Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Address Scopes OpenStack Summit 2016
Similar a Address Scopes OpenStack Summit 2016 (20)
Último
Último (20)
Address Scopes OpenStack Summit 2016
- 1. Neutron Address Scopes Speakers: • Carl Baldwin, HPE – IRC: carl_baldwin – Twitter: @CarlNBaldwin • Hong Hui Xiao, IBM – IRC: xiaohhui 1
- 2. Neutron Address Scopes Motivation – NAT to isolate private networks from the external – Allowed / required users to bring their own addresses – Neutron has no NAT for IPv6 – Mitaka added announcing private networks via BGP – Which ones can be advertised? – Plan to enhance BGP dynamic routing with L2VPN/L3VPN – Need to isolate routing domains more precisely – Need to prevent IP address overlap within routing domain 2
- 3. Neutron Address Scopes Subnet Pools – Range of addresses from which subnets may be allocated – May be exclusive to a tenant or shared. Enforces a quota for shared pools – Optionally specify a pool when allocating a subnet – Leave out the CIDR and just pass a prefix length (or use the default prefix length) – Specify a CIDR if you want, as long as it fits in the pool without overlap – Used in ... – Neutron's auto allocated topology extension (aka "Get me a Network”) – Project Kuryr – Your projects? – Reference: – https://blueprints.launchpad.net/neutron/+spec/subnet-allocation 3
- 4. Neutron Address Scopes Subnet Pools support Address Scopes – They both prevent address overlap – How do they differ? Why is there a distinction? – Subnet pools manage the allocation of subnets – Address scopes isolate routing domains – Subnet pools are an accounting mechanism to support address scopes – Multiple pools within the scope allows delegating parts of the scope differently 4
- 5. Neutron Address Scopes Maintaining Compatibility – Aggregation instead of Composition – Subnets can still exist without subnet pools – Subnet pools can still exist without address scopes – The “no scope” scope – Includes all subnets without a subnet pool – Includes all subnet pools without an address scope – Constraints are relaxed – Arbitrary address overlap is allowed – Implicit NAT between private IPv4 networks and the external network 5
- 6. Create an Address Scope
- 7. Create a Subnet Pool
- 10. Implementation of Address Scopes • Iptables is used. • Traffic will be marked according to address scope, at pre- routing chain. • Traffic will be blocked if the mark of source doesn’t match with the mark of destination, at forward chain. • In the case of NAT, connmark will be used. So that the returning packet can be marked with the right address scope, and go through the forward chain.
- 11. Address Scopes in the L3 Agent --- E-W traffic Private network 10.0.1.0/24 Private network 10.0.0.0/24 Router Private network 20.0.0.0/24 Private network 10.0.0.0/24 Router Address scope1 Address scope2 Within the same address scope, the traffic is allowed. Across different address scopes, the traffic will be blocked at neutron router. This is a different behavior with address scope.
- 12. Address Scopes in the L3 Agent --- E-W traffic Every network packet will be associated with a mark according to its originating interface. If the network packet wants to go into an interface and the mark does not match, the packet will be dropped
- 13. Address Scopes in the L3 Agent --- N-S traffic External network 172.24.4.0/24 Private network 10.0.0.0/24 Router Private network 20.0.0.0/24 External network 172.24.4.0/24 Address scope1 Address scope2 Within the same address scope, neutron router will directly route the traffic. This is a different behavior with address scope. Across different address scopes, neutron router will NAT the traffic from private network to external network NAT Router 172.24.4.2
- 14. Address Scopes in the L3 Agent --- N-S traffic Every connection that will go out of router gateway will record the mark to connmark SNAT is not used if it is a connection in scope
- 15. Address Scopes in the L3 Agent --- floating IP Private network VM External network Address scope1 Address scope2 Without floating ip, the VM can not access other private network across address scope. With floating ip, the VM can access private networks in the same address scope as external network, even if it is a cross scope traffic. NAT Router Private network fip 172.24.4.3 20.0.0.3
- 16. Address Scopes in the L3 Agent --- floating IP All network packets whose destination are the floatingip will be marked according to the fixed ip If the network packet comes from fixed ip and go to the scope of external network, its mark will be changed to make it go through the filter table
- 17. Neutron Address Scopes Address Scopes and BGP – Route announcement with BGP is available in Mitaka – BGP will look at all of the routers with gateways connected to an network. – Looks through the routers to find private networks. – How does it know if it should advertise that network? – BGP reference: – https://blueprints.launchpad.net/neutron/+spec/bgp-dynamic-routing 17
- 20. Routed Networks – Dynamic routing may be an integral part of routed provider networks – Floating IPs – Routed network reference: – https://blueprints.launchpad.net/neutron/+spec/routed-networks 20
- 21. Thank you 21
Notas del editor
- Carl
- Carl
- Carl
- Carl
- We call a traffic between private networks as an east to west traffic. In an east to west traffic, if the private networks are with the same address scope, the traffic between will be allowed. This is just a normal behavior of neutron router. And that is what you have already known about neutron router before address scopes. But for private networks with different address scopes, the east to west traffic will be blocked at neutron router. This is what we called “go in a wrong scope” in last page.
- The mark here has a 1-1 relationship with address scope. So if the network packet comes from address scope a, it will have the mark a. And when it tries to go into address scope b, it will be blocked, because the mark doesn't match..
- We call a traffic between private network and external network as a north to south traffic. In a north to south traffic, if the private network and external network are not in the same address scope, neutron router will NAT the traffic. This is what you have already known before address scopes. If the private network and external network are in the same address scope, neutron router will do straight routing. That is to say, the addresses in the private network can go directly to the external network, and vice versa. Because they are in the same address scope, the addresses of them must be unique and legitimate. So, straight routing is feasible between them. As Carl has mentioned, there is one exception to this scenario, that is “no scope”. There is always NAT between private networks and external network in the “no scope”.
- connmark can be persisted along with the connection. So, when the returning packet comes from router gateway, its mark can be set according to the connmark. As a result, the returning packet can go back to the source address through the iptables. At the nat table, the SNAT will be not be used if it is a connection in scope. As a result, the direct route will be performed.
- This is a picture that combines the 2 previous scenarios. Across scopes, E-W traffic is not allowed, and N-S traffic will do NAT. For the floating IP, it will still serve as the access point for a fixed IP in the external network. That is to say, there will always be NAT between fixed IP and floating IP, no matter if they are in the same address scope or not. When a port is associated with a floating IP, the port will be given the access to the scope of floating IP. So, after associating a floating IP, the vm can access the private networks in the scope of external network, even if it is a cross scope traffic. This is because the port now has 2 addresses in 2 scopes. As a result, it can access these 2 scopes.
- So that the packets can go through iptables and reach the fixed ip address. So that after associating floating ip, the port can access the whole address scope of external network.