19:05:23 <salv-orlando> #startmeeting quantum-vpn
19:05:24 <openstack> Meeting started Fri Apr  5 19:05:23 2013 UTC.  The chair is salv-orlando. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:05:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:05:27 <openstack> The meeting name has been set to 'quantum_vpn'
19:05:35 <nati_ueno> salv-orlando: thanks
19:05:43 <salv-orlando> I don't know if this starts the log too however
19:05:55 <salv-orlando> it should… but… don't trust me!
19:05:56 <nati_ueno> may be :)
19:06:13 <nati_ueno> I'll also copy and paste logs
19:06:22 <nati_ueno> #topic [Agenda0] Share definitions
19:06:44 <nati_ueno> I wrote some terms of definitions. Is this OK for you guys?
19:06:53 <nati_ueno> #link https://etherpad.openstack.org/HavanaVPNaaS
19:07:09 <salv-orlando> well, it was logging even before that: http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2013-04-05.log
19:07:17 <salv-orlando> but this should give us also the minutes
19:07:24 <nati_ueno> salv-orlando: nice!
19:07:49 <mestery> nati_ueno: Thanks for writing that etherpad up, reading through parts of it now.
19:07:58 <nati_ueno> mestery: :)
19:08:15 <nati_ueno> Is Swaminathan here?
19:08:40 <nati_ueno> ah he looks trying to connect IRC
19:10:11 <Nachi> test from webchat
19:10:21 <nati_ueno> hm webchat looks working
19:10:29 <salv-orlando> nati_ueno: have you summarised the agenda somewhere? It might be me but it seems a bit cluttered now on the etherpad
19:10:45 <nati_ueno> salv-orlando: yes https://etherpad.openstack.org/HavanaVPNaaS L40
19:12:46 <salv-orlando> ok looks good.
19:13:26 <nati_ueno> OK I'll proxy etherpad and IRC for Swaminathan
19:14:27 <salv-orlando> can you start with an overview of the use cases?
19:14:36 <salv-orlando> just the 30,000 high ft view
19:14:47 <nati_ueno> salv-orlando: so you wanna discuss about usecase before sharing definitions?
19:15:31 <salv-orlando> if you want to start with terminology I'm fine either
19:15:43 <salv-orlando> actually as long as we start, I'm ok with it :)
19:15:57 <nati_ueno> OK the usecase also using the terminology, so let's discuss terminology first
19:16:14 <nati_ueno> Quantum Router  - Quantum Router defined by Quantum V2.0 API
19:16:14 <nati_ueno> Quantum Network - Quantum Network defined by Quantum V2.0 API
19:16:14 <nati_ueno> Quantum Subnet - Quantum Subnet defined by Quantum V2.0 API
19:16:21 <nati_ueno> This three is OK?
19:16:27 <mestery> Those look good, yes.
19:16:36 <nati_ueno> VPN Site - One existing network which is connected via Network
19:17:02 <mestery> Do you mean "connected via Quantum Network" here?
19:17:25 <nati_ueno> no any network
19:17:44 <mestery> OK
19:17:50 <nati_ueno> may be it should be via any VPN method
19:18:08 <nati_ueno> I updated the def
19:18:16 <mestery> OK, I think that is a bit clearer
19:18:38 <nati_ueno> Note: Swan added Remote Users in the definition
19:18:41 <nati_ueno> kk
19:18:47 <nati_ueno> VPN Site Group - a set of VPN Site
19:19:06 <nati_ueno> L3 Connection - Network is reachable via L3 layer
19:19:06 <nati_ueno> L2 Connection - Network is reachable via L2 layer
19:19:19 <nati_ueno> Hub - Spoke Model -  Spoke site can connect to the Hub site. but spoke to spoke connection is prohibited
19:19:19 <nati_ueno> Remote Clients - Remote Users who uses the VPN Network
19:19:26 <nati_ueno> OK no problem for defs?
19:19:33 <nati_ueno> Please feel free to add new terms
19:19:40 <nati_ueno> Can we go usecase ?
19:20:00 <mestery> Those all look good to me.
