00:06:56 <nati_ueno> #startmeeting openstack_networking_vpn
00:06:57 <openstack> Meeting started Tue May 14 00:06:56 2013 UTC.  The chair is nati_ueno. Information about MeetBot at http://wiki.debian.org/MeetBot.
00:06:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
00:07:00 <openstack> The meeting name has been set to 'openstack_networking_vpn'
00:07:14 <nati_ueno> #topic local_subnet vs local_cidr
00:07:42 <nati_ueno> so one minor point on api discussion is local_subnet vs local_cidr
00:08:10 <nati_ueno> openstack networking guys tend to +1 for local_cidr because subnet is already used in a more general meaning
00:08:47 <nati_ueno> vpn guys tend to +1 for local_subnet because it is familiar from existing configurations
00:09:42 <nati_ueno> markmcclain: what do you think?
00:10:08 <markmcclain> my preference is for local_cidrs
00:10:20 <nati_ueno> me too
00:10:22 <markmcclain> I know it is different from other implementations
00:10:32 <Swami> I am ok with local_cidrs
00:10:40 <nati_ueno> pcm_ : what do you think?
00:11:28 <pcm_> nati_ueno: no real preference. StrongSwan seems to use left and right for local/remote. Not sure if that muddies it more.
00:11:44 <nati_ueno> pcm_: gotcha
00:11:46 <pcm_> with subnet
00:11:56 <pcm_> leftsubnet rightsubnet
00:12:20 <nati_ueno> it is driver specific, so it looks like no problem
00:12:45 <Swami> But as far as we document it in the help string, we can map it in the implementation
00:13:02 <nati_ueno> OK so let's go with local_cidr, but maybe we should discuss this again when Qin@VMware joins the meeting.
00:13:07 <nati_ueno> OK next topic
00:13:11 <markmcclain> the one question I do have is about local subnets
00:13:29 <markmcclain> there should be a 1:1 between the cidr list and a tenant's subnet, correct?
00:13:43 <Swami> Yes
00:14:08 <markmcclain> so would it make more sense to accept a list of subnet ids?
00:14:16 <nati_ueno> No we should support small area of the subnet
00:14:23 <nati_ueno> or aggregate of the subnets
00:14:36 <Swami> Yes that was our proposal, peer_cidrs and local_cidrs will be a list of cidrs
00:14:54 <nati_ueno> let's say if the subnet cidr is 10.0.0.0/24, we can also specify 10.0.0.0/31 on vpn
00:15:16 <nati_ueno> Swami: right
00:15:36 <nati_ueno> markmcclain: does this make sense?
00:15:36 <Swami> Yes
00:15:44 <markmcclain> nati_ueno: I don't understand that use case
00:16:06 <nati_ueno> markmcclain: so sometimes, we want to expose only limited ips for vpn side
00:16:31 <nati_ueno> or aggregate many tiny subnets for performance reason
00:16:49 <markmcclain> aggregating a list of existing cidrs is easy
00:17:29 <Swami> yes we can aggregate and provide a single cidr that will accept all the subnets in the tenant's network
00:18:16 <nati_ueno> so let's number the use cases: 1) sub area of subnet 2) aggregate multiple subnets
00:18:46 <nati_ueno> markmcclain: 1) doesn't make sense to you, and 2) makes sense to you
00:18:49 <nati_ueno> ?
00:19:05 <markmcclain> yeah
00:19:28 <markmcclain> Automating #2 reduces the chance of errors
00:19:46 <nati_ueno> OK for 1). may I ask why it doesn't make sense?
00:21:19 <nati_ueno> how do we automate #2?
00:22:50 <markmcclain> have to think a bit more
00:23:05 <nati_ueno> markmcclain: gotcha.
