Re: [openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers

2016-06-14 Thread Paul Michali
I think Kyle polled operators and a few mentioned using VPNaaS for
site-to-site IPSec - do a search in this ML for VPNaaS. AFAIK, no one so
far is stepping up to work on VPNaaS.

Regards,

PCM


On Tue, Jun 14, 2016 at 1:40 PM Mark Fenwick wrote:

> Hi Paul,
>
> On 06/14/16 10:27, Paul Michali wrote:
> > Certainly the ciphers and hashes could be enhanced for VPNaaS. This would
> > require converting the user selections into options for the underlying
> > device driver, modifying the neutron client (OSC) to allow entry of the new
> > selections, updating unit tests, and likely adding some validators to
> > reject these options on drivers that may not support them (e.g. if OpenSwan
> > doesn't support an option, you'll want to reject it).
> >
>
> I made some changes and got this working quite quickly, would need some
> polish.
>
> > There is not an active VPNaaS team any more, so, if this is something that
> > you'd like to see, you'll need to provide some sweat equity to make it
> > happen. There are still some people that can core review changes, but don't
> > expect much community support for VPNaaS at this time. In fact, I think the
> > plan is to archive/mothball/whatever VPNaaS in a few months (it's on double
> > secret probation :)), if there is no-one actively supporting it (I'll leave
> > to the PTL to define what "support" means - not sure what the
> > qualifications will be to maintain this project).
>
> So I'm curious, does anybody actually use VPNaaS for anything?
>
> Thanks
>
> Mark
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>


Re: [openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers

2016-06-14 Thread Mark Fenwick

Hi Paul,

On 06/14/16 10:27, Paul Michali wrote:

> Certainly the ciphers and hashes could be enhanced for VPNaaS. This would
> require converting the user selections into options for the underlying
> device driver, modifying the neutron client (OSC) to allow entry of the new
> selections, updating unit tests, and likely adding some validators to
> reject these options on drivers that may not support them (e.g. if OpenSwan
> doesn't support an option, you'll want to reject it).

I made some changes and got this working quite quickly, would need some
polish.



> There is not an active VPNaaS team any more, so, if this is something that
> you'd like to see, you'll need to provide some sweat equity to make it
> happen. There are still some people that can core review changes, but don't
> expect much community support for VPNaaS at this time. In fact, I think the
> plan is to archive/mothball/whatever VPNaaS in a few months (it's on double
> secret probation :)), if there is no-one actively supporting it (I'll leave
> to the PTL to define what "support" means - not sure what the
> qualifications will be to maintain this project).


So I'm curious, does anybody actually use VPNaaS for anything?

Thanks

Mark



Re: [openstack-dev] [VPNaaS] Support for Stronger hashes and combined mode ciphers

2016-06-14 Thread Paul Michali
Certainly the ciphers and hashes could be enhanced for VPNaaS. This would
require converting the user selections into options for the underlying
device driver, modifying the neutron client (OSC) to allow entry of the new
selections, updating unit tests, and likely adding some validators to
reject these options on drivers that may not support them (e.g. if OpenSwan
doesn't support an option, you'll want to reject it).

There is not an active VPNaaS team any more, so, if this is something that
you'd like to see, you'll need to provide some sweat equity to make it
happen. There are still some people that can core review changes, but don't
expect much community support for VPNaaS at this time. In fact, I think the
plan is to archive/mothball/whatever VPNaaS in a few months (it's on double
secret probation :)), if there is no-one actively supporting it (I'll leave
to the PTL to define what "support" means - not sure what the
qualifications will be to maintain this project).

Regards,

PCM


On Wed, Jun 8, 2016 at 5:19 PM Mark Fenwick wrote:

> Hi,
>
> I was wondering if there are any plans to extend support for IPsec and
> IKE algorithms. Looks like only AES-CBC mode and SHA1 are supported.
>
> It would be nice to see:
>
> SHA256, SHA384, SHA512
>
> As well as the combined mode ciphers:
>
> AES-CCM and AES-GCM
>
> StrongSWAN already supports all of these ciphers and hashes.
>
> Thanks
>
> Mark
>
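
As an added illustration of the validator and option-conversion step described in this thread (not code from neutron-vpnaas or from anyone posting here), the Python below rejects algorithms a driver does not list and converts accepted ones into a strongSwan-style proposal string, including the combined-mode case where no separate integrity algorithm is emitted. The GCM/CCM option names, the capability table, `build_proposal` and the default DH group are assumptions.

```python
# Added example: hypothetical validator, not neutron-vpnaas code.
# User-facing name -> (strongSwan proposal keyword, is_combined_mode).
# "aes-128"/"aes-256" are the CBC options; the GCM/CCM names are assumed.
ENCRYPTION = {
    "aes-128": ("aes128", False),
    "aes-256": ("aes256", False),
    "aes-128-gcm-16": ("aes128gcm16", True),
    "aes-256-gcm-16": ("aes256gcm16", True),
    "aes-128-ccm-16": ("aes128ccm16", True),
}
HASHES = ("sha1", "sha256", "sha384", "sha512")

# Constructed capability table for illustration only. It is NOT a statement
# of what either project really supports: "openswan" is limited to the
# AES-CBC + SHA1 baseline the thread mentions so a rejection can be shown.
DRIVER_CAPS = {
    "strongswan": {"encryption": set(ENCRYPTION), "auth": set(HASHES)},
    "openswan": {"encryption": {"aes-128", "aes-256"}, "auth": {"sha1"}},
}


class UnsupportedAlgorithm(ValueError):
    """Raised when a driver cannot honour the requested algorithm."""


def build_proposal(driver, kind, encryption, auth, dh_group="modp2048"):
    """Validate a policy against a driver, then return a proposal string."""
    if kind not in ("ike", "esp"):
        raise ValueError("kind must be 'ike' or 'esp'")
    caps = DRIVER_CAPS[driver]
    for field, value in (("encryption", encryption), ("auth", auth)):
        if value not in caps[field]:
            raise UnsupportedAlgorithm(
                f"{driver} driver does not support {field} algorithm {value!r}")
    keyword, combined = ENCRYPTION[encryption]
    parts = [keyword]
    if not combined:
        parts.append(auth)            # CBC needs a separate integrity hash
    elif kind == "ike":
        parts.append("prf" + auth)    # AEAD in IKE: hash is used as PRF only
    # AEAD in ESP: the cipher authenticates itself, so no hash is emitted
    parts.append(dh_group)
    return "-".join(parts)


if __name__ == "__main__":
    print(build_proposal("strongswan", "ike", "aes-128-gcm-16", "sha256"))
    print(build_proposal("strongswan", "esp", "aes-128-gcm-16", "sha256"))
```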