
Difference between revisions of "Isolated-network"


Revision as of 18:18, 25 March 2013

Overview

When a network is created, a broadcast domain is made available for plugging ports into. It would be useful to offer an option at network creation that enables isolation between ports within the same broadcast domain (network), similar to the common use of private VLANs with isolated ports (RFC 5517). This prevents communication between VMs on the same logical switch.

This functionality could address use cases such as a network shared between tenants. It should also work with a provider network.

Possible implementation

Local proxy ARP

  • ARP broadcasts are rewritten to unicast, with the MAC address of a local proxy ARP (gateway) as destination
  • Multicast BOOTP traffic is rewritten to unicast, with the MAC address of the DHCP agent as destination
  • All other broadcast and multicast traffic is dropped
  • All other traffic that does not have the MAC address of the local proxy ARP as destination is dropped (broadcast, multicast, illegitimate unicast)
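The four rules above, expressed as a per-frame decision function that can be run over sample frames. This is an added illustration, not code from Quantum; the MAC addresses and the frame fields are constructed for the example, and assume IPv4 plus a BOOTP server port of 67 for the DHCP rule.

```python
from dataclasses import dataclass, replace

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BOOTP_SERVER_PORT = 67

# Constructed sample addresses (not taken from any real deployment)
PROXY_ARP_MAC = "fa:16:3e:00:00:01"   # gateway port running the local proxy ARP
DHCP_MAC = "fa:16:3e:00:00:02"        # DHCP agent port
VM_A = "fa:16:3e:aa:aa:aa"
VM_B = "fa:16:3e:bb:bb:bb"


@dataclass(frozen=True)
class Frame:
    """Minimal view of an Ethernet frame leaving a VM port."""
    dst_mac: str
    src_mac: str
    ethertype: int
    ip_proto: int = 0    # IPv4 protocol number; only meaningful for IPv4 frames
    udp_dport: int = 0   # UDP destination port; only meaningful for UDP


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast both have the I/G bit set in the first octet."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def isolate(frame: Frame, proxy_arp_mac: str, dhcp_mac: str):
    """Apply the isolation rules in order; returns (verdict, frame_or_None)."""
    # 1. ARP broadcast -> unicast to the local proxy ARP (gateway)
    if frame.ethertype == ETHERTYPE_ARP and frame.dst_mac == BROADCAST:
        return "rewrite", replace(frame, dst_mac=proxy_arp_mac)
    # 2. BOOTP/DHCP client traffic -> unicast to the DHCP agent
    if (frame.ethertype == ETHERTYPE_IPV4 and frame.ip_proto == IPPROTO_UDP
            and frame.udp_dport == BOOTP_SERVER_PORT
            and is_group_address(frame.dst_mac)):
        return "rewrite", replace(frame, dst_mac=dhcp_mac)
    # 3. every other broadcast/multicast frame is dropped
    if is_group_address(frame.dst_mac):
        return "drop", None
    # 4. unicast is only forwarded towards the proxy ARP port; VM-to-VM is dropped
    if frame.dst_mac == proxy_arp_mac:
        return "forward", frame
    return "drop", None
```

Under a literal reading of rule 4, unicast DHCP renewals addressed directly to the DHCP agent's MAC are dropped as well, so a deployment would need to admit that address alongside the proxy ARP MAC.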

When a network is created, a boolean flag can specify whether it is isolated. When a gateway is added to the network, the gateway port enables a local proxy ARP.

Note: If the gateway and the local proxy ARP port are not managed by Quantum (on a provider network, for example), it could be possible to define the MAC address of the gateway/local proxy ARP through the API (on subnet creation, for example).

Note: It is not certain that the local proxy ARP must be handled by the gateway. If not, the local proxy ARP could be implemented by a new agent with a dedicated IP.