Re: [openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers
I think Kyle polled operators and a few mentioned using VPNaaS for site-to-site IPSec - do a search in this ML for VPNaaS. AFAIK, no one so far is stepping up to work on VPNaaS.

Regards,
PCM

On Tue, Jun 14, 2016 at 1:40 PM Mark Fenwick wrote:

> Hi Paul,
>
> On 06/14/16 10:27, Paul Michali wrote:
> > Certainly the ciphers and hashes could be enhanced for VPNaaS. This would require converting the user selections into options for the underlying device driver, modifying the neutron client (OSC) to allow entry of the new selections, updating unit tests, and likely adding some validators to reject these options on drivers that may not support them (e.g. if OpenSwan doesn't support an option, you'll want to reject it).
>
> I made some changes and got this working quite quickly, would need some polish.
>
> > There is not an active VPNaaS team any more, so, if this is something that you'd like to see, you'll need to provide some sweat equity to make it happen. There are still some people that can core review changes, but don't expect much community support for VPNaaS at this time. In fact, I think the plan is to archive/mothball/whatever VPNaaS in a few months (it's on double secret probation :)), if there is no-one actively supporting it (I'll leave to the PTL to define what "support" means - not sure what the qualifications will be to maintain this project).
>
> So I'm curious, does anybody actually use VPNaaS for anything?
>
> Thanks
>
> Mark

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers
Hi Paul,

On 06/14/16 10:27, Paul Michali wrote:

> Certainly the ciphers and hashes could be enhanced for VPNaaS. This would require converting the user selections into options for the underlying device driver, modifying the neutron client (OSC) to allow entry of the new selections, updating unit tests, and likely adding some validators to reject these options on drivers that may not support them (e.g. if OpenSwan doesn't support an option, you'll want to reject it).

I made some changes and got this working quite quickly, would need some polish.

> There is not an active VPNaaS team any more, so, if this is something that you'd like to see, you'll need to provide some sweat equity to make it happen. There are still some people that can core review changes, but don't expect much community support for VPNaaS at this time. In fact, I think the plan is to archive/mothball/whatever VPNaaS in a few months (it's on double secret probation :)), if there is no-one actively supporting it (I'll leave to the PTL to define what "support" means - not sure what the qualifications will be to maintain this project).

So I'm curious, does anybody actually use VPNaaS for anything?

Thanks

Mark
Re: [openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers
Certainly the ciphers and hashes could be enhanced for VPNaaS. This would require converting the user selections into options for the underlying device driver, modifying the neutron client (OSC) to allow entry of the new selections, updating unit tests, and likely adding some validators to reject these options on drivers that may not support them (e.g. if OpenSwan doesn't support an option, you'll want to reject it).

There is not an active VPNaaS team any more, so, if this is something that you'd like to see, you'll need to provide some sweat equity to make it happen. There are still some people that can core review changes, but don't expect much community support for VPNaaS at this time. In fact, I think the plan is to archive/mothball/whatever VPNaaS in a few months (it's on double secret probation :)), if there is no-one actively supporting it (I'll leave to the PTL to define what "support" means - not sure what the qualifications will be to maintain this project).

Regards,
PCM

On Wed, Jun 8, 2016 at 5:19 PM Mark Fenwick wrote:

> Hi,
>
> I was wondering if there are any plans to extend support for IPsec and IKE algorithms. Looks like only AES-CBC mode and SHA1 are supported.
>
> It would be nice to see:
>
> SHA256, SHA384, SHA512
>
> As well as the combined mode ciphers:
>
> AES-CCM and AES-GCM
>
> StrongSWAN already supports all of these ciphers and hashes.
>
> Thanks
>
> Mark
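
The validator and option conversion described in the message above, sketched as an added example (not neutron-vpnaas code and not written by anyone in this thread). The API-side names for the combined-mode ciphers and the "legacy-driver" capability set are constructed for illustration; the output strings follow strongSwan's proposal keyword style.

```python
# Added illustration, not neutron-vpnaas code. API-side names for the
# combined-mode ciphers and the "legacy-driver" capability set are constructed.
CBC = {"aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
AEAD = {"aes-128-gcm": "aes128gcm16", "aes-256-gcm": "aes256gcm16",
        "aes-128-ccm": "aes128ccm16", "aes-256-ccm": "aes256ccm16"}
AUTH = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}

# What each device driver accepts. "strongswan" lists everything requested in
# the thread; "legacy-driver" is a hypothetical driver limited to AES-CBC + SHA1.
DRIVER_CAPS = {
    "strongswan": {"enc": set(CBC) | set(AEAD), "auth": set(AUTH)},
    "legacy-driver": {"enc": set(CBC), "auth": {"sha1"}},
}


class UnsupportedAlgorithm(ValueError):
    """Raised at API validation time, before anything reaches the driver."""


def validate(driver, enc, auth=None):
    caps = DRIVER_CAPS.get(driver)
    if caps is None:
        raise UnsupportedAlgorithm(f"unknown driver {driver!r}")
    if enc not in caps["enc"]:
        raise UnsupportedAlgorithm(f"{driver} does not support cipher {enc!r}")
    if enc in AEAD:
        # Combined-mode ciphers authenticate the payload themselves, so the
        # proposal carries no separate integrity hash.
        if auth is not None:
            raise UnsupportedAlgorithm(f"{enc!r} takes no separate auth algorithm")
    elif auth not in caps["auth"]:
        raise UnsupportedAlgorithm(f"{driver} does not support hash {auth!r}")


def esp_proposal(driver, enc, auth=None):
    """Convert a validated user selection into an ESP proposal string."""
    validate(driver, enc, auth)
    return AEAD[enc] if enc in AEAD else f"{CBC[enc]}-{AUTH[auth]}"
```

Rejecting the selection in the validator keeps an unsupported cipher from ever being rendered into a driver's configuration, where it would otherwise surface only as a failed tunnel negotiation.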
[openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers
Hi,

I was wondering if there are any plans to extend support for IPsec and IKE algorithms. Looks like only AES-CBC mode and SHA1 are supported.

It would be nice to see:

SHA256, SHA384, SHA512

As well as the combined mode ciphers:

AES-CCM and AES-GCM

StrongSWAN already supports all of these ciphers and hashes.

Thanks

Mark