Ben,

Thanks I wondered why I did not hear from him.

One of the other questions he asked was about either adding a new table
for SFC. If we did that I would assume it would be before Ingress Table 4:
Destination Lookup, as it would override existing destinations. Right now
I have implemented roughly the same thing by giving the SFC rules a higher
priority.

Also I have skeleton networking-sfc driver implemented for OVN, that uses
my existing changes to ovn-northd - but there are a lot of corner cases
and other aspects to work through.

Regards

John

On 4/18/16, 12:44 PM, "Ben Pfaff" <b...@ovn.org> wrote:

>I think that this is roughly what Russell had in mind,
>documentation-wise.
>
>I think there'll be a delay because Russell is out on leave for a few
>weeks.
>
>On Mon, Apr 18, 2016 at 06:55:40PM +0000, John McDowall wrote:
>> Russell,
>> 
>> Sorry for the delay, I have edited two documents to start to address
>>items 2 and 4, they are in my private fork of ovs. Let me know if this
>>is what you were thinking about.
>> 
>> 
>>ovn-architecture.7.xml<https://urldefense.proofpoint.com/v2/url?u=https-3
>>A__github.com_doonhammer_ovs_blob_master_ovn_ovn-2Darchitecture.7.xml&d=C
>>wIDaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1
>>ED54jEjvAE36A8TVJroVlrOQ&m=lKkgUGfwpdf40pGt5ho8vfQruHa9W_C-SOB4ZbzEM1s&s=
>>C4q9xqoNtYkg-EXfHNArcsTb-6wu1idMltqzgvalMhA&e= >
>> 
>>ovn-nb.xml<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.co
>>m_doonhammer_ovs_blob_master_ovn_ovn-2Dnb.xml&d=CwIDaQ&c=V9IgWpI5PvzTw83U
>>yHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ
>>&m=lKkgUGfwpdf40pGt5ho8vfQruHa9W_C-SOB4ZbzEM1s&s=XtZo_6uqSmqLeePpc6zX4jzY
>>3wVZLMZCM0H3mtQwa28&e= >
>> 
>> I have talked to the networking-sfc team and I think we have an
>>approach to use the networking-sfc interface in Openstack. I think it is
>>better than the API I created in Openstack and leverages their driver
>>model. I am going to try and get something working to illustrate the
>>model. Simple case should be relatively easy - if we want to add
>>multiple VNF¹s it will get a little harder.
>> 
>> Regards
>> 
>> John
>> 
>> 
>> 
>> From: Russell Bryant <russ...@ovn.org<mailto:russ...@ovn.org>>
>> Date: Wednesday, March 30, 2016 at 6:48 PM
>> To: John McDowall
>><jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>>
>> Cc: Ben Pfaff <b...@ovn.org<mailto:b...@ovn.org>>,
>>"discuss@openvswitch.org<mailto:discuss@openvswitch.org>"
>><discuss@openvswitch.org<mailto:discuss@openvswitch.org>>
>> Subject: Re: [ovs-discuss] [ovn4nfv]
>> 
>> I won't be at the OpenStack Summit this time around.
>> 
>> I'm happy to jump on the phone sometime for quick clarifications if
>>needed, but in general I think it's best if we keep discussion in public
>>as much as possible.  I want to make sure we include whoever else is
>>interested.  I certainly don't have all the answers.  :-)
>> 
>> I feel like we have a lot of good ideas, and our instincts are saying
>>we can do this, but I know we have some details missing.  I'd also like
>>to feel reasonably confident that the solution we come up with more
>>generally supports other uses of the networking-sfc API.
>> 
>> What I'd like to see as a next step is a detailed end-to-end design for
>>a simple use case that shows:
>> 
>> 1) A sample use of the networking-sfc API
>> 
>> 2) How we would reflect that in the OVN_Northbound database
>> 
>> 3) An explanation of the logical flows we would generate to implement
>>what was specified in OVN_Northbound
>> 
>> 4) Docs on the "Life Cycle of a Packet through a Service Chain".  In
>>ovn-architecture(7), there are several very detailed "Life Cycle"
>>sections.  I feel this functionality could really benefit from a
>>detailed walkthrough.
>> 
>> I feel like I had a pretty good idea of how this could work if all the
>>ports were on the same logical switch.  I never figured out allowing
>>ports in the chain to exist on separate logical switches.  It'd be nice
>>to include that in the sample.  Or is that limitation a reasonable one
>>to accept as a first cut?  If so, we might be able to move quickly on a
>>first iteration based on the work I had done before.
>> 
>> --
>> Russell Bryant
>> 
>> 
>> On Wed, Mar 30, 2016 at 1:13 PM, John McDowall
>><jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>>
>>wrote:
>> Russell,
>> 
>> Let me try and answer your questions:
>> 
>>   1.  I looked at the networking-sfc API
>>(https://urldefense.proofpoint.com/v2/url?u=http-3A__docs.openstack.org_d
