This is interesting. How is key distribution handled when I want to use OE with someone like Google.com for example?
On Thu, Apr 17, 2014 at 12:07 PM, Martinx - ジェームズ <[email protected]> wrote:

> Guys,
>
> I'm here thinking about IPSec with IPv6 and, one of the first
> ideas/wishes of IPv6 scientists, was to always deploy it with IPSec
> enabled, always (I've heard). But, this isn't well diffused by now. Who is
> actually using IPv6 Opportunistic Encryption?!
>
> For example: With O.E., we'll be able to make an IPv6 IPSec VPN with
> Google, so we can "ping6 google.com" safely... Or with Twitter, Facebook!
> Or whatever! That is the purpose of Opportunistic Encryption, am I right?!
>
> Then, with OpenStack, we might have a multi-Region or even a multi-AZ
> cloud, based on the topology "Per-Tenant Routers with Private Networks",
> for example, so, how hard will it be to deploy the Namespace routers with
> "IPv6+IPSec O.E." just enabled by default?
>
> I'm thinking about this:
>
> * "IPv6 Tenant 1 subnet A" <-> "IPv6 Router + IPSec O.E." <-> *"Internet IPv6"* <-> "IPv6 Router + IPSec O.E." <-> "IPv6 Tenant 1 subnet B"
>
> So, with O.E., it will be simpler (from the tenant's point of view) to
> safely interconnect multiple tenant's subnets, don't you guys think?!
>
> Amazon, on the other hand, for example, provides things like "VPC Peering",
> or "VPN Instances", or "NAT instances", as a "solution" to interconnect
> creepy IPv4 networks... We don't need any of this kind of solution
> with IPv6... Right?!
>
> Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace
> Router by default, without the tenant even knowing it is there, but of
> course, we can still show that IPv6-IPSec-VPN at the Horizon Dashboard,
> when established, just for fun... But tenants will never need to think
> about it... =)
>
> And to share the IPSec keys, the stuff required for Opportunistic
> Encryption to gracefully work, each OpenStack in the wild can become a
> *"pod"*, which will form a network of *"pods"*, I mean, independently
> owned *pods* which interoperate to form the "*Opportunistic Encrypt
> Network of OpenStack Clouds*".
>
> I'll try to make a comparison here, as an analogy, have you guys ever
> heard about the DIASPORA* Project? No, take a look:
> http://en.wikipedia.org/wiki/Diaspora_(social_network)
>
> I think that OpenStack might be for the Opportunistic Encryption what
> the DIASPORA* Project is for Social Networks!
>
> If OpenStack can share its keys (O.E. stuff) in some way, with each other,
> we can easily build a huge network of OpenStacks, and then, each one will
> "naturally" talk with each other, using a secure connection.
>
> I would love to hear some insights from you guys!
>
> Please, keep in mind that I never deployed an IPSec O.E. before, this is
> just an idea I had... If I'm wrong, ignore this e-mail.
>
> References:
>
> https://tools.ietf.org/html/rfc4322
>
> https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ
>
> http://www.inrialpes.fr/planete/people/chneuman/OE.html
>
> Best!
> Thiago
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Kevin Benton
