I think that this is roughly what Russell had in mind,
documentation-wise.

I think there'll be a delay because Russell is out on leave for a few
weeks.

On Mon, Apr 18, 2016 at 06:55:40PM +0000, John McDowall wrote:
> Russell,
> 
> Sorry for the delay, I have edited two documents to start to address items 2 
> and 4, they are in my private fork of ovs. Let me know if this is what you 
> were thinking about.
> 
> ovn-architecture.7.xml<https://github.com/doonhammer/ovs/blob/master/ovn/ovn-architecture.7.xml>
> ovn-nb.xml<https://github.com/doonhammer/ovs/blob/master/ovn/ovn-nb.xml>
> 
> I have talked to the networking-sfc team and I think we have an approach to 
> use the networking-sfc interface in Openstack. I think it is better than the 
> API I created in Openstack and leverages their driver model. I am going to 
> try and get something working to illustrate the model. Simple case should be 
> relatively easy - if we want to add multiple VNF’s it will get a little 
> harder.
> 
> Regards
> 
> John
> 
> 
> 
> From: Russell Bryant <russ...@ovn.org<mailto:russ...@ovn.org>>
> Date: Wednesday, March 30, 2016 at 6:48 PM
> To: John McDowall 
> <jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>>
> Cc: Ben Pfaff <b...@ovn.org<mailto:b...@ovn.org>>, 
> "discuss@openvswitch.org<mailto:discuss@openvswitch.org>" 
> <discuss@openvswitch.org<mailto:discuss@openvswitch.org>>
> Subject: Re: [ovs-discuss] [ovn4nfv]
> 
> I won't be at the OpenStack Summit this time around.
> 
> I'm happy to jump on the phone sometime for quick clarifications if needed, 
> but in general I think it's best if we keep discussion in public as much as 
> possible.  I want to make sure we include whoever else is interested.  I 
> certainly don't have all the answers.  :-)
> 
> I feel like we have a lot of good ideas, and our instincts are saying we can 
> do this, but I know we have some details missing.  I'd also like to feel 
> reasonably confident that the solution we come up with more generally 
> supports other uses of the networking-sfc API.
> 
> What I'd like to see as a next step is a detailed end-to-end design for a 
> simple use case that shows:
> 
> 1) A sample use of the networking-sfc API
> 
> 2) How we would reflect that in the OVN_Northbound database
> 
> 3) An explanation of the logical flows we would generate to implement what 
> was specified in OVN_Northbound
> 
> 4) Docs on the "Life Cycle of a Packet through a Service Chain".  In 
> ovn-architecture(7), there are several very detailed "Life Cycle" sections.  
> I feel this functionality could really benefit from a detailed walkthrough.
> 
> I feel like I had a pretty good idea of how this could work if all the ports 
> were on the same logical switch.  I never figured out allowing ports in the 
> chain to exist on separate logical switches.  It'd be nice to include that in 
> the sample.  Or is that limitation a reasonable one to accept as a first cut? 
>  If so, we might be able to move quickly on a first iteration based on the 
> work I had done before.
> 
> --
> Russell Bryant
> 
> 
> On Wed, Mar 30, 2016 at 1:13 PM, John McDowall 
> <jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>> wrote:
> Russell,
> 
> Let me try and answer your questions:
> 
>   1.  I looked at the networking-sfc API 
> (http://docs.openstack.org/developer/networking-sfc/api.html#rest-api<https://urldefense.proofpoint.com/v2/url?u=http-3A__docs.openstack.org_developer_networking-2Dsfc_api.html-23rest-2Dapi&d=CwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=bjFO8SzAuBNWXRgV8_NHbcEXferyEEOP15T70AuyNjY&s=1qDCEkqqbrKpNuK77WIr7RKYwEJPC5u7_m53C7-LSIU&e=>)
>  and I think we can fit into it pretty easily. I would use the neutron 
> port-pair-create and use the service-function-parameters option to pass in a 
> type indicating service insertion and the application-id that the service 
> would be inserted to. Port-pair-groups could be used to do simple chain – I 
> think but needs more investigation.
>   2.  Yes, also interested in service insertion outside of Openstack, I 
> implemented a set of ovn-nbctl commands to enable insertion outside of 
> openstack. I have really used Openstack as the centralized management plane.
>   3.  As a “legacy” vendor :-), we would rather remain unaware of the NSH 
> headers, though we would change if we can see good use cases that require the 
> VNF to participate in the service chain.
> 
> I assume you will be at the Openstack Summit in Austin perhaps we could do a 
> f2f there.
> 
> Would like to ask everyone on the list about potential use cases so we can 
> make sure we can address the widest audience.
> 
> Regards
> 
> John
> 
> From: Russell Bryant <russ...@ovn.org<mailto:russ...@ovn.org>>
> Date: Tuesday, March 29, 2016 at 6:06 AM
> To: John McDowall 
> <jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>>
> Cc: Ben Pfaff <b...@ovn.org<mailto:b...@ovn.org>>, 
> "discuss@openvswitch.org<mailto:discuss@openvswitch.org>" 
> <discuss@openvswitch.org<mailto:discuss@openvswitch.org>>
> Subject: Re: [ovs-discuss] [ovn4nfv]
> 
> On Mon, Mar 28, 2016 at 6:56 PM, John McDowall 
> <jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>> wrote:
> Russell,
> 
> Thanks of taking the time to provide a detailed response. Let me try and 
> answer your questions, and ask a few on my own.
> 
>   1.  Yes, I want to continue working through this as we see it really 
> important to enable easy service insertion at scale. Think of the problem of 
> how to deploy hundreds of VNF’s that can be scaled up/down with no manual 
> intervention.
> 
> Fantastic.  :-)
> 
>   1.  The Neutron API I created was done for much the same reason as your 
> prototype - seeing how hard it was and making sure I could get something to 
> work. Creating and supporting yet another API is rarely a good idea and so 
> aligning with the networking-sfc API is the right thing to do. I have had a 
> few off-line conversations with that team and will continue to try and fit 
