19:05:23 <salv-orlando> #startmeeting quantum-vpn 19:05:24 <openstack> Meeting started Fri Apr 5 19:05:23 2013 UTC. The chair is salv-orlando. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:05:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 19:05:27 <openstack> The meeting name has been set to 'quantum_vpn' 19:05:35 <nati_ueno> salv-orlando: thanks 19:05:43 <salv-orlando> I don't know if this starts the log too however 19:05:55 <salv-orlando> it should… but… don't trust me! 19:05:56 <nati_ueno> may be :) 19:06:13 <nati_ueno> I'll also copy and paste logs 19:06:22 <nati_ueno> #topic [Agenda0] Share definitions 19:06:44 <nati_ueno> I wrote some terms of definitions. Is this OK for you guys? 19:06:53 <nati_ueno> #link https://etherpad.openstack.org/HavanaVPNaaS 19:07:09 <salv-orlando> well, it was logging even before that: http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2013-04-05.log 19:07:17 <salv-orlando> but this should give us also the minutes 19:07:24 <nati_ueno> salv-orlando: nice! 19:07:49 <mestery> nanti_ueno: Thanks for writing that etherpad up, reading through parts of it now. 19:07:58 <nati_ueno> mestery: :) 19:08:15 <nati_ueno> Is Swaminathan here? 19:08:40 <nati_ueno> ah he looks trying to connect IRC 19:10:11 <Nachi> test from webchat 19:10:21 <nati_ueno> hm webchat looks working 19:10:29 <salv-orlando> nati_ueno: have you summarised the agenda somewhere? It might be me but it seems a bit cluttered now on the etherpad 19:10:45 <nati_ueno> salv-orlando: yes https://etherpad.openstack.org/HavanaVPNaaS L40 19:12:46 <salv-orlando> ok looks good. 19:13:26 <nati_ueno> OK I'll proxy etherpad and IRC for Swaminathan 19:14:27 <salv-orlando> can you start with an overview of the use cases? 19:14:36 <salv-orlando> just the 30,000 high ft view 19:14:47 <nati_ueno> salv-orlando: so you wanna discuss about usecase before sharing definitions? 19:15:31 <salv-orlando> if you want to start with terminology I'm fine either 19:15:43 <salv-orlando> actually as long as we start,I'm ok with it :) 19:15:57 <nati_ueno> OK the usecase also using the terminology, so let's discuss terminology first 19:16:14 <nati_ueno> Quantum Router - Quantum Router defined by Quantum V2.0 API 19:16:14 <nati_ueno> Quantum Network - Quantum Network defined by Quantum V2.0 API 19:16:14 <nati_ueno> Quantum Subnet - Quantum Subnet defined by Quantum V2.0 API 19:16:21 <nati_ueno> This three is OK? 19:16:27 <mestery> Those look good, yes. 19:16:36 <nati_ueno> VPN Site - One exsting network which is connected via Network 19:17:02 <mestery> Do you mean "connected via Quantum Network" here? 19:17:25 <nati_ueno> no any network 19:17:44 <mestery> OK 19:17:50 <nati_ueno> may be it should be via any VPN method 19:18:08 <nati_ueno> I updated the def 19:18:16 <mestery> OK, I think that is a bit clearer 19:18:38 <nati_ueno> Note: Swan added Remote Users in the definition 19:18:41 <nati_ueno> kk 19:18:47 <nati_ueno> VPN Site Group - a set of VPN Site 19:19:06 <nati_ueno> L3 Connection - Network is reachable via L3 layer 19:19:06 <nati_ueno> L2 Connection - Network is reachable via L2 layer 19:19:19 <nati_ueno> Hub - Spoke Model - Spoke site can connect to the Hub site. but spoke to spoke connection is prohibited 19:19:19 <nati_ueno> Remote Clients - Remote Users who uses the VPN Network 19:19:26 <nati_ueno> OK no problem for defs? 19:19:33 <nati_ueno> Please feel free to add new terms 19:19:40 <nati_ueno> Can we go usecase ? 