19:20:08 <sthakkar> seems ok
19:20:12 <nati_ueno> ok
19:20:21 <nati_ueno> #topic [Agenda1]  Identify unique use cases from various proposals (SSL/IPSEC/MPLS or other)
19:20:30 <sthakkar> sure i think narrowing those down will be important in prioritizing
19:20:44 <nati_ueno> so I summarize use case for three
19:20:50 <nati_ueno> Use case [ Router to VPN Site ]
19:20:55 <nati_ueno> Use case2 [ Network to VPN Site ]
19:21:04 <nati_ueno> Use case3 [Different tenant]
19:21:12 <nati_ueno> On 1.  Use case [ Router to VPN Site ]
19:21:22 <nati_ueno> We will connect quantum router to VPN site
19:21:44 <nati_ueno> Assumption; All site is owned by single tenant
19:21:44 <nati_ueno> Router and VPN Site is connected by L3 connection
19:22:00 <nati_ueno> There is some variation
19:22:04 <nati_ueno> 1-1. Connect Quantum Router to One VPN site
19:22:04 <nati_ueno> 1-2 . Connect Quantum Router to the multiple VPN Site
19:22:04 <nati_ueno> 1-2-1  both direction
19:22:05 <nati_ueno> 1-2-2  hub and spoke model
19:22:12 <nati_ueno> and routing
19:22:15 <nati_ueno> 1-3.  Static route between connected Site  (may be combination of 1-1,1-2,)
19:22:15 <nati_ueno> 1.4.  Dynamic routing between connected Site  (may be combination of 1-1,1-2
19:22:30 <nati_ueno> Usecase 1 is clear for you guys?
19:22:45 <sthakkar> is that in priority. i think the use case is fine
19:22:58 <mestery> Looks good to me too.
19:23:02 <nati_ueno> OK let's discuss priority after we share the usecases
19:23:10 <nati_ueno> ok 2. Use case2 [ Network to VPN Site ]
19:23:19 <sthakkar> fair enough
19:23:24 <nati_ueno> Connect Quantum Network to VPN Site directly by L2 connection
19:23:42 <nati_ueno> Use case2 is OK?
19:24:18 <nati_ueno> Swaminathan Vasudevan(HP):12:23 Looks good for me as well
19:24:25 <salv-orlando> use case 2 is an extension of a broadcast domain?
19:24:45 <mestery> salv-orlando: Effectively it would have to be I think.
19:24:55 <mestery> Since it's L2, it implies the same broadcast domain I think.
19:25:03 <nati_ueno> salv-orlando: is there any any variation?
19:25:18 <salv-orlando> nope, just want to make sure it was not a different kind of site-2-site
19:25:25 <ywu> case 1 is L3 VPN, case 2 is L2 VPN, am I understand correctly?
19:25:34 <nati_ueno> ywu: yes
19:25:49 <nati_ueno> so if we wanna connect quantum network to vpn directory. I should be L2
19:26:05 <nati_ueno> but if there are the other way, I'll add usecase under the usecase2
19:26:35 <nati_ueno> s/I should be L2/it should be L2/
19:26:50 <nati_ueno> Swaminathan Vasudevan(HP):12:24 Is Use case 2 similar to a Cloud Bridge
19:27:06 <nati_ueno> Swaminathan: what's a Cloud Bridge ?
19:27:18 <salv-orlando> like the company verizon bought
19:27:29 <nati_ueno> salv-orlando: thanks
19:27:41 <nati_ueno> OK usecase2 is OK for you guys?
19:27:42 <salv-orlando> a layer-2 bridge between on premise network and a network in the cloud
19:27:46 <salv-orlando> it's ok for me
19:27:56 <nati_ueno> salv-orlando: aha kind of EVPN service
19:28:13 <nati_ueno> 3. Use case3 [Deffrent teant]
19:28:24 <nati_ueno> sorry typo
19:28:30 <nati_ueno> . Use case3 [Different tenant]
19:28:47 <nati_ueno> so usecase 3 may be combined by usecase1 and 2
19:28:50 <nati_ueno> difference is
19:29:00 <nati_ueno> the resources are owned by different tenant
19:29:16 <nati_ueno> We should discuss permission model on usecase3
19:29:47 <nati_ueno> OK usecase3 is oK?
19:30:06 <mestery> So use case 3 is letting networks from different tenants connect?
19:30:21 <nati_ueno> mestery: yes
19:30:27 <sthakkar> i think rbac will be a separate discussion from the base object model thought, right?
