cloud vpn usecase - opnfv.org summit

Ahmed Maged, Cisco – OPNFV Team, @amaged

Upload: ahmed-elbornou

Post on 23-Feb-2017


•  Assembling a VPN in the Cloud Service

•  Learning Experience


[Architecture diagram. Labels: Application (Front End, Back End, User Portal); Sharing VPN Meta-Data over Facebook; Orchestration/Dispatching; SDN Controller; Virtual Infra Manager; OpenStack; OpenDayLight; BGS/OPNFV Deployer; VNF; VPN Termination. Interfaces: REST API, RESTConf, Netconf/Yang.]


[Sequence diagram, steps 1 to 9. Participants: User, Facebook, App/Portal, OpenStack, OpenDayLight, VNF/Router. Messages: Request VPN service; Instruct ODL to provision VNF; Peer Picking; Peer Picked; Spin up VNF; Provision IPSec; Report addressing and preshared key; Post addressing and Password; IPSec Tunnel Established.]

✓  Picking Peer from Facebook for rapid, painless setup *

* Inspired by Cedric Dessez, https://www.ietf.org/proceedings/87/slides/slides-87-homenet-6.pdf


Create a VM

Python SDK:

client_manager.compute.servers.create('router', image, flavor, key_name=keypair.name, nics=[{'net-id': network.id}])

REST calls:

http://<api-server>/servers

[Diagram labels: Python SDK, RESTful API, Nova Server, Hypervisor (KVM, etc.), VNF]


[Diagram labels: Appl/Portal, ODL, Nova Server, VNF / Router]

YANG Model:

list node-subnets {
  description "IP and mask behind route";
  key "ip inv-mask";
  leaf ip { type inet:ipv4-address; }
  leaf inv-mask { type inet:ipv4-address; }
}
list shared-key {
  key shared-key;
  leaf shared-key { type string; }
  leaf peer-address { type inet:ip-address; }
}

RESTConf:

/restconf/data/ipsec-service:ipsec/<list name>/<key value(s)>

JSON:

{
  "ipsec-service:node-list": [
    { "node-name": "vRouter", "node-ip": "X.X.X.X" }
  ]
}
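As an added example (not code from the talk), the Python sketch below builds RESTCONF requests for the two lists in the YANG model above, following the slide's path form and JSON shape. Posting the shared-key entry to the parent container (as RFC 8040 describes) and the sample peer 192.0.2.10 are assumptions; because the model keys shared-key on the secret itself, addressing an entry by key would place the pre-shared key in the URL.

```python
import ipaddress
import json
import secrets
from urllib.parse import quote

BASE = "/restconf/data/ipsec-service:ipsec"  # container path from the slide

def entry_path(list_name, *keys):
    """Slide's <list name>/<key value(s)> form, each key percent-encoded."""
    return "/".join([BASE, list_name] + [quote(str(k), safe="") for k in keys])

def subnet_entry(cidr):
    """node-subnets entry: network address plus inverse (wildcard) mask."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set
    entry = {"ip": str(net.network_address), "inv-mask": str(net.hostmask)}
    body = {"ipsec-service:node-subnets": [entry]}
    path = entry_path("node-subnets", entry["ip"], entry["inv-mask"])
    return path, json.dumps(body)

def shared_key_request(peer_address, psk=None):
    """POST target, body and PSK for one shared-key entry.

    entry_path("shared-key", psk) would put the secret in the URL, where
    access logs record it. Posting to the parent container keeps it in the
    body only (assumption: the controller accepts POST on the container).
    """
    peer = ipaddress.ip_address(peer_address)  # ValueError on bad input
    psk = psk or secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
    entry = {"shared-key": psk, "peer-address": str(peer)}
    return BASE, json.dumps({"ipsec-service:shared-key": [entry]}), psk

def redact(body):
    """Copy of a request body that is safe to log: PSK replaced by a marker."""
    doc = json.loads(body)
    for entry in doc.get("ipsec-service:shared-key", []):
        entry["shared-key"] = "<redacted>"
    return json.dumps(doc)

if __name__ == "__main__":
    print(subnet_entry("10.1.0.0/24")[0])
    target, body, _ = shared_key_request("192.0.2.10")  # constructed peer
    print("POST", target, redact(body))
```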


Peer 1

CLI Config:

crypto isakmp key KEY address x.x.x.x
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TS
 match address Spoke
!
interface TenGig0/0
 ip address x.x.x.x 255.255.255.0
 crypto map CRYPTO

Peer 2

•  Assembling a VPN in the Cloud Service

•  Learning Experience


“Open source propagates to fill all the nooks and crannies that people want it to fill.”

Mitch Kapor Founder of Lotus, Co-Founder EFF

•  In 1995, I almost lost my hair, building a Slackware server.

•  In 2005, I lost my hair, building/coding a Linux Jumpserver.

•  In 2015, We built a VPN in the Cloud server in a few days.


Open Source Made it possible

With BGS:

•  Install scripts for automated deployment of the test setup.

•  Comprehensive source-to-tested-deployment script for running the entire system start to end.

Task: Installing Infra (Arno/Fuel)
Time: 1 Day

•  APIs coming to networking took networking out of its silo.

•  Applications can now easily control and interact with networking.

•  This opens up the possibility of a wide range of use cases.

Task: Write PoC Code*
Time: A few Days

* Without Facebook App/Front End.

I need REST APIs

Thanks

Q&A
