Return-Path: X-Original-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 41747C151 for ; Mon, 2 Jul 2012 22:09:15 +0000 (UTC) Received: (qmail 60142 invoked by uid 500); 2 Jul 2012 22:09:15 -0000 Delivered-To: apmail-incubator-cloudstack-dev-archive@incubator.apache.org Received: (qmail 60100 invoked by uid 500); 2 Jul 2012 22:09:15 -0000 Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-dev@incubator.apache.org Received: (qmail 60090 invoked by uid 99); 2 Jul 2012 22:09:15 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Jul 2012 22:09:15 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of Chiradeep.Vittal@citrix.com designates 66.165.176.63 as permitted sender) Received: from [66.165.176.63] (HELO SMTP02.CITRIX.COM) (66.165.176.63) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Jul 2012 22:09:09 +0000 X-IronPort-AV: E=Sophos;i="4.77,512,1336363200"; d="scan'208";a="200817771" Received: from sjcpmailmx01.citrite.net ([10.216.14.74]) by FTLPIPO02.CITRIX.COM with ESMTP/TLS/RC4-MD5; 02 Jul 2012 18:08:48 -0400 Received: from SJCPMAILBOX01.citrite.net ([10.216.4.73]) by SJCPMAILMX01.citrite.net ([10.216.14.74]) with mapi; Mon, 2 Jul 2012 15:08:47 -0700 From: Chiradeep Vittal To: CloudStack DeveloperList Date: Mon, 2 Jul 2012 15:09:28 -0700 Subject: Re: site-to-site VPN review Thread-Topic: site-to-site VPN review Thread-Index: Ac1Yn0Cp1glNSrnWTfujay2AlK0QQQ== Message-ID: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.13.0.110805 acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Also, if we could put out an example Cisco / Juniper configuration that is known to work with the CloudStack site-to-site VPN, that would be great. On 7/2/12 3:06 PM, "Chiradeep Vittal" wrote: > > >On 7/2/12 2:33 PM, "Sheng Yang" wrote: > >>On Monday, July 02, 2012 12:48:33 PM Chiradeep Vittal wrote: >>> I took another look at the FS >>>=20 >>>http://wiki.cloudstack.org/display/DesignDocs/Site-to-site+VPN+functiona >>>l >>>+sp >>> ec And the test suite >>> http://wiki.cloudstack.org/display/QA/Site-to-Site+VPN >>> >>> >>> 1. It isn't clear if we are going to use pre-shared keys (PSK) or >>> public-key (RSA keys) * If PSK, who generates this and what is the >>> strength of this key? * Can this PSK be changed / revoked ? >> >>We're using PSK. Currently user generate the psk key and program it on >>the >>both side of VPN. Update the spec. > >The Remote Access Vpn service generates the PSK on the user's behalf. This >makes it easier for the cloud admin to enforce key strength. >This is also the way AWS VPC works. > >> >>> 2. Why is this restricted to admin only? >> >>Currently only admin can create/delete private gateway and vpn gateway of >>VPC. >>Though Alena just update me that he/she can do it on behavior of other >>account. >> >>> 3. Does this require "conserve mode =3D true" ? >> >>Currently we only support VPC, so it's no conserve mode here. >> >>I think even in the future when we support isolated guest network, this >>wouldn't be an restriction. >> >>> 4. Is NAT traversal supported? >> >>Yes. I enabled it in openswan configuration. >> >>> 5. FS and test suite in my mind should cover FCAPS (faults, >>>configuration, >>> administration, performance, security) * How do you deal with faults? >> >>DPD would try to keep it recover and connected. >> >>> What happens when the VR is restarted? >> >>Currently we didn't restart VPN connection automatically. I would fix >>that. >> >>> What happens if VR gets disconnected from the remote end? >> >>DPD would try to recover it. I've set a 3 time retry for initial >>connection, >>but not sure about how many time it would retry in the disconnection >>after >>that. >> >>> * The API parameters and responses need to be more >>> completely documented. >> >>Sure. >> >>> * If a user complains that his s-2-s VPN is not >>> working / used to work but does not now, how can customer support >>>diagnose >>> this problem? >> >>Log is in the /var/log/auth.log and /var/log/daemon.log. I didn't pull it >>out >>to separate files because openswan separate log output lacks of >>timestamp. > >Can we think of a better way? Are these logs being rotated / archived? I >think the former is, not sure about the latter. > >> >>> * How well does this perform: what is the target throughput >>> and what is the size (RAM/CPU) needed to achieve this performance? >> >>Not tested yet. >> >>> * Is there a need for a later kernel on the VR for AES support? >> >>No. AES can be done by software as well. > >What I mean is: take advantage of acceleration offered by Intel chips that >implement the AES-NI instruction. It is my understanding that the current >bits of the VR are unable to do this. > >> >>> * How secure >>> is this implementation? Can the PSK be guessed? Are the latest security >>> patches for OpenSwan available in the VR? >> >>The level of security is the same as normal site to site implementation. >>So it >>depends on PSK to be generated. Since we didn't generated it, user >>controls >>it. >> >>For the security upgrade, it would be a common issue rather than vpn >>specified. >>We lack of up-to-date security upgrade mechanism. I suppose it's should >>in the >>plan. > >My point is that when the feature is released, there shouldn't be any >known security issues with the software and it should be patched to the >latest level. Of course, future security issues is a different question. > >> >>--Sheng >