Spec for introducing Brocade Vyatta VPN solution using new vendor-specific service and device drivers for Neutron
Implements: blueprint brocade-vyatta-vpnaas-plugin
Change-Id: I8a30cacaeb6c906d6deca8b49f38d224e4746e25
Brocade Vyatta VPN service and device driver for Neutron
https://blueprints.launchpad.net/neutron/+spec/brocade-vyatta-vpnaas-plugin
Introduce the Brocade Vyatta VPN service and device driver to provide VPNaaS solution using Vyatta vRouter VM running as a Neutron router.
Problem Description
Brocade Vyatta vRouter is a multi-service product that provides L3 and L4 services such as routing, NAT, firewall and VPN. While basic Neutron router L3 functions are available through the Brocade Vyatta L3 plugin [1], the vRouter's IPsec site-to-site VPN functionality is currently not configurable through the existing Neutron VPN APIs.
Once available, cloud service providers would be able to create site-to-site IPsec VPNs that connect tenant networks to remote data-centre networks using the Vyatta vRouter.
Proposed Change
This blueprint proposes new vendor-specific service and device drivers for the Neutron VPN plugin and agent:

    +----------------------+                  +----------------------+
    |                      |                  |   Neutron L3 Agent   |
    |                      |                  |                      |
    |                      |                  |                      |
    | +------------------+ |                  | +------------------+ |
    | |       VPN        | |                  | |    VPN Agent     | |
    | |  Service Plugin  | |                  | +------------------+ |
    | +------------------+ |                  | |   Vyatta VPN     | |
    | |   Vyatta VPN     | |       RPC        | |  Device Driver   | |
    | |  Service Driver  | + <--------------> | |                  | |
    +-+------------------+-+                  +-+--------+---------+-+
                                                         |
                                                         |
                                                         | REST API
                                                         |
                                                +--------v---------+
                                                |                  |
                                                |                  |
                                                |  Vyatta vRouter  |
                                                |                  |
                                                |                  |
                                                |                  |
                                                |                  |
                                                +------------------+
The Vyatta VPN service driver will inherit from the reference IPsec service driver, except that it will use a unique topic for RPCs to and from the Vyatta VPN device driver. This keeps it in line with the service-type framework already partially in place, and with the expectation that, if the Neutron flavor framework [4] materializes, the functionality proposed in this BP will work as-is.
The Vyatta VPN device driver will perform the following functions:
1. Handle the RPC message from the VPN service plugin that indicates a CRUD operation on a site-to-site VPN connection.
2. Get the list of VPN services from the service plugin using an RPC call.
3. Prepare the lists of new, deleted and updated VPN connections by comparing that list against the local service-cache entries.
4. Put the above lists into effect through the vRouter's REST API.
5. Update the local service cache to reflect the new state.
6. Report the status of the VPN connections back to the VPN service plugin.
All these functions are similar to the existing reference VPN device driver implementation.
Additionally, during L3 agent start-up the device driver will read the vRouter's VPN configuration through its REST API to rebuild the local service cache. Once rebuilt, steps 2 through 6 are repeated. This brings the vRouter's VPN configuration back in sync with any changes made in the plugin DB while the L3 agent was down.
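The reconciliation that steps 2 through 6 describe, and the start-up rebuild that follows them, as an added example written for this spec (not code from Neutron or from the Brocade drivers). Field names such as id, router_id, ipsec_site_connections, peer_address and psk follow the Neutron VPNaaS API; the FakeVRouter class is a constructed stand-in for the REST client, and the sample connections are constructed too. The start-up scenario covers the failure mode the spec is concerned with: connections deleted, changed or created in the plugin DB while the agent was down.

```python
"""Reconciling the VPN service plugin's view with a device-driver cache.

Added example for this spec, not code from Neutron or the Brocade drivers.
Field names follow the Neutron VPNaaS API; FakeVRouter stands in for the
vRouter REST client and is a constructed assumption.
"""

# Connection attributes whose change must be re-pushed to the vRouter.
SYNC_FIELDS = ("peer_address", "peer_id", "peer_cidrs", "psk", "mtu",
               "initiator", "admin_state_up", "ikepolicy", "ipsecpolicy")


def desired_connections(vpnservices):
    """Flatten the plugin's vpnservice list into {connection_id: connection}."""
    desired = {}
    for svc in vpnservices:
        for conn in svc.get("ipsec_site_connections", []):
            desired[conn["id"]] = dict(conn, router_id=svc["router_id"])
    return desired


def reconcile(vpnservices, cache):
    """Return (new, updated, deleted) lists by diffing the plugin's view against
    the local cache (step 3). The cache holds PSKs: never log it verbatim."""
    desired = desired_connections(vpnservices)
    new = [c for cid, c in desired.items() if cid not in cache]
    deleted = [c for cid, c in cache.items() if cid not in desired]
    updated = [c for cid, c in desired.items()
               if cid in cache and any(c.get(f) != cache[cid].get(f)
                                       for f in SYNC_FIELDS)]
    return new, updated, deleted


def apply_changes(vpnservices, cache, device):
    """Push the diff to the device, refresh the cache and build the status
    report for the service plugin (steps 4 to 6). Deletes go first."""
    new, updated, deleted = reconcile(vpnservices, cache)
    for conn in deleted:
        device.delete_connection(conn["router_id"], conn["id"])
        del cache[conn["id"]]
    for conn in new:
        device.create_connection(conn["router_id"], conn)
        cache[conn["id"]] = dict(conn)
    for conn in updated:
        device.update_connection(conn["router_id"], conn)
        cache[conn["id"]] = dict(conn)
    return {cid: "ACTIVE" if device.tunnel_up(cid) else "DOWN" for cid in cache}


def rebuild_cache_from_device(device):
    """Agent start-up: seed the cache from what the vRouter already has, so the
    next apply_changes() removes or corrects tunnels that went stale."""
    return {c["id"]: dict(c) for c in device.list_connections()}


class FakeVRouter:
    """Constructed in-memory stand-in for the REST client; records every call."""
    def __init__(self, existing=()):
        self.connections = {c["id"]: dict(c) for c in existing}
        self.calls = []

    def list_connections(self):
        return list(self.connections.values())

    def create_connection(self, router_id, conn):
        self.calls.append(("create", router_id, conn["id"]))
        self.connections[conn["id"]] = dict(conn)

    def update_connection(self, router_id, conn):
        self.calls.append(("update", router_id, conn["id"]))
        self.connections[conn["id"]] = dict(conn)

    def delete_connection(self, router_id, conn_id):
        self.calls.append(("delete", router_id, conn_id))
        self.connections.pop(conn_id, None)

    def tunnel_up(self, conn_id):
        # Constructed rule: the tunnel counts as up when the connection is admin-up.
        return self.connections[conn_id]["admin_state_up"]


def _conn(cid, peer, psk="s3cret", admin=True):
    """Constructed sample ipsec_site_connection on router-1."""
    return {"id": cid, "router_id": "router-1", "peer_address": peer,
            "peer_id": peer, "peer_cidrs": ["10.2.0.0/24"], "psk": psk,
            "mtu": 1500, "initiator": "bi-directional", "admin_state_up": admin,
            "ikepolicy": {"id": "ike-1"}, "ipsecpolicy": {"id": "ipsec-1"}}


def startup_sync_demo():
    """While the agent was down: conn-b was deleted, conn-a's PSK was rotated
    and conn-c was created admin-down. Returns (device calls, status report)."""
    device = FakeVRouter(existing=[_conn("conn-a", "203.0.113.10", psk="old"),
                                   _conn("conn-b", "203.0.113.11")])
    cache = rebuild_cache_from_device(device)
    plugin_view = [{"id": "svc-1", "router_id": "router-1",
                    "ipsec_site_connections": [
                        _conn("conn-a", "203.0.113.10", psk="new"),
                        _conn("conn-c", "203.0.113.12", admin=False)]}]
    status = apply_changes(plugin_view, cache, device)
    return device.calls, status
```

Running startup_sync_demo() yields one delete (conn-b), one create (conn-c) and one update (conn-a), followed by a status map in which conn-a is ACTIVE and conn-c is DOWN; the same reconcile() is what the driver would run on every RPC notification, with the cache seeded from the device only at start-up.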
Note: we are aware of the L3 agent refactoring proposed for Kilo [3]. Since the device driver interface is planned to stay as-is, the changes proposed in this blueprint should integrate with the refactoring with minimal impact.
This effort is part of a wider set of blueprints to offer Neutron L3 and L4 services using the Vyatta vRouter VM:
- [1] introduces neutron router functionality using the Vyatta vRouter
- [2] introduces firewall service using the Vyatta vRouter.
Data Model Impact
None.
REST API Impact
None.
Security Impact
The device driver will use a common REST API client library that authenticates to the Vyatta vRouter with HTTP basic authentication. Basic authentication presents the credential on every request, so the vRouter's REST endpoint has to be reached over TLS with the server certificate verified, and the credentials configured for the driver need the same protection as any other service password (and must not appear in agent logs).
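The check a deployer wants around basic auth, as an added example written for this spec and not the Brocade client library: the client refuses a non-https endpoint before any credential can leave the host, uses a verified TLS context, and keeps the Authorization value out of its repr. The management URL, the REST paths and the JSON body format are assumptions; the credentials in the test are constructed.

```python
"""Basic-auth REST client shape with TLS enforced.

Added example for this spec, not the Brocade client library: the vRouter
REST paths, the JSON body format and the endpoint are assumptions.
"""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


class VRouterRestClient:
    """Builds basic-auth requests for a (hypothetical) vRouter management API."""

    def __init__(self, base_url, username, password, ca_file=None):
        # Refuse plain HTTP up front: with basic auth the credential would
        # otherwise travel base64-encoded, i.e. in clear, on every request.
        if urlsplit(base_url).scheme != "https":
            raise ValueError("vRouter REST endpoint must be https, got %r"
                             % base_url)
        self.base_url = base_url.rstrip("/")
        self._auth = "Basic " + base64.b64encode(
            ("%s:%s" % (username, password)).encode()).decode()
        # create_default_context() enables hostname checking and
        # CERT_REQUIRED; cafile pins a private CA when one is supplied.
        self.ssl_context = ssl.create_default_context(cafile=ca_file)

    def __repr__(self):
        # Keep the Authorization value out of logs and tracebacks.
        return "<VRouterRestClient %s auth=***>" % self.base_url

    def build_request(self, method, path, body=None):
        """Return a urllib Request carrying the basic-auth header and an
        optional JSON body; sending is kept separate so it can be inspected."""
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method)
        req.add_header("Authorization", self._auth)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def send(self, method, path, body=None, timeout=30):
        """Send over the verified TLS context and decode the JSON reply."""
        req = self.build_request(method, path, body)
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=self.ssl_context) as resp:
            return json.loads(resp.read().decode() or "null")


def plain_http_is_rejected():
    """Constructed check: a plain-http endpoint must fail before any request."""
    try:
        VRouterRestClient("http://192.0.2.10", "vyatta", "s3cret")
    except ValueError:
        return True
    return False
```

build_request() is what a unit test in the driver can assert on without a vRouter; send() is the only place that touches the network, and it always goes through the verified context.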
Notifications Impact
None.
Other End User Impact
When a tenant creates a VPN through the Neutron API it will be realised on the carrier-grade Vyatta vRouter.
Performance Impact
None.
IPv6 Impact
Expected to work with IPv6
Other Deployer Impact
Operators should first configure the Brocade Vyatta L3 plugin as described in [1]. They can then configure the new VPN service and device drivers to offer Vyatta VPN through the Neutron APIs as follows:
- Edit /etc/neutron/neutron.conf and specify the Vyatta VPN service driver as the default service provider for VPN.
>> [service_providers]
>> service_provider=VPN:brocade:neutron.services.vpn.service_drivers.vyatta_ipsec.BrocadeVyattaIPsecVPNDriver:default
- Edit /etc/neutron/vpn_agent.ini and specify the Vyatta VPN device driver.
>> [vpnagent]
>> vpn_device_driver=neutron.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
Developer Impact
None.
Community Impact
Validating the Neutron VPN APIs against multiple vendors, including this one from Brocade, will help move these APIs out of their current experimental state.
Alternatives
None.
Implementation
Assignee(s)
- Primary assignee: srics-r
- Other contributors: None
Work Items
- Add new vyatta service driver for VPN service plugin (currently planned for neutron/services/vpn/service_drivers/vyatta_ipsec.py)
- Add new vyatta device driver for VPN agent (currently planned for neutron/services/vpn/device_drivers/vyatta_ipsec.py)
- Add unit tests required to test the new code
- Add tempest tests for new scenarios
Dependencies
- Brocade Vyatta L3 Plugin [1]
Testing
Tempest Tests
- 3rd party testing will be provided (Brocade Vyatta CI)
- Brocade Vyatta CI will report on all changes affecting this plugin
- Testing is done using devstack and Vyatta vRouter
Functional Tests
None
API Tests
No new API tests are planned as no APIs are changed as part of this blueprint.
Documentation Impact
None.
User Documentation
Brocade specific documentation will be updated on the availability of this functionality in Neutron and the vpn_device_driver configuration required to enable it.
Developer Documentation
None.