> this under that umbrella as it evolves.
> 
> Great!  Do you have specific issues with their API?  I'd be interested to 
> hear about what changes you think should be made.
> 
>   1.  I agree with you idea of a separate table, once again I just took what 
> I could see was the shortest path to get something working for a prototype. I 
> will take a look at your code and see how to implement an extra table.
> 
> I totally understand.  A prototype of something working is a great way to get 
> the conversation going!
> 
> 
>   1.  The issue with routing between subnets to chain VNF’s could be looked 
> at in three ways, 1) If each subnet has one or more VNF’s the problem  is 
> easy; 2) If the application being protected is communicating with 
> applications/hosts on a different subnet then the traffic is, I assume, 
> forwarded the default router; 3) The hardest case is if the topology is such 
> that all the VNF’s are placed in a shared subnet, then we would need to add 
> additional information in the API  to direct traffic to that subnet, or OVN 
> could look up the subnet based on logical port? - have not thought about it a 
> lot but seems doable.
> 
> IP addresses are stored in the logical port "addresses" column.
> 
>   1.  The toughest question here is what is a VNF and does it operate at L3, 
> L2, or as a transparent bump in the wire. The related question is how complex 
> is the service chain of these virtual functions. I would disagree a little 
> here with Russell and suggest that the approach is not for “legacy” VNF’s but 
> transparent VNF’s that act as a “bump in the wire" from a networking POV. The 
> issue becomes what are the specific use cases we want to design for with 
> ovn4nfv.
> 
> I meant no harm by using the term "legacy".  :-)  I just needed a term to 
> differentiate from the service chaining aware VNFs that expect some 
> additional metadata.  RFC 7665 calls it a "SFC-unaware Service Function".
> 
> I think your "bump in the wire" use case makes sense.
> 
> I honestly don't have that strong of an opinion on what use cases to support. 
>  I just want to support whatever it is actual users want.
> 
> Let me try to start to separate/segment some of the approaches:
> 
> I think there are several segments of the market for VNF’s and NFV. The two I 
> see most are:
> 
>   1.  Carrier networks where they are focused on virtual provider/customer 
> edge routers (vCPE, vPE), border network gateways (BNG) , for wired to 
> wireless networks, and SD-WAN, which is related to vCPE/PE
>   2.  Public/private cloud data centers and virtual enterprises, where the 
> use cases are centered around virtual load balancing/scaling and security.
> 
> The needs of both are different (IMHO), the need for the carriers is to 
> enable the creation of large scale distributed virtual routers, leveraging 
> MPLS and/or BGP as the core transport protocol. The goal for the carriers is 
> to be able to customize their core routing infrastructure without waiting for 
> a new release from their hardware vendors which can take years to get into 
> production. Here the architecture of networking-sfc has it core strengths; 
> with its focus on dynamic routing; as it acts similarly to the ingress/egress 
> forwarding paths of a classical router. This enables carriers to build large 
> scale dynamic distributed virtual routing infrastructure from virtual 
> functions.
> 
> The needs in private/public cloud (and enterprises) are simpler as the 
> requirements are to insert either a load-balancer or security VNF to scale 
> up/down applications or secure applications. Here change can be rapid and the 
> need is to deploy and scale up/down in minutes if not seconds in many 
> instances.  I have been focusing on the use cases for the second segment as 
> it is where we are seeing a need for simplicity and speed.
> 
> A typical use case we see a lot of is protecting east-west traffic, when an 
> application is deployed, security is deployed with it to protect it, and when 
> the application is removed, security is removed. The goal here is to deploy a 
> “zero trust” security model. We have deployed a similar architecture very 
> successfully with VMWare’s NSX product, we would now like to figure out how 
> to do it in the open source environment.
> 
> We would prefer to be transparent to networking “bump in the wire” as this 
> simplifies the interaction between the controller (OVN) and the VNF. The only 
> information that is shared is the logical in and out ports for the VNF. Hence 
> configuration requires less interactions between the networking 
> infrastructure and the VNF/Controller, moving the VNF or application also 
> becomes easier. It becomes a simple API interaction with minimal shared state 
> between OVN and the VNF.
> 
> Does this make sense, it is just my rough attempt at breaking down the use 
> cases into a more specific set of cases we can solve?
> 
> That's a nice breakdown.  I like the focus on the simpler case.  I always 
> like when a feature can be broken down into smaller useful iterations.
> 
> From an OpenStack POV, I always come back to "what API are we implementing?". 
>  You mention that networking-sfc is built in support of #1.  Do you think it 
> can also support #2, or do you think another API is more appropriate?  If 
> networking-sfc works, are there some reasonable limitations we can put in 
> place to get a first version out?
> 
> Do you have interest in this functionality in OVN outside of OpenStack?
> 
> Also what other use cases should we consider?
> 
> There seems to be some industry interest in NSH based SFC.  It's not 
> supported by OVS yet, but it should be on our radar.  I suppose it just comes 
> back to eventually wanting to support SFC-aware VNFs that expect some 
> metadata.
> 
> --
> Russell Bryant
> 
> 
> 
> --
> Russell Bryant
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss

Reply via email to