Post on 08-Apr-2017
Neutron Address Scopes
Speakers:
• Carl Baldwin, HPE – IRC: carl_baldwin – Twitter: @CarlNBaldwin
• Hong Hui Xiao, IBM – IRC: xiaohhui
Motivation
– NAT to isolate private networks from the external
  – Allowed / required users to bring their own addresses
  – Neutron has no NAT for IPv6
– Mitaka added announcing private networks via BGP
  – Which ones can be advertised?
– Plan to enhance BGP dynamic routing with L2VPN/L3VPN
  – Need to isolate routing domains more precisely
  – Need to prevent IP address overlap within routing domain
Subnet Pools
– Range of addresses from which subnets may be allocated
– May be exclusive to a tenant or shared. Enforces a quota for shared pools
– Optionally specify a pool when allocating a subnet
  – Leave out the CIDR and just pass a prefix length (or use the default prefix length)
  – Specify a CIDR if you want, as long as it fits in the pool without overlap
– Used in ...
  – Neutron's auto allocated topology extension (aka "Get me a Network")
  – Project Kuryr
  – Your projects?
– Reference:
  – https://blueprints.launchpad.net/neutron/+spec/subnet-allocation
Subnet Pools support Address Scopes
– They both prevent address overlap
– How do they differ? Why is there a distinction?
  – Subnet pools manage the allocation of subnets
  – Address scopes isolate routing domains
  – Subnet pools are an accounting mechanism to support address scopes
  – Multiple pools within the scope allow delegating parts of the scope differently
Maintaining Compatibility
– Aggregation instead of Composition
  – Subnets can still exist without subnet pools
  – Subnet pools can still exist without address scopes
– The “no scope” scope
  – Includes all subnets without a subnet pool
  – Includes all subnet pools without an address scope
  – Constraints are relaxed
    – Arbitrary address overlap is allowed
    – Implicit NAT between private IPv4 networks and the external network
Implementation of Address Scopes
• iptables is used.
• Traffic is marked according to its address scope in the PREROUTING chain.
• Traffic is blocked in the FORWARD chain if the mark of the source does not match the mark of the destination.
• In the case of NAT, connmark is used so that the returning packet can be marked with the right address scope and pass through the FORWARD chain.
Address Scopes in the L3 Agent --- E-W traffic
[Diagram: one router joining private networks 10.0.1.0/24 and 10.0.0.0/24, both in address scope 1; a second router joining private networks 20.0.0.0/24 and 10.0.0.0/24, which are in different address scopes (scope 1 and scope 2).]
Within the same address scope, the traffic is allowed.
Across different address scopes, the traffic is blocked at the Neutron router. This behaviour is new with address scopes.
Address Scopes in the L3 Agent --- E-W traffic
Every network packet is associated with a mark according to its originating interface.
If the packet is to leave through an interface whose mark does not match, the packet is dropped.
Address Scopes in the L3 Agent --- N-S traffic
[Diagram: one router with private network 10.0.0.0/24 and external network 172.24.4.0/24 in the same address scope (scope 1); a second router with private network 20.0.0.0/24 (scope 2) and external network 172.24.4.0/24 (scope 1), which NATs to its gateway address 172.24.4.2.]
Within the same address scope, the Neutron router routes the traffic directly. This behaviour is new with address scopes.
Across different address scopes, the Neutron router NATs the traffic from the private network to the external network.
Address Scopes in the L3 Agent --- N-S traffic
Every connection that leaves through the router gateway records its mark in connmark.
SNAT is not used if the connection stays within one address scope.
Address Scopes in the L3 Agent --- floating IP
[Diagram: a VM with fixed IP 20.0.0.3 on a private network in address scope 2, holding floating IP 172.24.4.3 on the external network in address scope 1; a NAT router connects it to another private network that is in scope 1.]
Without a floating IP, the VM cannot access other private networks across address scopes.
With a floating IP, the VM can access private networks in the same address scope as the external network, even though it is cross-scope traffic.
Address Scopes in the L3 Agent --- floating IP
All network packets whose destination is the floating IP are marked according to the scope of the fixed IP.
If a packet comes from the fixed IP and goes to the scope of the external network, its mark is changed so that it passes the filter table.
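The marking, FORWARD check, connmark and floating IP rules from the L3 agent slides, modelled as an added example (not Neutron's own code): the Port class, ScopedRouter, the mark values and the verdict strings are assumptions, and the in-memory model stands in for the iptables PREROUTING, FORWARD and CONNMARK rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Port:
    cidr: str            # subnet attached to this router interface
    scope: str           # address scope of its subnet pool, or "no scope"
    external: bool = False


class ScopedRouter:
    """Model of the L3 agent's address-scope rules (constructed example)."""

    def __init__(self, ports, gateway_ip, floating_ips=None):
        self.ports, self.gw_ip = ports, gateway_ip
        self.fips = floating_ips or {}                 # floating ip -> fixed ip
        self.ext_scope = next(p.scope for p in ports if p.external)
        # One firewall mark per scope, as the PREROUTING rules assign it
        self.marks = {s: i + 1 for i, s in enumerate(sorted({p.scope for p in ports}))}
        self.connmark = {}                             # (src, dst) -> saved mark

    def _port(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((p for p in self.ports if addr in ipaddress.ip_network(p.cidr)), None)

    def verdict(self, src, dst):
        """Return the verdict the chains would give a packet src -> dst."""
        # Reply to a SNATed connection: CONNMARK restores the scope mark, so the
        # reply is reverse-NATed and accepted without a fresh scope check
        if (src, dst) in self.connmark:
            return "ACCEPT (connmark restored, reverse NAT)"
        in_port, out_port = self._port(src), self._port(dst)
        if in_port is None or out_port is None:
            return "DROP (no route)"
        mark = self.marks[in_port.scope]               # mark by ingress interface
        if dst in self.fips:                           # to a FIP: mark by the fixed IP's scope
            out_port = self._port(self.fips[dst])
            mark = self.marks[out_port.scope]
        elif src in self.fips.values() and out_port.scope == self.ext_scope:
            mark = self.marks[self.ext_scope]          # fixed IP with a FIP joins the external scope
        # FORWARD: marks must match; the gateway is the only cross-scope exit
        if mark != self.marks[out_port.scope]:
            if not out_port.external:
                return "DROP (address-scope mismatch)"
            self.connmark[(dst, self.gw_ip)] = mark    # remember the scope for the reply
            return f"ACCEPT (SNAT to {self.gw_ip})"
        return "ACCEPT (routed, no NAT)"
```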
Address Scopes and BGP
– Route announcement with BGP is available in Mitaka
– BGP will look at all of the routers with gateways connected to a network.
– Looks through the routers to find private networks.
  – How does it know if it should advertise that network?
– BGP reference:
  – https://blueprints.launchpad.net/neutron/+spec/bgp-dynamic-routing
Routed Networks
– Dynamic routing may be an integral part of routed provider networks
– Floating IPs
– Routed network reference:
  – https://blueprints.launchpad.net/neutron/+spec/routed-networks