Neutron/MPLSVPNaaS
Overview
MPLS VPNaaS (MPLS VPN-as-a-Service) is a Neutron extension that introduces the MPLS VPN feature set.
The following is the proposed plan for the design and implementation of the MPLS VPN-as-a-Service feature in OpenStack Networking for the Havana release.
This blueprint refers to Neutron/VPNaaS (IPsec VPN): https://wiki.openstack.org/wiki/Neutron/VPNaaS
Related Blueprints
2013-03-27 Neutron Extension for BGP MPLS VPN
2013-01-07 Quantum VPN for WAN (wide area network)
2013-07-17 Neutron/MPLS VPNaaS
Why MPLS VPN in OpenStack
1. To meet users' demands: guaranteed QoS.
2. MPLS is widely supported by backbone devices: generally, core nodes in the backbone are able to deploy MPLS tunnels.
In the era of cloud computing, tenants have more and more data interactions with the datacenter network, and they also need secure connections, QoS and elastic adjustment. Consequently, an MPLS tunnel is a better solution for constructing a VPN across the backbone.
Precondition
We assume that the MPLS VPN in the WAN has already been established by the ISP (or another provider), so we only need to consider how a tenant's subnet can access the MPLS VPN. We use the term MPLS VPN Access Connection to represent the connection between a Neutron router (which connects a subnet, or just a VM, of a tenant) and a PE. An MPLS VPN Access Connection can also represent the connection between a vendor's hardware device (a CE router) and a PE.
USE CASE
USE CASE 1
If there are no hardware devices in OpenStack acting as CE devices, then we combine Quagga with the Neutron router to make Neutron a CE access router. This implementation needs no specific hardware device.
USE CASE 2
If there are vendor hardware devices in OpenStack, the vendor needs to provide a driver that configures its devices to access the MPLS VPN.
How MPLS VPN Works
Neutron Router
In Neutron, a tenant can create routers for its subnets and define the connections between subnets; all of this is done by the Neutron Router.
MPLS VPN Service
According to RFC 4364, BGP/MPLS IP Virtual Private Networks (VPNs), to implement MPLS VPN in Neutron we need a Quagga instance to cooperate with the Neutron Router. This Quagga router exchanges routes with the PE (running protocols such as BGP), so that a tenant's subnet or VM can finally access the MPLS VPN.
MPLS VPN ACCESS Connection
As the RFC defines, a VPN service (Neutron Router with Quagga) can be attached to a PE in a variety of ways: PPP connections, ATM Virtual Circuits (VCs), Frame Relay VCs, Ethernet interfaces, Virtual Local Area Networks (VLANs) on Ethernet interfaces, GRE tunnels, Layer 2 Tunneling Protocol (L2TP) tunnels, IPsec tunnels, etc. We use the data model "MPLS VPN ACCESS Connection" to refer to these connection technologies.
Architecture
Below is the architecture of Neutron MPLS VPN (architecture figure not reproduced in this text).
MPLS VPN Access Connection Model
Tenant's subnet accessing the MPLS VPN (figure not reproduced in this text).
Tenant's VM accessing the MPLS VPN (figure not reproduced in this text).
Data Model
VPN Services Resource
Attribute | Type | Required | CRUD | Default Value | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | R | generated | N/A | UUID for the VPN Service object |
tenant_id | uuid-str | yes | CR | None | valid tenant_id | UUID of the tenant owning the VPN service |
name | string | no | CRU | None | N/A | Name of the VPN Service |
description | string | no | CRU | None | N/A | Description of the VPN Service |
vpn_type | string | yes | C | None | L2 MPLS or L3 MPLS | Service type: defines the type of MPLS VPN service |
status | string | N/A | R | N/A | N/A | Indicates whether the MPLS VPN service is currently operational. Possible values include: ACTIVE, DOWN, BUILD, ERROR |
admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of the VPN service. If false (down), the port does not forward packets |
subnet_id | uuid | yes (subnet_id is required) | CR | N/A | valid subnet id | Subnet id in which the tenant wants the VPN service |
router_id | uuid | yes | CR | N/A | valid router id | Router id into which the VPN service is inserted |
MPLS VPN Access Connection Resource
Attribute | Type | Required | CRUD | Default Value | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | CRD | generated | N/A | The MPLS Connection ID |
port_id | uuid-str | yes | CR | None | valid port id | Which port of the router will be used for MPLS access |
tenant_id | uuid-str | yes | CR | None | valid tenant_id | UUID of the tenant owning this VPN connection |
name | string | no | CRU | None | N/A | Name of this VPN connection |
description | string | no | CRU | None | N/A | Description of this VPN connection |
connection_type | string | yes | CRD | None | N/A | Defines which access technology this VPN connection will use |
vpn_service_id | uuid-str | N/A | CRU | None | valid vpn service id | Which VPN Service this connection belongs to |
Access Technology Resource
GRE Connection
Attribute | Type | Required | CRUD | Default Value | Validation Constraint | Notes |
---|---|---|---|---|---|---|
id | uuid-str | N/A | C | generated | N/A | The access connection ID |
Mpls_connection_id | uuid-str | N/A | R | None | valid existing MPLS connection | Which MPLS connection will use this access connection |
GRE_Local_IP | ipaddress | yes | CR | None | valid ip address format | The GRE tunnel's local IP address |
GRE_Dst_IP | ipaddress | yes | CRU | None | N/A | The GRE tunnel's destination IP address |
Local_IP | ipaddress | yes | CRU | None | N/A | The end device's (VPN service, CE) address |
Dst_IP | ipaddress | yes | CRU | None | N/A | The PE's address |
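To show how the Required, CRUD and Validation Constraint columns of the VPN Services table and the GRE Connection table above translate into request checking, here is an added Python example; it is not part of this blueprint and not Neutron's own code. It assumes the attribute names and allowed values exactly as the tables list them (including the read-only id, status and Mpls_connection_id columns that a client must not be able to set), and the UUIDs and addresses in the sample request are constructed placeholders.

```python
import ipaddress
import uuid

# Allowed vpn_type values, taken from the Validation Constraint column above.
VPN_TYPES = ("L2 MPLS", "L3 MPLS")


def is_uuid(value):
    """True if value is a well-formed UUID string (the 'uuid-str' type)."""
    try:
        uuid.UUID(str(value))
    except (ValueError, AttributeError, TypeError):
        return False
    return True


def is_ip(value):
    """True if value is a well-formed IPv4/IPv6 address string (the 'ipaddress' type)."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def is_str(value):
    return isinstance(value, str)


# Schema entries: attribute -> (predicate, required on create, default value).
# Attributes without a 'C' in their CRUD column are server-generated; they are
# kept in a separate read-only set and rejected if a client tries to set them.
VPN_SERVICE = {
    "tenant_id": (is_uuid, True, None),
    "name": (is_str, False, None),
    "description": (is_str, False, None),
    "vpn_type": (lambda v: v in VPN_TYPES, True, None),
    "admin_state_up": (lambda v: isinstance(v, bool), False, True),
    "subnet_id": (is_uuid, True, None),
    "router_id": (is_uuid, True, None),
}
VPN_SERVICE_READ_ONLY = {"id", "status"}

GRE_CONNECTION = {
    "GRE_Local_IP": (is_ip, True, None),
    "GRE_Dst_IP": (is_ip, True, None),
    "Local_IP": (is_ip, True, None),
    "Dst_IP": (is_ip, True, None),
}
GRE_CONNECTION_READ_ONLY = {"id", "Mpls_connection_id"}


def validate_create(body, schema, read_only):
    """Check a create request body against a schema.

    Returns a new dict containing only schema attributes, with defaults filled
    in for optional ones. Raises ValueError naming the first offending
    attribute, so the caller can reject the request before touching the DB.
    """
    for attr in body:
        if attr in read_only:
            raise ValueError("%s is server-generated and may not be set" % attr)
        if attr not in schema:
            raise ValueError("unknown attribute %s" % attr)
    cleaned = {}
    for attr, (check, required, default) in schema.items():
        if attr in body:
            if not check(body[attr]):
                raise ValueError("invalid value for %s" % attr)
            cleaned[attr] = body[attr]
        elif required:
            raise ValueError("%s is required" % attr)
        else:
            cleaned[attr] = default
    return cleaned


def validate_vpn_service(body):
    return validate_create(body, VPN_SERVICE, VPN_SERVICE_READ_ONLY)


def validate_gre_connection(body):
    return validate_create(body, GRE_CONNECTION, GRE_CONNECTION_READ_ONLY)


def is_valid(validator, body):
    """Accept/reject wrapper for callers that only need a boolean."""
    try:
        validator(body)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample create request; the UUIDs are placeholders.
    sample = {
        "tenant_id": "11111111-1111-1111-1111-111111111111",
        "vpn_type": "L3 MPLS",
        "subnet_id": "22222222-2222-2222-2222-222222222222",
        "router_id": "33333333-3333-3333-3333-333333333333",
    }
    print(validate_vpn_service(sample))
```

The read-only set is checked before anything else so that a client cannot pre-set the id or force the status to ACTIVE, and unknown attributes are rejected rather than silently dropped; both are the checks a reviewer would expect an extension's attribute map to enforce.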
VLAN
TBD
PPP
TBD
L2TP
TBD