SlideShare a Scribd company logo

Quantum L3 (forwarding) model - OpenStack Folsom Design Summit

S
Sumit Naiksatam

Slides presented at OpenStack Folsom Design Summit (April 17 2012) during the L3 (forwarding) model discussions.

Technology
1 of 22
L3 Tenant-facing Abstractions/Model (aka Forwarding per Dan)
Motivation  Routing within the Further evolve Quantum to be a multi-tenant network tenant (support service for creating virtual data centers (application specific topologies + network services) multi-tier topologies)  Overlapping IP addresses  Support gateways – Internet, VPN  Support other L3 services – LB, Firewall, Cachin g, etc.  Hybrid Cloud (Public + Private)
Proposal: Tenant Facing L3 Abstractions  Tenant  An individual customer or a distributed application that requires a set of resources assigned to meet a particular set of functions.  Expects networking services from Quantum to isolate and/or connect subsets of the resources  L3 Abstractions  Allow the tenant to request connectivity between its resources at the granularity of subnets and endpoints on a subnet  Allow the tenant to request gateway services  Allow the tenant to insert it’s own gateway services  Design Goal – Make life easier for the user (user will probably *not* be a network admin!)
The role of a Plugin in Quantum  Before proceeding further, it’s important to note that Quantum adopts a plugin-based approach to realize the abstractions it exposes  A plugin is a vendor/technology-specific entity which maps the abstractions to the underlying infrastructure  As such, the Service Provider specific model required to realize the tenant-facing abstractions can be wrapped inside the plugin  A SP model to represent the SP infra is also desirable, however, as a first step we are proposing only a tenant facing model
Quantum L3 (Tenant) Model Schematic Tenant VM Create Project/Tenant Legend:New Tenant VM Tenant VM resources proposed for the Create L3 model in Quantum Plug L3 Subnet L3 Subnet Map L3 Subnet L2 Network L2 Network L2 Network Create Routes Route-table Tenant owned network Target resources Associate Targets VPN Gateway “VPN” (Target) Internet Gateway Other Services “VPN” (Target) Tenant VM ID, IP VM ID, IP Addr Addr SP resources created for tenant Tenant resources 3rd Party Resources Target Entities Public SP-Local SP managed VPN VPN infrastructure Network Network VPN Note: Route-table and Target are *not* the same as routing tables in a router, or a route-target in the BGP context.
Definitions (as used in the current context)  Subnets  A logical subdivision of an IP network expressed using a CIDR notation. Entities residing on a subnet appear to the tenant as directly connected and do not require setting up routes for connectivity (with the ability to override this default behavior).  Route-tables  A Route-table is a tenant instantiated resource that provides operations to manipulate routing entries. One can conceptually think of a Route-table mapping to a logical routing entity.  Each row in the table has a Target column, which effectively resolves to a next hop – hence the notion of routes and route-table. (Note: as explained later these route-tables are different from routing tables in routers or Linux hosts.)  Targets  These are service gateways such as an Internet Gateway, VPN, NAT router, a VM which is serving this function, or any other service.
Resources’ Relationship 1 1 1 Project/Tenant 0..* 1 1 L2 Network 1 0..* 0..* Route-table Target 0..* L3 Subnet
Route-table A Route-table is a tenant instantiated resource that provides operations to manipulate routing entries. One can conceptually think of a Route- table mapping to a logical routing entity. Each entry in the Route-table is of the following format: Source Destination Target Source: Subnet resource ID or CIDR Destination: Subnet resource ID or CIDR (0.0.0.0 for default) Target: A Target resource ID such that the SP should be able to resolve the ID to a single endpoint (e.g. IP address) One Route-table per tenant.