19:30:31 <sthakkar> *though
19:30:49 <salv-orlando> rbac is always orthogonal
19:30:57 <nati_ueno> sthakkar: yeah, but we should identify rbac is needed or not via Usecase discussion
19:31:10 <salv-orlando> at least for quantum API - the API police will enforce this through havana release cycle
19:31:40 <sthakkar> nati_ueno: sure that seems fair. i think maybe we nail down the obj model and then attach rbac to each obj in the model as appropriate
19:32:04 <salv-orlando> sounds good
19:32:08 <nati_ueno> good
19:32:13 <nati_ueno> OK let's prioritize usecases
19:32:31 <nati_ueno> I think all bp is on Use case1
19:32:32 <sthakkar> yep, simpler if we separate the two for now
19:32:34 <sthakkar> ok sounds good
19:33:04 <nati_ueno> so IMO priority is Use case1  -> Use case2 -> Usecase 3
19:33:08 <nati_ueno> is this fair?
19:33:27 <mestery> I agree with that prioritization.
19:33:40 <nati_ueno> Ok let's sort sub usecases
19:33:58 <nati_ueno> IMO, simple usecase get more high priorities
19:34:21 <nati_ueno> ah I didn't describe sub usecases yet
19:34:27 <nati_ueno> let's me explain
19:34:35 <nati_ueno> 1-1. Connect Quantum Router to One VPN site
19:34:43 <salv-orlando> #info attendees agree with following priority: use case 1, use case 2, use case 3
19:34:45 <nati_ueno> this is one to one connection between router and one vpn site
19:34:57 <nati_ueno> quite simple
19:35:02 <nati_ueno> 1-2 . Connect Quantum Router to the VPN Site Group
19:35:08 <nati_ueno> one to many connection
19:35:21 <nati_ueno> 1-3.  Static route between connected Site  (may be combination of 1-1,1-2,)
19:35:29 <nati_ueno> static routing version
19:35:35 <nati_ueno> 1.4.  Dynamic routing between connected Site  (may be combination of 1-1,1-2
19:35:56 <nati_ueno> IMO priority is 1-1,1-2,1-3,1-4
19:36:24 <nati_ueno> simple to complex
19:36:41 <nati_ueno> Is this fair?
19:36:59 <nati_ueno> Swaminathan Vasudevan(HP):12:36 My priority will be 1-1,1-3,1-2,1-4
19:37:02 <mestery> makes sense from an implementation perspective
19:37:12 <nati_ueno> kk
19:37:20 <nati_ueno> OK how about 1-1,1-3,1-2,1-4 ?
19:37:33 <nati_ueno> if this is ok, I'll sort usecases
19:37:42 <mestery> I think as long as 1-1 is first we're good.
19:37:51 <sthakkar> isnt 1-2 a prereq for 3?
19:38:14 <nati_ueno> sthakkar: one site may have multiple subnet
19:38:18 <nati_ueno> sthakkar: I'll update defs
19:38:50 <nati_ueno> done
19:38:52 <sthakkar> kk
19:38:58 <nati_ueno> Swaminathan Vasudevan(HP):12:38 I don't think there is a dependency of 1-2 for 1-3
19:39:07 <nati_ueno> OK I'll sort usecase
19:39:37 <salv-orlando> nati_ueno: I have a trivial question here. Is the quantum router itself an endpoint for the VPN in your view?
19:40:21 <nati_ueno> salv-orlando: Impl could be different, but we will connect router resource and some vpn on the resource model
19:40:56 <salv-orlando> thanks. I am not talking about implementation, but about the resource model exposed to the user.
19:41:09 <salv-orlando> through the quantum API. So there would be a VPN resource, wouldn't it?
19:41:25 <nati_ueno> salv-orlando: IMO, we should discuss the modeling after we agreed usecase
19:41:35 <salv-orlando> I do apologise for asking trivial question, my only purpose is to avoid ambiguity at all costs.
19:41:44 <salv-orlando> let's move ahead then
19:41:48 <nati_ueno> salv-orlando: kk
19:41:57 <nati_ueno> so usecases are all ok for you guys?
19:42:08 <nati_ueno> Swaminathan added Remote Clients
19:42:10 <nati_ueno> on the defs
19:42:22 <nati_ueno> How this related with usecases?
19:42:23 <ywu> sounds good to me.
19:42:34 <nati_ueno> I feel we should add usecase for the term
19:43:14 <nati_ueno> IMO, any user can connect to the VPN Site, can connect the quantum router if the vpn site and quantum router is connected
19:43:45 <nati_ueno> but there could be more advanced usecase
19:43:57 <salv-orlando> It's probably best to ask Swaminathan as he's probably be envisioning a different situation.
