Thanks for the response, Charles,

I have added comments in-line:

Charles Duffy wrote:
I'm not an OpenVPN developer per se -- other than a few trivial patches -- but I should be able to comment.

First -- the requirements for what you want a VPN to do in a grid environment are something which need to be specified. Since OpenVPN is limited to either a 2-endpoint peer-to-peer model or a hub-and-spoke model, it isn't necessarily well-suited to cases where a arbitrary communications will need to be encrypted within a cloud.
One of the arguments in my paper takes issue with that belief, which has been put forth in a seminal document be Ian Foster, who is an important figure in Grid research. I like to pick a good fight. ;-) However, I am not dogmatic about it, and accept that I may be off base. I believe that there are times when Grid applications will make persistent connections, with variable degrees of activity, between peers within the cloud. There may be prolonged times of little, or no traffic, and there may be prolonged times of extreme traffic, depending on need and availability. It is all about using the best resources available, when they are needed. But I also believe the grid, if it is to work as envisioned, must be very adaptable to the needs of its participants. Suppose we have a company willing to share their resources on the Grid, but who have a policy of only allowing access to their network via VPN, using X.509 certificates. Maybe they have a massive internal network which is not busy on evenings and week-ends, and they are willing to let research facilities make use of idle CPUs for a reasonable price. Perhaps it would be wise to build the ability into the Globus Toolkit to automatically open and manage VPN connections when they are required. The service could be advertised on a Service Discovery Service, the parameters could be outlined in a WSDL, and the certificate management could occur using the parameters of the Grid Security Infrastructure (GSI), which uses X.509. It seems feasible to me. It may never happen, but it's worth looking at.
Second, OpenVPN already provides a number of methods to interact with it which are readily programmatically accessible. This includes the manual page; OS-level signals; command-line and configuration file parameters; etc. My experience is that these are more than adequate for controlling the behavior which is presently available -- and that in cases where these tools and in of themselves don't provide the desired level of functionality, that building additional layers on top of the preexisting interfaces (rather than building entirely new interfaces) is appropriate.
The goal is, in the long term, to come up with a universal API which would allow developers of Grid service software to write programs which would be able to allow remote Grid clients to manage VPN connections via a Web service interface. A generic API can prove very useful for VPN developers. They could provide implementations of the generic API with their products, which would allow any software using that API to make use of it. A good example of this is the GSSAPI: http://www.faqs.org/faqs/kerberos-faq/general/section-84.html Perhaps, some day, a generic VPN API would be published as an RFC. I am simply using OpenVPN as a test case through which to explore these issues, and make some modest recommendations for future work.
Could you document the exact functionality you wish to add, and the business case for exposing that functionality as a native API?
Actually, one of the main goals of my paper is to determine exactly which functionality should be added. If I could answer that question, I wouldn't be looking for input here. I do believe that if the Grid were ever to live up to its much-hyped promise, much benefit could be accrued to any software which works well with it. After having looked at OpenVPN, as compared to other SSL based VPNs and IPSec based VPNs, I have come to think that OpenVPN would be a perfect fit as a default VPN for the Globus Toolkit (if only I had any degree of clout. My paper will undoubtedly languish in the digital equivalent of a dark and moldy warehouse). It relies on well-known, commonly used protocols, which incidentally are also used in the GSI. It is flexible, not too complex, and secure. Whatever the case, I'm just writing an academic paper, hoping to add a bit to our vast body of knowledge. Maybe someone will read it and do something cool with OpenVPN. It is a nice piece of software.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel




Reply via email to