From: Rohit Yadav <rohit.yadav@shapeblue.com>
To: dev <dev@cloudstack.apache.org>
Subject: Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault
Date: Tue, 10 Apr 2018 08:10:28 +0000

Khosrow,

I think you can implement your own Vault-based CA plugin. However, bear in mind that it will be used for securing KVM hosts and ssvms/cpvms as well. Can you share whether any systemvmtemplate change will be required, and how ipsec configuration/re-configuration will work? Also, the impact on upgrades?

- Rohit

________________________________
From: Khosrow Moossavi
Sent: Thursday, April 5, 2018 3:15:07 AM
To: dev
Subject: Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault

Thanks Ilya for the feedback.

The way I currently implemented it, two items need to be set in global settings beforehand:

- you need to specify the VPN implementation (either L2TP or IKEv2)
- then select the PKI engine backend (Vault or Default)

so there won't be any immediate and blocking coupling between management-server and Vault.

But... I would argue that we should leverage these new *tools* in our own infra where Cloudstack runs, such as ELK, RabbitMQ, Kafka, Redis, MongoDB, or Vault in this particular case. I would assume every one of us does use these tools one way or another to keep the infrastructure up and running. Why not provide an easy, OOB way to do so from ACS itself?

On the other hand, I totally agree that ACS must not fully depend on these, to the point that ACS won't work if any of them is unavailable. But at the end of the day ACS is a *webapp* -which does something special of its own- and it should get help from all the *cool kids*.

On code quality, test coverage and integration tests I completely 100% agree.

On Wed, Apr 4, 2018 at 4:53 PM, Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:

