Return-Path: X-Original-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id AD1F3C12E for ; Mon, 2 Jul 2012 22:06:31 +0000 (UTC) Received: (qmail 50512 invoked by uid 500); 2 Jul 2012 22:06:31 -0000 Delivered-To: apmail-incubator-cloudstack-dev-archive@incubator.apache.org Received: (qmail 50464 invoked by uid 500); 2 Jul 2012 22:06:31 -0000 Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-dev@incubator.apache.org Received: (qmail 50456 invoked by uid 99); 2 Jul 2012 22:06:31 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Jul 2012 22:06:31 +0000 X-ASF-Spam-Status: No, hits=-5.0 required=5.0 tests=RCVD_IN_DNSWL_HI,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of Chiradeep.Vittal@citrix.com designates 66.165.176.89 as permitted sender) Received: from [66.165.176.89] (HELO SMTP.CITRIX.COM) (66.165.176.89) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 02 Jul 2012 22:06:25 +0000 X-IronPort-AV: E=Sophos;i="4.77,512,1336363200"; d="scan'208";a="30196606" Received: from sjcpmailmx01.citrite.net ([10.216.14.74]) by FTLPIPO01.CITRIX.COM with ESMTP/TLS/RC4-MD5; 02 Jul 2012 18:06:04 -0400 Received: from SJCPMAILBOX01.citrite.net ([10.216.4.73]) by SJCPMAILMX01.citrite.net ([10.216.14.74]) with mapi; Mon, 2 Jul 2012 15:06:03 -0700 From: Chiradeep Vittal To: CloudStack DeveloperList Date: Mon, 2 Jul 2012 15:06:44 -0700 Subject: Re: site-to-site VPN review Thread-Topic: site-to-site VPN review Thread-Index: Ac1Ynt8HUaeK0HduQbKIDwY559lNqQ== Message-ID: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.13.0.110805 acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 On 7/2/12 2:33 PM, "Sheng Yang" wrote: >On Monday, July 02, 2012 12:48:33 PM Chiradeep Vittal wrote: >> I took another look at the FS >>=20 >>http://wiki.cloudstack.org/display/DesignDocs/Site-to-site+VPN+functional >>+sp >> ec And the test suite >> http://wiki.cloudstack.org/display/QA/Site-to-Site+VPN >> >> >> 1. It isn't clear if we are going to use pre-shared keys (PSK) or >> public-key (RSA keys) * If PSK, who generates this and what is the >> strength of this key? * Can this PSK be changed / revoked ? > >We're using PSK. Currently user generate the psk key and program it on the >both side of VPN. Update the spec. The Remote Access Vpn service generates the PSK on the user's behalf. This makes it easier for the cloud admin to enforce key strength. This is also the way AWS VPC works. > >> 2. Why is this restricted to admin only? > >Currently only admin can create/delete private gateway and vpn gateway of >VPC. >Though Alena just update me that he/she can do it on behavior of other >account. > >> 3. Does this require "conserve mode =3D true" ? > >Currently we only support VPC, so it's no conserve mode here. > >I think even in the future when we support isolated guest network, this >wouldn't be an restriction. > >> 4. Is NAT traversal supported? > >Yes. I enabled it in openswan configuration. > >> 5. FS and test suite in my mind should cover FCAPS (faults, >>configuration, >> administration, performance, security) * How do you deal with faults? > >DPD would try to keep it recover and connected. > >> What happens when the VR is restarted? > >Currently we didn't restart VPN connection automatically. I would fix >that. > >> What happens if VR gets disconnected from the remote end? > >DPD would try to recover it. I've set a 3 time retry for initial >connection, >but not sure about how many time it would retry in the disconnection after >that. > >> * The API parameters and responses need to be more >> completely documented. > >Sure. > >> * If a user complains that his s-2-s VPN is not >> working / used to work but does not now, how can customer support >>diagnose >> this problem? > >Log is in the /var/log/auth.log and /var/log/daemon.log. I didn't pull it >out >to separate files because openswan separate log output lacks of timestamp. Can we think of a better way? Are these logs being rotated / archived? I think the former is, not sure about the latter. > >> * How well does this perform: what is the target throughput >> and what is the size (RAM/CPU) needed to achieve this performance? > >Not tested yet. > >> * Is there a need for a later kernel on the VR for AES support? > >No. AES can be done by software as well. What I mean is: take advantage of acceleration offered by Intel chips that implement the AES-NI instruction. It is my understanding that the current bits of the VR are unable to do this. > >> * How secure >> is this implementation? Can the PSK be guessed? Are the latest security >> patches for OpenSwan available in the VR? > >The level of security is the same as normal site to site implementation. >So it >depends on PSK to be generated. Since we didn't generated it, user >controls >it. > >For the security upgrade, it would be a common issue rather than vpn >specified. >We lack of up-to-date security upgrade mechanism. I suppose it's should >in the >plan. My point is that when the feature is released, there shouldn't be any known security issues with the software and it should be patched to the latest level. Of course, future security issues is a different question. > >--Sheng