Cisco VPNaaS with in-band Cisco CSR router

Blueprint spec for enhancing the Cisco VPNaaS driver to use the Cisco CSR router service VM as being introduced by the cisco-routing-service-vm. Includes update to remove dependency on other blueprints. Change-Id: I9cf7fc30dc4fbc0c1ac73bbd85b6d4983a8b0ee8 Implements: blueprint cisco-vpnaas-with-cisco-csr-router
2014-07-03 16:09:17 -04:00
parent fc0a789d25
commit ae5c33468b
1 changed files with 178 additions and 0 deletions
--- a/specs/juno/cisco-vpnaas-with-cisco-csr-router.rst
+++ b/specs/juno/cisco-vpnaas-with-cisco-csr-router.rst
@@ -0,0 +1,178 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ==========================================
 Cisco VPNaaS with in-band Cisco CSR router
 ==========================================
 Include the URL of your launchpad blueprint:
 https://blueprints.launchpad.net/neutron/+spec/cisco-vpnaas-with-cisco-csr-router
 Enhance the Cisco IPSec site-to-site VPNaaS solution, by integrating it with
 a Cisco Cloud Services Router (CSR) running as a Neutron router.
 Problem description
 ===================
 In the current Proof of Concept Cisco VPNaaS, a Cisco CSR VM runs
 out-of-band from OpenStack, and parallel to a reference Neutron router.
 The Cisco CSR is started manually, and independently of OpenStack. the router
 is statically provisioned and information on the Cisco CSR is stored in an
 .ini file for use by the Cisco VPNaaS driver.
 When a VPN IPSec site-to-site connection is established, the VPNaaS drivers
 use the .ini information to communicate with the Cisco CSR and configure
 the VPN IPSec site-to-site connection. A packet redirect is configured on the
 Neutron router, to send all packets for the remote end, to the Cisco CSR.
 The issues with this are:
 * Cisco CSR is manually started and provisioned for use.
 * Static configuration of all Cisco CSRs is established before Neutron startup.
 * We are effectively using two routers to provide VPNaaS capability.
 Proposed change
 ===============
 A separate blueprint, cisco-routing-service-vm [2], will be providing a Cisco CSR
 VM as a Neutron router, dynamically creating and provisioning the Cisco CSR
 when a router specifying this type is created.
 This blueprint proposes to update the Cisco VPNaaS driver to work with this
 "in-band" Cisco CSR. The VPNaaS driver will obtain information (user, password,
 mgmt IP, etc.) on the Cisco CSR dynamically, instead of statically from a config
 file, as done currently, so that VPN IPSec connections can then be provisioned.
 Combined, these two blueprints will allow automatic creation and provisioning
 of Cisco CSRs, dynamic provisioning of VPNaaS connections, and eliminate the
 need for a second router and packet redirection.
 Specifically, in the context of VPNaaS, the user can create a CSR1kV VM based
 Neutron router, and then create a VPN service with IPsec site-to-site connections,
 which will use that router.
 To mitigate the risk of the dependency on the Cisco Routing Service VM
 blueprint [2], the VPN implementation can be phased. In the first phase, the
 code would attempt to obtain information on the CSR from the L3 plugin, but
 if not available, could read the config from an INI file (as done currently
 in the device driver).
 The user could setup a CSR out-of-band manually (as done today), udpate the
 INI file, and then proceed to create the VPN service and connections.
 When the cisco-routing-service-vm [2] is upstreamed, the VPN code that does
 the fallback INI file reading could be removed.
 Alternatives
 ------------
 With the current out-of-band Cisco CSR, the VPNaaS driver could re-read the
 .ini file whenever it changes to obtain updated router information. That
 allows dynamically creating VPNaaS connections, but still requires manual
 start-up and provisioning of the CSR (and use of dual routers).
 Data model impact
 -----------------
 None.
 REST API impact
 ---------------
 None.
 Security impact
 ---------------
 None.
 Notifications impact
 --------------------
 None.
 Other end user impact
 ---------------------
 Eliminates the need for operator to manually start and provision the Cisco CSR
 and create the .ini file.
 Performance Impact
 ------------------
 No effect to the VPNaaS performance.
 Other deployer impact
 ---------------------
 Deployment becomes much easier.
 Developer impact
 ----------------
 None.
 Implementation
 ==============
 Assignee(s)
 -----------
 Primary assignee:
  pmichali
 Work Items
 ----------
 * Removal of device driver code that reads the .ini file with Cisco CSR info.
 * Modification of service driver to obtain Cisco CSR info and pass to device
  driver.
 * Modification of the device driver to use the passed information, instead of
  .ini file info.
 * Update unit tests to reflect changes made.
 Dependencies
 ============
 Requires the cisco-routing-service-vm blueprint implementation, which provides
 the Cisco CSR as a Neutron router and manages the life-cycle of the router.
 Testing
 =======
 Unit tests will be updated accordingly. The cisco-routing-service-vm BP will
 have Tempest tests. Currently, there are no Tempest fucntional tests for
 VPNaaS, but as they become available, third-party tests will be created for
 the Cisco CSR implementation.
 Documentation Impact
 ====================
 None.
 References
 ==========
 * [1] Out-of-band VPN setup: http://docwiki.cisco.com/wiki/Install_and_Setup_of_Cisco_Cloud_Services_Router_(CSR)_for_OpenStack_VPN
 * [2] https://blueprints.launchpad.net/neutron/+spec/cisco-routing-service-vm
 * [3] https://blueprints.launchpad.net/neutron/+spec/ipsec-vpn-reference