#openstack-meeting log

22:10:42 <nati_ueno> #startmeeting Networking VPNaaS
22:10:43 <openstack> Meeting started Mon Oct  7 22:10:42 2013 UTC and is due to finish in 60 minutes.  The chair is nati_ueno. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:10:44 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:10:46 <Swami> hi all
22:10:46 <openstack> The meeting name has been set to 'networking_vpnaas'
22:10:53 <pcm__> hi
22:11:21 <nati_ueno> Swami: pcm__: hi!
22:11:45 <nati_ueno> #topic Summit session
22:11:54 <nati_ueno> I have created a ehterpad page https://etherpad.openstack.org/NeutronVPNaaSIceHouse
22:12:19 <nati_ueno> In previous neutron weekly meeting, we agreed not to use "lecture" style discussion
22:12:29 <Swami> Yes opening the page
22:12:37 <nati_ueno> so I would like to use this etherpad on the summit
22:12:59 <nati_ueno> Also, I would like to start discussion on the etherpad about milestone of VPN on Icehouse
22:13:09 <Swami> Yes that would work out
22:13:33 <nati_ueno> Swami: Thanks
22:14:13 <nati_ueno> Ok
22:14:33 <nati_ueno> #topic Protocol Support
22:15:02 <nati_ueno> It looks like SSL-VPN, MPLS/BGP are proposed with bp
22:15:23 <Swami> Yes
22:15:28 <nati_ueno> "IPSec Certificate authentication support" <-- who's added this one?
22:15:40 <Swami> I added it Nachi to the list
22:15:51 <nati_ueno> Swami: Thanks. could you link the bp?
22:16:01 <Swami> Just to make sure that we don't miss anything left out
22:16:10 <nati_ueno> Thansk
22:17:56 <nati_ueno> IPSec + I2TP, GRE are candidates, but it looks like it lacks bps
22:17:56 <Swami> I don't have the detailed write up for the IPsec certificate authentication support, but since the SSL VPN already handles the certificate table, we can re-use the same for discussions
22:18:13 <nati_ueno> Swami: yes. we can use same tables
22:18:35 <Swami> Nachi: Thanks
22:18:36 <enikanorov> folks, btw, where are you storing certs for the service?
22:18:48 <nati_ueno> enikanorov: I think keystone is applicable
22:18:56 <nati_ueno> enikanorov: it has certificate api
22:19:01 <enikanorov> is it planned or current solution?
22:19:19 <Swami> Nachi: There was also another blueprint targeted for storing the SSL certs for Loadbalancer sSL offload
22:19:23 <nati_ueno> enikanorov: I think it has.. but i'm not confident. I should investigate
22:19:37 <nati_ueno> Swami: Thanks. could you add it on the etherpad
22:19:53 <enikanorov> nati_ueno: I see, thanks. I'm asking because there are talks about adding ssl to lbaas, which will also need certs management
22:19:55 <Swami> Sure
22:20:02 <nati_ueno> certificate resource would be not limited on vpnaas
22:20:29 <nati_ueno> so, let's write some proposal at first, then discussion on the mailing list before the summit
22:20:48 <enikanorov> sounds good
22:21:24 <nati_ueno> Is there anyone to take this resource design?
22:22:42 <nati_ueno> OK let's find the people later
22:22:54 <enikanorov> :)
22:23:08 <nati_ueno> Do you have any other items for Protocol Support?
22:23:37 <Swami> I don't think there is anything more, the etherpad list covers all
22:23:43 <nati_ueno> ok.
22:23:52 <nati_ueno> Swami: so you will raise hand for ssl-vpn?
22:24:42 <Swami> Yes I would raise hand for both ssl-vpn and mpls/bgp, both are required, but I thought we can do baby steps
22:25:31 <nati_ueno> Swami: Ok sure. i'm still working on mpls stuff. so let's discuss detailed API in next meeting
22:25:48 <Swami> nachi: appreciate it
22:25:55 <pcm__> I think Ian Wells has a L2VPN session submitted.
22:26:14 <nati_ueno> pcm__: yes. he wrote some note on the etherpad
22:26:21 <nati_ueno> pcm__: is he around?