Targets These are service gateways such as an Internet Gateway, VPN, NAT router, a VM which is serving this function, or any other service. The target can take one of the following values: 1. A reference (i.e. UUID) to an explicitly created target resource. This target resource could point to one of the following: a. A gateway service (Internet , VPN, other) provided by the SP. b. A resource belonging to the same tenant or another tenant providing some service (e.g. a NAT VM). (Details on how to create the target resource are in the following slides.) 2. A reference (i.e. UUID) to the subnet in the Destination column of the route-table (this is to account for the direct connection between two subnets, or to IP addresses on the same subnet).
Creating a Target to point to a SP managed gateway The tenant queries the SP for the available target types by calling: list_target_types(tenant_id) The SP responds with a list of the available target types, e.g.: type_id=“Public”, type_name=“Internet Gateway” type_id=“VPN 1”, type_name=“VPN Gateway”, protocol=“IPSec”, version=“1” type_id=“VM Resource”, type_name=“Virtual Machines” Note: The above are not actual entities, they are types of targets which the SP supports in the context of this tenant. The tenant makes another call to request creating a target corresponding to one of these types - e.g. create_target(tenantID, name=“My Internet Gateway”, type_id=“Public”). The SP creates a target resource (an actual entity) specific to this tenant (and also the necessary configuration to instantiate the “Internet Gateway” in the case of the above example). The tenant can refer to this target in multiple routes (and/or create additional such targets).
Creating a Target to point to a Resource with an IP address There are two possibilities here: 1. The resource is owned by the same tenant The tenant creates a target with the information about the VM - e.g. create_target(tenantID, name=“My NAT”, type_id=“VM Resource”, resource_id=“nat_vm_uuid”, ip_addr=“vm_ip_ad dress”) 2. The resource is owned by a different tenant. There are again two possibilities here: a. The resource has an IP address on the SP’s “public” network, e.g. a storage service create_target(tenantID, name=“External Storage”, type_id=“VM Resource”, ip_addr=“storage_ip_address”) b. The resource is on a private network, create_target(tenantID, name=“target_web_server_x”, type_id=“VM Resource”, target_tenant=“web_server_tenant_uuid” ip_addr=“server_x_private_ip”, auth_token=“token_to_access_web_server” )
APIs
API at a glance Resource URL GET POST PUT DELETE Subnets /v2.0/tenants/{tenant-id}/subnets Y Y - - /v2.0/tenants/{tenant-id}/subnets/{subnet-id} Y - Y Y Route- /v2.0/tenants/{tenant-id}/route_table Y Y Y - tables /v2.0/tenants/{tenant-id}/route_tables/{routetable-id} Y - Y Y Targets /v2.0/tenants/{tenant-id}/targets Y Y - - /v2.0/tenants/{tenant-id}/targets/{target-id} Y - Y Y /v2.0/tenants/{tenant-id}/targets/types Y [Strickthrough text – These API calls are not required with one route-table per tenant]
Subnets def create_subnet(tenant_id, CIDR, **kwargs) def show_subnet(tenant_id, subnet_id, **kwargs) def update_subnet(tenant_id, subnet_id, **kwargs) def delete_subnet(tenant_id, subnet_id, **kwargs) def list_subnets(tenant_id, **kwargs)) kwargs: name description network_id_list
