
Difference between revisions of "Tacker/neutron-port-attributes"

(summary)
 
(9 intermediate revisions by 3 users not shown)
Line 2: Line 2:
 
NFV and ServiceVM need extensions/enhancements for neutron port.
 
NFV and ServiceVM need extensions/enhancements for neutron port.
 
With this page, use cases/requirements are collected and then they will be broken down to actual blueprints and implemtations.
 
With this page, use cases/requirements are collected and then they will be broken down to actual blueprints and implemtations.
 +
For non-port related stuff, please refer to https://wiki.openstack.org/wiki/ServiceVM/neutron-and-other-project-items
  
 
== summary ==
 
== summary ==
Line 7: Line 8:
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
 
|-
 
|-
! Requirement !! class="unsortable" | Description !! Priority !! class="unsorable" | Blueprint Link !! class="unsortable" | design link !! class="unsortable"|Patch Link
+
! Requirement !! class="unsortable" | Description !! Priority !! class="unsorable" | Blueprint Link !! class="unsortable" | design link !! class="unsortable"|Patch Link !! class="unsorable"|Use Case
 
|-
 
|-
 
| VLAN trunkport/l2-gateway
 
| VLAN trunkport/l2-gateway
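Review bot: the added Use Case header cell carries class="unsorable", the same misspelling already present on the Blueprint Link cell. MediaWiki only honours "unsortable", so both columns remain sortable. Spell it "unsortable" on both cells, or drop the class if sorting by use case is wanted.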
Line 13: Line 14:
 
| High
 
| High
 
| https://blueprints.launchpad.net/neutron/+spec/vlan-aware-vms, https://blueprints.launchpad.net/neutron/+spec/l2-gateway
 
| https://blueprints.launchpad.net/neutron/+spec/vlan-aware-vms, https://blueprints.launchpad.net/neutron/+spec/l2-gateway
| https://review.openstack.org/97714 https://review.openstack.org/#/c/94612/
+
| https://review.openstack.org/97714 https://review.openstack.org/#/c/94612/ https://review.openstack.org/#/c/100278/
 
| https://review.openstack.org/#/c/92541/  
 
| https://review.openstack.org/#/c/92541/  
 +
|
 
|-
 
|-
 
| unfirewalled port  
 
| unfirewalled port  
| disable security group/anti-spoofing etc  
+
| disable security group/anti-spoofing etc. Fix Security Groups to disable anti-spoofing mechanism to allow non VM IP/mac addresses in traffic from the Service VMs.
 +
security group should be more flexible that allows the service VMs to spoof ip or MAC. Ability to disable security groups on service VM port, at least ML2 OVS mechanism driver (e.g., by implementing the "port-security" extension
 
| High
 
| High
| https://blueprints.launchpad.net/neutron/+spec/nfv-unaddressed-interfaces
+
| https://blueprints.launchpad.net/neutron/+spec/nfv-unaddressed-interfaces https://blueprints.launchpad.net/neutron/+spec/ml2-ovs-portsecurity
| https://review.openstack.org/97715
+
| https://review.openstack.org/97715 https://review.openstack.org/#/c/99873/
 
|
 
|
 +
| router/vpm vm
 
|-
 
|-
 
| unaddressed port  
 
| unaddressed port  
| allow port creation without IP/MAC address  
+
| allow port creation without IP/MAC address.
|  
+
| Middle?
 
|
 
|
 
|
 
|
 
|
 
|
 +
|a FW that is deployed in the bump-in-the-wire mode or tap mode(no ip address, no mac address), change network/subnet of vNIC(neutron port) to other without deleting vNIC in order to save unplug/plug nic(no ip address, mac address kept during unconnected state).
 
|-
 
|-
 
| sharing mac/IP addres
 
| sharing mac/IP addres
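Review bot: in the unfirewalled port row, the new description mixes two different asks: "Fix Security Groups to disable anti-spoofing mechanism" reads as a change to security groups in general, while "Ability to disable security groups on service VM port" is a per-port switch. Keep the per-port wording so the requirement cannot be read as removing anti-spoofing everywhere, and close the parenthesis left open after "port-security" extension. The new Use Case cell also reads "router/vpm vm" while the section heading in this same revision is corrected to "routing/VPN VM"; use one spelling.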
Line 34: Line 39:
 
|
 
|
 
|  
 
|  
 +
|
 
|  
 
|  
 +
| redundant port to back up each other and both them have the same MAC and IP
 +
|-
 +
| port without subnet
 +
|  port that isn't attached to any subnet. It Thus port without IP address
 +
|
 +
|
 +
|
 +
|
 +
|
 +
|-
 +
| Unplugged port
 +
| allow port creation without associating any network/subnetwork. Allow VM creation with such port. And later those port will be pluged into network/subnet and given IP address
 +
|
 +
|
 +
|
 +
|
 
|
 
|
 
|}
 
|}
  
== routing/VPM VM ==
+
== routing/VPN VM ==
 
=== Use case ===
 
=== Use case ===
 
Service VM implements some service, e.g., routing or VPN. That VM will then be connected to a number of Neutron Networks/Subnets in some tenant.
 
Service VM implements some service, e.g., routing or VPN. That VM will then be connected to a number of Neutron Networks/Subnets in some tenant.
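Review bot: the new "port without subnet" row has a broken description ("It Thus port without IP address") and, as written, overlaps with the "unaddressed port" row above it and the "Unplugged port" row below it, since all three describe a port that has no IP address. State how the three differ or merge them. "pluged" in the Unplugged port row should be "plugged", and both new rows leave Priority empty.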

Latest revision as of 17:49, 19 May 2015

Neutron port attribute enhancement

NFV and ServiceVM need extensions/enhancements for the Neutron port. This page collects use cases and requirements, which will then be broken down into actual blueprints and implementations. For items not related to ports, please refer to https://wiki.openstack.org/wiki/ServiceVM/neutron-and-other-project-items

summary

{| class="wikitable sortable"
|-
! Requirement !! Description !! Priority !! Blueprint Link !! design link !! Patch Link !! Use Case
|-
| VLAN trunkport/l2-gateway
|
| High
| https://blueprints.launchpad.net/neutron/+spec/vlan-aware-vms, https://blueprints.launchpad.net/neutron/+spec/l2-gateway
| https://review.openstack.org/97714 https://review.openstack.org/#/c/94612/ https://review.openstack.org/#/c/100278/
| https://review.openstack.org/#/c/92541/
|
|-
| unfirewalled port
| Disable security group/anti-spoofing etc. Fix Security Groups to disable the anti-spoofing mechanism, to allow non-VM IP/MAC addresses in traffic from the Service VMs. Security groups should be more flexible, allowing the service VMs to spoof IP or MAC. Ability to disable security groups on a service VM port, at least for the ML2 OVS mechanism driver (e.g., by implementing the "port-security" extension).
| High
| https://blueprints.launchpad.net/neutron/+spec/nfv-unaddressed-interfaces https://blueprints.launchpad.net/neutron/+spec/ml2-ovs-portsecurity
| https://review.openstack.org/97715 https://review.openstack.org/#/c/99873/
|
| router/VPN VM
|-
| unaddressed port
| Allow port creation without IP/MAC address.
| Middle?
|
|
|
| A FW that is deployed in bump-in-the-wire mode or tap mode (no IP address, no MAC address); changing the network/subnet of a vNIC (Neutron port) to another without deleting the vNIC, in order to save unplugging/plugging the NIC (no IP address, MAC address kept during the unconnected state).
|-
| sharing MAC/IP address
| Share a (virtual) MAC/IP address between multiple service VM instances, or even between two ports on the same VM.
|
|
|
|
| Redundant ports that back each other up, both having the same MAC and IP.
|-
| port without subnet
| Port that isn't attached to any subnet, thus a port without an IP address.
|
|
|
|
|
|-
| Unplugged port
| Allow port creation without associating any network/subnetwork. Allow VM creation with such a port. Later, those ports will be plugged into a network/subnet and given an IP address.
|
|
|
|
|
|}

routing/VPN VM

Use case

Service VM implements some service, e.g., routing or VPN. That VM will then be connected to a number of Neutron Networks/Subnets in some tenant. To provide its service the VM must be able to FORWARD traffic (i.e., packets come in on one VM interface and same packets leave on another one).

Requirement

It must be possible to disable security groups on Neutron Ports used by a service VM. There exists an extension for this: https://github.com/openstack/neutron/blob/master/neutron/extensions/portsecurity.py. However, it is not implemented by the free plugins like ML2, Openvswitch etc.
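A simplified model of the per-port anti-spoofing check that makes this requirement necessary, with an audit of ports that have the check switched off. This is an added example, not Neutron code or part of the original page. Field names follow the Neutron port API (`port_security_enabled`, `allowed_address_pairs`); the sample ports, their IDs and the `audit_unfiltered` helper are constructed for illustration.

```python
import ipaddress


def egress_allowed(port, src_mac, src_ip):
    """Simplified model of the anti-spoofing check on frames a VM sends."""
    # Port-security extension: False disables security groups and anti-spoofing.
    if not port.get("port_security_enabled", True):
        return True
    # By default only the port's own MAC with its fixed IPs is a valid source.
    pairs = [(port["mac_address"], f["ip_address"]) for f in port["fixed_ips"]]
    # allowed_address_pairs adds sources; the MAC defaults to the port's own.
    for p in port.get("allowed_address_pairs", []):
        pairs.append((p.get("mac_address", port["mac_address"]), p["ip_address"]))
    ip = ipaddress.ip_address(src_ip)
    return any(
        src_mac.lower() == mac.lower()
        and ip in ipaddress.ip_network(net, strict=False)
        for mac, net in pairs
    )


def audit_unfiltered(ports, approved_ids):
    """IDs of ports with port security off that are not approved service VM ports."""
    return [
        p["id"] for p in ports
        if not p.get("port_security_enabled", True) and p["id"] not in approved_ids
    ]


# Constructed sample data: a router VM port on 10.0.1.0/24 that forwards
# packets originating from hosts on 10.0.2.0/24.
MAC = "fa:16:3e:00:00:01"
FILTERED = {"id": "port-a", "mac_address": MAC,
            "fixed_ips": [{"ip_address": "10.0.1.1"}],
            "port_security_enabled": True}
PAIRED = dict(FILTERED, id="port-b",
              allowed_address_pairs=[{"ip_address": "10.0.2.0/24"}])
UNFILTERED = dict(FILTERED, id="port-c", port_security_enabled=False)

if __name__ == "__main__":
    for port in (FILTERED, PAIRED, UNFILTERED):
        print(port["id"], egress_allowed(port, MAC, "10.0.2.7"))
    print(audit_unfiltered([FILTERED, PAIRED, UNFILTERED], {"port-a"}))
```

The forwarded packet from 10.0.2.7 is dropped on the default port, passes on the port with a matching address pair, and passes unconditionally once port security is off, which is why unfiltered ports are worth tracking against an approved list.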

Use Case Name

Use case

Requirement