Brocade Vyatta VPN service and device drivers
Spec for introducing Brocade Vyatta VPN solution using new vendor specific service and device drivers for Neutron Implements: blueprint brocade-vyatta-vpnaas-plugin Change-Id: I8a30cacaeb6c906d6deca8b49f38d224e4746e25
This commit is contained in:
parent
eea45b5493
commit
59e8b09278
257
specs/kilo/brocade-vyatta-vpnaas-plugin.rst
Normal file
257
specs/kilo/brocade-vyatta-vpnaas-plugin.rst
Normal file
@ -0,0 +1,257 @@
|
||||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
========================================================
|
||||
Brocade Vyatta VPN service and device driver for Neutron
|
||||
========================================================
|
||||
|
||||
https://blueprints.launchpad.net/neutron/+spec/brocade-vyatta-vpnaas-plugin
|
||||
|
||||
Introduce the Brocade Vyatta VPN service and device driver to provide VPNaaS
|
||||
solution using Vyatta vRouter VM running as a Neutron router.
|
||||
|
||||
|
||||
Problem Description
|
||||
===================
|
||||
|
||||
Brocade Vyatta vRouter is a multi-service product that provides various L3 and
|
||||
L4 services like Routing, NAT, Firewall, VPN, etc. While basic neutron router L3
|
||||
functions are available using the Brocade Vyatta L3 plugin [1] vRouter's IPSec
|
||||
site-to-site VPN functionality is currently not configurable through existing
|
||||
Neutron VPN APIs.
|
||||
|
||||
When available Cloud Service providers would be able to create site-to-site
|
||||
IPSec VPN to connect tenant networks to remote DC networks using Vyatta vRouter.
|
||||
|
||||
|
||||
Proposed Change
|
||||
===============
|
||||
|
||||
This blueprint proposes a new vendor service and device drivers for the
|
||||
Neutron VPN plugin and agent.
|
||||
|
||||
::
|
||||
|
||||
|
||||
+----------------------+ +----------------------+
|
||||
| | | Neutron L3 Agent |
|
||||
| | | |
|
||||
| | | |
|
||||
| +------------------+ | | +------------------+ |
|
||||
| | VPN | | | | VPN Agent | |
|
||||
| | Service Plugin | | | +------------------+ |
|
||||
| +------------------+ | | | Vyatta VPN | |
|
||||
| | Vyatta VPN | | RPC | | Device Driver | |
|
||||
| | Service Driver | + <--------------> | | | |
|
||||
+-+------------------+-+ +-+--------+---------+-+
|
||||
|
|
||||
|
|
||||
| REST API
|
||||
|
|
||||
+--------v---------+
|
||||
| |
|
||||
| |
|
||||
| Vyatta vRouter |
|
||||
| |
|
||||
| |
|
||||
| |
|
||||
| |
|
||||
+------------------+
|
||||
|
||||
|
||||
|
||||
|
||||
Vyatta VPN service driver will inherit from the reference ipsec service driver
|
||||
except it will use a unique topic for RPCs to and from the Vyatta VPN device
|
||||
driver. This is done to be inline with existing service-type framework already
|
||||
partially in place and the expectation that if neutron flavor framework [4]
|
||||
materializes the functionality proposed in this BP will work as-is.
|
||||
|
||||
Vyatta VPN device driver will perform the following functions:
|
||||
|
||||
1. Handles the RPC message from vpn service-plugin that indicates a CRUD
|
||||
operation for site-to-site vpn connection
|
||||
2. Gets the list of VPN services from the service-plugin using a RPC call
|
||||
3. Prepares the list of new, deleted and updated vpn connection based on the
|
||||
local service-cache entries
|
||||
4. Processes the above lists into effect using vRouter's REST API interface
|
||||
5. Updates the local service-cache to reflect the new changes
|
||||
6. Reports the status of the vpn connections back to the vpn service-plugin
|
||||
|
||||
All these functions are similar to the existing reference vpn device driver
|
||||
implementation.
|
||||
|
||||
Additionally during L3 Agent startup the device driver will read vRouter VPN
|
||||
configuration using its REST API to rebuild the local service-cache. Once
|
||||
rebuilt the steps 2 through 6 are repeated. This helps to bring the vRouter
|
||||
VPN configuration to be in sync with the changes (if any) in the plugin DB
|
||||
while the L3 agent was down.
