Quantum-l3-firewalls-and-dhcps

Git Branch: https://github.com/locaweb/quantum
 

Latest revision as of 22:34, 16 February 2013

Handling layer 3

Abstract

The idea behind this blueprint is to extend quantum to provide firewalls and dhcps control.

Design

(Figure: L3 Firewalls and DHCPs Design)

Summary

Agents run on the DHCP and firewall hosts to execute the work dictated by Quantum via AMQP. The DHCP plugin works with any *nix OS that uses isc-dhcp-server. The firewall plugin currently works with Linux, but the data model should be usable with any firewall appliance.

DHCP

DHCP servers run on the hypervisor server where the VM is running, providing a better fail-over architecture. The agent follows this logic: get data from the AMQP server, write the template file (which uses Cheetah templates) and send a request to Quantum committing the action. The agent knows how to keep the DHCP server running if it receives data in a wrong format.

(Figure: L3 DHCPs Workflow)

Firewall

The firewall agent runs on top of a Linux firewall server. Each IP has its own firewall policy for input and output traffic, and you can also enforce a range or network policy on top of it, which prevails over the lower-level policy according to the hierarchy network > range > ip. The agent works by retrieving data from AMQP, running the iptables rule and sending a request to commit the action.

(Figure: L3 Firewalls Workflow)

Proposed Quantum API Operations

Policies

Create Policy

Creating a Policy should be done directly associated with the network entity. Quantum should decide which firewalls process the policy, based on the provided dst address (or send it to all firewalls in the network if no dst address is provided, which makes it a network policy), validating that the dst is configured in the network (IP or Range). The default firewall policy we are working with is DROP, so the policies you add are the ones that ALLOW the packets.

Request:

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml

<policy>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst_port>80</dst_port>
</policy>

Response:

<policy>
    <id>98017ddc-efc8-4c25-a915-774b2a633855</id>
    <protocol>tcp</protocol>
    <src>0.0.0.0/0</src>
    <dst_port>80</dst_port>
</policy>

List Policies

Request:

GET /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies.xml

Response:

<policies>
    <!-- network policy -->
    <policy>
        <id>98017ddc-efc8-4c25-a915-774b2a633855</id>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst_port>80</dst_port>
    </policy>
    <!-- range policy -->
    <policy>
        <id>98017ddc-efc8-4c25-a915-774b2a633856</id>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst>192.168.1.0/24</dst>
        <dst_port>8080</dst_port>
    </policy>
    <!-- ip policy -->
    <policy>
        <id>98017ddc-efc8-4c25-a915-774b2a633857</id>
        <protocol>tcp</protocol>
        <src>0.0.0.0/0</src>
        <dst>192.168.1.3</dst>
        <dst_port>8000</dst_port>
    </policy>
</policies>

Delete Policy

Request:

DELETE /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/policies/98017ddc-efc8-4c25-a915-774b2a633855.xml
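The policy hierarchy and dst validation described under Policies, as an added example (not Blanka's own code): it parses a constructed "List Policies" response, rejects any dst that is not inside one of the network's ranges, orders the policies network > range > ip and renders them as iptables ALLOW rules on top of a default DROP. The chain name BLANKA-IN and the policy ids are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the "List Policies" response above:
# one network-level, one range-level and one ip-level policy (ids are placeholders).
POLICIES_XML = """<policies>
  <policy><id>pol-net</id><protocol>tcp</protocol><src>0.0.0.0/0</src><dst_port>80</dst_port></policy>
  <policy><id>pol-range</id><protocol>tcp</protocol><src>0.0.0.0/0</src><dst>192.168.1.0/24</dst><dst_port>8080</dst_port></policy>
  <policy><id>pol-ip</id><protocol>tcp</protocol><src>0.0.0.0/0</src><dst>192.168.1.3</dst><dst_port>8000</dst_port></policy>
</policies>"""

# Hierarchy from the page: network > range > ip (lower value is applied first).
LEVEL = {"network": 0, "range": 1, "ip": 2}

def classify(policy):
    """Derive the level from <dst>: absent = network, a prefix = range,
    a single address = ip. Returns (level, dst network or None)."""
    dst = policy.findtext("dst")
    if dst is None:
        return "network", None
    net = ipaddress.ip_network(dst, strict=False)
    return ("ip" if net.num_addresses == 1 else "range"), net

def parse_policies(xml_text, network_ranges):
    """Parse <policies>, reject any dst outside the network's ranges (the
    validation the page asks Quantum to do) and order by hierarchy level."""
    nets = [ipaddress.ip_network(r) for r in network_ranges]
    parsed = []
    for pol in ET.fromstring(xml_text).findall("policy"):
        level, dst = classify(pol)
        if dst is not None and not any(dst.subnet_of(n) for n in nets):
            raise ValueError(f"dst {dst} is not configured in the network")
        parsed.append({"id": pol.findtext("id"), "level": level,
                       "proto": pol.findtext("protocol"), "src": pol.findtext("src"),
                       "dst": None if dst is None else str(dst),
                       "dport": pol.findtext("dst_port")})
    return sorted(parsed, key=lambda p: LEVEL[p["level"]])  # stable sort keeps XML order within a level

def iptables_rules(policies, chain="BLANKA-IN"):
    """Render ALLOW rules in hierarchy order, closing with the default DROP.
    The chain name is an assumption, not Blanka's real chain."""
    rules = []
    for p in policies:
        rule = f"-A {chain} -p {p['proto']} -s {p['src']}"
        if p["dst"] is not None:
            rule += f" -d {p['dst']}"
        rules.append(rule + f" --dport {p['dport']} -j ACCEPT")
    rules.append(f"-A {chain} -j DROP")  # nothing matched: default policy DROP
    return rules
```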

DHCPs

A network's ability to provide DHCP is based only on having a DHCP server associated with it. The association between a network and a DHCP server is made through Ranges. The DHCP server provides IPs based on the Port-IP association.

Create DHCP

POST /tenants/XYZ/dhcps.xml

<dhcp>
   <name>dhcp01</name>
   <address>192.168.0.254</address>
</dhcp>

Associate DHCP with a range within a network

PUT /tenants/XYZ/dhcps/158233b0-ca9a-40b4-8614-54a4a99d47d1/ranges.xml

<ip_range>
   <id>98017ddc-efc8-4c25-a915-774b2a633855</id>
</ip_range>

Ranges

Describes the IP ranges associated with a network. Quantum should validate that the range does not conflict with any range already associated with the network.

Create Range/Associate with a network

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ranges.xml

<ip_range>
   <address>192.168.0.0/24</address>
</ip_range>

IPs

Describes which IPs are allowed on a network's port. Quantum should validate that the network is associated with a range that contains the IP.

Create IP

POST /tenants/XYZ/networks/158233b0-ca9a-40b4-8614-54a4a99d47d1/ports/98017ddc-efc8-4c25-a915-774b2a633855/ips.xml

<ip>
   <address>192.168.0.3</address>
</ip>
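The two validations asked for under Ranges and IPs (a new range must not conflict with the network's existing ranges; an IP must fall inside one of them), as an added example that is not the project's own code; NetworkRanges is a hypothetical helper.

```python
import ipaddress

class NetworkRanges:
    """Ranges associated with one Quantum network (hypothetical helper, not
    Blanka's own code). Implements the two validations the page asks for."""

    def __init__(self, ranges=()):
        self.ranges = [ipaddress.ip_network(r) for r in ranges]

    def add_range(self, address):
        """Create Range: reject a prefix with host bits set and any range
        that overlaps one already associated with the network."""
        new = ipaddress.ip_network(address, strict=True)  # "192.168.0.1/24" raises ValueError
        for existing in self.ranges:
            if new.overlaps(existing):
                raise ValueError(f"range {new} conflicts with {existing}")
        self.ranges.append(new)
        return new

    def range_for_ip(self, address):
        """Create IP: return the associated range that contains the address,
        or None when the network has no range for it (the IP must be rejected)."""
        ip = ipaddress.ip_address(address)
        for rng in self.ranges:
            if ip in rng:
                return rng
        return None
```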

(Contact: Willian Molinari (PotHix), Thiago Morello, Juliano Martinez)