Public bug reported:

The current logic in neutron_dynamic_routing/db/bgp_db.py (specifically
within the _get_dvr_fixed_ip_routes_by_bgp_speaker function and its
helpers) for advertising /32 fixed IP host routes associated with
Distributed Virtual Routers (DVR) is incomplete.

The code correctly checks for matching hosts and address scopes between
the fixed IP port and the potential floatingip_agent_gateway next-hop
port. However, it does not sufficiently verify that the fixed IP's
network is actually attached as an interface to the specific distributed
router whose scope matches the agent gateway's scope. This could lead to
scenarios where a fixed IP route is advertised via an agent gateway,
even if that fixed IP belongs to a network not directly routed by the
distributed router relevant to that agent gateway's external network
scope.

Because of this problem, we are not able to migrate from DVR to a
centralized router. Even after removing the network from the DVR router,
the /32 routes are still advertised.

To correctly advertise a /32 fixed IP route in a DVR setup via BGP:

1. A Fixed IP exists on a port (e.g., compute port) located on a specific
   compute host.
2. A floatingip_agent_gateway port exists on the same compute host.
3. The subnet containing the Fixed IP and the subnet containing the Agent
   Gateway IP must belong to the same address scope. (Existing check is
   correct.)
4. The network containing the Fixed IP must have an interface attached to a
   router.
5. That router must be distributed (router.distributed=True).
6. That router must have an external gateway port configured (necessary for
   external connectivity).

The critical missing link in the original logic was strongly enforcing
conditions #4 and #5 together before relying solely on the host and scope
match (#1, #2, #3) for the final join.


# Environment Details

OpenStack Version: Zed (cluster installed via Kolla-Ansible)
OS Version: Ubuntu 22.04.4 LTS Hosts (Kernel: 5.15.0-117-generic)
Neutron Version: 21.1.3.dev24
Services: neutron-server, neutron-dhcp-agent, neutron-openvswitch-agent, neutron-l3-agent, neutron-bgp-dragent, neutron-metadata-agent
Controller & Network Nodes: 5 nodes
Networking Backend: Open vSwitch (DVR mode)
Router HA: Disabled (l3_ha = false)
BGP Dynamic Routing: neutron-bgp-dragent used to announce unique tenant networks.
Tenant Network Type: VXLAN
External Network Type: VLAN

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2108985

Title:
  [BGP DVR] Incorrect /32 Fixed IP Route Advertisement Logic

Status in neutron:
  New

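Added example (not part of the bug report and not neutron-dynamic-routing code): a simplified in-memory Python model of the eligibility conditions listed in the report, comparing a host/scope-only match with one that also requires the fixed IP's network to be attached to a distributed router that has an external gateway. The Port and Router classes, the function names and all sample data are assumptions made for illustration; the real logic is a database query in bgp_db.py.

```python
from dataclasses import dataclass

AGENT_GW = "network:floatingip_agent_gateway"  # Neutron device_owner value

@dataclass(frozen=True)
class Port:
    ip: str
    host: str
    network: str
    scope: str          # address scope of the port's subnet
    device_owner: str

@dataclass(frozen=True)
class Router:
    distributed: bool
    has_gateway: bool
    interfaces: frozenset   # networks attached as router interfaces

def host_routes(ports, routers, strict):
    """Return sorted (destination, next_hop) pairs for /32 fixed-IP routes."""
    gateways = [p for p in ports if p.device_owner == AGENT_GW]
    # Conditions 4-6: networks attached to a distributed router with a gateway.
    routed = set()
    for r in routers:
        if r.distributed and r.has_gateway:
            routed |= r.interfaces
    routes = set()
    for p in ports:
        if p.device_owner == AGENT_GW:
            continue
        if strict and p.network not in routed:
            continue  # network is not behind a DVR router: do not advertise
        for gw in gateways:
            # Conditions 1-3: same compute host and same address scope.
            if gw.host == p.host and gw.scope == p.scope:
                routes.add((p.ip + "/32", gw.ip))
    return sorted(routes)

# Constructed sample: net-b was detached from the DVR router and moved to a
# centralized one, but its VM still shares a host and scope with the gateway.
PORTS = [
    Port("10.0.1.5", "compute-1", "net-a", "scope-1", "compute:nova"),
    Port("10.0.2.7", "compute-1", "net-b", "scope-1", "compute:nova"),
    Port("203.0.113.10", "compute-1", "ext-net", "scope-1", AGENT_GW),
]
ROUTERS = [
    Router(True, True, frozenset({"net-a"})),    # DVR router
    Router(False, True, frozenset({"net-b"})),   # centralized router
]

def stale_routes(ports, routers):
    """Routes the host/scope-only match emits but the full check rejects."""
    strict = set(host_routes(ports, routers, strict=True))
    return [r for r in host_routes(ports, routers, strict=False) if r not in strict]
```

On the constructed data, stale_routes(PORTS, ROUTERS) isolates the /32 for the VM on the detached network, which is the advertisement the report says survives removal of the network from the DVR router.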