19:20:00 <mestery> Those all look good to me. 19:20:08 <sthakkar> seems ok 19:20:12 <nati_ueno> ok 19:20:21 <nati_ueno> #topic [Agenda1] Identify unique use cases from various proposals (SSL/IPSEC/MPLS or other) 19:20:30 <sthakkar> sure i think narrowing those down will be important in priorizing 19:20:44 <nati_ueno> so I summarize use case for three 19:20:50 <nati_ueno> Use case [ Router to VPN Site ] 19:20:55 <nati_ueno> Use case2 [ Network to VPN Site ] 19:21:04 <nati_ueno> Use case3 [Deffrent teant] 19:21:12 <nati_ueno> On 1. Use case [ Router to VPN Site ] 19:21:22 <nati_ueno> We will connect quantum router to VPN site 19:21:44 <nati_ueno> Assumption; All site is owned by single tenant 19:21:44 <nati_ueno> Router and VPN Site is connected by L3 connection 19:22:00 <nati_ueno> There is some variation 19:22:04 <nati_ueno> 1-1. Connect Quantum Router to One VPN site 19:22:04 <nati_ueno> 1-2 . Connect Quantum Router to the multiple VPN Site 19:22:04 <nati_ueno> 1-2-1 both direction 19:22:05 <nati_ueno> 1-2-2 hub and spoke model 19:22:12 <nati_ueno> and routing 19:22:15 <nati_ueno> 1-3. Static route between connected Site (may be combination of 1-1,1-2,) 19:22:15 <nati_ueno> 1.4. Dynamic routing between connected Site (may be combination of 1-1,1-2 19:22:30 <nati_ueno> Usecase 1 is clear for you guys? 19:22:45 <sthakkar> is that in priority. i think the use case is fine 19:22:58 <mestery> Looks good to me too. 19:23:02 <nati_ueno> OK let's discuss priority after we share the usecases 19:23:10 <nati_ueno> ok 2. Use case2 [ Network to VPN Site ] 19:23:19 <sthakkar> fair enough 19:23:24 <nati_ueno> Connect Quantum Network to VPN Site directry by L2 connection 19:23:42 <nati_ueno> Use case2 is OK? 19:24:18 <nati_ueno> Swaminathan Vasudevan(HP):12:23 Looks good for me as well 19:24:25 <salv-orlando> use case 2 is an extension of a broadcast domain? 19:24:45 <mestery> salv-orlando: Effectively it would have to be I think. 19:24:55 <mestery> Since it's L2, it implies the same broadcast domain I think. 19:25:03 <nati_ueno> salv-orlando: is there any any variation? 19:25:18 <salv-orlando> nope, just want to make sure it was not a different kind of site-2-site 19:25:25 <ywu> case 1 is L3 VPN, case 2 is L2 VPN, am I understand correctly? 19:25:34 <nati_ueno> ywu: yes 19:25:49 <nati_ueno> so if we wanna connect quantum network to vpn directory. I should be L2 19:26:05 <nati_ueno> but if there are the other way, I'll add usecase under the usecase2 19:26:35 <nati_ueno> s/I should be L2/it should be L2/ 19:26:50 <nati_ueno> Swaminathan Vasudevan(HP):12:24 Is Use case 2 similar to a Cloud Bridge 19:27:06 <nati_ueno> Swaminathan: what's a Cloud Bridge ? 19:27:18 <salv-orlando> like the company verizon bought 19:27:29 <nati_ueno> salv-orlando: thanks 19:27:41 <nati_ueno> OK usecase2 is OK for you guys? 19:27:42 <salv-orlando> a layer-2 bridge between on premise network and a network in the cloud 19:27:46 <salv-orlando> it's ok for me 19:27:56 <nati_ueno> salv-orlando: aha kind of EVPN service 19:28:13 <nati_ueno> 3. Use case3 [Deffrent teant] 19:28:24 <nati_ueno> sorry typo 19:28:30 <nati_ueno> . Use case3 [Deffrent tenant] 19:28:47 <nati_ueno> so usecase 3 may be combined by usecase1 and 2 19:28:50 <nati_ueno> difference is 19:29:00 <nati_ueno> the resources are owned by different tenant 19:29:16 <nati_ueno> We should discuss permission model on usecase3 19:29:47 <nati_ueno> OK usecase3 is oK? 19:30:06 <mestery> So use case 3 is letting networks from different tenants connect? 19:30:21 <nati_ueno> mestery: yes 19:30:27 <sthakkar> i think rbac will be a separate discussion from the base object model thought, right? 19:30:31 <sthakkar> *though 19:30:49 <salv-orlando> rbac is always orthogonal 19:30:57 <nati_ueno> sthakkar: yeah, but we should identify rbac is needed or not via Usecase discussion 19:31:10 <salv-orlando> at least for quantum API - the API police will enforce this through havana release cycle 19:31:40 <sthakkar> nati_ueno: sure that seems fair. i think maybe we nail down the obj model and then attach rbac to each obj in the model as appropriate 19:32:04 <salv-orlando> sounds good 19:32:08 <nati_ueno> good 19:32:13 <nati_ueno> OK let's prioritize usecases 19:32:31 <nati_ueno> I think all bp is on Use case1 19:32:32 <sthakkar> yep, simpler if we separate the two for now 19:32:34 <sthakkar> ok sounds good 19:33:04 <nati_ueno> so IMO priority is Use case1 -> Use case2 -> Usecase 3 19:33:08 <nati_ueno> is this fair? 19:33:27 <mestery> I agree with that prioritization. 