- VPNaaS in Neutron aims to provide virtual private network services to OpenStack tenants through the Neutron API and plugins.
- Initial work focused on IPsec VPN support, including defining a resource model and APIs for VPN services, connections, policies and more.
- Future work will explore supporting BGP/MPLS VPNs, which provide inter-AS connectivity and require integration with external MPLS domains and protocols like BGP.
- Two potential architectures are proposed for BGP/MPLS VPN support: one relying on configuring provider edge routers from Neutron, and another using an L3 agent and separate controller/forwarder.
2. Quantum -> Neutron
• Based on the legal agreement with Quantum Corporation, the owner of the “Quantum” trademark.
• “Neutron” was announced on Jun 19.
3. History of “Neutron”
Essex
• L2 API
Folsom
• L3 API
• More L2 plugins
Grizzly
• LBaaS
• Scheduler
• etc.
Havana
• FWaaS
• VPNaaS
• Modular L2/L3
• QoS API
• etc.
(Timeline annotations: Ryu plugin, Meta plugin, Static routing for Router; Incubated Project -> Core Project!!!)
4. VPNaaS: Use Cases
(Diagram: two OpenStack Tenants, each a Virtual Private Network of VMs with an LB and an LR, connected to several VPN Sites and to remote users)
• Access from VPN Sites via VPN
• Remote Access
VPN Types
• IPsec-VPN
• SSL-VPN
• BGP/MPLS VPN
5. Road to Havana
• Havana-2 (2013 Jul 18)
  – design and implement General VPN API
  – use IPsec-VPN as reference
• Havana-3 (2013 Sep 5)
  – Horizon integration
  – extend VPN types such as BGP/MPLS VPN
7. Resource Model
https://wiki.openstack.org/wiki/Neutron/VPNaaS
VPNService: id, tenant_id, vpn_type, subnet_id, router_id, …
VPNConnection: id, tenant_id, peer_address, peer_cidrs, psk, ikepolicy_id, ipsecpolicy_id, vpn_service_id, …
IKEPolicy: id, tenant_id, transform_protocol, encapsulation_mode, auth_algorithm, encryption_algorithm, …
IPsecPolicy: id, tenant_id, ike_version, auth_algorithm, encryption_algorithm, …
(Diagram: Subnet attached to a Neutron Router; the Router connects to the Remote GW at the Peer Address, behind which lies the Peer CIDR)
8. API and CLI
https://wiki.openstack.org/wiki/Neutron/VPNaaS
e.g.) VPNService API and CLI

| Operation | REST API | CLI |
|---|---|---|
| Create a VPNService | POST /v1.0/vpnservices | vpn-service-create |
| Delete a given VPNService | DELETE /v1.0/vpnservices/vpnservice_id | vpn-service-delete |
| List all VPNService for a given tenant | GET /v1.0/vpnservices/ | vpn-service-list |
| Show detailed information | GET /v1.0/vpnservices/vpnservice_id | vpn-service-show |
| Update a given VPNService | UPDATE /v1.0/vpnservices/vpnservice_id | vpn-service-update |
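As an added example (not from the slides and not Neutron's own code), a pre-flight check a practitioner could run over a VPNConnection body built from the resource-model fields on slide 7 before issuing the create call on slide 8. The field names follow the slide; the rules (PSK minimum, peer CIDR overlap with the local subnet, tenant and policy consistency) and the sample values are this example's own assumptions.

```python
import ipaddress

MIN_PSK_LEN = 16  # assumed policy for this example; the slides set no PSK minimum

def validate_vpn_connection(conn, service, local_cidr, known_policy_ids):
    """Return the problems found in a VPNConnection body (empty list if clean).
    `conn`/`service` are dicts keyed like the resource-model slide; `local_cidr`
    is the service subnet's CIDR (assumed to be looked up from subnet_id by the
    caller); `known_policy_ids` holds the tenant's IKEPolicy/IPsecPolicy ids."""
    problems = []
    # The connection must hang off the given service and stay inside one tenant.
    if conn.get("vpn_service_id") != service["id"]:
        problems.append("vpn_service_id does not match the VPNService")
    if conn.get("tenant_id") != service["tenant_id"]:
        problems.append("tenant_id differs from the VPNService tenant")
    # The remote gateway (Peer Address on the slide) must be a literal IP address.
    try:
        ipaddress.ip_address(conn.get("peer_address") or "")
    except ValueError:
        problems.append("peer_address is not a valid IP address")
    # Each Peer CIDR must parse and must not overlap the local Subnet, otherwise
    # the tunnel's SPD would match traffic that should stay local.
    local = ipaddress.ip_network(local_cidr)
    peer_cidrs = conn.get("peer_cidrs") or []
    if not peer_cidrs:
        problems.append("peer_cidrs is empty")
    for cidr in peer_cidrs:
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError:
            problems.append(f"peer_cidrs entry {cidr!r} is not a valid CIDR")
            continue
        if net.overlaps(local):
            problems.append(f"peer CIDR {cidr} overlaps local subnet {local_cidr}")
    # A short pre-shared key is the classic IPsec misconfiguration.
    if len(conn.get("psk") or "") < MIN_PSK_LEN:
        problems.append(f"psk is shorter than {MIN_PSK_LEN} characters")
    # ikepolicy_id / ipsecpolicy_id must point at policies this tenant owns.
    for key in ("ikepolicy_id", "ipsecpolicy_id"):
        if conn.get(key) not in known_policy_ids:
            problems.append(f"{key} does not reference a known policy")
    return problems

# Constructed sample input (not from the slides): one clean connection body.
SERVICE = {"id": "svc-1", "tenant_id": "tenant-a", "vpn_type": "ipsec",
           "subnet_id": "subnet-1", "router_id": "router-1"}
CONNECTION = {"id": "conn-1", "tenant_id": "tenant-a", "vpn_service_id": "svc-1",
              "peer_address": "203.0.113.10", "peer_cidrs": ["192.168.50.0/24"],
              "psk": "constructed-psk-of-sufficient-length",
              "ikepolicy_id": "ike-1", "ipsecpolicy_id": "ipsec-1"}
```

Run the check on the body before it is sent as the POST /v1.0/vpnservices follow-up that creates the connection; an empty list means the body passed every rule.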
9. Remote Site Architecture: First POC Driver
(Diagram: Neutron with the IPsecDriver configures the L3 Agent over RPC; the L3 Agent configures the CE (LR), which holds the Routing Table, SPD and SAD; an IPsec Tunnel connects the Tenant network to the Remote GW)
12. What’s BGP/MPLS VPN?
(Diagram: CEs of VPN-A (Site-A1) and VPN-B (Site-B1, Site-B2) attach to PE routers, each PE holding one VRF per VPN; the PEs exchange VPN routes over MP-iBGP via an RR; LDP runs between PE and P routers; CE-PE routing is Static, BGP, RIP or OSPF; across the core an IP packet carries a VPN Label and a Tunnel Label; an L2 attachment is also shown)
13. What’s BGP/MPLS VPN? (continued)
(Diagram: packet forwarding through the MPLS Domain (AS) from a VPN-A CE to a VPN-B CE across PE, P, P, PE with VRFs on the PEs: IP packet -> IP packet #B #X -> IP packet #B #Y -> IP packet #B -> IP packet)
14. MPLS Domain Architecture: Design 1
(Diagram: Neutron with the BGPMPLS Driver configures the L3 Agent over RPC; the L3 Agent configures the CE (LR) and its Routing Table; a PE controller configures the PE and its VRFs, with Static or dynamic routing between PE and the Tenant network)
• PE provisioning: CLI in many cases
• Per-tenant dynamic routing
15. Inter-AS
(Diagram: CEs of VPN-A Site-A1 and Site-A2 attach to PEs in AS #1 and AS #2; each AS has P routers and an RR with MP-iBGP inside the AS; the ASBRs of the two ASes peer over MP-eBGP; VRFs sit on PEs and ASBRs; the packet is shown as IP packet #A, IP packet #A #X and IP packet #A #Y along the path)
16. MPLS Domain Architecture: Design 2
(Diagram: Neutron with the BGPMPLS Driver configures the L3 Agent over RPC; the L3 Agent configures the CE (LR) and its Routing Table; a VPN Connection Controller & Forwarder holds the VRFs and peers with the ASBR over MP-eBGP; packets from the Tenant network are shown as IP packet and IP packet #A)
• L3 Agent & LR: simple
• Impact to existing BGP/MPLS infra: small