Route-tables create_route_table(tenant_id, routes_list, **kwargs) show_route_table(tenant_id, route_table_id, **kwargs) delete_route_table(tenant_id, route_table_id, **kwargs) update_route_table(tenant_id, route_table_id, routes_list, **kwa rgs) list_route_tables(tenant_id, **kwargs) route_list: List of routes in the format: Source, Destination, Target kwargs: name description [Strickthrough text – These API calls are not required with one route-table per tenant]
Targets create_target(tenant_id, **kwargs) kwargs: name description type_id resource_id ip_address target_tenant auth_token show_target(tenant_id, target_id, **kwargs) delete_target(tenant_id, target_id, **kwargs) update_target(tenant_id, target_id, **kwargs) list_target_types(tenant_id, **kwargs)
Use Cases
Conventions used in the following examples  Private Subnets  These subnets reside on the tenant’s private IP address space and do not have a route to the public network (Internet).  Public Subnets  VMs on these subnets have a default route to the public network (Internet). They are also associated with Floating (public) IPs, hence they can be accessed from the Internet. This association of Floating IPs is a separate feature, and it’s specification is not captured in this proposal.  The following are not prescriptive, could be target type driven):  Intra-subnet traffic is always allowed, i.e. entities on the same subnet are always assumed to be directly connected and do not require an entry in the route-table.  Inter-subnet traffic is not allowed by default, i.e. there is no implicit routing to/from subnets; routing will happen between entities on different subnets only if a routing entry exists in the route-table.  Routes are reflexive, i.e. no explicit route entry needs to be created for a connection’s return path. A stateful entity which tracks connection states might be required to achieve this.
Use case: One publicly accessible subnet Public subnet can also initiate connections to the Internet Source Destination Target Subnet-A 0.0.0.0 “My Internet Gateway”* Public Subnet *Refers to the ID of a target resource created by (ID: the tenant with the following call: Subnet-A) create_target(tenantID, name=“My 10.0.0.0/24 Internet Gateway”, type_id=“Public”) Web Server 10.0.0.5 198.51.100.1 (FIP) Web Server 10.0.0.8 198.51.100.4 (FIP)
Use case: One private subnet Private subnet can also initiate connections to the home network via VPN Source Destination Target Subnet-A 0.0.0.0 “My VPN Gateway”* Private Subnet *Refers to the ID of a target resource created by (ID: the tenant with the following call: Subnet-A) create_target(tenantID, name=“My 10.0.0.0/24 VPN Gateway”, type_id=“VPN 1”, protocol=“IPSec”, version=“1”) Application 10.0.0.5 Application 10.0.0.8
Use case: Public and VPN Access One publicly accessible subnet, which can also initiate connections to the Internet One private subnet, which can also initiate connections to the home network via VPN Source Destination Target Subnet-A 10.0.1.0/24 Subnet-B Subnet-B 10.0.0.0/24 Subnet-A Subnet-A 0.0.0.0 “My Internet Gateway” Subnet-B 0.0.0.0 “My VPN Gateway” Public Subnet Private (ID: Subnet Subnet-A) (ID: 10.0.0.0/24 Subnet-B) 10.0.1.0/24 Web Server 10.0.0.5 DB Server 198.51.100.1 (FIP) 10.0.1.5 Web Server 10.0.0.8 DB Server 198.51.100.4 (FIP) 10.0.1.6
Use case: 3-tier app One publicly accessible subnet and two private Subnets Public subnet can also initiate connections to the Internet Source Destination Target Subnet-A 10.0.20.0/24 Subnet-B Public Subnet-B 10.0.30.0/24 Subnet-C Subnet Subnet-A 0.0.0.0 “My Internet Gateway”* (ID: Subnet-A) 10.0.10.0/24 *Refers to the ID of a target resource created Web Server by the tenant with the following call: 10.0.10.2 create_target(tenantID, name=“My 198.51.100.1 (FIP) Internet Gateway”, Web Server type_id=“Public”) 10.0.10.3 198.51.100.4 (FIP) Private Private Subnet Subnet (ID: (ID: Subnet-C) Subnet-B) 10.0.30.0/24 10.0.20.0/24 DB Server App Server 10.0.30.2 10.0.20.2 DB Server App Server 10.0.30.3 10.0.20.3