19:33:40 <nati_ueno> Ok let's sort sub usecases 19:33:58 <nati_ueno> IMO, simple usecase get more high priorities 19:34:21 <nati_ueno> ah I didn't describe sub usecases yet 19:34:27 <nati_ueno> let's me explain 19:34:35 <nati_ueno> 1-1. Connect Quantum Router to One VPN site 19:34:43 <salv-orlando> #info attendees agree with following priority: use case 1, use case 2, use case 3 19:34:45 <nati_ueno> this is one to one connection between router and one vpn site 19:34:57 <nati_ueno> quite simple 19:35:02 <nati_ueno> 1-2 . Connect Quantum Router to the VPN Site Group 19:35:08 <nati_ueno> one to many connection 19:35:21 <nati_ueno> 1-3. Static route between connected Site (may be combination of 1-1,1-2,) 19:35:29 <nati_ueno> static routing version 19:35:35 <nati_ueno> 1.4. Dynamic routing between connected Site (may be combination of 1-1,1-2 19:35:56 <nati_ueno> IMO priority is 1-1,1-2,1-3,1-4 19:36:24 <nati_ueno> simple to complex 19:36:41 <nati_ueno> Is this fair? 19:36:59 <nati_ueno> Swaminathan Vasudevan(HP):12:36 My priority will be 1-1,1-3,1-2,1-4 19:37:02 <mestery> makes sense from an implementation perspective 19:37:12 <nati_ueno> kk 19:37:20 <nati_ueno> OK how about 1-1,1-3,1-2,1-4 ? 19:37:33 <nati_ueno> if this is ok, I'll sort usecases 19:37:42 <mestery> I think as long as 1-1 is first we're good. 19:37:51 <sthakkar> isnt 1-2 a prereq for 3? 19:38:14 <nati_ueno> sthakkar: one site may have muliple subnet 19:38:18 <nati_ueno> sthakkar: I'll update defs 19:38:50 <nati_ueno> done 19:38:52 <sthakkar> kk 19:38:58 <nati_ueno> Swaminathan Vasudevan(HP):12:38 I don't think there is a dependency of 1-2 for 1-3 19:39:07 <nati_ueno> OK I'll sort usecase 19:39:37 <salv-orlando> nati_ueno: I have a trivial question here. Is the quantum router itself an endpoint for the VPN in your view? 19:40:21 <nati_ueno> salv-orlando: Impl could be different, but we will connect router resource and some vpn on the resource model 19:40:56 <salv-orlando> thanks. I am not talking about implementation, but about the resource model exposed to the user. 19:41:09 <salv-orlando> through the quantum API. So there would be a VPN resource, wouldn't it? 19:41:25 <nati_ueno> salv-orlando: IMO, we should discuss the modeling after we agreed usecase 19:41:35 <salv-orlando> I do apologise for asking trivial question, my only purpose is to avoid ambiguity at all costs. 19:41:44 <salv-orlando> let's move ahead then 19:41:48 <nati_ueno> salv-orlando: kk 19:41:57 <nati_ueno> so usecases are all ok for you guys? 19:42:08 <nati_ueno> Swaminathan added Remote Clients 19:42:10 <nati_ueno> on the defs 19:42:22 <nati_ueno> How this related with usecases? 19:42:23 <ywu> sounds good to me. 19:42:34 <nati_ueno> I feel we should add usecase for the term 19:43:14 <nati_ueno> IMO, any user can connect to the VPN Site, can connect the quantum router if the vpn site and quantum router is connected 19:43:45 <nati_ueno> but there could be more advanced usecase 19:43:57 <salv-orlando> It's probably best to ask Swaminathan as he's probably be envisioning a different situation. 19:44:00 <nati_ueno> Swaminathan Vasudevan(HP):12:43 We have not discussed use cases were remote warriors connect to the cloud using the vpn client 19:44:01 <nati_ueno> Alan K:12:43 I think we should take that at the end 19:44:01 <nati_ueno> Alan K:12:43 For now i think we figure out how to fullfill the use cases we have outlined 19:44:34 <nati_ueno> Swaminathan: Ah so it is not site-site connection 19:44:45 <salv-orlando> I agree with Alan K 19:44:59 <nati_ueno> Swaminathan Vasudevan(HP):12:44 ok, I am fine with that, we will discuss that at the end 19:45:10 <nati_ueno> but how we prioriteze the new usecase? 