Neutron/MPLSVPNaaS
Contents
Overview
MPLS VPNaaS (MPLS VPN-as-a-Service) is a Neutron extension that introduces MPLS VPN feature set.
The following is the proposed plan for design and implementation of the MPLS VPN as a Service feature in OpenStack Networking for the Havana release.
This BP refers to Neutron/VPNaaS (IPSec VPN)( https://wiki.openstack.org/wiki/Neutron/VPNaaS) .
Related Blueprints
2013-03-27 Neutron Extension for BGP MPLS VPN
2013-01-07 Quantum VPN for WAN(wide area network)
2013-07-17 Neutron/MPLS VPNaaS
Why MPLS VPN In OpenStack
1. To meet users’ demands: QoS guarantee
2. MPLS is widely supported by backbone devices: Generally, core nodes in backbone have the ability to deploy MPLS tunnels.
In era of cloud computing, tenants have more and more data interactions with datacenter network, and also secure connections, QoS and elastic adjustment are needed. Consequently, MPLS tunnel is a better solution to construct VPN through backbone.
Attention
The Definition of "VPN Service" in this BP may be out of date,we will renew it later.
Welcome to join us
We focus on MPLS VPN in OpenStack,if you have any interest or questions in this BP,please contact us:
laixuejiao@gmail.com
wangchang365@gmail.com
Precondition
We consider that the MPLS VPN in WAN have been established by ISP(or other provider),so we just need to consider how a tenant’s subnet could access the MPLS VPN .We use term of MPLS VPN Access Connection to represent the connection between a neutron router(which connects a subnet or just a vm of a tenant) and a PE.Also,a MPLS VPN Access Connection can represent the connection between a vendor’s hardware device(a CE router) and PE.
USE CASE
USE CASE 1
If there are no hardware devices in OpenStack as a CE devices.Then we combine quagga and Neutron router to make Neutron a CE access router.This implementation need no specific hardware device.
USE CASE 2
If there are vendor’s hardware devices in OpenStack,a vendor need to provide its driver,which will configure vendor’s devices to access MPLS VPN.
How MPLS VPN Works
Neutron Router
In Neutron, a tenant can create routers for subnets or tenant and define the connections between subnets,these are all done by Neutron Router.
MPLS VPN Service
According to RFC-4364 BGP/MPLS IP Virtual Private Networks (VPNs),to implement MPLS VPN in Neutron, we need a Quagga instance to corperate with Neutron Router,then this Quagga Router will exchange routes from PE(or run some protocols such as BGP etc…), finally a tenant’s subnet or vm will access MPLS VPN.
MPLS VPN ACCESS Connection
As the RFC defines, A VPN service (Neutron Router with Quagga) can be attached to PE in a variety of different ways: PPP connections, ATM Virtual Circuits (VCs), Frame Relay VCs, Ethernet interfaces, Virtual Local Area Networks (VLANs) on Ethernet interfaces, GRE tunnels, Layer 2 Tunneling Protocol (L2TP) tunnels, IPSec tunnels, etc. We will use the data model “MPLS VPN ACCESS Connection” to refer these connection technologies.
