
Isolated-network

Overview

When a network is created, a broadcast domain is available to plug ports into. It would be interesting to propose an option on network creation that enables isolation between ports in the same broadcast domain (network), similar to a common use of private VLANs with isolated ports (RFC 3069 and RFC 5517). This prevents communication between VMs on the same logical switch.

This functionality could address use cases such as a network shared between tenants. It should also work with a provider network.

Possible implementation

Local proxy ARP

  • ARP broadcast is rewritten to the unicast MAC address of a local proxy ARP (the gateway)
  • Multicast BOOTP traffic is rewritten to the unicast MAC address of the DHCP agent
  • Drop all other broadcast and multicast traffic
  • Drop all other traffic that does not have the MAC address of the local proxy ARP as destination (broadcast, multicast, illegitimate unicast)

When a network is created, a boolean can specify whether it is isolated. When a gateway is added to the network, the gateway port enables a local proxy ARP.

Note: If the gateway and local proxy ARP port are not managed by Quantum (on a provider network, for example), it could be possible to define the MAC address of the gateway/local proxy ARP through the API (on subnet creation, for example).

Note: It is not certain that the local proxy ARP must be handled by the gateway. If not, the local proxy ARP could be implemented by a new agent with a dedicated IP.

Technical implementation

Local Proxy ARP

The Linux kernel offers a proxy ARP mode that replies back out of the same interface on which the request was received (/proc/sys/net/ipv4/conf/<interface>/proxy_arp_pvlan).

Flows

With the OVS driver in tunneling mode, we can use the OpenFlow tools to rewrite (NAT) the destination MAC of flows with the mod_dl_dst action and to drop flows with the drop action.

ebtables

With the LB driver, and with the OVS driver in VLAN mode, we can use the Linux bridging firewall ebtables.
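The following script is an added example, not code from the original page or from the Quantum project. It turns the four-point policy of the "Local proxy ARP" section into concrete rules for one isolated VM port on all three paths described above: the proxy_arp_pvlan sysctl on the gateway interface, OpenFlow flows for the OVS driver in tunneling mode, and ebtables rules for the LB driver or OVS in VLAN mode. The bridge name (br-int), the OpenFlow port number, the tap interface name and the MAC addresses used in the usage lines are constructed values. By default the commands are only printed; setting APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the original page or project): per-port isolation
# rules for one VM port, generated from the gateway/proxy-ARP MAC and the
# DHCP agent MAC. Bridge, port, tap and MAC values are assumptions.

# Accept only a well-formed colon-separated MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the command (default) or run it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Kernel side: let the gateway interface answer ARP on behalf of hosts of the
# same segment and send the reply back out of the same interface.
#   $1 gateway interface name
proxy_arp_pvlan_sysctl() {
    run sysctl -w "net.ipv4.conf.$1.proxy_arp_pvlan=1"
}

# OVS driver in tunneling mode: OpenFlow rules for one isolated VM port.
#   $1 bridge, $2 OpenFlow port number of the VM port,
#   $3 gateway/proxy-ARP MAC, $4 DHCP agent MAC
ovs_isolation_flows() {
    br=$1; port=$2; gw=$3; dhcp=$4
    valid_mac "$gw" && valid_mac "$dhcp" || { echo "bad MAC address" >&2; return 1; }
    # 1. ARP broadcast -> unicast to the local proxy ARP
    run ovs-ofctl add-flow "$br" "priority=40,in_port=$port,arp,dl_dst=ff:ff:ff:ff:ff:ff,actions=mod_dl_dst:$gw,normal"
    # 2. DHCP client->server (UDP/67) broadcast -> unicast to the DHCP agent
    run ovs-ofctl add-flow "$br" "priority=40,in_port=$port,udp,tp_dst=67,dl_dst=ff:ff:ff:ff:ff:ff,actions=mod_dl_dst:$dhcp,normal"
    # 3. any other frame with the group bit set in dl_dst (broadcast/multicast) is dropped
    run ovs-ofctl add-flow "$br" "priority=30,in_port=$port,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=drop"
    # 4. unicast is only allowed toward the proxy ARP / gateway ...
    run ovs-ofctl add-flow "$br" "priority=20,in_port=$port,dl_dst=$gw,actions=normal"
    # ... and everything else from this port (e.g. VM-to-VM unicast) is dropped
    run ovs-ofctl add-flow "$br" "priority=10,in_port=$port,actions=drop"
}

# LB driver / OVS driver in VLAN mode: ebtables rules for one isolated VM port.
#   $1 tap interface of the VM, $2 gateway/proxy-ARP MAC, $3 DHCP agent MAC
ebtables_isolation_rules() {
    tap=$1; gw=$2; dhcp=$3
    valid_mac "$gw" && valid_mac "$dhcp" || { echo "bad MAC address" >&2; return 1; }
    # 1./2. rewrite the destination MAC before bridging (nat table, PREROUTING)
    run ebtables -t nat -A PREROUTING -i "$tap" -p ARP --arp-opcode Request -d Broadcast -j dnat --to-destination "$gw" --dnat-target ACCEPT
    run ebtables -t nat -A PREROUTING -i "$tap" -p IPv4 --ip-proto udp --ip-dport 67 -d Broadcast -j dnat --to-destination "$dhcp" --dnat-target ACCEPT
    # 3. drop the remaining broadcast/multicast (ebtables' Multicast alias covers both)
    run ebtables -A FORWARD -i "$tap" -d Multicast -j DROP
    # 4. after DNAT the rewritten frames carry the gateway or DHCP agent MAC,
    #    so both destinations must be accepted here; everything else is dropped
    run ebtables -A FORWARD -i "$tap" -d "$gw" -j ACCEPT
    run ebtables -A FORWARD -i "$tap" -d "$dhcp" -j ACCEPT
    run ebtables -A FORWARD -i "$tap" -j DROP
}

# Usage (constructed values): print the rules for one VM port on each path.
proxy_arp_pvlan_sysctl qg-gateway0
ovs_isolation_flows br-int 5 fa:16:3e:00:00:01 fa:16:3e:00:00:02
ebtables_isolation_rules tap0 fa:16:3e:00:00:01 fa:16:3e:00:00:02
```

Two points are easy to miss when translating the policy: the OpenFlow rules are matched on ingress only, so the rewritten ARP and DHCP frames never reach the unicast check in rule 4, whereas with ebtables the DNAT happens in nat/PREROUTING and the frame then traverses filter/FORWARD with its new destination, which is why the DHCP agent MAC has to be accepted there as well. Neither rule set touches frames entering from the gateway or DHCP agent ports, so their replies to VMs are forwarded normally.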