VPNaaS in Neutron: A Technical Overview of Neutron's VPN-as-a-Service Capabilities
•
36 likes•9,304 views
- VPNaaS in Neutron aims to provide virtual private network services to OpenStack tenants through the Neutron API and plugins. - Initial work focused on IPsec VPN support, including defining a resource model and APIs for VPN services, connections, policies and more. - Future work will explore supporting BGP/MPLS VPNs, which provide inter-AS connectivity and require integration with external MPLS domains and protocols like BGP. - Two potential architectures are proposed for BGP/MPLS VPN support: one relying on configuring provider edge routers from Neutron, and another using an L3 agent and separate controller/forwarder.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to VPNaaS in Neutron: A Technical Overview of Neutron's VPN-as-a-Service Capabilities
Similar to VPNaaS in Neutron: A Technical Overview of Neutron's VPN-as-a-Service Capabilities (20)
Recently uploaded
Recently uploaded (20)
VPNaaS in Neutron: A Technical Overview of Neutron's VPN-as-a-Service Capabilities
- 1. VPNaaS in Neutron Kazunori Takeuchi
- 2. Quantum -‐> Neutron • Based on the legal agreement with Quantum Corpora@on, the owner of the “Quantum” trademark. • “Neutron” was announced on Jun 19. 2
- 3. History of “Neutron” 3 Essex • L2 API Folsom • L3 API • More L2 plugins Grizzly • LBaaS • Scheduler • etc. Havana • FWaaS • VPNaaS • Modular L2/L3 • QoS API • etc. Ryu plugin Meta plugin Sta@c rou@ng for Router Incubated Project Core Project!!!
- 4. VPNaaS: Use Cases 4 Virtual Private Network OpenStack Tenant VM VM LB LR VM VPN Site VPN Site VPN Site VM VM LB LR VM Access from VPN Sites via VPN Remote Access VPN Types • IPsec-‐VPN • SSL-‐VPN • BGP/MPLS VPN OpenStack Tenant
- 5. Road to Havana • Havana-‐2 (2013 Jul 18) – design and implement General VPN API – use IPsec-‐VPN as reference • Havana-‐3 (2013 Sep 5) – Horizon integra@on – extend VPN types such as BGP/MPLS VPN 5
- 6. 6 VPNaaS for IPsec-‐VPN (WIP)
- 7. Peer CIDR Resource Model 7 VPNService id tenant_id vpn_type subnet_id router_id … VPNConnec?on id tenant_id peer_address peer_cidrs psk ikepolicy_id ipsecpolicy_id vpn_service_id … IKEPolicy id tenant_id transform_protocol encapsula@on_mode auth_algorithm encryp@on_algorithm … IPsecPolicy id tenant_id ike_version auth_algorithm encryp@on_algorithm … Router hfps://wiki.openstack.org/wiki/Neutron/VPNaaS Subnet Neutron Router Remote GW Peer Address
- 8. API and CLI 8 hfps://wiki.openstack.org/wiki/Neutron/VPNaaS e.g.) VPNService API and CLI REST API CLI Create a VPNService POST /v1.0/vpnservices vpn-‐service-‐create Delete a given VPNService DELETE /v1.0/vpnservices/vpnservice_id vpn-‐service-‐delete List all VPNService for a given tenant GET /v1.0/vpnservices/ vpn-‐service-‐list Show detailed informa@on GET /v1.0/vpnservices/vpnservice_id vpn-‐service-‐show Update a given VPNService UPDATE /v1.0/vpnservices/vpnservice_id vpn-‐service-‐update
- 9. Remote Site Architecture: First POC Driver 9 Neutron IPsecDriver L3 Agent CE (LR) Rou@ng Table RPC Configure Remote GW Tenant network IPsec Tunnel SPD SAD
- 10. 10 VPNaaS for BGP/MPLS VPN (Not Started)
- 11. What’s BGP/MPLS VPN? • RFC4364 – CE: Customer Edge router – PE: Provider Edge router – P: Provider router – VRF: VPN Rou@ng and Forwarding table – VPN-‐IPv4 Address Family – RD: Route Dis@nguisher – RT: Route Target 11
- 12. VPN-‐B Site-‐B2 VPN-‐B Site-‐B1 What’s BGP/MPLS VPN? 12 PE P P PE RR CE CE LDP LDP LDP MP-‐iBGP MP-‐iBGP Sta@c BGP RIP OSPF Sta@c BGP RIP OSPF IP packet VPN Label Tunnel Label VRF VRF VRF VRF VRF VRF L2 VPN-‐A Site-‐A1 CE VPN-‐A Site-‐A1 CE
- 13. VPN-‐B Site-‐B2 VPN-‐B Site-‐B1 What’s BGP/MPLS VPN? 13 PE P P PE CE CE IP packet IP packet #B #X IP packet #B #Y IP packet #B IP packet MPLS Domain (AS) VRF VRF VRF VRF VRF VRF VPN-‐A Site-‐A1 CE VPN-‐A Site-‐A1 CE
- 14. MPLS Domain Architecture: Design 1 14 Neutron BGPMPLS Driver L3 Agent CE (LR) Rou@ng Table RPC Configure PE VRF VRF VRF PE controller Configure Sta@c or dynamic rou@ng Tenant network • PE provisioning: CLI in many cases • Per-‐tenant dynamic rou@ng
- 15. VPN-‐A Site-‐A2 VPN-‐A Site-‐A1 Inter-‐AS 15 PE ASBR CE CE AS #1 P ASBR PE AS #2 P RR RR MP-‐iBGP MP-‐iBGP MP-‐eBGP VRF VRF VRF MP-‐iBGP MP-‐iBGP VRF VRF VRF IP packet #A IP packet #A #X IP packet #A #Y
- 16. MPLS Domain Architecture: Design 2 16 Neutron BGPMPLS Driver L3 Agent CE (LR) Rou@ng Table RPC Configure Tenant network • L3 Agent & LR: simple • Impact to exis@ng BGP/MPLS infra: small VPN Connec@on Controller & Forwarder IP packet #A IP packet VRF VRF VRF MP-‐eBGP ASBR
- 17. 17 Thank you!!!