Address Scopes OpenStack Summit 2016

Neutron Address Scopes given at the OpenStack Summit in Austin, TX in 2016

Published in: Technology

1. Neutron Address Scopes
Speakers:
• Carl Baldwin, HPE
  – IRC: carl_baldwin
  – Twitter: @CarlNBaldwin
• Hong Hui Xiao, IBM
  – IRC: xiaohhui

2. Neutron Address Scopes: Motivation
– NAT isolates private networks from the external network
– Users were allowed (or required) to bring their own addresses
– Neutron has no NAT for IPv6
– Mitaka added announcing private networks via BGP
  – Which ones may be advertised?
– Plan to enhance BGP dynamic routing with L2VPN/L3VPN
  – Need to isolate routing domains more precisely
  – Need to prevent IP address overlap within a routing domain

3. Neutron Address Scopes: Subnet Pools
– A range of addresses from which subnets may be allocated
– May be exclusive to a tenant or shared; a quota is enforced for shared pools
– Optionally specify a pool when allocating a subnet
  – Leave out the CIDR and just pass a prefix length (or use the pool's default prefix length)
  – Specify a CIDR if you want, as long as it fits in the pool without overlap
– Used in ...
  – Neutron's auto-allocated topology extension (aka "Get me a Network")
  – Project Kuryr
  – Your projects?
– Reference:
  – https://blueprints.launchpad.net/neutron/+spec/subnet-allocation

4. Neutron Address Scopes: Subnet Pools support Address Scopes
– They both prevent address overlap
– How do they differ? Why is there a distinction?
  – Subnet pools manage the allocation of subnets
  – Address scopes isolate routing domains
  – Subnet pools are an accounting mechanism to support address scopes
  – Multiple pools within one scope allow delegating parts of the scope differently

5. Neutron Address Scopes: Maintaining Compatibility
– Aggregation instead of composition
  – Subnets can still exist without subnet pools
  – Subnet pools can still exist without address scopes
– The "no scope" scope
  – Includes all subnets without a subnet pool
  – Includes all subnet pools without an address scope
  – Constraints are relaxed
    – Arbitrary address overlap is allowed
    – Implicit NAT between private IPv4 networks and the external network
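To make the allocation and overlap rules of slides 3 to 5 concrete, here is a small Python model added for this page; it is not Neutron's code. A pool hands out subnets from its prefixes either by prefix length or by an explicit CIDR, pool prefixes and allocated subnets inside an address scope may not overlap, and a pool created without a scope lands in the implicit "no scope" scope, where overlap is tolerated. The class names, the prefix-conflict check at pool creation and the sample prefixes are assumptions made for the illustration.

```python
"""Subnet pools and address scopes: allocation and overlap rules.

Added illustration for this page, not Neutron's code.  Names, the prefix
conflict check at pool creation and the sample prefixes are assumptions.
"""
import ipaddress
from typing import Callable, List, Optional


class AddressScope:
    """A routing domain.  Inside an enforcing scope nothing may overlap."""

    def __init__(self, name: str, enforce: bool = True) -> None:
        self.name = name
        self.enforce = enforce            # False only for the implicit "no scope" scope
        self.pool_prefixes: List[ipaddress.IPv4Network] = []
        self.subnets: List[ipaddress.IPv4Network] = []

    def register_pool(self, prefixes: List[ipaddress.IPv4Network]) -> None:
        """Admit a pool's prefixes; in an enforcing scope they must not overlap other pools."""
        if self.enforce:
            for new in prefixes:
                for seen in self.pool_prefixes:
                    if new.overlaps(seen):
                        raise ValueError(f"pool prefix {new} overlaps {seen} in scope {self.name}")
        self.pool_prefixes.extend(prefixes)

    def register_subnet(self, cidr: ipaddress.IPv4Network) -> None:
        """Keep the scope invariant: no two subnets in an enforcing scope overlap."""
        if self.enforce:
            for seen in self.subnets:
                if seen.overlaps(cidr):
                    raise ValueError(f"subnet {cidr} overlaps {seen} in scope {self.name}")
        self.subnets.append(cidr)


# Every pool without an explicit scope is accounted here, with constraints relaxed.
NO_SCOPE = AddressScope("no-scope", enforce=False)


class SubnetPool:
    """Hands out subnets from its prefixes; the accounting mechanism for a scope."""

    def __init__(self, name: str, prefixes: List[str], default_prefixlen: int,
                 scope: Optional[AddressScope] = None) -> None:
        self.name = name
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.default_prefixlen = default_prefixlen
        self.scope = scope if scope is not None else NO_SCOPE
        self.allocations: List[ipaddress.IPv4Network] = []
        self.scope.register_pool(self.prefixes)

    def _free(self, cidr: ipaddress.IPv4Network) -> bool:
        """True if cidr overlaps nothing this pool has already handed out."""
        return not any(cidr.overlaps(a) for a in self.allocations)

    def allocate(self, cidr: Optional[str] = None,
                 prefixlen: Optional[int] = None) -> ipaddress.IPv4Network:
        if cidr is not None:
            # Caller-chosen CIDR: must sit inside the pool and must not collide within it.
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(p) for p in self.prefixes):
                raise ValueError(f"{net} is outside the prefixes of pool {self.name}")
            if not self._free(net):
                raise ValueError(f"{net} overlaps an existing allocation in pool {self.name}")
        else:
            # Pool-chosen CIDR: the first free block of the requested (or default) length.
            plen = self.default_prefixlen if prefixlen is None else prefixlen
            net = next((c for p in self.prefixes if plen >= p.prefixlen
                        for c in p.subnets(new_prefix=plen) if self._free(c)), None)
            if net is None:
                raise ValueError(f"pool {self.name} has no free /{plen}")
        self.scope.register_subnet(net)     # scope-level check after the pool-level check
        self.allocations.append(net)
        return net


def rejects(action: Callable[[], object]) -> bool:
    """True when the action is refused with ValueError."""
    try:
        action()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    scope1 = AddressScope("scope1")
    pool_a = SubnetPool("pool-a", ["10.0.0.0/16"], 24, scope1)
    print(pool_a.allocate(), pool_a.allocate(prefixlen=26))
    print(rejects(lambda: pool_a.allocate(cidr="10.0.1.0/24")))               # collides inside the pool
    print(rejects(lambda: SubnetPool("pool-b", ["10.0.0.0/8"], 24, scope1)))  # prefix conflict in scope1
    pool_c = SubnetPool("pool-c", ["10.0.0.0/16"], 24)                        # no scope given
    pool_d = SubnetPool("pool-d", ["10.0.0.0/16"], 24)                        # same prefix, tolerated
    print(pool_c.allocate(), pool_d.allocate())
```

The ordering of the two checks in allocate mirrors the slide's distinction: the pool decides whether a subnet fits and is free, the scope decides whether the result keeps the routing domain overlap-free; with no scope both pools above happily hand out the same 10.0.0.0/24.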
6. Create an Address Scope

7. Create a Subnet Pool

8. Allocate a Subnet

9. Network Attributes

10. Implementation of Address Scopes
• iptables is used.
• Traffic is marked according to its address scope in the PREROUTING chain.
• Traffic is blocked in the FORWARD chain if the mark of the source does not match the mark of the destination.
• For NAT, connmark is used so that the returning packet is marked with the right address scope and passes the FORWARD chain.

11. Address Scopes in the L3 Agent --- E-W traffic
Diagram: one router connects private networks 10.0.1.0/24 and 10.0.0.0/24 that share an address scope; another router connects private networks 20.0.0.0/24 and 10.0.0.0/24 that lie in address scope1 and address scope2.
Within the same address scope, the traffic is allowed. Across different address scopes, the traffic is blocked at the Neutron router. This blocking is behavior that address scopes introduce.

12. Address Scopes in the L3 Agent --- E-W traffic
Every network packet is associated with a mark according to its originating interface. If the packet wants to go out through an interface and the mark does not match, the packet is dropped.

13. Address Scopes in the L3 Agent --- N-S traffic
Diagram: two routers connect private networks 10.0.0.0/24 and 20.0.0.0/24 to the external network 172.24.4.0/24; one case stays within a single address scope, the other (a NAT router with gateway address 172.24.4.2) crosses address scope1 and address scope2.
Within the same address scope, the Neutron router routes the traffic directly; this, too, is behavior that address scopes introduce. Across different address scopes, the Neutron router NATs the traffic from the private network to the external network.

14. Address Scopes in the L3 Agent --- N-S traffic
Every connection that leaves through the router gateway records its mark in connmark. SNAT is not used if the connection stays within one scope.

15. Address Scopes in the L3 Agent --- floating IP
Diagram: a VM on a private network behind a NAT router holds floating IP 172.24.4.3 and reaches host 20.0.0.3 on a private network on the far side of the external network; the networks span address scope1 and address scope2.
Without a floating IP, the VM cannot reach another private network across address scopes. With a floating IP, the VM can reach private networks that are in the same address scope as the external network, even though this is cross-scope traffic.

16. Address Scopes in the L3 Agent --- floating IP
All network packets whose destination is the floating IP are marked according to the fixed IP. If a network packet comes from the fixed IP and goes to the scope of the external network, its mark is changed so that it passes the filter table.
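Slides 10 through 16 describe the data-path checks in words. The Python model below, added for this page and not taken from Neutron, plays them through for E-W traffic, N-S traffic with and without SNAT, the reply direction via connmark, and floating IPs. The interface names (qr-a, qr-b, qr-c, qg), the mark values, the gateway address and the floating IP are constructed for the example, and one reading of the slides is built in: the mark-mismatch drop applies to traffic that would enter an internal interface, while traffic leaving through the gateway is either routed unchanged or SNATed, as slides 13 and 14 describe. Neutron's actual chain and rule layout is not reproduced.

```python
"""Address-scope enforcement in the L3 agent, modelled in Python.

Added illustration for this page, not Neutron's code.  Interface names, mark
values and all addresses are constructed; the exact iptables rule layout used
by the L3 agent is not reproduced, only the decisions the slides describe.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str
    scope_mark: int            # mark standing for the address scope of the attached network
    external: bool = False     # True for the router's gateway port


@dataclass
class Verdict:
    action: str                # "ACCEPT" or "DROP"
    out_iface: str
    src: str                   # source address after any SNAT
    dst: str                   # destination address after any DNAT
    mark: int                  # mark the packet carries through FORWARD


class ScopedRouter:
    def __init__(self, interfaces: Iterable[Interface], gateway_ip: str,
                 floating_ips: Optional[Dict[str, str]] = None) -> None:
        self.ifaces = {i.name: i for i in interfaces}
        self.external = next(i for i in self.ifaces.values() if i.external)
        self.gateway_ip = gateway_ip
        self.fip_to_fixed = dict(floating_ips or {})           # floating IP -> fixed IP
        self.fixed_to_fip = {v: k for k, v in self.fip_to_fixed.items()}
        # Stands in for conntrack + connmark: reply-direction (src, dst) -> (saved mark, orig src, orig dst)
        self.conntrack: Dict[Tuple[str, str], Tuple[int, str, str]] = {}

    def _connected(self, ip: str) -> Optional[Interface]:
        """Internal interface whose subnet contains ip, or None (then the gateway is the way out)."""
        addr = ip_address(ip)
        return next((i for i in self.ifaces.values()
                     if not i.external and addr in ip_network(i.cidr)), None)

    def forward(self, src: str, dst: str, in_iface: str) -> Verdict:
        ingress = self.ifaces[in_iface]

        # Reply to a tracked connection: restore the saved connmark and undo the NAT (slide 10),
        # so the returning packet carries the scope mark of the side it is heading back to.
        entry = self.conntrack.get((src, dst))
        if entry is not None:
            mark, orig_src, orig_dst = entry
            egress = self._connected(orig_src) or self.external
            action = "DROP" if (not egress.external and mark != egress.scope_mark) else "ACCEPT"
            return Verdict(action, egress.name, orig_dst, orig_src, mark)

        # mangle PREROUTING: a new packet is marked by the scope of its ingress interface (slide 12).
        mark = ingress.scope_mark
        new_src, new_dst = src, dst
        if dst in self.fip_to_fixed:
            # Destination is a floating IP: DNAT to the fixed IP, mark by the fixed IP's scope (slide 16).
            new_dst = self.fip_to_fixed[dst]
            mark = self._connected(new_dst).scope_mark   # fixed IPs are assumed to be on a connected subnet
        egress = self._connected(new_dst) or self.external

        if not egress.external:
            # filter FORWARD: entering an internal interface needs a matching scope mark (slides 11/12).
            if mark != egress.scope_mark:
                return Verdict("DROP", egress.name, new_src, new_dst, mark)
        elif src in self.fixed_to_fip:
            new_src = self.fixed_to_fip[src]               # fixed IP with a floating IP leaves as that FIP (slide 16)
        elif mark != self.external.scope_mark:
            new_src = self.gateway_ip                      # cross-scope N-S traffic is SNATed (slide 13)
        # else: same scope as the external network, routed without SNAT (slide 14)

        # POSTROUTING: save the mark for the connection so the reply direction can restore it.
        self.conntrack[(new_dst, new_src)] = (mark, src, dst)
        return Verdict("ACCEPT", egress.name, new_src, new_dst, mark)


def build_demo_router() -> ScopedRouter:
    """Constructed topology: two scope1 networks, one scope2 network, gateway in scope2."""
    return ScopedRouter(
        interfaces=[Interface("qr-a", "10.0.0.0/24", scope_mark=1),
                    Interface("qr-b", "10.0.1.0/24", scope_mark=1),
                    Interface("qr-c", "192.168.1.0/24", scope_mark=2),
                    Interface("qg", "172.24.4.0/24", scope_mark=2, external=True)],
        gateway_ip="172.24.4.2",
        floating_ips={"172.24.4.3": "10.0.0.3"},
    )


if __name__ == "__main__":
    r = build_demo_router()
    for case in [("10.0.0.3", "10.0.1.5", "qr-a"), ("10.0.0.3", "192.168.1.5", "qr-a"),
                 ("10.0.0.9", "172.24.4.100", "qr-a"), ("172.24.4.100", "172.24.4.2", "qg"),
                 ("192.168.1.5", "172.24.4.100", "qr-c"), ("172.24.4.100", "172.24.4.3", "qg")]:
        print(case, "->", r.forward(*case))
```

Each call to forward returns the interface the packet would leave through and the addresses after translation, so the three behaviours on the slides can be read off directly: E-W traffic within scope1 passes unchanged, E-W traffic from scope1 into the scope2 interface is dropped, scope1 traffic leaving the gateway picks up the gateway address while scope2 traffic leaves untranslated, and a packet addressed to the floating IP is delivered to the fixed IP carrying scope1's mark.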
17. Neutron Address Scopes: Address Scopes and BGP
– Route announcement with BGP is available in Mitaka
– BGP looks at all of the routers with gateways connected to a network
– It looks through those routers to find private networks
– How does it know whether it should advertise a given network?
– BGP reference:
  – https://blueprints.launchpad.net/neutron/+spec/bgp-dynamic-routing

18. Neutron Address Scopes

19. Neutron Address Scopes

20. Routed Networks
– Dynamic routing may be an integral part of routed provider networks
– Floating IPs
– Routed network reference:
  – https://blueprints.launchpad.net/neutron/+spec/routed-networks

21. Thank you