yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #40502
[Bug 1509436] [NEW] Add BGP Listener Support to BGP Dynamic Routing with VPN, for Dynamic Separation of Internet and Tenant External Traffic
Public bug reported:
>From a compute instance with one Neutron port, depending on the destination IP address, some traffic is destined for the Internet, while other traffic is meant to go to a tenant VPN outside of the OpenStack region. There are many possible reasons to have such a tenant VPN, including:
1. Connectivity to an on premises tenant site using L3VPN connectivity, similar to AWS DirectConnect or SoftLayer DirectLink
2. Connectivity between OpenStack regions, either for geographic diversity or due to specific services available in specific OpenStack regions (e.g. bare metal support)
3. Connectivity to a non-OpenStack public data center
One common use case is a web front end within the OpenStack region,
connected to a back end database tier that resides outside of this
OpenStack region. The web front end must be reachable from the Internet.
The back end database tier must not be reachable from the Internet.
Specifically, the scenario of interest involves one or more OpenStack
routers, where each OpenStack router has multiple networks connecting to
the outside world (1). Relying on received BGP VPN routes, the OpenStack
router’s routing table is programmed, causing traffic to different
destination addresses to be directed towards different networks
connecting to the outside world.
The intention is to leave the internal operation of OpenStack (between
compute nodes, and between compute nodes and network nodes) untouched,
only affecting route selection from an OpenStack router to the outside
world. For this reason, this effort is targeted at BGP Dynamic Routing
[1] with VPN support [2].
Note that one goal is to hide the complexity of multiple networks
connecting to the outside world from OpenStack compute instances. The
solution should work with OpenStack compute instances that have only one
Neutron port. The solution should not impose any requirement for host
routing within the compute instances.
The reference implementation will use BGP EVPN Prefix Advertisement [3],
based on EVPN Route Type 5 (EVPN Prefix Route) specifying a recursion
through a GW IP address, linking to an EVPN Route Type 2 (MAC/IP). The
data plane will use VXLAN encapsulation on the networks connecting to
the outside world (2).
The initial scope will be network nodes only. Subsequent enhancements
will extend support to DVR.
(1) How to get more than one network connecting to the outside world,
onto a single OpenStack router, is currently under investigation. This
is not straightforward due to the limitation of one external gateway
network per OpenStack router. Currently under consideration is an
approach where all but one of the networks have router:external set to
false, i.e. the external gateway network connects to the internet (since
that needs Floating IP functionality and possibly a default route),
while networks with router:external set to false connect to tenant VPNs
(no Floating IP or NAT support). If enhancements are required to allow
multiple networks connecting to the outside world from a single
OpenStack router, a separate RFE will be filed.
(2) From an OpenStack router, if one of the networks connecting to the
outside world is considered to be an external gateway network, some
enhancements may be required to support VXLAN encapsulation on that
external gateway network. A separate RFE will be filed, if necessary.
[1] https://blueprints.launchpad.net/neutron/+spec/bgp-dynamic-routing
[2] https://bugs.launchpad.net/neutron/+bug/1509431
[3] draft-ietf-bess-evpn-prefix-advertisement
[4] http://docs.openstack.org/developer/networking-bgpvpn/
** Affects: neutron
Importance: Undecided
Status: New
** Tags: rfe
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1509436
Title:
Add BGP Listener Support to BGP Dynamic Routing with VPN, for Dynamic
Separation of Internet and Tenant External Traffic
Status in neutron:
New
Bug description:
From a compute instance with one Neutron port, depending on the destination IP address, some traffic is destined for the Internet, while other traffic is meant to go to a tenant VPN outside of the OpenStack region. There are many possible reasons to have such a tenant VPN, including:
1. Connectivity to an on premises tenant site using L3VPN connectivity, similar to AWS DirectConnect or SoftLayer DirectLink
2. Connectivity between OpenStack regions, either for geographic diversity or due to specific services available in specific OpenStack regions (e.g. bare metal support)
3. Connectivity to a non-OpenStack public data center
One common use case is a web front end within the OpenStack region,
connected to a back end database tier that resides outside of this
OpenStack region. The web front end must be reachable from the
Internet. The back end database tier must not be reachable from the
Internet.
Specifically, the scenario of interest involves one or more OpenStack
routers, where each OpenStack router has multiple networks connecting
to the outside world (1). Relying on received BGP VPN routes, the
OpenStack router’s routing table is programmed, causing traffic to
different destination addresses to be directed towards different
networks connecting to the outside world.
The intention is to leave the internal operation of OpenStack (between
compute nodes, and between compute nodes and network nodes) untouched,
only affecting route selection from an OpenStack router to the outside
world. For this reason, this effort is targeted at BGP Dynamic Routing
[1] with VPN support [2].
Note that one goal is to hide the complexity of multiple networks
connecting to the outside world from OpenStack compute instances. The
solution should work with OpenStack compute instances that have only
one Neutron port. The solution should not impose any requirement for
host routing within the compute instances.
The reference implementation will use BGP EVPN Prefix Advertisement
[3], based on EVPN Route Type 5 (EVPN Prefix Route) specifying a
recursion through a GW IP address, linking to an EVPN Route Type 2
(MAC/IP). The data plane will use VXLAN encapsulation on the networks
connecting to the outside world (2).
The initial scope will be network nodes only. Subsequent enhancements
will extend support to DVR.
(1) How to get more than one network connecting to the outside world,
onto a single OpenStack router, is currently under investigation. This
is not straightforward due to the limitation of one external gateway
network per OpenStack router. Currently under consideration is an
approach where all but one of the networks have router:external set to
false, i.e. the external gateway network connects to the internet
(since that needs Floating IP functionality and possibly a default
route), while networks with router:external set to false connect to
tenant VPNs (no Floating IP or NAT support). If enhancements are
required to allow multiple networks connecting to the outside world
from a single OpenStack router, a separate RFE will be filed.
(2) From an OpenStack router, if one of the networks connecting to the
outside world is considered to be an external gateway network, some
enhancements may be required to support VXLAN encapsulation on that
external gateway network. A separate RFE will be filed, if necessary.
[1] https://blueprints.launchpad.net/neutron/+spec/bgp-dynamic-routing
[2] https://bugs.launchpad.net/neutron/+bug/1509431
[3] draft-ietf-bess-evpn-prefix-advertisement
[4] http://docs.openstack.org/developer/networking-bgpvpn/
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1509436/+subscriptions
Follow ups