
Isolated-network

Revision as of 20:31, 22 April 2013 by Édouard Thuleau (IPv4 Local proxy ARP)

Overview

When a network is created, a broadcast domain is made available to plug ports into. It would be useful to offer an option at network creation that enables isolation between ports in the same broadcast domain (network), similar to the common use of private VLANs with isolated ports (RFC 3069 and RFC 5517). This prevents communication between VMs on the same logical switch. The promiscuous port is the gateway port by default, and if desired, traffic between ports can be authorized through a local proxy ARP/NDP.

This functionality could address use cases such as a shared network between tenants. It should also work with a provider network.

Possible implementation

IPv4 and/or Local proxy ARP

  • ARP broadcasts are rewritten to the unicast MAC address of the gateway, when one is defined.
  • Multicast bootp traffic is rewritten to the unicast MAC address of the DHCP agent, when one is defined.
  • Traffic for the gateway MAC address is authorized, if one is defined.
  • All other traffic is dropped.

When a network is created, a boolean can specify whether it is isolated. When a gateway is added to the network, a boolean can enable a local proxy ARP on the gateway to allow L3 traffic between the ports.

Note: If the gateway and local proxy ARP port are not managed by Quantum (on a provider network, for example), it could be possible to define through the API (on subnet creation, for example) the MAC address of the gateway/local proxy ARP.

Note: It is not certain that the local proxy ARP must be handled by the gateway. If not, the local proxy ARP could be implemented by a new agent with a dedicated IP.

Technical implementation

Local Proxy ARP

The Linux kernel offers a proxy ARP mode that replies back on the same interface the request arrived on (/proc/sys/net/ipv4/conf/<interface>/proxy_arp_pvlan).

Flows

With the OVS driver in tunneling mode, we can use OpenFlow rules to rewrite the destination MAC of flows with the mod_dl_dst action and drop flows with the drop action.
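As an added illustration (not code from the wiki page or from the Quantum OVS agent), the following shell function generates the OpenFlow rules, in ovs-ofctl add-flows syntax, that implement the four-point scheme from the "IPv4 and/or Local proxy ARP" section above: ARP and bootp broadcasts are redirected to the gateway and DHCP agent MACs, traffic for those two MACs is allowed, and everything else is dropped. The bridge name, both MAC addresses and the extra high-priority rules that let the gateway and DHCP agent send their own ARP requests are assumptions; flows are put in table 0 for the whole bridge, which is a simplification.

```shell
#!/bin/sh
# Print OpenFlow rules (one per line, ovs-ofctl add-flows syntax) that isolate
# VM ports on an OVS bridge. Arguments: gateway MAC, DHCP agent MAC.
# The MAC values used below are constructed placeholders, not real addresses.
gen_isolation_flows() {
  gw_mac="$1"     # MAC of the gateway / local proxy ARP port (assumed)
  dhcp_mac="$2"   # MAC of the DHCP agent port (assumed)
  cat <<EOF
priority=110,arp,dl_src=${gw_mac},actions=normal
priority=110,arp,dl_src=${dhcp_mac},actions=normal
priority=100,arp,dl_dst=ff:ff:ff:ff:ff:ff,actions=mod_dl_dst:${gw_mac},normal
priority=100,udp,dl_dst=ff:ff:ff:ff:ff:ff,tp_src=68,tp_dst=67,actions=mod_dl_dst:${dhcp_mac},normal
priority=90,dl_dst=${gw_mac},actions=normal
priority=90,dl_src=${gw_mac},actions=normal
priority=90,dl_dst=${dhcp_mac},actions=normal
priority=90,dl_src=${dhcp_mac},actions=normal
priority=0,actions=drop
EOF
}
# Rules explained:
#  110: the gateway and DHCP agent must still be able to ARP for VMs, so their
#       own ARP requests flood normally instead of being redirected to themselves.
#  100: VM ARP broadcasts go unicast to the gateway (which answers them only
#       with proxy_arp_pvlan enabled); DHCP discover/request go to the agent.
#   90: anything to or from the gateway / DHCP agent MAC is switched normally.
#    0: default drop, which is what prevents direct VM-to-VM traffic.

# Number of rules produced, handy for checking what was installed.
count_isolation_flows() {
  gen_isolation_flows "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone usage: print the rules for two constructed MACs. To install them
# on a bridge (assumed name br-int): gen_isolation_flows ... | ovs-ofctl add-flows br-int -
gen_isolation_flows fa:16:3e:00:00:01 fa:16:3e:00:00:02
```

Verify the result on a host with `ovs-ofctl dump-flows br-int` and check that a VM's ARP request for a peer VM only gets answered when proxy_arp_pvlan is enabled on the gateway interface.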

ebtables

With the LB driver and the OVS driver in VLAN mode, we can use the Linux bridging firewall ebtables.

IPv6 Proxies NDP messages

Not yet defined; currently, the OpenStack networking L3 agent does not support IPv6.