> To complement one thing that Ilya mentioned here. I do not worry much about
> the "requirement" for Vault systems to test ACS. This would be the case if
> Khosrow, when developing, only created tests using what the community calls
> integration tests.
>
> However, it is an implementation from scratch and as such it can and should
> use a very high bar for code quality, which enables proper unit testing for
> all methods. This means that we can check all of the code in our domain
> (code base) without requiring third-party software. It does not mean that
> we do not need "integration tests" checking the system integration with
> Vault, but we could then restrict this execution to RCs.
>
> On Wed, Apr 4, 2018 at 5:29 PM, ilya musayev wrote:
>
> > Khosrow
> >
> > My 2c, little less than ideal to manage yet another external end point
> > like.
> >
> > While i understand that it makes it easier to manage certificates - it also
> > means going forward - Vault implementation will become a requirement to
> > validate future ACS release.
> >
> > With that said - i do like the proposal and not against it, but:
> > 1) Please consider decoupling it from cloudstack-management server - and
> > release it as server plugin
> > 2) Test coverage must be sufficient enough to validate the functionality
> > (perhaps mock vault endpoints and response)
> >
> > Regards,
> > ilya
> >
> > On Wed, Apr 4, 2018 at 10:49 AM, Khosrow Moossavi <kmoossavi@cloudops.com> wrote:
> >
> > > Thanks Paul, the proposed feature will enable the functionality to use
> > > Vault to act as CA if enabled in ACS, otherwise will fall back to "default"
> > > implementation which Rohit has already done.
> > >
> > > On Wed, Apr 4, 2018 at 12:29 PM, Paul Angus wrote:
> > >
> > > > You guys should speak to Rohit about the CA framework. CloudStack can
> > > > manage certificates now, including creating them itself and acting as a
> > > > root CA.
> > > >
> > > > Kind regards,
> > > >
> > > > Paul Angus
> > > >
> > > > paul.angus@shapeblue.com
> > > > www.shapeblue.com
> > > > 53 Chandos Place, Covent Garden, London WC2N 4HSUK
> > > > @shapeblue
> > > >
> > > > -----Original Message-----
> > > > From: Rafael Weingärtner
> > > > Sent: 04 April 2018 16:51
> > > > To: dev
> > > > Subject: Re: [DISCUSS] New VPN implementation based on IKEv2 backed by Vault
> > > >
> > > > Thanks for sharing the details. Now I have a better perspective of the
> > > > proposal. It is an interesting integration of CloudStack VPN service with
> > > > Vault PKI feature.
> > > >
> > > > On Wed, Apr 4, 2018 at 12:38 PM, Khosrow Moossavi <kmoossavi@cloudops.com> wrote:
> > > >
> > > > > One of the things Vault does is essentially one of the things Let's
> > > > > Encrypt does, acting as CA and generating/signing certificates.
> > > > >
> > > > > From the Vault website itself:
> > > > >
> > > > > "HashiCorp Vault secures, stores, and tightly controls access to
> > > > > tokens, passwords, certificates, API keys, and other secrets in modern
> > > > > computing. Vault handles leasing, key revocation, key rolling, and
> > > > > auditing. Through a unified API, users can access an encrypted
> > > > > Key/Value store and network encryption-as-a-service, or generate AWS
> > > > > IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH
> > > > > credentials, and more."
> > > > >
> > > > > In our case we are going to use Vault as PKI backend engine, to act as
> > > > > Root CA, sign certificates, handle CRL (Certificate Revocation List),
> > > > > etc. Technically we can do these with Let's Encrypt, but I haven't
> > > > > started exploring the possibilities or potential limitations. Using
> > > > > external services (such as Let's Encrypt) or going forward with a Bring
> > > > > Your Own Certificate model would be for the future, if they ever made
> > > > > sense to do.
> > > > >
> > > > > On Wed, Apr 4, 2018 at 11:20 AM, Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:
> > > > >
> > > > > > Got it. Thanks for the explanations.
> > > > > > There is one other thing I do not understand. This Vault thing that
> > > > > > you mention, how does it work? Is it similar to let's encrypt?
> > > > > >
> > > > > > On Wed, Apr 4, 2018 at 12:15 PM, Khosrow Moossavi <kmoossavi@cloudops.com> wrote:
> > > > > >
> > > > > > > On Wed, Apr 4, 2018 at 10:36 AM, Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:
> > > > > > >
> > > > > > > > So, you need a certificate that is signed by the CA that is used
> > > > > > > > by the VPN service. Is that it?
> > > > > > >
> > > > > > > Correct, a self-signed "server certificate" against CA, to be
> > > > > > > installed directly on VR.
> > > > > > >
> > > > > > > > It has been a while that I do not configure these VPN systems;
> > > > > > > > do you need access to the private key of the CA? Or, does the
> > > > > > > > program simply validate the user (VPN client) certificate to see
> > > > > > > > if it is issued by a specific CA? I believe it also needs the
> > > > > > > > public key of the user to execute the handshake and create the
> > > > > > > > connection.
> > > > > > >
> > > > > > > No, end user only needs to have Root CA at hand, to *trust* it.
> > > > > > > Both the "Server Certificate" and "Server Private Key" are
> > > > > > > sensitive information and only exist on VR.
> > > > > > >
> > > > > > > User then can go ahead and install the Root CA on their local
> > > > > > > machine and open up VPN connection with the strongSwan client of
> > > > > > > the corresponding OS they're on, import the Root CA and their
> > > > > > > credential (EAP on VPN side), and that's it.
> > > > > > >