>>eveloper_networking-2Dsfc_api.html-23rest-2Dapi&d=CwIDaQ&c=V9IgWpI5PvzTw8
>>3UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlr
>>OQ&m=lKkgUGfwpdf40pGt5ho8vfQruHa9W_C-SOB4ZbzEM1s&s=0p76aZBJqBZOu0Jz3KHIFv
>>ewgtRiNpkN0Hc9DA9MloE&e=
>><https://urldefense.proofpoint.com/v2/url?u=http-3A__docs.openstack.org_d
>>eveloper_networking-2Dsfc_api.html-23rest-2Dapi&d=CwMFaQ&c=V9IgWpI5PvzTw8
>>3UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlr
>>OQ&m=bjFO8SzAuBNWXRgV8_NHbcEXferyEEOP15T70AuyNjY&s=1qDCEkqqbrKpNuK77WIr7R
>>KYwEJPC5u7_m53C7-LSIU&e=>) and I think we can fit into it pretty easily.
>>I would use the neutron port-pair-create and use the
>>service-function-parameters option to pass in a type indicating service
>>insertion and the application-id that the service would be inserted to.
>>Port-pair-groups could be used to do simple chain ­ I think but needs
>>more investigation.
>>   2.  Yes, also interested in service insertion outside of Openstack, I
>>implemented a set of ovn-nbctl commands to enable insertion outside of
>>openstack. I have really used Openstack as the centralized management
>>plane.
>>   3.  As a ³legacy² vendor :-), we would rather remain unaware of the
>>NSH headers, though we would change if we can see good use cases that
>>require the VNF to participate in the service chain.
>> 
>> I assume you will be at the Openstack Summit in Austin perhaps we could
>>do a f2f there.
>> 
>> Would like to ask everyone on the list about potential use cases so we
>>can make sure we can address the widest audience.
>> 
>> Regards
>> 
>> John
>> 
>> From: Russell Bryant <russ...@ovn.org<mailto:russ...@ovn.org>>
>> Date: Tuesday, March 29, 2016 at 6:06 AM
>> To: John McDowall
>><jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>>
>> Cc: Ben Pfaff <b...@ovn.org<mailto:b...@ovn.org>>,
>>"discuss@openvswitch.org<mailto:discuss@openvswitch.org>"
>><discuss@openvswitch.org<mailto:discuss@openvswitch.org>>
>> Subject: Re: [ovs-discuss] [ovn4nfv]
>> 
>> On Mon, Mar 28, 2016 at 6:56 PM, John McDowall
>><jmcdow...@paloaltonetworks.com<mailto:jmcdow...@paloaltonetworks.com>>
>>wrote:
>> Russell,
>> 
>> Thanks of taking the time to provide a detailed response. Let me try
>>and answer your questions, and ask a few on my own.
>> 
>>   1.  Yes, I want to continue working through this as we see it really
>>important to enable easy service insertion at scale. Think of the
>>problem of how to deploy hundreds of VNF¹s that can be scaled up/down
>>with no manual intervention.
>> 
>> Fantastic.  :-)
>> 
>>   1.  The Neutron API I created was done for much the same reason as
>>your prototype - seeing how hard it was and making sure I could get
>>something to work. Creating and supporting yet another API is rarely a
>>good idea and so aligning with the networking-sfc API is the right thing
>>to do. I have had a few off-line conversations with that team and will
>>continue to try and fit this under that umbrella as it evolves.
>> 
>> Great!  Do you have specific issues with their API?  I'd be interested
>>to hear about what changes you think should be made.
>> 
>>   1.  I agree with you idea of a separate table, once again I just took
>>what I could see was the shortest path to get something working for a
>>prototype. I will take a look at your code and see how to implement an
>>extra table.
>> 
>> I totally understand.  A prototype of something working is a great way
>>to get the conversation going!
>> 
>> 
>>   1.  The issue with routing between subnets to chain VNF¹s could be
>>looked at in three ways, 1) If each subnet has one or more VNF¹s the
>>problem  is easy; 2) If the application being protected is communicating
>>with applications/hosts on a different subnet then the traffic is, I
>>assume, forwarded the default router; 3) The hardest case is if the
>>topology is such that all the VNF¹s are placed in a shared subnet, then
>>we would need to add additional information in the API  to direct
>>traffic to that subnet, or OVN could look up the subnet based on logical
>>port? - have not thought about it a lot but seems doable.
>> 
>> IP addresses are stored in the logical port "addresses" column.
>> 
>>   1.  The toughest question here is what is a VNF and does it operate
>>at L3, L2, or as a transparent bump in the wire. The related question is
>>how complex is the service chain of these virtual functions. I would
