[RFE] Add LBaaSv2 TLS re-encryption to backend members

Bug #1523222 reported by Kobi Samoray
Affects: neutron
Status: Expired
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Most of the load balancers allow termination of TLS connections. A load balancer may run a TLS connection on the client side while running an unencrypted connection at the server side - which is called offloading and is currently supported by the LBaaSv2 API.
Another common practice is terminating the TLS connection at the load balancer - in order to allow L7 decision making or header manipulation, and running a TLS session on the server side. This is not supported by the current implementation.

This involves two items:
- Allowing a protocol of HTTPS for members.
- Toggling the bits in the haproxy config file that connect via tls to members, instead of cleartext.

Tags: lbaas rfe
Kobi Samoray (ksamoray)
Changed in neutron:
assignee: nobody → Kobi Samoray (ksamoray)
tags: added: lbaas
Revision history for this message
Brandon Logan (brandon-logan) wrote :

I believe I understand this as TLS re-encryption (or that's my own terrible name for it). Basically all traffic into the LB and out of the LB will be encrypted, but the LB will decrypt to make L7 decisions and then re-encrypt. Do I understand this correctly? If so sounds like this will be another API change and as such will need an RFE tag.

Kobi Samoray (ksamoray)
tags: added: rfe
Revision history for this message
Henry Gessau (gessau) wrote :

Consider rewording the title to describe the feature/enhancement you want.

Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Doug Wiegley (dougwig)
tags: added: rfe-approved
Changed in neutron:
status: Confirmed → Triaged
tags: removed: rfe
tags: added: rfe
removed: rfe-approved
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Let's have comment #2 addressed and have more clarity on the goal of the effort.

Doug Wiegley (dougwig)
summary: - LBaaSv2 TLS support is limited to offloading
+ Add LBaaSv2 TLS re-encryption to backend members
description: updated
Henry Gessau (gessau)
summary: - Add LBaaSv2 TLS re-encryption to backend members
+ [RFE] Add LBaaSv2 TLS re-encryption to backend members
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

@Doug: what is your recommendation for feature submission? Spec or no spec?

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Was the lack of TLS support a design oversight or an explicit decision?

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Anyone?

Revision history for this message
Baptiste Assmann (bassmann) wrote :

A couple of useful HAProxy settings for this feature:

1. 'ssl-server-verify' in the global section or 'verify' on the server line
 http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#3.1-ssl-server-verify
 http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#verify%20%28Server%20and%20default-server%20options%29

=> may be used to avoid or force validation of certificate sent by the server (self-signed certificates, etc.)

2. you may want to set a client certificate on the server side, so when connecting, HAProxy can send it and both HAProxy and the server can mutually identify themselves:
 http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#crt%20%28Server%20and%20default-server%20options%29
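
An added example, not code from neutron-lbaas or from anyone in this report, showing the haproxy backend stanza the driver would emit for HTTPS members (the re-encryption case) next to the cleartext case already supported, using the ssl/verify/ca-file/crt server options from the comment above. The Member and Pool classes, the file paths and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Member:
    name: str
    address: str
    port: int
    protocol: str = "HTTP"  # "HTTP" = cleartext (offloading), "HTTPS" = re-encrypt

@dataclass
class Pool:
    name: str
    members: List[Member]
    ca_file: str = "/etc/haproxy/backend-ca.pem"  # assumed path: CA that signed member certs
    client_crt: Optional[str] = None  # cert+key HAProxy presents to members (mutual TLS)
    verify_backend: bool = True  # False = accept any member certificate; lab use only

def render_server_line(member: Member, pool: Pool) -> str:
    """Build one haproxy 'server' line; TLS options appear only for HTTPS members."""
    parts = [f"server {member.name} {member.address}:{member.port} check"]
    if member.protocol.upper() == "HTTPS":
        parts.append("ssl")
        if pool.verify_backend:
            # 'verify required' + 'ca-file' makes HAProxy reject members whose
            # certificate does not chain to the expected CA.
            parts.append(f"verify required ca-file {pool.ca_file}")
        else:
            parts.append("verify none")  # encrypted but unauthenticated hop
        if pool.client_crt:
            parts.append(f"crt {pool.client_crt}")  # HAProxy authenticates to the member
    return " ".join(parts)

def render_backend(pool: Pool) -> str:
    """Render the backend section the LBaaS driver would write for this pool."""
    lines = [f"backend {pool.name}", "    mode http"]
    lines += ["    " + render_server_line(m, pool) for m in pool.members]
    return "\n".join(lines) + "\n"

def unverified_https_members(pool: Pool) -> List[str]:
    """Names of HTTPS members that would be contacted without certificate validation."""
    if pool.verify_backend:
        return []
    return [m.name for m in pool.members if m.protocol.upper() == "HTTPS"]

if __name__ == "__main__":
    pool = Pool("pool1", [Member("web1", "10.0.0.11", 443, "HTTPS"),
                          Member("web2", "10.0.0.12", 80)],
                client_crt="/etc/haproxy/lb-client.pem")  # assumed path
    print(render_backend(pool))
```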

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

This lost momentum.

Changed in neutron:
status: Triaged → Incomplete
assignee: Kobi Samoray (ksamoray) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired