
Difference between revisions of "Blueprint-ipam-extensions-for-neutron"

(IPAM Overview)
(IPAM Resource)
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
===IPAM Resource===
 
Information common to a set of subnets on a network will be present in this resource. Following information will be stored in the resource:
 
 
*Address allocation scheme (DHCP or unmanaged)
 
*DNS server information
 
*CIDR to be used by the network (in which all subnet definitions should belong)
 
*List of DHCP option, value tuples
 
 
 
 
== <span>IPAM Overview </span>==
 
== <span>IPAM Overview </span>==
 
Information common to a set of subnets on a network will be present in this resource. Following information will be stored in the resource:
 
Information common to a set of subnets on a network will be present in this resource. Following information will be stored in the resource:
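Review bot: with the heading changed from ===IPAM Resource=== to == IPAM Overview ==, the first sentence still says "will be present in this resource" although no resource has been named yet; write "in the IPAM resource (defined below)" so the overview reads on its own. The new heading also uses == where the old one used ===; pick one level for top-level sections and keep it for the rest of the page.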
Line 16: Line 7:
 
*List of DHCP option, value tuples
 
*List of DHCP option, value tuples
  
== <span>Network Policy Resource </span>==
+
== <span>IPAM Resource </span>==
Network policy is mechanism by which a declarative way is provided to the clients to decided how Neutron virtual networks are connected and what traffic is allowed over those connections. Clients do not have to worry about how exactly the connectivity is achieved and how/where the rules are applied. This is to simplify deployments of multitier applications
 
 
    
 
    
 
{| class="wikitable"
 
{| class="wikitable"
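Review bot: the == IPAM Resource == heading that replaces the Network Policy section drops the introductory paragraph and goes straight into the table; add one sentence saying that the table lists the attributes of the IPAM resource and which of them a client may set, otherwise the CRUD column is the only statement of create-versus-update semantics.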
Line 23: Line 13:
 
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 
|-
 
|-
| id || uuid-str || N/A || R || generated || N/A || UUID for network policy object
+
| id || uuid-str || N/A || R || generated || N/A || UUID for ipam object
|-
 
| tenant_id || uuid-str || Yes || CR || None || valid tenant_id || UUID of the tenant for the network policies
 
|-
 
| name||string||no||CRU||None||N/A||name of the network policy
 
|-
 
| fq_name||string||no||CRU||None||N/A||fully qualified name of the network policy
 
|-
 
| policy_rules||string||no||CRU||None||N/A||network policy rules resource
 
|}
 
 
 
== <span>Network Policy Rules Resource </span>==
 
{| class="wikitable"
 
|-
 
! Attribute !! Type !! Required !! CRUD !! DefaultValue !! Validation Constraint !! Notes
 
|-
 
| id || uuid-str || N/A || R || generated || N/A || UUID for network policy rule object
 
 
|-
 
|-
| policy_id || uuid-str || Yes || CR || None || valid tenant_id || UUID of the network policy
+
| tenant_id || uuid-str || Yes || CR || None || valid tenant_id || UUID of the tenant for ipam
 
|-
 
|-
| direction||string||no||CRU||None||N/A||direction of the policy rule
+
| name||string||no||CRU||None||N/A||name of the ipam resource
 
|-
 
|-
| protocol||string||no||CRU||None||N/A||fully qualified name of the network policy
+
| fq_name||string||no||CRU||None||N/A||fully qualified name of the ipam object
 
|-
 
|-
| src-addresses||list[string]||no||CRU||None||list of valid cidr in the form <br /><network_address>/<prefix>||list of source cidrs
+
| ipam_method||string||no||CRU||None||N/A||dhcp or fixed assignment
 
|-
 
|-
| src-ports||list[string-string]||no||CRU||None||list[startport-endport]||list of port ranges
+
| ipam_dns_method||string||no||CRU||None||N/A||default, tenant or virtual dns server
 
|-
 
|-
| dst-addresses||list[string]||no||CRU||None||list of valid cidr in the form <br /><network_address>/<prefix>||list of destination cidrs
+
| ipam_dns_addr||list[string]||no||CRU||None||N/A||list of dns server address or name
 
|-
 
|-
| dst-ports||list[string-string]||no||CRU||None||list[startport-endport]||list of port ranges
+
| dhcp_options||list[string-string]||no||CRU||None||list or key-val pairs||list of dhcp key-value pairs
 
|-
 
|-
| action-list||string-string||no||CRU||None||type-action||actions such as <br/> apply-service, mirror-to, simple actions (pass, deny, log, reject, drop, alert)
+
| cidr_block||list[string]||no||CRU||None||list of cidrs||list of cidr blocks
 
|}
 
|}
  
==Network Policy Example==
+
== CLI for IPAM==
For example as application developer user wants to put
 
web servers in network called front-end network.
 
Appservers in network called back-end network
 
Allocate floating ip from public network.
 
Floating ip is assigned as VIP to web servers
 
Only MySQL traffic is allowed from front-end to backend
 
 
This information should be enough for the network plugin to add routing between front-end and back-end and ACLs for MySQL between these two networks. Users (application developers and deployers) need not worry about routers and firewall rules etc. Basically network policy provides this declarative way for user to simplify application deployment.
 
 
In above example user creates policy called
 
front-end-to-back-end:
 
*    pass front-end any <> back-end MySQL
 
This policy is attached to both the networks. Multiple policies can be attached to the network. Policies can be templatized with parameters as attached networks. Admin can provide precooked policy templates
 
 
==Network Policy and FWaaS==
 
Network Policy is in no way a replacement for FWaaS. In this context traditional FW is still valid. Rules provided in Network Policy are simple and limited in comparison to traditional firewall. Though they complement each other. For application deployers firewall rules and configuration might be too overwhelming. Users may have REST interface between front-end and backend. They might want to take all traffic between front-end and back-end via a firewall instance. In this case above rule changes in following way
 
*    pass front-end any <> back-end any any apply-service Firewall_instance_1
 
 
 
==Network Policy and Security Groups==
 
Network policy is not replacement for security groups either. Security groups are protecting the interfaces to VM(s). Network policy is between virtual networks. Have policies at various levels actually increases flexibility and reduces need for NxN matrix like rule explosion.
 
 
==Network Policy Bind Points==
 
In traditional networking gear ACL were always applied at various levels.
 
* Ports ACL(s)  à Security groups
 
* VLAN ACL(s) and Router ACL(s) à network policy
 
 
Network policy can be expressed in terms of network ID(s) rather than IP prefixes (CIDRs)
 
 
Information given in such a resource can be used to derive
 
*Connectivity between networks. i.e whether at a L3 network level routes need to be exchanged. e.g. allow traffic from web-network to db-network.
 
* Packet filters on traffic crossing two networks. e.g. allow only mysql traffic between web-network to db-network
 
 
 
== CLI for Network Policy==
 
 
<pre><nowiki>
 
<pre><nowiki>
policy-create                 Create a policy for a tenant.
+
ipam-create                   Create an IPAM for a given tenant.
policy-delete                 Delete a given policy.
+
ipam-delete                   Delete a given IPAM.
policy-list                   List policy(s) that belong to a given tenant.
+
ipam-list                     List IPAM information that belongs to a given tenant.
policy-show                   Show information of a given policy.
+
ipam-show                     Show information of a given IPAM.
policy-update                 Update a given policy.
+
ipam-update                   Update a given IPAM.
 
 
policy-rule-create                  Create a policy rule in a policy.
 
policy-rule-delete                  Delete a policy rule from a policy.
 
policy-rule-update                  Update policy rule in a policy.
 
policy-rule-show                    Show information of a policy rule.
 
 
</nowiki></pre>
 
</nowiki></pre>
  
 
== REST APIs==
 
== REST APIs==
=== Policy REST APIs===
+
=== IPAM REST APIs===
 
<pre><nowiki>
 
<pre><nowiki>
 
GET
 
GET
/v1.0/policies/
+
/v1.0/ipams/
 
GET
 
GET
/v1.0/policies/policy-id
+
/v1.0/ipams/ipam-id
 
POST
 
POST
/v1.0/policies
+
/v1.0/ipams
 
UPDATE
 
UPDATE
/v1.0/policies/policy-id
+
/v1.0/ipams/ipam-id
 
DELETE
 
DELETE
/v1.0/policies/policy-id
+
/v1.0/ipams/ipam-id
 
</nowiki></pre>
 
</nowiki></pre>
  
===PolicyCreate===
+
===IpamCreate===
 
====JSON Request====
 
====JSON Request====
 
<pre><nowiki>
 
<pre><nowiki>
 
{
 
{
   "policy": {
+
   "ipam": {
 
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
 
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
           "name": "test_policy",
+
           "name": "test_ipam",
 
           }
 
           }
 
}
 
}
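Review bot: in the new ipam_method and ipam_dns_method rows the Validation Constraint is N/A while the Notes column names the only legal values ("dhcp or fixed assignment", "default, tenant or virtual dns server"); move those value sets into the constraint column so the API rejects anything else, and reconcile "fixed" with the overview's "unmanaged". In the dhcp_options row "list or key-val pairs" should read "list of key-value pairs", and the cidr_block row should require valid, non-overlapping CIDRs, since the overview says every subnet definition must fall within them. In the REST list, UPDATE is not an HTTP method; the Neutron convention is PUT /v1.0/ipams/ipam-id.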
Line 134: Line 70:
 
<pre><nowiki>
 
<pre><nowiki>
 
{
 
{
   "vpnservice": {
+
   "ipam": {
 
           "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
 
           "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
 
           "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
 
           "tenant-id": "310df60f-2a10-4ee5-9554-98393092194c",
           "name": "test_policy",
+
           "name": "test_ipam",
          }
 
}
 
</nowiki></pre>
 
 
 
===Polcy Rules REST APIs===
 
<pre><nowiki>
 
GET
 
/v1.0/policy-rules/
 
GET
 
/v1.0/policy-rules/policy-rule-id
 
POST
 
/v1.0/policy-rules
 
UPDATE
 
/v1.0/policy-rules/policy-rule-id
 
DELETE
 
/v1.0/policy-rules/policy-rule-id
 
</nowiki></pre>
 
 
 
===PolicyRuleCreate===
 
====JSON Request====
 
<pre><nowiki>
 
{
 
  "policy_rule": {
 
          "policy_id": "04c77d28-f93d-4405-8b1a-d25b35e05037",
 
          "direction": "ingress",
 
          "protocol": "6",
 
          "src_addresses": ["1.1.1.0/24", "2.2.2.0/24"],
 
          "src_ports": ["10000-10100", "10500-10700"],
 
          "dst_addresses": ["1.1.1.0/24", "2.2.2.0/24"],
 
          "src_ports": ["80-80"],
 
          "action_list": ["simple_action-pass"],
 
          }
 
}
 
</nowiki></pre>
 
 
 
====JSON Response====
 
<pre><nowiki>
 
{
 
  "policy_rule": {
 
          "id": "f3dae1c4-e6f8-4165-ae1f-e20408b04fe2",
 
          "policy_id": "04c77d28-f93d-4405-8b1a-d25b35e05037",
 
          "direction": "ingress",
 
          "protocol": "6",
 
          "src_addresses": ["1.1.1.0/24", "2.2.2.0/24"],
 
          "src_ports": ["10000-10100", "10500-10700"],
 
          "dst_addresses": ["1.1.1.0/24", "2.2.2.0/24"],
 
          "src_ports": ["80-80"],
 
          "action_list": ["simple_action-pass"],
 
 
           }
 
           }
 
}
 
}
 
</nowiki></pre>
 
</nowiki></pre>
  
== Policy Workflow==
+
== IPAM Workflow==
* Policy create
+
* IPAM create with relevant DHCP, DNS and CIDR
* Policy rule add
+
* Neutron Network APIs to attach one or more IPAMS
* Neutron Network APIs to attach one or more policies in certain order.
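Review bot: the IpamCreate response spells the tenant attribute "tenant-id" while the request and the attribute table use "tenant_id"; make it "tenant_id". The response also keeps a trailing comma after the "name" line, which is invalid JSON, and echoes only id, tenant_id and name, so either show the remaining attributes (ipam_method, cidr_block, ...) or state that unset attributes are omitted. The workflow bullet says "attach one or more IPAMS" (IPAMs), but the page defines no network attribute that references an ipam id.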
 

Latest revision as of 17:50, 8 October 2013

IPAM Overview

Information common to a set of subnets on a network is held in the IPAM resource. The resource stores the following:

  • Address allocation scheme (DHCP or unmanaged; the ipam_method attribute below)
  • DNS server information (how DNS is provided and the server addresses)
  • CIDR block(s) for the network, within which every subnet definition must fall
  • List of DHCP option, value tuples

IPAM Resource

Attribute        | Type                 | Required | CRUD | DefaultValue | Validation Constraint               | Notes
id               | uuid-str             | N/A      | R    | generated    | N/A                                 | UUID for ipam object
tenant_id        | uuid-str             | Yes      | CR   | None         | valid tenant_id                     | UUID of the tenant for ipam
name             | string               | no       | CRU  | None         | N/A                                 | name of the ipam resource
fq_name          | string               | no       | CRU  | None         | N/A                                 | fully qualified name of the ipam object
ipam_method      | string               | no       | CRU  | None         | dhcp or fixed                       | dhcp or fixed assignment
ipam_dns_method  | string               | no       | CRU  | None         | default, tenant or virtual          | default, tenant, or virtual DNS server
ipam_dns_addr    | list[string]         | no       | CRU  | None         | IP address or host name per entry   | list of DNS server addresses or names
dhcp_options     | list[string-string]  | no       | CRU  | None         | list of key-value pairs             | list of DHCP key-value pairs
cidr_block       | list[string]         | no       | CRU  | None         | list of valid, non-overlapping cidrs| list of CIDR blocks; subnets must fall within them
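Server-side validation of an IpamCreate request against the table above, as an added example for this page (it is not Neutron's code). Attribute names are the table's; the value sets for ipam_method (dhcp, fixed) and ipam_dns_method (default, tenant, virtual) are taken from the Notes column, and the rule that subnets must lie inside cidr_block comes from the overview. The function names, the acceptance of a [key, value] pair as an alternative dhcp_options encoding, and the hostname pattern are this example's own assumptions.

```python
"""Validation of an IPAM create request against the attribute table.

Added example, not Neutron code. Attribute names are the table's; the
value sets for ipam_method and ipam_dns_method come from the Notes
column; the subnet-within-cidr_block rule comes from the overview.
Function names and the dhcp_options encoding are assumptions.
"""
import ipaddress
import re
import uuid

IPAM_METHODS = {"dhcp", "fixed"}
DNS_METHODS = {"default", "tenant", "virtual"}
# Attributes a client may send on create: every row whose CRUD column has a C.
CREATE_ATTRS = {"tenant_id", "name", "fq_name", "ipam_method", "ipam_dns_method",
                "ipam_dns_addr", "dhcp_options", "cidr_block"}
# Assumed hostname shape for "dns server address or name": dot-separated labels,
# 1-63 chars, no leading or trailing hyphen.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


class IpamValidationError(ValueError):
    """Raised for a request body the API must reject with a 4xx."""


def _cidr(text):
    if not isinstance(text, str):
        raise IpamValidationError(f"cidr must be a string, got {text!r}")
    try:  # strict=True rejects host bits set, e.g. 10.0.0.1/24
        return ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise IpamValidationError(f"invalid cidr {text!r}") from exc


def _dhcp_option(item):
    """'key-value' string or [key, value] pair -> (key, value).

    Assumption: the table's string-string form is split at the first '-',
    so option names that contain '-' themselves should use the pair form.
    """
    if isinstance(item, (list, tuple)) and len(item) == 2:
        key, value = item
    elif isinstance(item, str) and "-" in item:
        key, value = item.split("-", 1)
    else:
        raise IpamValidationError(f"dhcp option {item!r} is not a key-value pair")
    if not key or not isinstance(key, str) or not isinstance(value, str):
        raise IpamValidationError(f"dhcp option {item!r} has an empty key or non-string value")
    return key, value


def validate_ipam_create(body):
    """Check a {"ipam": {...}} create request; return the cleaned attributes."""
    ipam = body.get("ipam") if isinstance(body, dict) else None
    if not isinstance(ipam, dict):
        raise IpamValidationError("request must carry an 'ipam' object")
    unknown = set(ipam) - CREATE_ATTRS
    if unknown:  # reject rather than silently drop: 'id' is read-only (CRUD = R)
        raise IpamValidationError(f"unknown or read-only attributes: {sorted(unknown)}")
    try:  # tenant_id is the only required attribute and must be a UUID string
        uuid.UUID(str(ipam.get("tenant_id")))
    except ValueError as exc:
        raise IpamValidationError("tenant_id must be a uuid string") from exc
    for attr, allowed in (("ipam_method", IPAM_METHODS), ("ipam_dns_method", DNS_METHODS)):
        if attr in ipam and ipam[attr] not in allowed:
            raise IpamValidationError(f"{attr} must be one of {sorted(allowed)}")
    for addr in ipam.get("ipam_dns_addr") or []:
        if not isinstance(addr, str):
            raise IpamValidationError(f"dns server must be a string, got {addr!r}")
        try:  # "address or name": an IP literal or a hostname
            ipaddress.ip_address(addr)
        except ValueError:
            if not _HOSTNAME.match(addr):
                raise IpamValidationError(f"bad dns server {addr!r}")
    options = dict(_dhcp_option(item) for item in ipam.get("dhcp_options") or [])
    blocks = [_cidr(c) for c in ipam.get("cidr_block") or []]
    for i, a in enumerate(blocks):  # overlapping blocks make subnet containment ambiguous
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                raise IpamValidationError(f"cidr blocks {a} and {b} overlap")
    return {**ipam, "dhcp_options": options, "cidr_block": [str(b) for b in blocks]}


def subnet_fits(ipam, subnet_cidr):
    """True if subnet_cidr lies inside one of the IPAM's cidr_block entries.

    The overview requires every subnet definition to belong to the block;
    an IPAM with no cidr_block does not constrain subnets.
    """
    blocks = [_cidr(c) for c in ipam.get("cidr_block") or []]
    subnet = _cidr(subnet_cidr)
    return not blocks or any(b.version == subnet.version and subnet.subnet_of(b)
                             for b in blocks)
```

subnet_fits is the check to run when a subnet is later created on a network that has this IPAM attached; rejecting overlapping cidr_block entries at create time keeps that containment test unambiguous.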

CLI for IPAM

ipam-create                    Create an IPAM for a given tenant.
ipam-delete                    Delete a given IPAM.
ipam-list                      List IPAM information that belongs to a given tenant.
ipam-show                      Show information of a given IPAM.
ipam-update                    Update a given IPAM.

REST APIs

IPAM REST APIs

GET     /v1.0/ipams/              list the IPAMs of the calling tenant
GET     /v1.0/ipams/ipam-id       show one IPAM
POST    /v1.0/ipams               create an IPAM
PUT     /v1.0/ipams/ipam-id       update an IPAM (listed as UPDATE in earlier drafts; HTTP has no UPDATE method)
DELETE  /v1.0/ipams/ipam-id       delete an IPAM

IpamCreate

JSON Request

{
  "ipam": {
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
           "name": "test_ipam"
           }
}

JSON Response

{
  "ipam": {
           "id": "02b1fef7-16f5-4917-bf19-c40a9af805ed",
           "tenant_id": "310df60f-2a10-4ee5-9554-98393092194c",
           "name": "test_ipam"
           }
}
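An in-memory model of the five /v1.0/ipams calls above, added here as an example and not Neutron's implementation. It uses the request and response shapes shown on this page and the CRUD column of the attribute table: id is server generated and read-only, tenant_id may only be set on create, everything else may be updated. The caller's tenant arrives as an assumed caller_tenant argument standing in for the authenticated identity, and every lookup is scoped to it, so a tenant cannot read, change or delete another tenant's IPAM by guessing its id. No admin role is modelled; the status codes are conventional choices, not something the page specifies.

```python
"""In-memory model of the /v1.0/ipams API calls with tenant scoping.

Added example, not Neutron code. Uses the page's request/response shapes
and the CRUD column of the attribute table. The caller_tenant argument is
an assumption standing in for the authenticated identity.
"""
import uuid

CREATE_ONLY = {"tenant_id"}            # CRUD = CR
UPDATABLE = {"name", "fq_name", "ipam_method", "ipam_dns_method",
             "ipam_dns_addr", "dhcp_options", "cidr_block"}   # CRUD = CRU


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


class IpamStore:
    def __init__(self):
        self._ipams = {}  # id -> attribute dict

    def _get_owned(self, caller_tenant, ipam_id):
        ipam = self._ipams.get(ipam_id)
        # 404 for both "missing" and "owned by someone else", so the response
        # does not reveal whether another tenant's id exists
        if ipam is None or ipam["tenant_id"] != caller_tenant:
            raise ApiError(404, "ipam not found")
        return ipam

    def create(self, caller_tenant, body):           # POST /v1.0/ipams
        ipam = body.get("ipam") or {}
        unknown = set(ipam) - CREATE_ONLY - UPDATABLE
        if unknown:  # 'id' is read-only and must not be client supplied
            raise ApiError(400, f"attributes not allowed on create: {sorted(unknown)}")
        if ipam.get("tenant_id", caller_tenant) != caller_tenant:
            raise ApiError(403, "tenant_id must match the calling tenant")
        new = {"id": str(uuid.uuid4()), "tenant_id": caller_tenant,
               **{k: ipam[k] for k in UPDATABLE if k in ipam}}
        self._ipams[new["id"]] = new
        return {"ipam": dict(new)}

    def list(self, caller_tenant):                    # GET /v1.0/ipams/
        return {"ipams": [dict(i) for i in self._ipams.values()
                          if i["tenant_id"] == caller_tenant]}

    def show(self, caller_tenant, ipam_id):           # GET /v1.0/ipams/<ipam-id>
        return {"ipam": dict(self._get_owned(caller_tenant, ipam_id))}

    def update(self, caller_tenant, ipam_id, body):   # PUT /v1.0/ipams/<ipam-id>
        ipam = self._get_owned(caller_tenant, ipam_id)
        changes = body.get("ipam") or {}
        fixed = set(changes) - UPDATABLE
        if fixed:  # id (R) and tenant_id (CR) cannot be changed after create
            raise ApiError(400, f"attributes not updatable: {sorted(fixed)}")
        ipam.update(changes)
        return {"ipam": dict(ipam)}

    def delete(self, caller_tenant, ipam_id):         # DELETE /v1.0/ipams/<ipam-id>
        self._get_owned(caller_tenant, ipam_id)
        del self._ipams[ipam_id]
```

The ownership check lives in one place (_get_owned) and is called by show, update and delete alike, which is the property to verify in a real plugin: a single forgotten call in any handler is enough to expose every tenant's IPAM by id.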

IPAM Workflow

  • Create the IPAM with the DHCP, DNS and CIDR settings it should apply (ipam-create or POST /v1.0/ipams)
  • Use the Neutron network APIs to attach one or more IPAMs to a network; subnets created on that network must then fall within the attached IPAM's cidr_block