2. Neutron Address Scopes
Motivation
– NAT to isolate private networks from the external
– Allowed / required users to bring their own addresses
– Neutron has no NAT for IPv6
– Mitaka added announcing private networks via BGP
– Which ones can be advertised?
– Plan to enhance BGP dynamic routing with L2VPN/L3VPN
– Need to isolate routing domains more precisely
– Need to prevent IP address overlap within routing domain
3. Neutron Address Scopes
Subnet Pools
– Range of addresses from which subnets may be allocated
– May be exclusive to a tenant or shared. Enforces a quota for shared pools
– Optionally specify a pool when allocating a subnet
– Leave out the CIDR and just pass a prefix length (or use the default prefix length)
– Specify a CIDR if you want, as long as it fits in the pool without overlap
– Used in ...
– Neutron's auto allocated topology extension (aka "Get me a Network")
– Project Kuryr
– Your projects?
– Reference:
– https://blueprints.launchpad.net/neutron/+spec/subnet-allocation
4. Neutron Address Scopes
Subnet Pools support Address Scopes
– They both prevent address overlap
– How do they differ? Why is there a distinction?
– Subnet pools manage the allocation of subnets
– Address scopes isolate routing domains
– Subnet pools are an accounting mechanism to support address scopes
– Multiple pools within the scope allow delegating parts of the scope differently
5. Neutron Address Scopes
Maintaining Compatibility
– Aggregation instead of Composition
– Subnets can still exist without subnet pools
– Subnet pools can still exist without address scopes
– The “no scope” scope
– Includes all subnets without a subnet pool
– Includes all subnet pools without an address scope
– Constraints are relaxed
– Arbitrary address overlap is allowed
– Implicit NAT between private IPv4 networks and the external network
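The subnet-pool and address-scope rules of the last three slides, as an added example that is not Neutron's own code: the class names are assumptions, pool prefixes in a scope may not overlap (so subnets in the scope never overlap), a pool with no scope sits in the "no scope" scope where overlap is allowed, and the quota is modelled as a per-pool cap on allocated addresses rather than Neutron's per-tenant quota.

```python
import ipaddress

class AddressScope:
    """A routing domain. Pools added to it may not have overlapping prefixes,
    so no two subnets allocated anywhere in the scope can overlap."""

    def __init__(self, name):
        self.name, self.pools = name, []

    def add_pool(self, pool):
        for other in self.pools:
            for p in pool.prefixes:
                if any(p.overlaps(q) for q in other.prefixes):
                    raise ValueError(f"{p} overlaps a pool already in {self.name}")
        self.pools.append(pool)
        pool.scope = self

class SubnetPool:
    """Hands out subnets from its prefixes. The quota is modelled as a cap on
    addresses allocated from the pool (an assumption: Neutron's is per tenant)."""

    def __init__(self, prefixes, default_prefixlen=24, quota=None, scope=None):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.default_prefixlen, self.quota = default_prefixlen, quota
        self.allocated, self.scope = [], None   # scope None = the "no scope" scope
        if scope is not None:
            scope.add_pool(self)

    def _free(self, net):
        return not any(net.overlaps(s) for s in self.allocated)

    def allocate(self, cidr=None, prefixlen=None):
        if cidr is not None:                # caller picked the CIDR: must fit, no overlap
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(p) for p in self.prefixes):
                raise ValueError(f"{net} is outside the pool")
            if not self._free(net):
                raise ValueError(f"{net} overlaps an allocated subnet")
        else:                               # only a prefix length: first free block wins
            want = prefixlen or self.default_prefixlen
            net = next((c for p in self.prefixes if want >= p.prefixlen
                        for c in p.subnets(new_prefix=want) if self._free(c)), None)
            if net is None:
                raise ValueError(f"no free /{want} left in the pool")
        used = sum(s.num_addresses for s in self.allocated)
        if self.quota is not None and used + net.num_addresses > self.quota:
            raise ValueError("pool quota exceeded")
        self.allocated.append(net)
        return net
```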
10. Implementation of Address Scopes
• iptables is used.
• Traffic is marked according to its address scope in the PREROUTING chain.
• Traffic is blocked in the FORWARD chain if the mark of the source does not match the mark of the destination.
• In the case of NAT, connmark is used so that the returning packet can be marked with the right address scope and pass through the FORWARD chain.
11. Address Scopes in the L3 Agent --- E-W traffic
[Diagram: address scope1: a router joining private networks 10.0.1.0/24 and 10.0.0.0/24; address scope2: a router joining private networks 20.0.0.0/24 and 10.0.0.0/24]
Within the same address scope, the traffic is allowed.
Across different address scopes, the traffic is blocked at the Neutron router. This is new behavior introduced by address scopes.
12. Address Scopes in the L3 Agent --- E-W traffic
Every packet is associated with a mark according to its originating interface.
If a packet is about to go out an interface whose mark does not match, the packet is dropped.
13. Address Scopes in the L3 Agent --- N-S traffic
[Diagram: private network 10.0.0.0/24 in address scope1; private network 20.0.0.0/24 and external network 172.24.4.0/24 in address scope2; a router with gateway address 172.24.4.2 NATs scope1 traffic toward the external network, while scope2 traffic is routed directly]
Within the same address scope, the Neutron router routes the traffic directly. This is new behavior introduced by address scopes.
Across different address scopes, the Neutron router NATs the traffic from the private network to the external network.
14. Address Scopes in the L3 Agent --- N-S traffic
Every connection leaving through the router gateway records its mark in connmark.
SNAT is not used if the connection is in scope.
15. Address Scopes in the L3 Agent --- floating IP
[Diagram: a VM on a private network in address scope1, with floating IP 172.24.4.3 on the external network in address scope2, reaching 20.0.0.3 on a private network in address scope2 through a NAT router]
Without a floating IP, the VM cannot reach a private network in another address scope.
With a floating IP, the VM can reach private networks in the same address scope as the external network, even though that is cross-scope traffic.
16. Address Scopes in the L3 Agent --- floating IP
All packets whose destination is the floating IP are marked according to the fixed IP.
If a packet comes from the fixed IP and is going to the scope of the external network, its mark is changed so that it passes the filter table.
17. Neutron Address Scopes
Address Scopes and BGP
– Route announcement with BGP is available in Mitaka
– BGP will look at all of the routers with gateways connected to a network.
– Looks through the routers to find private networks.
– How does it know if it should advertise that network?
– BGP reference:
– https://blueprints.launchpad.net/neutron/+spec/bgp-dynamic-routing
20. Routed Networks
– Dynamic routing may be an integral part of routed provider networks
– Floating IPs
– Routed network reference:
– https://blueprints.launchpad.net/neutron/+spec/routed-networks
We call traffic between private networks east-west traffic. For east-west traffic, if the private networks are in the same address scope, the traffic between them is allowed. This is just the normal behavior of a Neutron router, the one you already knew from before address scopes.
But for private networks in different address scopes, east-west traffic is blocked at the Neutron router. This is what we called "going into the wrong scope" on the previous slide.
The mark here has a one-to-one relationship with the address scope.
So if a packet comes from address scope a, it carries mark a. When it tries to go into address scope b, it is blocked, because the mark doesn't match.
We call traffic between a private network and the external network north-south traffic. For north-south traffic, if the private network and the external network are not in the same address scope, the Neutron router NATs the traffic. This is what you already knew from before address scopes.
If the private network and the external network are in the same address scope, the Neutron router does straight routing. That is to say, the addresses in the private network can reach the external network directly, and vice versa. Because they are in the same address scope, their addresses must be unique and legitimate, so straight routing between them is feasible.
As Carl has mentioned, there is one exception to this scenario: "no scope". In the "no scope" scope there is always NAT between private networks and the external network.
connmark is persisted along with the connection.
So, when the returning packet comes in from the router gateway, its mark can be restored from the connmark. As a result, the returning packet can get back to the source address through iptables.
In the nat table, SNAT is not applied if the connection is in scope. As a result, the direct route is taken.
This picture combines the two previous scenarios. Across scopes, E-W traffic is not allowed, and N-S traffic is NATed.
The floating IP still serves as the access point for a fixed IP in the external network. That is to say, there is always NAT between the fixed IP and the floating IP, whether or not they are in the same address scope.
When a port is associated with a floating IP, the port is given access to the scope of the floating IP. So, after associating a floating IP, the VM can reach the private networks in the scope of the external network, even though that is cross-scope traffic. This is because the port now has two addresses in two scopes, and as a result it can reach both scopes.
This is so that the packets can pass through iptables and reach the fixed IP address.
This is so that, after associating a floating IP, the port can reach the whole address scope of the external network.