Architecture
Below shows the architecture of Neutron MPLS VPN:
MPLS VPN Access Connection Model
Tenant’s subnet access MPLS VPN:
Tenant’s VM access MPLS VPN:
DataMode
VPN Services Resource
| Attribute | Type | Required | CRUDt | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | UUID for VPN Service Object |
| tenant_id | uuid-str | Yes | CR | None | valid tenant_id | UUID of the tenant for the vpn service |
| name | string | no | CRU | None | N/A | name of the VPN Service |
| description | string | no | CRU | None | N/A | Description of the VPN Service |
| vpn_type | string | yes | C | None | L2 MPLS ORL3 MPLS | Service type - Defines the services type. |
| status | string | N/A | R | N/A | N/A | Indicates whether mpls vpnservice is currently operational. Possible values include:ACTIVE DOWN BUILD ERROR |
| admin_state_up | bool | N/A | CRU | TRUE | true/false | Administrative state of vpnservice. If false (down), port does not forward packets |
| subnet_id | uuid | yes*( subnet_id is needed) | CR | N/A | Valid subnet id | Subnet id in which the tenant wants the vpn service |
| router_id | uuid | yes | CR | N/A | Valid router id | Router id to which the vpn service is inserted |
MPLS VPN Access Connection Resource
| Attribute | Type | Required | CRUDt | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | CRD | generated | N/A | A MPLS Connection ID |
| Port-id | Uuid-str | yes | CR | None | Valid port id | Which port of router will be used for mpls access. |
| tenant_id | uuid-str | yes | CR | None | valid tenant_id | UUID of the tenant for this vpn connection |
| name | string | no | CRU | None | N/A | name of this VPN connection |
| description | string | no | CRU | None | N/A | Description of this VPN connection |
| connection_type | string | YES | CRD | None | N/A | Define what access technology this VPN Connection will use. |
| vpn_service_id | uuid-str | N/A | CRU | None | Valid vpn service id. | Which VPN Service this connection belongs to. |
Access Technology Resource
GRE Connection
| Attribute | Type | Required | CRUDt | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | C | generated | N/A | An access Connection ID |
| Mpls_connection_id | uuid-str | N/A | R | None | Valid existed mpls connection | Which mpls connection will use this access connection |
| GRE_Local_IP | ipaddress | Yes | CR | None | valid ip address format | A gre tunnel’s local ip address |
| GRE_Dst_IP | ipaddress | YES | CRU | None | N/A | A gre tunnel’s destination ip address |
| Local_IP | ipaddress | Yes | CRU | None | N/A | The end device(a vpn service,CE) address |
| Dst_IP | ipaddress | Yes | CRU | None | N/A | The PE’s address |
| Key | int | Yes | CR | None | N/A | The key value of this gre tunnel |
VLAN
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | An access Connection ID |
| Mpls_connection_id | uuid-str | N/A R | None | Valid existed mpls connection | Which mpls connection will use this access connection | |
| Vlan_id | id | Yes | CR | None | Valid vlan id | A vlan ID for access connection |
PPP
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | An access Connection ID |
| Mpls_connection_id | uuid-str | N/A | R | None | Valid existed mpls connection | Which mpls connection will use this access connection |
| Ppp-server | Ip address | Yes | CR | None | Valid ip address | Address of ppp server |
| Auth_type | str | yes | Auth_method:chap or pap | |||
| Auth_message | str | yes | Auth messages |
L2TP
| Attribute | Type | Required | CRUD | DefaultValue | Validation Constraint | Notes |
|---|---|---|---|---|---|---|
| id | uuid-str | N/A | R | generated | N/A | An access Connection ID |
| Mpls_connection_id | uuid-str | N/A | R | None | Valid existed mpls connection | Which mpls connection will use this access connection |
| lns | Ip address | Yes | CR | None | Valid vlan id | A vlan ID for access connection |
| Tunnel id | id | yes | A tunnel id | |||
| Session id | Id | yes | A session id | |||
| Ppp-server | Ip address | Yes | CR | None | Valid ip address | Address of ppp server |
| Auth_type | str | yes | Auth_method:chap or pap | |||
| Auth_message | str | yes | Auth messages |
REST APIs
vpn-service-create Create a VPNService
vpn-service-delete Delete a given VPNService
vpn-service-list List all VPNService for a given tenant.
vpn-service-show Show detailed information of a given VPNService.
vpn-service-update Update a given VPNservice.
vpn-mpls-access-connection-create Create a MPLS Access VPNConnection
vpn-mpls-access-connection-delete Delete a given MPLS Access VPNConnection.
vpn-mpls-access-connection-list List MPLS Access VPNConnections that belong to a given tenant.
vpn-mpls-access-connection-show Show information of a given MPLS Access VPNConnection.
vpn-mpls-access-connection-update Update a given MPLS Access VPNConnection.
vpn-mpls-access-connection-config-cretae Create and config a access technology for a MPLS Access
vpn-mpls-access-connection-config-delete Delete a config of access connection of MPLS
vpn-mpls-access-connection-config-show Show information of a given access connection