22:26:38 <pcm__> I mentioned the session, but don't think he's on IRC
22:26:45 <pcm__> I'll ping him
22:26:50 <nati_ueno> pcm__: Thanks
22:27:07 <nati_ueno> pcm__: he says ", I'm not bringing an implementation along", so may be we can separate session
22:27:21 <nati_ueno> pcm__: his topic looks like more general terms
22:27:34 <pcm__> gotcha
22:27:43 <nati_ueno> #topic Service
22:27:54 <nati_ueno> I think there is there workitems
22:28:14 <nati_ueno> (1) Service Type Framework (2) Service Insertion (3) Service agent
22:28:45 <nati_ueno> (1) has a patch, and i expect it will be merged in early I
22:28:58 <nati_ueno> (2) and (3) is under the discussion
22:29:10 <enikanorov> nati_ueno: are you aware of service chaining proposal?
22:29:14 <enikanorov> or discussion?
22:29:20 <ijw> o/
22:29:34 <Swami> Nachi: Do you also need to consider the service chaining or will service insertion be part of the service chaining
22:29:42 <nati_ueno> enikanorov: yes
22:29:55 <nati_ueno> I should add it on the list :P
22:30:05 <enikanorov> nati_ueno: it also has an idea of introducing new entity
22:30:09 <enikanorov> "service instance"
22:30:17 <enikanorov> which is used for a few things
22:30:29 <ijw> enikanorov: is that Sumit's proposal, or is this another one?
22:30:33 <SumitNaiksatam> enikanorov:  am in the process of revising the proposal from the last summit on service insertion/chaining
22:30:35 <enikanorov> bind resource to a backend, bind resource to a provider, etc
22:30:46 <enikanorov> yeah, basically it is his proposal
22:31:00 <enikanorov> SumitNaiksatam: hi :)
22:31:09 <SumitNaiksatam> hi :-)
22:31:27 <nati_ueno> so may be we should discuss service related topic in the service session if we have
22:31:36 <pcm__> enikanorov: any link to the proposal?
22:31:40 <nati_ueno> SumitNaiksatam: so you are proposing a session too?
22:31:45 <enikanorov> pcm__: not yet
22:31:49 <ijw> Sumit's got one on service chaining already
22:32:01 <ijw> (independent of VPNs)
22:32:03 * pcm__ just trying to wrap my head around all this
22:32:08 <SumitNaiksatam> ijw: that's right
22:32:34 <ijw> I need a word with people here about service chaining, too - but in general it's an independent topic to VPNs and I would set it aside for now
22:32:50 <nati_ueno> ok
22:33:11 <nati_ueno> SumitNaiksatam: How about have a irc meeting about service related stuff?
22:33:32 <pcm__> nati_ueno: +1
22:33:59 <SumitNaiksatam> nati_ueno: sure
22:34:04 <nati_ueno> SumitNaiksatam: Thanks!
22:34:07 <nati_ueno> #topic misc
22:34:22 <Swami> nachi: please add me in those meeting related to service chaining discussion
22:34:27 <nati_ueno> I would like to add (1) Multiple local subnet support (2) Routing configration support on VPNService
22:34:51 <nati_ueno> Swami: sure. I believe Sumit will send invitation on the openstack-dev
22:35:00 <nati_ueno> do you have any other related bps?
22:35:02 <Swami> nachi: thanks
22:35:52 <nati_ueno> ok it looks nothing
22:35:57 <ijw> nati_ueno: whatever you're proposing for VPNs ought to apply exactly the same as any provider network, shouldn't it?
22:36:17 <ijw> s/as/to/
22:36:36 <nati_ueno> ijw: Ah, I didn't have a thought about that. but may be true
22:36:52 <nati_ueno> ijw: (1) is for vpn service resources.
22:36:58 <nati_ueno> ijw: but (2) is may be related
22:37:31 <ijw> Yeah, I was thinking more in terms of 'if there's an API for this already can we re-use it' but I guess that for L3VPNs it's done differently to networks
22:38:04 <nati_ueno> ijw: no vpnservice is not only for l3. we will remove router_id.
22:38:16 <nati_ueno> ijw: router_id will be deal with service insertion stuff
22:38:47 <nati_ueno> however we should discuss this with a concrete API proposal.
22:39:03 <nati_ueno> so let's discuss the detail in the next meeting. I'll write some proposal
22:39:06 <SumitNaiksatam> nati_ueno: this is a good point, glad you brought it up
22:39:06 <ijw> I don't think you can just remove router_id and make a VPN l2
22:39:15 <ijw> (if that's what you're saying)
22:39:36 <SumitNaiksatam> ijw: removing router id is probably not enough
22:39:54 <SumitNaiksatam> however, router id probably does not belong the way it is modeled now
22:40:08 <nati_ueno> SumitNaiksatam: yes
22:40:09 <SumitNaiksatam> do you agree?
