Brocade Vyatta VPN service and device driver for Neutron¶
Introduce the Brocade Vyatta VPN service and device driver to provide VPNaaS solution using Vyatta vRouter VM running as a Neutron router.
Brocade Vyatta vRouter is a multi-service product that provides various L3 and L4 services like Routing, NAT, Firewall, VPN, etc. While basic neutron router L3 functions are available using the Brocade Vyatta L3 plugin  vRouter’s IPSec site-to-site VPN functionality is currently not configurable through existing Neutron VPN APIs.
When available Cloud Service providers would be able to create site-to-site IPSec VPN to connect tenant networks to remote DC networks using Vyatta vRouter.
This blueprint proposes a new vendor service and device drivers for the Neutron VPN plugin and agent.
+----------------------+ +----------------------+ | | | Neutron L3 Agent | | | | | | | | | | +------------------+ | | +------------------+ | | | VPN | | | | VPN Agent | | | | Service Plugin | | | +------------------+ | | +------------------+ | | | Vyatta VPN | | | | Vyatta VPN | | RPC | | Device Driver | | | | Service Driver | + <--------------> | | | | +-+------------------+-+ +-+--------+---------+-+ | | | REST API | +--------v---------+ | | | | | Vyatta vRouter | | | | | | | | | +------------------+
Vyatta VPN service driver will inherit from the reference ipsec service driver except it will use a unique topic for RPCs to and from the Vyatta VPN device driver. This is done to be inline with existing service-type framework already partially in place and the expectation that if neutron flavor framework  materializes the functionality proposed in this BP will work as-is.
Vyatta VPN device driver will perform the following functions:
- Handles the RPC message from vpn service-plugin that indicates a CRUD operation for site-to-site vpn connection
- Gets the list of VPN services from the service-plugin using a RPC call
- Prepares the list of new, deleted and updated vpn connection based on the local service-cache entries
- Processes the above lists into effect using vRouter’s REST API interface
- Updates the local service-cache to reflect the new changes
- Reports the status of the vpn connections back to the vpn service-plugin
All these functions are similar to the existing reference vpn device driver implementation.
Additionally during L3 Agent startup the device driver will read vRouter VPN configuration using its REST API to rebuild the local service-cache. Once rebuilt the steps 2 through 6 are repeated. This helps to bring the vRouter VPN configuration to be in sync with the changes (if any) in the plugin DB while the L3 agent was down.
Note, we are aware of the current L3 agent refactoring proposed for Kilo . Given the device driver interface is planned to be kept as-is the changes proposed in this blueprint will integrate with minimal impact vis-a-vis the refactoring.
This effort is part of a wider set of blueprints to offer Neutron L3 and L4 services using the Vyatta vRouter VM:
-  introduces neutron router functionality using the Vyatta vRouter
-  introduces firewall service using the Vyatta vRouter.
Data Model Impact¶
REST API Impact¶
The device driver will use a common RESTapi client library that uses basic-auth authentication to connect to Vyatta vRouter.
Other End User Impact¶
When tenants creates VPN using the Neutron API it will be created on the carrier-grade Vyatta vRouter.
Expected to work with IPv6
Other Deployer Impact¶
Operators should first configure the Brocade Vyatta L3 plugin as described in . Then they can configure the new vpn service and device drivers to offer Vyatta VPN using Neutron APIs as follows:
- Edit /etc/neutron/neutron.conf and specify Vyatta VPN service driver as the default service provider for VPN.
>> [service_providers] >> service_provider=VPN:brocade:neutron.services.vpn.service_drivers.vyatta_ipsec.BrocadeVyattaIPsecVPNDriver:default
- Edit /etc/neutron/vpn_agent.ini and specify Vyatta VPN device driver.
>> [vpnagent] >> vpn_device_driver=neutron.services.vpn.device_drivers.vyatta_ipsec.VyattaIPSecDriver
Validating Neutron VPN APIs with multiple vendor, including this one from Brocade, will help to move out of current experimental state for these APIs.
- Primary assignee:
- Other contributors:
- Add new vyatta service driver for VPN service plugin (currently planned for neutron/services/vpn/service_drivers/vyatta_ipsec.py)
- Add new vyatta device driver for VPN agent (currently planned for neutron/services/vpn/device_drivers/vyatta_ipsec.py)
- Add unit tests required to test the new code
- Add tempest tests for new scenarios
- Brocade Vyatta L3 Plugin 
- 3rd party testing will be provided (Brocade Vyatta CI)
- Brocade Vyatta CI will report on all changes affecting this plugin
- Testing is done using devstack and Vyatta vRouter
No new API tests are planned as no APIs are changed as part of this blueprint.
Brocade specific documentation will be updated on the availability of this functionality in Neutron and the vpn_device_driver configuration required to enable it.