>>disagree a little here with Russell and suggest that the approach is not
>>for ³legacy² VNF¹s but transparent VNF¹s that act as a ³bump in the
>>wire" from a networking POV. The issue becomes what are the specific use
>>cases we want to design for with ovn4nfv.
>> 
>> I meant no harm by using the term "legacy".  :-)  I just needed a term
>>to differentiate from the service chaining aware VNFs that expect some
>>additional metadata.  RFC 7665 calls it a "SFC-unaware Service Function".
>> 
>> I think your "bump in the wire" use case makes sense.
>> 
>> I honestly don't have that strong of an opinion on what use cases to
>>support.  I just want to support whatever it is actual users want.
>> 
>> Let me try to start to separate/segment some of the approaches:
>> 
>> I think there are several segments of the market for VNF¹s and NFV. The
>>two I see most are:
>> 
>>   1.  Carrier networks where they are focused on virtual
>>provider/customer edge routers (vCPE, vPE), border network gateways
>>(BNG) , for wired to wireless networks, and SD-WAN, which is related to
>>vCPE/PE
>>   2.  Public/private cloud data centers and virtual enterprises, where
>>the use cases are centered around virtual load balancing/scaling and
>>security.
>> 
>> The needs of both are different (IMHO), the need for the carriers is to
>>enable the creation of large scale distributed virtual routers,
>>leveraging MPLS and/or BGP as the core transport protocol. The goal for
>>the carriers is to be able to customize their core routing
>>infrastructure without waiting for a new release from their hardware
>>vendors which can take years to get into production. Here the
>>architecture of networking-sfc has it core strengths; with its focus on
>>dynamic routing; as it acts similarly to the ingress/egress forwarding
>>paths of a classical router. This enables carriers to build large scale
>>dynamic distributed virtual routing infrastructure from virtual
>>functions.
>> 
>> The needs in private/public cloud (and enterprises) are simpler as the
>>requirements are to insert either a load-balancer or security VNF to
>>scale up/down applications or secure applications. Here change can be
>>rapid and the need is to deploy and scale up/down in minutes if not
>>seconds in many instances.  I have been focusing on the use cases for
>>the second segment as it is where we are seeing a need for simplicity
>>and speed.
>> 
>> A typical use case we see a lot of is protecting east-west traffic,
>>when an application is deployed, security is deployed with it to protect
>>it, and when the application is removed, security is removed. The goal
>>here is to deploy a ³zero trust² security model. We have deployed a
>>similar architecture very successfully with VMWare¹s NSX product, we
>>would now like to figure out how to do it in the open source environment.
>> 
>> We would prefer to be transparent to networking ³bump in the wire² as
>>this simplifies the interaction between the controller (OVN) and the
>>VNF. The only information that is shared is the logical in and out ports
>>for the VNF. Hence configuration requires less interactions between the
>>networking infrastructure and the VNF/Controller, moving the VNF or
>>application also becomes easier. It becomes a simple API interaction
>>with minimal shared state between OVN and the VNF.
>> 
>> Does this make sense, it is just my rough attempt at breaking down the
>>use cases into a more specific set of cases we can solve?
>> 
>> That's a nice breakdown.  I like the focus on the simpler case.  I
>>always like when a feature can be broken down into smaller useful
>>iterations.
>> 
>> From an OpenStack POV, I always come back to "what API are we
>>implementing?".  You mention that networking-sfc is built in support of
>>#1.  Do you think it can also support #2, or do you think another API is
>>more appropriate?  If networking-sfc works, are there some reasonable
>>limitations we can put in place to get a first version out?
>> 
>> Do you have interest in this functionality in OVN outside of OpenStack?
>> 
>> Also what other use cases should we consider?
>> 
>> There seems to be some industry interest in NSH based SFC.  It's not
>>supported by OVS yet, but it should be on our radar.  I suppose it just
>>comes back to eventually wanting to support SFC-aware VNFs that expect
>>some metadata.
>> 
>> --
>> Russell Bryant
>> 
>> 
>> 
>> --
>> Russell Bryant

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss

Reply via email to