22:40:14 <ijw> k
22:40:25 <nati_ueno> ijw: may be, you are right. let's discuss on the proposal in next meeting
22:40:35 <nati_ueno> ijw: are you going to propose l2vpn in the icehouse?
22:42:31 <ijw> I've got the proposal in, yes.  I might present an API for the basic concept but I didn't want to get into specific VPN types so much as the differences between L2 and L3 and how you would want to attach them.
22:43:03 <nati_ueno> ijw: so do you have some impl also in icehouse
22:43:28 <ijw> I was hoping to have a general discussion and hear opinions rather than say 'we should do it exactly like this', if that's all right with people.  I don't have an API implementation right now, no.
22:44:07 <nati_ueno> ijw: yeah, one issue is no one is going to add impl for l2vpn in icehouse, IFIK
22:44:32 <nati_ueno> ijw: if we have no plan to impl it, it isn't makes sence to add API for that in this release
22:44:49 <ijw> We would like to implement it, I think
22:45:05 <nati_ueno> ijw: We == your team?
22:45:51 <ijw> Probably not my specific team, just someone in the wider company - but I'd like to take details and recommendations back to them rather than have them come up with an extension in the absence of any feedback.
22:46:30 <nati_ueno> ijw: Ok let's ask is there anyone to take l2vpn impl in icehouse in mailing list
22:46:46 <ijw> I can probably persuade Kyle to mind it
22:46:54 <nati_ueno> ijw: cool
22:47:02 <nati_ueno> ok next topic
22:47:05 <nati_ueno> #topic Vendor driver support
22:47:13 <nati_ueno> I find there is NSX bp for vpnaas
22:47:23 <nati_ueno> pcm__: IMO, you will going to add cisco support also
22:47:57 <pcm__> yes, will be... in early investigations right now. Will need to do a BP
22:48:16 <nati_ueno> pcm__: Thanks. please link you bp when you write it
22:48:24 <pcm__> will do.
22:48:28 <nati_ueno> any other vender driver proposals on this?
22:49:08 <nati_ueno> OK let's keep asking in the mailing list
22:49:26 <nati_ueno> #topic open discussion
22:49:28 <pcm__> I was curious on how we handle vendor diff in API
22:49:34 <nati_ueno> do you have some discussion items?
22:49:57 <pcm__> e.g. if a vendor supports diff attribute values.
22:49:58 <Swami> Normally vendor diff come in through their plugin
22:50:20 <nati_ueno> pcm__: if the attriubutes differents, we can add vendor-specific extensions
22:50:24 <pcm__> Guess I'm wondering how it is reflect in API
22:51:31 <pcm__> For example, say you support more authentication methods. How does the API reflect that?
22:51:48 <nati_ueno> pcm__: That's sounds not vendor-specific
22:52:04 <nati_ueno> pcm__: we should extend our vpn API for the more authentication methods
22:52:45 <pcm__> Just an example. Could go the other way, like not supporting some of the attribute values.
22:53:40 <nati_ueno> The new attribute is really vendor specific, we can write extension for it
22:53:48 <nati_ueno> we can extend vpnservice resource
22:54:30 <nati_ueno> pcm__: ok let's keep discussion on this
22:54:39 <nati_ueno> #topic next meeting time
22:55:05 <nati_ueno> is that OK for you with same time. After the Next neutron core meeting
22:55:22 <enikanorov> it's a pity it's too late
22:55:27 <Swami> This timeslot works for me.
22:55:31 <enikanorov> i'm not a regular visitor at this time
22:55:46 <enikanorov> but a feel lbaas and vpn has come common points to discuss
22:55:56 <pcm__> normally OK. Though I'm not avail. next two Mon.
22:56:00 <nati_ueno> enikanorov: Ah ok. so let's schedule another time.
22:56:20 <enikanorov> nati_ueno: nope, i don't think my time zone is suitable for you guys
22:56:23 <nati_ueno> enikanorov: pcm__: could you add some candidates on the etherpad
22:56:34 <pcm__> ok
22:56:43 <enikanorov> so I'd prefer to participate in ML threads if you initiate some
22:56:53 <nati_ueno> OK I'll send summary for the mailing list
22:56:58 <pcm__> Time is fine for me, just conflicts the next two weeks.
22:56:59 <Swami> I am ok with any time slot, other than early morning PDT
22:57:05 <nati_ueno> enikanorov: yes. let's keep discussion on the mailing list
22:57:22 <nati_ueno> OK Thanks guys!!
22:57:25 <nati_ueno> #endmeeting