vpn should support different auth algorithm for different driver

Bug #1638152 reported by Na Zhu
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Undecided
Assigned to: Dongcan Ye

Bug Description

Currently, the vpnaas plugin limits the ipsec and ike auth algorithm to "sha1" and "sha256". If a user adds a new driver (for example, a hardware vpn gateway), and the new driver supports more auth algorithms, such as "sha2-384", "sha2-512", it cannot be integrated with the current vpnaas plugin.

It is necessary to support different auth algorithms for different drivers.

Tags: vpnaas
Dongcan Ye (hellochosen)
tags: added: vpnaas
Changed in neutron:
assignee: nobody → Dongcan Ye (hellochosen)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/393702

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/393702
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=b1530c73da9b8c689c61b3fc726a1ba6e5038ec3
Submitter: Jenkins
Branch: master

commit b1530c73da9b8c689c61b3fc726a1ba6e5038ec3
Author: Dongcan Ye <email address hidden>
Date: Fri Nov 4 18:43:32 2016 +0800

    Add sha384 and sha512 auth algorithms for vendor drivers

    Currently, VPNaaS limits the IPSec and IKE auth algorithm to
    "sha1" and "sha256". If a user adds a new driver (e.g., Hardware VPN
    Gateway), and the new driver supports more auth algorithms, such as
    "sha2-384", "sha2-512", it cannot be integrated with the current
    VPNaaS plugin.

    This patch adds "sha384" and "sha512" auth algorithms on the API and
    DB side. Because the Openswan, Strongswan, Libreswan and Cisco CSR
    drivers don't support these, we add a validator in the ipsec and
    Cisco CSR service drivers that will raise an exception when creating
    or updating the IPSec/IKE Policy auth algorithm with "sha384" and
    "sha512".
    Other vendors can bypass validate ike_policy and ipsec_policy
    when creating and updating auth_algorithm, or implement specific
    logic for themselves.

    DocImpact
    APIImpact
    NOTE: CLI support also needs change.

    Closes-Bug: #1638152
    Change-Id: I87b257ee6500c424fc273955a6d89d972a2823e9
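
The per-driver check that the commit message describes, sketched as an added example; it is not code from the bug report or from the neutron-vpnaas patch. All class and function names are hypothetical, and the "swan" and "hw-gateway" validators only stand in for the driver families named above.

```python
# Added illustration; every name here is hypothetical, not neutron-vpnaas code.
# Values the API/DB layer accepts after the change described in the commit message.
API_AUTH_ALGORITHMS = frozenset({"sha1", "sha256", "sha384", "sha512"})

class UnsupportedAuthAlgorithm(ValueError):
    """Raised when a policy names an algorithm the driver cannot configure."""

class PolicyValidator:
    """Base validator: accepts anything the API layer allows."""
    driver_name = "generic"
    supported_auth = API_AUTH_ALGORITHMS

    def _check(self, kind, policy):
        algo = policy.get("auth_algorithm")
        # An update body may omit the field entirely: nothing to check then.
        if algo is None:
            return
        if algo not in API_AUTH_ALGORITHMS:
            raise UnsupportedAuthAlgorithm(f"{kind}: unknown auth_algorithm {algo!r}")
        if algo not in self.supported_auth:
            raise UnsupportedAuthAlgorithm(
                f"{kind}: {self.driver_name} driver does not support {algo!r}")

    def validate_ike_policy(self, policy):
        self._check("ikepolicy", policy)

    def validate_ipsec_policy(self, policy):
        self._check("ipsecpolicy", policy)

class SwanValidator(PolicyValidator):
    """Stands in for the drivers the commit message says lack sha384/sha512."""
    driver_name = "swan"
    supported_auth = frozenset({"sha1", "sha256"})

class HardwareGatewayValidator(PolicyValidator):
    """Stands in for a vendor driver that supports the full API set."""
    driver_name = "hw-gateway"

def is_accepted(validator, policy):
    """Return True if both IKE and IPsec validation pass for this policy body."""
    try:
        validator.validate_ike_policy(policy)
        validator.validate_ipsec_policy(policy)
    except UnsupportedAuthAlgorithm:
        return False
    return True
```

Rejecting the policy at create or update time, rather than at tunnel setup, keeps a stored policy from advertising an algorithm the backing driver would never actually configure.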

Changed in neutron:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron-vpnaas 10.0.0

This issue was fixed in the openstack/neutron-vpnaas 10.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/460095

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (stable/newton)

Change abandoned by stephen-ma (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/460095