> > > > > > > > On Wed, Apr 4, 2018 at 11:22 AM, Khosrow Moossavi <kmoossavi@cloudops.com> wrote:
> > > > > > > >
> > > > > > > > > Rafael,
> > > > > > > > >
> > > > > > > > > We cannot use SshKeyPair functionality because the proposed
> > > > > > > > > VPN implementation does need a signed certificate and not an
> > > > > > > > > ssh key pair. The process is as follows:
> > > > > > > > >
> > > > > > > > > 1) generate root CA (if it doesn't exist)
> > > > > > > > > 2) generate bunch of intermediate steps (config urls, CRLs,
> > > > > > > > > role name, ...) [I'm not going in detail now, here, for simplicity]
> > > > > > > > > 3) self-sign a certificate against the root CA (regenerated
> > > > > > > > > every time the start VPN command is executed)
> > > > > > > > >
> > > > > > > > > This will produce:
> > > > > > > > >
> > > > > > > > > 1) Root CA cert (one per domain in cloudstack)
> > > > > > > > > 2) Server cert (one per VR)
> > > > > > > > > 3) Server private key (one per VR)
> > > > > > > > >
> > > > > > > > > Then all the above will be pushed to the said VR we want to
> > > > > > > > > start VPN on, and start ipsec service on it (with extra
> > > > > > > > > configuration - which will be available in codebase) and
> > > > > > > > > finally present Root CA for user to download and install on
> > > > > > > > > their local machine to be able to "trust" VR they are VPNing to.
> > > > > > > > >
> > > > > > > > > On Wed, Apr 4, 2018 at 6:19 AM, Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Khosrow thanks for the interesting feature. You mention two
> > > > > > > > > > possible methods to manage certificates; one using the CA
> > > > > > > > > > framework, and other using third party such as Vault and
> > > > > > > > > > Let's Encrypt.
> > > > > > > > > >
> > > > > > > > > > Have you considered using the sshKeyPair API methods (is it
> > > > > > > > > > part of the CA framework?)? I mean, users already can
> > > > > > > > > > generate key pairs via ACS, and then they are presented with
> > > > > > > > > > the private key. You could simply list these certificates
> > > > > > > > > > for the user when they want to configure a new certificate
> > > > > > > > > > for a VPN or generate one in runtime using this feature.
> > > > > > > > > > Reading your feature proposal I did not understand how you
> > > > > > > > > > are binding certificates with a VPN (are you always
> > > > > > > > > > generating new ones and simply returning the private key to
> > > > > > > > > > users?).
> > > > > > > > > >
> > > > > > > > > > Moreover, as the sshKeyPair methods, I do believe you should
> > > > > > > > > > only return the private key once. Therefore, you should not
> > > > > > > > > > store it in ACS.
> > > > > > > > > >
> > > > > > > > > > On Mon, Apr 2, 2018 at 4:36 PM, Khosrow Moossavi <kmoossavi@cloudops.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Community
> > > > > > > > > > >
> > > > > > > > > > > I want to open up a discussion around the new Remote
> > > > > > > > > > > Access VPN implementation on VRs. Currently we have only
> > > > > > > > > > > L2TP implementation, which lacks different features (such
> > > > > > > > > > > as verbose logging), so we decided to start developing new
> > > > > > > > > > > implementation based on IKEv2 (on top of the existing
> > > > > > > > > > > strongSwan).
> > > > > > > > > > >
> > > > > > > > > > > We have this feature working locally for over a week now,
> > > > > > > > > > > and it seems to be ready for opening up a PR on official
> > > > > > > > > > > repo. But before doing so we agreed to open up a
> > > > > > > > > > > discussion here first.
> > > > > > > > > > >
> > > > > > > > > > > In the current implementation we use EAP + Public Key for
> > > > > > > > > > > authentication, so we need to have a PKI Engine somewhere.
> > > > > > > > > > > Rather than start re-inventing the wheel (and start
> > > > > > > > > > > extending the current CA Framework which was done by
> > > > > > > > > > > Rohit) we decided to delegate this functionality to
> > > > > > > > > > > HashiCorp Vault, which will act as a PKI backend engine
> > > > > > > > > > > for Cloudstack.
> > > > > > > > > > >
> > > > > > > > > > > The way I implemented this specific part of the code is
> > > > > > > > > > > that it can easily be extended/implemented with other
> > > > > > > > > > > concrete classes or designs (such as going forward with
> > > > > > > > > > > in-house PKI engine, or even use external services such
> > > > > > > > > > > as Let's Encrypt), but at the end of the day we strongly
> > > > > > > > > > > suggest to use Vault, as it is really easy to use.
> > > > > > > > > > >
> > > > > > > > > > > Please find the design document here[1], and share your
> > > > > > > > > > > feedback. I will open up a PR -as is- soon to be able to
> > > > > > > > > > > have a source code to discuss around it as well.
> > > > > > > > > > >
> > > > > > > > > > > [1]: https://cwiki.apache.org/confluence/display/CLOUDSTACK/VPN+Implementation+based+on+IKEv2+backed+by+Vault+as+PKI+Engine
> > > > > > > > > > >
> > > > > > > > > > > Thanks
> > > > > > > > > > >
> > > > > > > > > > > Khosrow Moossavi
> > > > > > > > > > >
> > > > > > > > > > > Cloud Infrastructure Developer
> > > > > > > > > > >
> > > > > > > > > > > t 514.447.3456
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Rafael Weingärtner
> > > > > > > >
> > > > > > > > --
> > > > > > > > Rafael Weingärtner
> > > > > >
> > > > > > --
> > > > > > Rafael Weingärtner
> > > >
> > > > --
> > > > Rafael Weingärtner
>
> --
> Rafael Weingärtner

rohit.yadav@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HSUK
@shapeblue