Re: [openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec by default on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...
Keys are distributed via dns records.

https://tools.ietf.org/html/rfc4322

Carl

On Apr 21, 2014 5:35 PM, Kevin Benton blak...@gmail.com wrote:

> This is interesting. How is key distribution handled when I want to use OE with someone like Google.com for example?
>
> --
> Kevin Benton

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec by default on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...
Have you considered filing a blueprint for this? It'd be good to keep this on the radar.

https://wiki.openstack.org/wiki/Blueprints#Neutron

--
Sean M. Collins
Re: [openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec by default on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...
This is interesting. How is key distribution handled when I want to use OE with someone like Google.com for example?

On Thu, Apr 17, 2014 at 12:07 PM, Martinx - ジェームズ thiagocmarti...@gmail.com wrote:

> Guys,
>
> I'm here thinking about IPSec with IPv6, and one of the first ideas/wishes of IPv6 scientists was to always deploy it with IPSec enabled, always (I've heard). But this isn't well diffused by now. Who is actually using IPv6 Opportunistic Encryption?!
>
> For example: With O.E., we'll be able to make an IPv6 IPSec VPN with Google, so we can ping6 google.com safely... Or with Twitter, Facebook! Or whatever! That is the purpose of Opportunistic Encryption, am I right?!
>
> Then, with OpenStack, we might have a multi-Region or even a multi-AZ cloud, based on the topology Per-Tenant Routers with Private Networks, for example, so, how hard will it be to deploy the Namespace routers with IPv6+IPSec O.E. just enabled by default?
>
> I'm thinking about this:
>
> * IPv6 Tenant 1 subnet A - IPv6 Router + IPSec O.E. - *Internet IPv6* - IPv6 Router + IPSec O.E. - IPv6 Tenant 1 subnet B
>
> So, with O.E., it will be simpler (from the tenant's point of view) to safely interconnect multiple tenant's subnets, don't you guys think?!
>
> Amazon, on the other hand, for example, provides things like VPC Peering, or VPN Instances, or NAT instances, as a solution to interconnect creepy IPv4 networks... We don't need any of these kinds of solutions with IPv6... Right?!
>
> Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace Router by default, without the tenant even knowing it is there, but of course, we can still show that IPv6-IPSec-VPN at the Horizon Dashboard, when established, just for fun... But tenants will never need to think about it... =)
>
> And to share the IPSec keys, the stuff required for Opportunistic Encryption to work gracefully, each OpenStack in the wild can become a *pod*, which will form a network of *pods*, I mean, independently owned *pods* which interoperate to form the *Opportunistic Encrypt Network of OpenStack Clouds*.
>
> I'll try to make a comparison here, as an analogy: have you guys ever heard about the DIASPORA* Project? No? Take a look: http://en.wikipedia.org/wiki/Diaspora_(social_network)
>
> I think that OpenStack might be for Opportunistic Encryption what the DIASPORA* Project is for Social Networks!
>
> If OpenStack can share its keys (O.E. stuff) in some way, with each other, we can easily build a huge network of OpenStacks, and then each one will naturally talk with each other, using a secure connection.
>
> I would love to hear some insights from you guys!
>
> Please, keep in mind that I never deployed an IPSec O.E. before, this is just an idea I had... If I'm wrong, ignore this e-mail.
>
> References:
>
> https://tools.ietf.org/html/rfc4322
> https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ
> http://www.inrialpes.fr/planete/people/chneuman/OE.html
>
> Best!
> Thiago

--
Kevin Benton
[openstack-dev] [NEUTRON] [IPv6] [VPNaaS] - IPSec by default on each Tenant router, the beginning of the Opportunistic Encryption era (rfc4322 ?)...
Guys,

I'm here thinking about IPSec with IPv6, and one of the first ideas/wishes of IPv6 scientists was to always deploy it with IPSec enabled, always (I've heard). But this isn't well diffused by now. Who is actually using IPv6 Opportunistic Encryption?!

For example: With O.E., we'll be able to make an IPv6 IPSec VPN with Google, so we can ping6 google.com safely... Or with Twitter, Facebook! Or whatever! That is the purpose of Opportunistic Encryption, am I right?!

Then, with OpenStack, we might have a multi-Region or even a multi-AZ cloud, based on the topology Per-Tenant Routers with Private Networks, for example, so, how hard will it be to deploy the Namespace routers with IPv6+IPSec O.E. just enabled by default?

I'm thinking about this:

* IPv6 Tenant 1 subnet A - IPv6 Router + IPSec O.E. - *Internet IPv6* - IPv6 Router + IPSec O.E. - IPv6 Tenant 1 subnet B

So, with O.E., it will be simpler (from the tenant's point of view) to safely interconnect multiple tenant's subnets, don't you guys think?!

Amazon, on the other hand, for example, provides things like VPC Peering, or VPN Instances, or NAT instances, as a solution to interconnect creepy IPv4 networks... We don't need any of these kinds of solutions with IPv6... Right?!

Basically, the OpenStack VPNaaS (O.E.) will come enabled at the Namespace Router by default, without the tenant even knowing it is there, but of course, we can still show that IPv6-IPSec-VPN at the Horizon Dashboard, when established, just for fun... But tenants will never need to think about it... =)

And to share the IPSec keys, the stuff required for Opportunistic Encryption to work gracefully, each OpenStack in the wild can become a *pod*, which will form a network of *pods*, I mean, independently owned *pods* which interoperate to form the *Opportunistic Encrypt Network of OpenStack Clouds*.

I'll try to make a comparison here, as an analogy: have you guys ever heard about the DIASPORA* Project? No? Take a look: http://en.wikipedia.org/wiki/Diaspora_(social_network)

I think that OpenStack might be for Opportunistic Encryption what the DIASPORA* Project is for Social Networks!

If OpenStack can share its keys (O.E. stuff) in some way, with each other, we can easily build a huge network of OpenStacks, and then each one will naturally talk with each other, using a secure connection.

I would love to hear some insights from you guys!

Please, keep in mind that I never deployed an IPSec O.E. before, this is just an idea I had... If I'm wrong, ignore this e-mail.

References:

https://tools.ietf.org/html/rfc4322
https://groups.google.com/d/msg/ipv6hackers/3LCTBJtr-eE/Om01uHUcf9UJ
http://www.inrialpes.fr/planete/people/chneuman/OE.html

Best!
Thiago