19:44:00 <nati_ueno> Swaminathan Vasudevan(HP):12:43 We have not discussed use cases where remote warriors connect to the cloud using the vpn client
19:44:01 <nati_ueno> Alan K:12:43 I think we should take that at the end
19:44:01 <nati_ueno> Alan K:12:43 For now i think we figure out how to fulfill the use cases we have outlined
19:44:34 <nati_ueno> Swaminathan: Ah so it is not site-site connection
19:44:45 <salv-orlando> I agree with Alan K
19:44:59 <nati_ueno> Swaminathan Vasudevan(HP):12:44 ok, I am fine with that, we will discuss that at the end
19:45:10 <nati_ueno> but how we prioritize the new usecase?
19:46:12 <nati_ueno> Swaminathan Vasudevan(HP):12:45 Priority for remote users would be 1-4
19:46:20 <nati_ueno> OK I added
19:46:22 <nati_ueno> 4. Use case4  Client to the Router
19:46:23 <nati_ueno> remote warriors connect to the cloud using the vpn client
19:46:32 <nati_ueno> OK usecase is all set?
19:46:57 <nati_ueno> It sounds Ok
19:47:14 <nati_ueno> #topic [Agenda2]  Possible generalization of VPN related api
19:47:21 <nati_ueno> OK let's model the usecase we agreed
19:47:39 <nati_ueno> salv-orlando: It looks you have some idea, and you are lead of quantum api
19:48:00 <salv-orlando> I don't have any strong opinion yet
19:48:01 <nati_ueno> salv-orlando: could you add your modeling on the etherpad?
19:48:04 <nati_ueno> salv-orlando: ah ok
19:48:40 <nati_ueno> Swaminathan Vasudevan(HP):12:48 I have modeled API based off of the Loadbalancer approach.
19:48:40 <nati_ueno> Alan K:12:48 reason for this is HA support. I would in the use cases just go with VPN
19:48:48 <salv-orlando> I think we are at a very early stage to discuss API proposal - we can just provide general directions for the model
19:48:58 <nati_ueno> salv-orlando: I agree
19:49:04 <sthakkar> yea salv and i have discussed one of the models
19:49:09 <nati_ueno> Alan K:12:48 so i will put it another way, VPN does not need to be terminated on an L-3 service
19:49:14 <sthakkar> perhaps we follow the same as lb for the mount points?
19:49:50 <nati_ueno> unnamed:12:49 Alan, in user case 2, it is a L2VPN, it may address your concern
19:50:09 <nati_ueno> OK at least we should model VPN site
19:50:15 <nati_ueno> and the connection between router and vpn site
19:50:18 <nati_ueno> (usecase1-1)
19:50:41 <salv-orlando> #info the VPN use case does not need to be terminated on L3 service
19:50:43 <nati_ueno> Swaminathan Vasudevan(HP):12:50 Please take a look at my blueprint and I have captured the API
19:50:43 <nati_ueno> Alan K:12:50 not really. I think we should be careful here. VPN is a service. whether that requires L-2 or L-3 is another matter. both will be used imho
19:51:21 <nati_ueno> Swaminathan :could you add your idea about modeling on the etherpad?
19:51:22 <salv-orlando> Alan K: this would a difference between router-level or network-level plugging. Both should be allowed.
19:51:31 <nati_ueno> Alan K:12:50 ok i will look at your API this evening
19:51:31 <nati_ueno> Alan K:12:51 but if you look at the API i submitted its a good started for a "Core API" for VPN services
19:52:09 <nati_ueno> Alan K:12:51 but for sure we can add to that
19:52:14 <nati_ueno> ywu:12:51 where could I find your API, Alan? thx
19:52:31 <nati_ueno> Swaminathan Vasudevan(HP):12:52 Before we discuss the API, can we discuss the data model and then come to the API to configure the data model
19:52:38 <salv-orlando> nati_ueno: if you have more people on the hangout than IRC, just invite us there
19:52:47 <salv-orlando> this is starting to get a bit awkward
19:52:53 <mestery> Yes, agree with salv-orlando.
19:53:01 <nati_ueno> salv-orlando: yeah, let's move to the etherpad
19:53:06 <mestery> A meeting on the etherpad seems odd, unsure why folks can't get on IRC.
19:53:18 <mestery> OK, odd though it may be, headed over there ...
19:53:29 <nati_ueno> me too for unsure the reason..
19:53:48 <salv-orlando> ok, I'll switch to ether pad fwiw
19:53:50 <nati_ueno> #info discussion is continued on https://etherpad.openstack.org/HavanaVPNaaS
19:53:57 <nati_ueno> #endmeeting quantum-vpn
19:54:02 <sthakkar> lol fine
19:56:51 <salv-orlando> #endmeeting quantum-vpn