opnfv use case: vpn in the cloud

Peter Bandzi, Ahmed Maged @pbandzi @amaged Nov 2015

Upload: opnfv

Post on 15-Apr-2017


•  Assembling a VPN in the Cloud Service

•  Learning Experience

[Diagram: Application (home-grown Python code): Front End/User Portal, Back End, Sharing VPN Meta-Data over Facebook, Orchestration/Dispatching]

Bootstrap/Get Started (BGS)

•  The main goal of BGS is to assemble and test a base set of infrastructure components for OPNFV.

•  This project achieved that by supporting two deployers for OPNFV Arno; we used Fuel to build our infrastructure.

[Diagram, extended over two slides: Application (Front End/User Portal, Back End, Sharing VPN Meta-Data over Facebook, Orchestration/Dispatching); Virtual Infra Manager (OpenStack); SDN Controller (OpenDayLight); VNF (VPN Termination); BGS/OPNFV Deployer; interfaces labelled REST API, RESTConf and Netconf/Yang]

[Sequence diagram: nine numbered steps among User, Facebook, App/Portal, OpenStack, OpenDayLight and VNF/Router. Step labels: Request VPN service; Instruct ODL to provision VNF; Peer Picking; Peer Picked; Spin up VNF; Provision IPSec; Report addressing and preshared key; Post addressing and Password; IPSec Tunnel Established]

✓  Picking Peer from Facebook for rapid, painless setup *

* Inspired by Cedric Dessez, https://www.ietf.org/proceedings/87/slides/slides-87-homenet-6.pdf


Create a VM

    # Python SDK call; the SDK issues REST calls to http://<api-server>/servers
    client_manager.compute.servers.create('router', image, flavor,
                                          key_name=keypair.name,
                                          nics=[{'net-id': network.id}])

[Diagram: Python SDK -> REST calls (http://<api-server>/servers) -> Nova Server (RESTful API) -> Hypervisor (KVM, etc) -> VNF]


[Diagram labels: Nova Server, Appl/Portal, ODL, VNF/Router]

YANG Model

    list node-subnets {
        description "IP and mask behind route";
        key "ip inv-mask";
        leaf ip {type inet:ipv4-address;}
        leaf inv-mask {type inet:ipv4-address;}
    }
    list shared-key {
        key shared-key;
        leaf shared-key {type string;}
        leaf peer-address {type inet:ip-address;}
    }

RESTConf

    /restconf/data/ipsec-service:ipsec/<list name>/<key value(s)>

JSON

    {
      "ipsec-service:node-list": [
        { "node-name": "vRouter", "node-ip": "X.X.X.X" }
      ]
    }


[Diagram: Peer 1 and Peer 2]

CLI Config

    crypto isakmp key KEY address x.x.x.x
    !
    crypto ipsec transform-set TS esp-des esp-md5-hmac
    !
    crypto map CRYPTO 10 ipsec-isakmp
     set peer y.y.y.y
     set transform-set TS
     match address Spoke
    !
    interface TenGig0/0
     ip address x.x.x.x 255.255.255.0
     crypto map CRYPTO
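An added example, not part of the original slides or the authors' PoC code: a small Python check that an orchestration back end could run on the CLI config before it is pushed to the VNF, flagging transform sets built on DES, 3DES or HMAC-MD5, which RFC 8221 deprecates for ESP. The names `audit_ipsec_config`, `WEAK_TRANSFORMS` and `SLIDE_CONFIG` are hypothetical; the sample input is the config shown on the slide.

```python
import re

# Cisco IOS transform keywords deprecated for ESP by RFC 8221
# (DES and HMAC-MD5: MUST NOT; 3DES: SHOULD NOT).
WEAK_TRANSFORMS = {
    "esp-des": "DES encryption (56-bit key)",
    "esp-3des": "3DES encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
}

# The CLI config from the slide, reproduced as sample input.
SLIDE_CONFIG = """\
crypto isakmp key KEY address x.x.x.x
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TS
 match address Spoke
!
interface TenGig0/0
 ip address x.x.x.x 255.255.255.0
 crypto map CRYPTO
"""

def audit_ipsec_config(text):
    """Return (transform_set, crypto_maps_using_it, keyword, reason) tuples."""
    sets = {}       # transform-set name -> list of transform keywords
    used_by = {}    # transform-set name -> crypto maps that reference it
    current_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            current_map = m.group(1)
        elif (m := re.match(r"set transform-set (.+)", line)) and current_map:
            for ts in m.group(1).split():
                used_by.setdefault(ts, []).append(current_map)
    return [(name, used_by.get(name, []), kw, WEAK_TRANSFORMS[kw])
            for name, kws in sets.items() for kw in kws if kw in WEAK_TRANSFORMS]

if __name__ == "__main__":
    for ts, maps, kw, why in audit_ipsec_config(SLIDE_CONFIG):
        print(f"transform-set {ts} (crypto maps {maps}): {kw} -> {why}")
```

A transform set such as `esp-aes 256 esp-sha256-hmac` passes the check with no findings.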

•  Assembling a VPN in the Cloud Service

•  Learning Experience


“Open source propagates to fill all the nooks and crannies that people want it to fill.”

Mitch Kapor Founder of Lotus, Co-Founder EFF

•  In 1995, I almost lost my hair, building a Slackware server.

•  In 2005, I lost my hair, building/coding a Linux Jumpserver.

•  In 2015, we built a VPN in the Cloud server in a few days.

Open Source Made it possible

With BGS:

•  Install scripts for automated deployment of the test setup.

•  Comprehensive source-to-tested-deployment script for running the entire system start to end.

Task                           Time
Installing Infra (Arno/Fuel)   1 Day

•  APIs coming to networking took networking out of its silo.

•  Now applications can easily control and interact with networking.

•  Opening up the possibility of a wide range of use cases.

Task              Time
Write PoC Code*   3 Days

* Without Facebook App/Front End.

I need REST APIs

Thanks

Q&A