00:23:06 <markmcclain> but it just seems odd that we're requiring a tenant to enter data
00:23:29 <markmcclain> multiple times
00:24:06 <nati_ueno> markmcclain: I agree on that point. maybe the client can accept subnet_id and translate it to the cidr
00:24:42 <Swami> in that case can we document and say enter the aggregate cidr for the peer and local subnets
00:25:09 <markmcclain> nati_ueno: that approach supports the case of making local_cidrs a list of subnet_ids
00:26:17 <nati_ueno> markmcclain: we should think about cli namings
00:26:46 <nati_ueno> markmcclain: but my intention is specifying subnet_id in local_cidrs on the CLI
00:27:11 <nati_ueno> or maybe we can use local_subnet and accept both subnet_id and cidrs
00:27:13 <markmcclain> Swami: a vpnserviceconnection has a 1:1 with a VPNConnection
00:27:36 <markmcclain> the VPNService can only have 1 subnet, so we'd be agg'ing only 1 subnet
00:28:19 <markmcclain> nati_ueno: specifying a cidr on the CLI is ambiguous
00:28:19 <Swami> Yes that is true
00:28:51 <markmcclain> a tenant can create two networks with the same cidr
00:28:59 <markmcclain> which subnet would you match?
00:29:22 <nati_ueno> markmcclain: it doesn't matter, because we connect the vpn to the router
00:29:34 <nati_ueno> markmcclain: And we can't plug overlapping subnets into one router
00:29:50 <markmcclain> right but for referential integrity.. we need to know which subnet they want associated
00:30:04 <markmcclain> otherwise the logic in the router becomes more complex
00:30:26 <nati_ueno> what's referential integrity?
00:30:55 <markmcclain> at the db layer how the models relate to each other
00:31:23 <nati_ueno> so some use cases require a different range than the subnet's cidr.
00:31:32 <nati_ueno> so we can't map it 1-to-1
00:32:02 <nati_ueno> I agree if we choose subnet_id
00:32:16 <nati_ueno> when the subnet is deleted, we can also update the vpn config automatically
00:32:19 <nati_ueno> it is clean
00:32:35 <nati_ueno> however it limits the scope
00:35:22 <nati_ueno> And also even if VPNService can only have 1 subnet, the associated router will be the next hop for multiple local subnets (cidrs)
00:35:53 <nati_ueno> so using cidrs is a simple way to support the use cases ( #1 #2)
00:37:22 <markmcclain> they'll work because the data is denormalized… but long term this might cause more problems
00:37:53 <markmcclain> we'll move forward with cidrs for now, but it might make sense to revisit this
00:41:56 <nati_ueno> markmcclain: Thanks. Could you target the bp above?
00:42:17 <markmcclain> nati_ueno: done
00:42:21 <nati_ueno> markmcclain: Thanks!
00:42:24 <nati_ueno> ok next.  check default value for lifetime value (Swami)
00:42:31 <nati_ueno> Swami: did you check this one?
00:42:42 <Swami> nachi: updated the document for the default Kilobytes.
00:42:48 <nati_ueno> Swami: Thanks!
00:43:02 <nati_ueno> Implement Data Model (Swami will push code to the gerrit)
00:43:12 <nati_ueno> Swami: May I ask when you can push?
00:43:26 <Swami> nachi: Yes I have to do some clean up and once done, I will push it to the gerrit for review
00:43:40 <nati_ueno> Swami: in this week or next week?
00:43:59 <Swami> Nachi: By the end of this week, it should be in gerrit, but it may not have the unit-tests covered.
00:44:13 <nati_ueno> Swami: it is OK for now because it is WIP
00:44:21 <Swami> got it.
00:44:32 <nati_ueno> so 5/20 is OK?
00:44:49 <Swami> Yes let us target for 5/20.
00:44:53 <nati_ueno> Swami: Thanks!
00:45:00 <nati_ueno> Implement Driver (Nachi & PCM )
00:45:11 <nati_ueno> pcm_: do you have any progress?
00:45:55 <pcm_> Just looked at StrongSwan docs. See they have example for net2net, psk. Assuming that is what we want to do first off right?
00:46:19 <pcm_> They have example net http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
00:46:24 <Swami> pcm: if you need any pointers to Strongswan or a sample configuration, let me know and I can provide it.
00:46:49 <pcm_> Swami: Can always use more info. Feel free to email me info.
00:46:50 <Swami> Look for IKEv1 examples for the first test case
00:46:56 <Swami> sure.
00:47:00 <nati_ueno> Swami: Thanks!
00:47:07 <pcm_> I was going to try to set this up in VBOX.
