiple servers as guests in a MidoNet cloud to provide
the service
    * Because MN offers ESP termination, it decrypts the ESP'd traffic and
balances it among the servers

I don't think it's important to be offering this, but it's what I
understand when a product says it offers ESP termination.

I do think it's important to not interfere with a guest terminating ESP
traffic for an address in case a client wants to do ESP termination
themselves, for some non-VPN thing.

    -- Jacob

> - Offer IKE, for authentication coordination
> - Offer BGP failover on routes over ESP
> We MAY:
> - Offer AH
> - Offer other IPsec suite capabilities
>       The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
>       NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
>       "OPTIONAL" in this document are to be interpreted as described in
>       RFC 2119.
> --
> abel
> On Thu, Feb 14, 2013 at 10:52 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>> On Thu, Feb 14, 2013 at 1:41 AM, Guillermo Ontañón <guillermo at midokura.jp> wrote:
>>> Hi Jacob,
>>> On Wed, Feb 13, 2013 at 10:44 PM, Jacob Mandelson <jlm at midokura.com> wrote:
>>>> Hi Guillermo,
>>>> > I'm including below my initial discussion about adding IPsec
>>>> > support for midonet.
>>>>     I think this needs to emphasize that it's supporting IPSec VPNs
>>>> only,
>>>> and not any other pieces of the IPSec suite.  (If I see "Supports
>>>> IPSec" with no modifier, I expect it to terminate ESP, verify AH, and
>>>> perform IKE.)
>>> Yeah, good point. To be specific, implementing the current proposal
>>> would mean:
>>>   * IKE (validation via PSK only, no certificates)
>>>   * ESP termination.
>>>   * So called 'route-based' VPNs with BGP. (This is what I call
>>> 'dynamic' in my proposal.)
>>>   * (maybe) 'policy-based' VPNs (what I call 'static' in my proposal).
>>> I'll add it to the feature description.
>> As I understand your proposal, it terminates ESP (specifically, it has
>> the host OS terminate it), but only for VPN traffic.  This seems to fall
>> shy of "ESP termination" sans modifiers.  For that, I'd expect MidoNet to
>> be able to receive ESP traffic for a public address it manages and send its
>> payload to the internal address.  Though with us terminating ESP for the
>> VPN, we should be able to build on that to providing ESP termination for
>> external/internal addresses.
>>      -- Jacob
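The distinction argued over above (terminating ESP for the cloud's own VPN tunnels versus leaving ESP/AH alone for an address whose guest terminates it itself) comes down to recognising the IPsec header and looking the SPI up against the security associations the cloud owns. The following is an added example written for this page; it is not code from the midonet-dev thread or from MidoNet. It parses the outer IPv4 header, reads the SPI and sequence number from ESP (RFC 4303) and AH (RFC 4302), and dispatches on a hypothetical SA table keyed by (protocol, local address, SPI). The packets and the table are constructed sample data using RFC 5737 documentation addresses.

```python
"""Added example, not MidoNet code: classify IPv4 packets as VPN-terminated
IPsec, guest-terminated IPsec, malformed IPsec, or non-IPsec traffic."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_ESP = 50   # RFC 4303
IPPROTO_AH = 51    # RFC 4302


@dataclass(frozen=True)
class IpsecInfo:
    proto: str   # "ESP" or "AH"
    src: str
    dst: str
    spi: int     # Security Parameters Index: selects the SA at the receiver
    seq: int     # sequence number the terminating endpoint checks for replay


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipsec(pkt: bytes) -> Optional[IpsecInfo]:
    """Return SPI/sequence for an ESP or AH packet, None for non-IPsec IPv4
    traffic. Raises ValueError when the packet claims IPsec but is truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src, dst = _ip(pkt[12:16]), _ip(pkt[16:20])
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        # ESP: SPI(4) | Seq(4) | encrypted payload ... | ICV
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        return IpsecInfo("ESP", src, dst, spi, seq)
    if proto == IPPROTO_AH:
        # AH: NextHdr(1) | PayloadLen(1) | Reserved(2) | SPI(4) | Seq(4) | ICV
        if len(body) < 12:
            raise ValueError("truncated AH header")
        spi, seq = struct.unpack("!II", body[4:12])
        return IpsecInfo("AH", src, dst, spi, seq)
    return None


# Hypothetical SA table: (proto, local address, SPI) -> tunnel name
SaTable = Dict[Tuple[str, str, int], str]


def classify(pkt: bytes, vpn_sas: SaTable) -> str:
    """'terminate': the SA belongs to a VPN tunnel the cloud itself runs.
    'passthrough': IPsec for an address whose guest terminates it.
    'malformed': IPsec header too short to identify an SA.
    'other': not IPsec at all."""
    try:
        info = parse_ipsec(pkt)
    except ValueError:
        return "malformed"
    if info is None:
        return "other"
    key = (info.proto, info.dst, info.spi)
    return "terminate" if key in vpn_sas else "passthrough"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the samples below (header checksum left 0)."""
    def to_b(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, to_b(src), to_b(dst))
    return hdr + payload


# Constructed sample data (RFC 5737 documentation addresses, made-up SPIs).
VPN_SAS: SaTable = {("ESP", "203.0.113.10", 0xC0FFEE): "vpn-tunnel-1"}
PKT_VPN = build_ipv4("198.51.100.1", "203.0.113.10", IPPROTO_ESP,
                     struct.pack("!II", 0xC0FFEE, 7) + b"\x00" * 32)
PKT_GUEST_ESP = build_ipv4("198.51.100.1", "203.0.113.20", IPPROTO_ESP,
                           struct.pack("!II", 0x1234, 1) + b"\x00" * 32)
PKT_GUEST_AH = build_ipv4("198.51.100.1", "203.0.113.10", IPPROTO_AH,
                          bytes([4, 4, 0, 0]) + struct.pack("!II", 0xC0FFEE, 1) + b"\x00" * 12)
PKT_UDP = build_ipv4("198.51.100.1", "203.0.113.10", 17, b"\x00" * 8)
PKT_SHORT = build_ipv4("198.51.100.1", "203.0.113.10", IPPROTO_ESP, b"\x00\xc0")

if __name__ == "__main__":
    samples = [("vpn", PKT_VPN), ("guest-esp", PKT_GUEST_ESP),
               ("guest-ah", PKT_GUEST_AH), ("udp", PKT_UDP), ("short", PKT_SHORT)]
    for name, pkt in samples:
        print(f"{name:10s} -> {classify(pkt, VPN_SAS)}")
```

The SA key includes the protocol, so an AH packet carrying the same SPI as an ESP tunnel is not mistaken for VPN traffic; ESP and AH SPI spaces are independent per RFC 4301. Only packets whose SA the cloud actually owns are decrypted; everything else that looks like IPsec is handed to the guest untouched, which is the non-interference property Jacob asks for.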