09.11.2015 Views

Peter Bandzi Ahmed Maged

CloudVPN_usecase_OPNFV_Summit_amaged_pbandzi


Peter Bandzi, Ahmed Maged
@pbandzi @amaged
Nov 2015

1


• Assembling a VPN in the Cloud Service
• Learning Experience

2




[Architecture diagram labels: Application; Home-grown Python Code; Front End / User Portal; Sharing VPN Meta-Data over Facebook; Back End; Orchestration/Dispatching]


Bootstrap/Get Started (BGS)

• The main goal of BGS is to assemble and test a base set of infrastructure components for OPNFV.
• This project achieved that by supporting two deployers for OPNFV Arno; we used Fuel to build our infrastructure.

5


[Architecture diagram labels: Application; Front End / User Portal; Back End; BGS/OPNFV Deployer; Sharing VPN Meta-Data over Facebook; Orchestration/Dispatching; REST API; RESTConf; OpenStack; Virtual Infra Manager; SDN Controller; OpenDayLight]


[Architecture diagram labels: Application; Front End / User Portal; Back End; BGS/OPNFV Deployer; Sharing VPN Meta-Data over Facebook; Orchestration/Dispatching; REST API; RESTConf; OpenStack; Virtual Infra Manager; SDN Controller; OpenDayLight; VPN Termination VNF; Netconf/Yang]


[Sequence diagram] Participants: User; Facebook; App/Portal; OpenStack; OpenDayLight; VNF/Router

1. Request VPN service
2. Peer Picking
3. Peer Picked
4. Post addressing and Password
5. Spin up VNF
6. Instruct ODL to provision VNF
7. Report addressing and preshared key
8. Provision IPSec
9. IPSec Tunnel Established

8


✓ Picking Peer from Facebook for rapid, painless setup *

* Inspired by Cedric Dessez, https://www.ietf.org/proceedings/87/slides/slides-87-homenet-6.pdf

9




REST Calls: http:///servers

Python SDK:

    # Fragment: client_manager, image, flavor, keypair and network are created earlier.
    client_manager.compute.servers.create('router',
                                          image, flavor,
                                          key_name=keypair.name,
                                          nics=[{'net-id': network.id}])

[Diagram labels: Nova Server RESTful API; Create a VM; VNF; Hypervisor (KVM, etc)]

11




RESTConf

/restconf/data/ipsec-service:ipsec/ /

JSON

    {
      "ipsec-service:node-list": [
        {
          "node-name": "vRouter",
          "node-ip": "X.X.X.X"
        }
      ]
    }

YANG Model

    list node-subnets {
      description "IP and mask behind route";
      key "ip inv-mask";
      leaf ip {type inet:ipv4-address;}
      leaf inv-mask {type inet:ipv4-address;}
    }
    list shared-key {
      key shared-key;
      leaf shared-key {type string;}
      leaf peer-address {type inet:ip-address;}
    }

[Diagram labels: Appl/Portal; ODL; VNF / Router]
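An added example (not the presenters' code) of how a back end could build the RESTConf body for the model above: it validates the addresses, derives the inverse mask, takes the pre-shared key from a CSPRNG and masks it before logging. The function names, the sample addresses, and the nesting of `node-subnets` and `shared-key` under each node entry are assumptions; the slide does not show where those lists attach.

```python
import copy
import ipaddress
import json
import secrets

def new_psk(nbytes=32):
    """Random pre-shared key from the OS CSPRNG (43 URL-safe chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)

def build_payload(name, node_ip, subnets, peer_ip, psk):
    """Validate inputs and return the RESTConf body as a dict.

    Assumption: node-subnets and shared-key nest under the node entry.
    """
    if len(psk) < 32:
        raise ValueError("pre-shared key shorter than 32 characters")
    node = ipaddress.IPv4Address(node_ip)   # ValueError if malformed
    peer = ipaddress.ip_address(peer_ip)
    if node == peer:
        raise ValueError("peer address equals node address")
    nets = [ipaddress.IPv4Network(s) for s in subnets]  # rejects host bits set
    return {"ipsec-service:node-list": [{
        "node-name": name,
        "node-ip": str(node),
        "node-subnets": [
            # inv-mask read as the inverse (wildcard) mask: /24 -> 0.0.0.255
            {"ip": str(n.network_address), "inv-mask": str(n.hostmask)}
            for n in nets
        ],
        "shared-key": [{"shared-key": psk, "peer-address": str(peer)}],
    }]}

def redact(payload):
    """Copy of the payload that is safe to log: the key is masked."""
    safe = copy.deepcopy(payload)
    for node in safe["ipsec-service:node-list"]:
        for entry in node["shared-key"]:
            entry["shared-key"] = "***"
    return safe

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    body = build_payload("vRouter", "192.0.2.10", ["10.1.0.0/24"],
                         "198.51.100.20", new_psk())
    print(json.dumps(redact(body), indent=2))
```

Because `shared-key` is the list key in the model shown, the secret can also end up in a RESTConf resource path, so request URLs need the same masking in logs as the body.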

13




CLI Config

    crypto isakmp key KEY address x.x.x.x
    !
    crypto ipsec transform-set TS esp-des esp-md5-hmac
    !
    crypto map CRYPTO 10 ipsec-isakmp
     set peer y.y.y.y
     set transform-set TS
     match address Spoke
    !
    interface TenGig0/0
     ip address x.x.x.x 255.255.255.0
     crypto map CRYPTO

[Diagram labels: Peer 1; Peer 2]
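The transform set on this slide pairs DES with HMAC-MD5. The following added example (not the presenters' code) parses an IOS-style config, follows each transform set through its crypto map to the interface, and reports where weak transforms are actually in use. The `WEAK` policy table and the function name are assumptions, and the sample is the slide's config with its placeholders kept.

```python
import re

# Constructed sample: the slide's config with its placeholders kept as-is.
SAMPLE = """\
crypto isakmp key KEY address x.x.x.x
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TS
 match address Spoke
!
interface TenGig0/0
 ip address x.x.x.x 255.255.255.0
 crypto map CRYPTO
"""

# Transforms treated as weak here (example policy, not from the slides).
WEAK = {
    "esp-des": "56-bit DES encryption",
    "esp-3des": "3DES, 64-bit block cipher",
    "esp-null": "no encryption",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "ah-md5-hmac": "HMAC-MD5 integrity",
}

def audit(config):
    """Return (interface, crypto map, transform-set, transform, reason) rows."""
    sets, maps, ifaces = {}, {}, {}
    cur_map = cur_if = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            sets[m[1]], cur_map, cur_if = m[2].split(), None, None
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur_map, cur_if = m[1], None
            maps.setdefault(cur_map, [])
        elif m := re.match(r"interface (\S+)", line):
            cur_map, cur_if = None, m[1]
        elif cur_map and (m := re.match(r"set transform-set (.+)", line)):
            maps[cur_map] += m[1].split()
        elif cur_if and (m := re.match(r"crypto map (\S+)$", line)):
            ifaces[cur_if] = m[1]
    return [(i, cm, ts, t, WEAK[t])
            for i, cm in ifaces.items() for ts in maps.get(cm, [])
            for t in sets.get(ts, []) if t in WEAK]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Replacing the transform-set line with AES and SHA-2 transforms (for example `esp-aes 256 esp-sha256-hmac` on IOS releases that support them) clears both findings.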

15


• Assembling a VPN in the Cloud Service
• Learning Experience

16


“Open source propagates to fill all the nooks and crannies that people want it to fill.”

Mitch Kapor
Founder of Lotus, Co-Founder EFF


• In 1995, I almost lost my hair, building a Slackware server.
• In 2005, I lost my hair, building/coding a Linux Jumpserver.
• In 2015, we built a VPN in the Cloud server in a few days.

Open Source Made it possible

18


With BGS:

• Install scripts for automated deployment of the test setup.
• Comprehensive source-to-tested-deployment script for running the entire system start to end.

Task: Installing Infra (Arno/Fuel)
Time: 1 Day


• APIs coming to networking took networking out of its silo.
• Now applications can easily control and interact with networking.
• This opens up the possibility of a wide range of use cases.

[Graphic caption: "I need REST APIs"]

Task: Write PoC Code*
Time: 3 Days

* Without Facebook App/Front End.

20


Q&A

Thanks

21