|
||||
|
||||
Note, we are aware of the current L3 agent refactoring proposed for Kilo [3].
|
||||
Given the device driver interface is planned to be kept as-is the changes
|
||||
proposed in this blueprint will integrate with minimal impact vis-a-vis the
|
||||
refactoring.
|
||||
|
||||
This effort is part of a wider set of blueprints to offer Neutron L3 and L4
|
||||
services using the Vyatta vRouter VM:
|
||||
|
||||
* [1] introduces neutron router functionality using the Vyatta vRouter
|
||||
* [2] introduces firewall service using the Vyatta vRouter.
|
||||
|
||||
|
||||
Data Model Impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
REST API Impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
Security Impact
|
||||
---------------
|
||||
|
||||
The device driver will use a common RESTapi client library that uses basic-auth
|
||||
authentication to connect to Vyatta vRouter.
|
||||
|
||||
|
||||
Notifications Impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Other End User Impact
|
||||
---------------------
|
||||
|
||||
When tenants creates VPN using the Neutron API it will be created on the
|
||||
carrier-grade Vyatta vRouter.
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
IPv6 Impact
|
||||
-----------
|
||||
|
||||
Expected to work with IPv6
|
||||
|
||||
|
||||
Other Deployer Impact
|
||||
---------------------
|
||||
|
||||
Operators should first configure the Brocade Vyatta L3 plugin as described in
|
||||
[1]. Then they can configure the new vpn service and device drivers to offer
|
||||
Vyatta VPN using Neutron APIs as follows:
|
||||
|
||||
* Edit /etc/neutron/neutron.conf and specify Vyatta VPN service driver as the default service provider for VPN.
|
||||
|
||||
::
|
||||
|
||||
>> [service_providers]
|
||||
>> service_provider=VPN:brocade:neutron.services.vpn.service_drivers.vyatta_ipsec.BrocadeVyattaIPsecVPNDriver:default
|
||||
|
||||
|
||||
* Edit /etc/neutron/vpn_agent.ini and specify Vyatta VPN device driver.
|
||||
|
||||
::
|
||||
|
||||
>> [vpnagent]
|
||||
>> vpn_device_driver=neutron.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
|
||||
|
||||
|
||||
Developer Impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
Community Impact
|
||||
----------------
|
||||
|
||||
Validating Neutron VPN APIs with multiple vendor, including this one from
|
||||
Brocade, will help to move out of current experimental state for these APIs.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
srics-r
|
||||
|
||||
Other contributors:
|
||||
None
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
* Add new vyatta service driver for VPN service plugin
|
||||
(currently planned for neutron/services/vpn/service_drivers/vyatta_ipsec.py)
|
||||
* Add new vyatta device driver for VPN agent
|
||||
(currently planned for neutron/services/vpn/device_drivers/vyatta_ipsec.py)
|
||||
* Add unit tests required to test the new code
|
||||
* Add tempest tests for new scenarios
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Brocade Vyatta L3 Plugin [1]
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Tempest Tests
|
||||
-------------
|
||||
|
||||
- 3rd party testing will be provided (Brocade Vyatta CI)
|
||||
- Brocade Vyatta CI will report on all changes affecting this plugin
|
||||
- Testing is done using devstack and Vyatta vRouter
|
||||
|
||||
Functional Tests
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
API Tests
|
||||
---------
|
||||
|
||||
No new API tests are planned as no APIs are changed as part of this blueprint.
|
||||
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
None.
|
||||
|
||||
User Documentation
|
||||
------------------
|
||||
|
||||
Brocade specific documentation will be updated on the availability of this
|
||||
functionality in Neutron and the vpn_device_driver configuration required to
|
||||
enable it.
|
||||
|
||||
Developer Documentation
|
||||
-----------------------
|
||||
|
||||
None.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
* [1] https://blueprints.launchpad.net/neutron/+spec/l3-plugin-brocade-vyatta-vrouter
|
||||
* [2] https://blueprints.launchpad.net/neutron/+spec/firewall-plugin-for-brocade-vyatta-vrouter
|
||||
* [3] https://blueprints.launchpad.net/neutron/+spec/restructure-l3-agent
|
||||
* [4] https://review.openstack.org/#/c/102723
|
Loading…
Reference in New Issue
Block a user