00:47:25 <nati_ueno> OK let's target the driver for 5/31 since this one depends on the CRUD model
00:47:25 <pcm_> Have four VMs, trying to figure out how to do the I/Fs.
00:47:48 <nati_ueno> pcm_: gotcha
00:47:59 <nati_ueno> pcm_: 5/31 is OK for you also?
00:48:14 <pcm_> nachi_ueno: Let me know if it makes sense to do a sample in VBOX for config.
00:48:33 <nati_ueno> pcm_: it sounds like it makes sense
00:49:09 <pcm_> nachi_ueno: Not sure, as I don't know how much there is to do (never have done a driver for OS). Will defer to your assessment.
00:49:45 <nati_ueno> pcm_: gotcha. if strongswan works, it is not difficult to write the driver. it's just RPC & conf generation
00:49:46 <markmcclain> Do we have a spec interface for the driver?
00:50:05 <nati_ueno> markmcclain: not yet. I'll propose it
00:50:49 <nati_ueno> OK next
00:51:41 <nati_ueno> CLI (python-quantum client) work (Swami will push code to the gerrit)
00:51:41 <nati_ueno> Swami: this is 5/20 also?
00:51:41 <Swami> agreed!!
00:51:41 <nati_ueno> Swami: Thanks!!
00:51:41 <nati_ueno> Write openstack network api document wiki (Sachin) <-- let's ask this next time
00:51:41 <nati_ueno> Devstack support
00:51:41 <nati_ueno> Any task takers?
00:51:55 <nati_ueno> ok I'll take this for now
00:52:20 <markmcclain> nati_ueno: it's hard to write devstack support until
00:52:27 <pcm_> I can ask if someone on our team wants to help, if you'd like.
00:52:40 <markmcclain> there are rudimentary steps to install the needed components
00:52:53 <nati_ueno> markmcclain: yeah, I agree. It will maybe be late July
00:52:58 <nati_ueno> pcm_: thanks!
00:53:23 <nati_ueno> OK if anyone is interested in Horizon and Tempest, please let me know
00:53:30 <markmcclain> for LBaaS we kept a wiki with the installation instructions and then the devstack support became an afternoon project
00:53:59 <nati_ueno> markmcclain: That's a nice idea
00:54:14 <nati_ueno> markmcclain: Let's have installation instructions for VPN
00:54:27 <markmcclain> it also helps the reviewers test
00:54:33 <nati_ueno> markmcclain: gotcha
00:54:50 <nati_ueno> markmcclain: I'll link the wiki when I submit the StrongSwan driver
00:54:57 <markmcclain> sounds good
00:55:10 <nati_ueno> OK any other topics?
00:56:16 <pcm_> nati_ueno: Offline maybe we can talk about VBOX emulation of the test setup I have.
00:56:59 <nati_ueno> pcm_: Gotcha. Are you in the Bay Area? if so F2F is more efficient for this kind of task :)
00:57:21 <pcm_> nati_ueno: Nope. East Coast :(
00:57:34 <pcm_> Boston area
00:57:50 <nati_ueno> OK let's talk online. my skype is nati.ueno, same for google+
00:58:06 <nati_ueno> Next meeting is 5/16 Thursday at 5pm (PST) ( VMWare guy will join)
00:58:10 <pcm_> Can do a phone call or WebEx possibly.
00:58:18 <pcm_> oh ok.
00:58:20 <nati_ueno> pcm_: yes
00:58:26 <Swami> ok
00:58:31 <nati_ueno> pcm_: WebEx & a phone call are OK too
00:58:38 <nati_ueno> markmcclain: is the time OK for you?
00:59:02 <markmcclain> I'm a maybe for Thurs (it conflicts with the Atlanta OpenStack Meetup)
00:59:19 <markmcclain> if the wifi is good.. I'll do both
00:59:28 <nati_ueno> What's the time of the Atlanta OpenStack Meetup?
00:59:29 <nati_ueno> ?
00:59:37 <nati_ueno> Maybe we can change the time
01:00:14 <markmcclain> the meetup is 7pm eastern
01:00:35 <nati_ueno> Ok let's schedule in the mail
01:00:55 <nati_ueno> Thanks for joining the meeting!
01:00:58 <nati_ueno> #endmeeting