19:46:12 <nati_ueno> Swaminathan Vasudevan(HP):12:45 Priority for remote users would be 1-4 19:46:20 <nati_ueno> OK I added 19:46:22 <nati_ueno> 4. Use case4 Client to the Router 19:46:23 <nati_ueno> remote warriors connect to the cloud using the vpn client 19:46:32 <nati_ueno> OK usecase is all set? 19:46:57 <nati_ueno> It sounds Ok 19:47:14 <nati_ueno> #topic [Agenda2] Possible generization of VPN related api 19:47:21 <nati_ueno> OK let's model the usecase we agreed 19:47:39 <nati_ueno> salv-orlando: It looks you have some idea, and you are lead of quantum api 19:48:00 <salv-orlando> I don't have any strong opinion yet 19:48:01 <nati_ueno> salv-orlando: could you add your modeing on the etherpad? 19:48:04 <nati_ueno> salv-orlando: ah ok 19:48:40 <nati_ueno> Swaminathan Vasudevan(HP):12:48 I have modeled API based off of the Loadbalancer approach. 19:48:40 <nati_ueno> Alan K:12:48 reason for this is HA support. I would in the use cases just go with VPN 19:48:48 <salv-orlando> I think we are at a very early stage to discuss API proposal - we can just provide general directions for the model 19:48:58 <nati_ueno> salv-orlando: I agree 19:49:04 <sthakkar> yea salv and i have discussed one of the models 19:49:09 <nati_ueno> Alan K:12:48 so i will put it another way, VPN does not need to be terminated on an L-3 service 19:49:14 <sthakkar> perhaps we follow the same as lb for the mount points? 19:49:50 <nati_ueno> unnamed:12:49 Alan, in user case 2, it is a L2VPN, it may address your concern 19:50:09 <nati_ueno> OK at least we should model VPN site 19:50:15 <nati_ueno> and the connection between router and vpn site 19:50:18 <nati_ueno> (usecase1-1) 19:50:41 <salv-orlando> #info the VPN use case does not need to be terminated on L3 service 19:50:43 <nati_ueno> Swaminathan Vasudevan(HP):12:50 Please take a look at my blueprint and I have captured the API 19:50:43 <nati_ueno> Alan K:12:50 not really. I think we should be careful here. VPN is a service. whether that requires L-2 or L-3 is another matter. both will be used imho 19:51:21 <nati_ueno> Swaminathan :could you add your idea about modeling on the etherpad? 19:51:22 <salv-orlando> Alan K: this would a difference between router-level or network-level plugging. Both should be allowed. 19:51:31 <nati_ueno> Alan K:12:50 ok i will look at your API this evening 19:51:31 <nati_ueno> Alan K:12:51 but if you look at the API i submitted its a good started for a "Core API" for VPN services 19:52:09 <nati_ueno> Alan K:12:51 but for sure we can add to that 19:52:14 <nati_ueno> ywu:12:51 where could I find your API, Alan? thx 19:52:31 <nati_ueno> Swaminathan Vasudevan(HP):12:52 Before we discuss the API, can we discuss the data model and then come to the API to configure the data model 19:52:38 <salv-orlando> nati_ueno: if you have more people on the hangout then IRC, just invite us there 19:52:47 <salv-orlando> this is starting to get a bit awkward 19:52:53 <mestery> Yes, agree with salv-orlando. 19:53:01 <nati_ueno> salv-orlando: yeah, let's move to the etherpad 19:53:06 <mestery> A meeting on the etherpad seems odd, unsure why folks can't get on IRC. 19:53:18 <mestery> OK, odd though it may be, headed over there ... 19:53:29 <nati_ueno> me too for unsure the reason.. 19:53:48 <salv-orlando> ok, I'll switch to ether pad fwiw 19:53:50 <nati_ueno> #info discussion is continued on https://etherpad.openstack.org/HavanaVPNaaS 19:53:57 <nati_ueno> #endmeeting quantum-vpn 19:54:02 <sthakkar> lol fine 19:56:51 <salv-orlando> #endmeeting quantum-vpn