Recommended

AGPM: An Authenticated Secure Group Communication Protocol for MANETs
AGPM: An Authenticated Secure Group Communication Protocol for MANETsAGPM: An Authenticated Secure Group Communication Protocol for MANETs
AGPM: An Authenticated Secure Group Communication Protocol for MANETs
IDES Editor
 
Cello saas scalability architecture
Cello saas scalability architectureCello saas scalability architecture
Cello saas scalability architecture
Techcello
 
Advanced Concepts in Software as a Service / Service Oriented Architecture
Advanced Concepts in Software as a Service / Service Oriented ArchitectureAdvanced Concepts in Software as a Service / Service Oriented Architecture
Advanced Concepts in Software as a Service / Service Oriented Architecture
Damon Carr
 
SaaS Business Architecture - Definition Update
SaaS Business Architecture - Definition UpdateSaaS Business Architecture - Definition Update
SaaS Business Architecture - Definition Update
Lincoln Murphy
 
SaaS Business Architecture
SaaS Business ArchitectureSaaS Business Architecture
SaaS Business Architecture
Lincoln Murphy
 
A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...
A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...
A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...
Amazon Web Services
 
Open Architecture for Developing Multitenant Software-as-a-Service Applications
Open Architecture for Developing Multitenant Software-as-a-Service ApplicationsOpen Architecture for Developing Multitenant Software-as-a-Service Applications
Open Architecture for Developing Multitenant Software-as-a-Service Applications
Javier Mijail Espadas Pech
 
SaaS Architecture Past and Present
SaaS Architecture Past and PresentSaaS Architecture Past and Present
SaaS Architecture Past and Present
Techcello
 

Recommended

AGPM: An Authenticated Secure Group Communication Protocol for MANETs
AGPM: An Authenticated Secure Group Communication Protocol for MANETsAGPM: An Authenticated Secure Group Communication Protocol for MANETs
AGPM: An Authenticated Secure Group Communication Protocol for MANETs
IDES Editor
 
Cello saas scalability architecture
Cello saas scalability architectureCello saas scalability architecture
Cello saas scalability architecture
Techcello
 
Advanced Concepts in Software as a Service / Service Oriented Architecture
Advanced Concepts in Software as a Service / Service Oriented ArchitectureAdvanced Concepts in Software as a Service / Service Oriented Architecture
Advanced Concepts in Software as a Service / Service Oriented Architecture
Damon Carr
 
SaaS Business Architecture - Definition Update
SaaS Business Architecture - Definition UpdateSaaS Business Architecture - Definition Update
SaaS Business Architecture - Definition Update
Lincoln Murphy
 
SaaS Business Architecture
SaaS Business ArchitectureSaaS Business Architecture
SaaS Business Architecture
Lincoln Murphy
 
A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...
A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...
A Well Architected SaaS - A Holistic Look at Cloud Architecture - Pop-up Loft...
Amazon Web Services
 
Open Architecture for Developing Multitenant Software-as-a-Service Applications
Open Architecture for Developing Multitenant Software-as-a-Service ApplicationsOpen Architecture for Developing Multitenant Software-as-a-Service Applications
Open Architecture for Developing Multitenant Software-as-a-Service Applications
Javier Mijail Espadas Pech
 
SaaS Architecture Past and Present
SaaS Architecture Past and PresentSaaS Architecture Past and Present
SaaS Architecture Past and Present
Techcello
 
Advanced network services insertions framework
Advanced network services insertions frameworkAdvanced network services insertions framework
Advanced network services insertions framework
salv_orlando
 
Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13
Dan Wendlandt
 
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
Indonesia Network Operators Group
 
Quantum grizzly summit
Quantum grizzly summitQuantum grizzly summit
Quantum grizzly summit
Dan Wendlandt
 
Quantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptxQuantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptx
OpenStack Foundation
 
CloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 Preview
CloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 PreviewCloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 Preview
CloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 Preview
Chip Childers
 
Using Node-RED for building IoT workflows
Using Node-RED for building IoT workflowsUsing Node-RED for building IoT workflows
Using Node-RED for building IoT workflows
Aniruddha Chakrabarti
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_update
Akihiro Motoki
 
Network Virtualization with quantum
Network Virtualization with quantum Network Virtualization with quantum
Network Virtualization with quantum
openstackindia
 
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingMulti-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
ARCFIRE ICT
 
CloudStack Networking
CloudStack NetworkingCloudStack Networking
CloudStack Networking
CloudStack - Open Source Cloud Computing Project
 
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
BIOVIA
 
Lap around windows azure
Lap around windows azureLap around windows azure
Lap around windows azure
Manish Corriea
 
Quantum diablo summary
Quantum diablo summaryQuantum diablo summary
Quantum diablo summary
Dan Wendlandt
 
OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)
Dan Wendlandt
 
RunningQuantumOnQuantumAtNicira.pdf
RunningQuantumOnQuantumAtNicira.pdfRunningQuantumOnQuantumAtNicira.pdf
RunningQuantumOnQuantumAtNicira.pdf
OpenStack Foundation
 
Nos Windows
Nos WindowsNos Windows
Nos Windows
Ruben Gonzalez
 
Deep Dive Into Quantum
Deep Dive Into QuantumDeep Dive Into Quantum
Deep Dive Into Quantum
OpenCity Community
 
Learn OpenStack from trystack.cn ——Folsom in practice
Learn OpenStack from trystack.cn ——Folsom in practiceLearn OpenStack from trystack.cn ——Folsom in practice
Learn OpenStack from trystack.cn ——Folsom in practice
OpenCity Community
 
Quantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer OverviewQuantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer Overview
Dan Wendlandt
 
Open stack gbp final sn-4-slideshare
Open stack gbp final sn-4-slideshareOpen stack gbp final sn-4-slideshare
Open stack gbp final sn-4-slideshare
Sumit Naiksatam
 
Group-based Policy for Networking
Group-based Policy for NetworkingGroup-based Policy for Networking
Group-based Policy for Networking
Sumit Naiksatam
 

More Related Content

Similar to Quantum L3 (forwarding) model - OpenStack Folsom Design Summit

Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13
Dan Wendlandt
 
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
Indonesia Network Operators Group
 
Network Virtualization with quantum
Network Virtualization with quantum Network Virtualization with quantum
Network Virtualization with quantum
openstackindia
 
Lap around windows azure
Lap around windows azureLap around windows azure
Lap around windows azure
Manish Corriea
 

Similar to Quantum L3 (forwarding) model - OpenStack Folsom Design Summit (20)

Advanced network services insertions framework
Advanced network services insertions frameworkAdvanced network services insertions framework
Advanced network services insertions framework
 
Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13Openstack Quantum yahoo meetup 1 23-13
Openstack Quantum yahoo meetup 1 23-13
 
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
09 (IDNOG02) Services SDN & NFV Delivering more with less by Mochammad Irzan
 
Quantum grizzly summit
Quantum grizzly summitQuantum grizzly summit
Quantum grizzly summit
 
Quantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptxQuantum PTL Update - Grizzly Summit.pptx
Quantum PTL Update - Grizzly Summit.pptx
 
CloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 Preview
CloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 PreviewCloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 Preview
CloudStack DC Meetup - Apache CloudStack Overview and 4.1/4.2 Preview
 
Using Node-RED for building IoT workflows
Using Node-RED for building IoT workflowsUsing Node-RED for building IoT workflows
Using Node-RED for building IoT workflows
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_update
 
Network Virtualization with quantum
Network Virtualization with quantum Network Virtualization with quantum
Network Virtualization with quantum
 
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingMulti-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
 
CloudStack Networking
CloudStack NetworkingCloudStack Networking
CloudStack Networking
 
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
(ATS3-PLAT06) Handling “Big Data” with Pipeline Pilot (MapReduce/NoSQL)
 
Lap around windows azure
Lap around windows azureLap around windows azure
Lap around windows azure
 
Quantum diablo summary
Quantum diablo summaryQuantum diablo summary
Quantum diablo summary
 
OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)OpenStack Quantum Intro (OS Meetup 3-26-12)
OpenStack Quantum Intro (OS Meetup 3-26-12)
 
RunningQuantumOnQuantumAtNicira.pdf
RunningQuantumOnQuantumAtNicira.pdfRunningQuantumOnQuantumAtNicira.pdf
RunningQuantumOnQuantumAtNicira.pdf
 
Nos Windows
Nos WindowsNos Windows
Nos Windows
 
Deep Dive Into Quantum
Deep Dive Into QuantumDeep Dive Into Quantum
Deep Dive Into Quantum
 
Learn OpenStack from trystack.cn ——Folsom in practice
Learn OpenStack from trystack.cn ——Folsom in practiceLearn OpenStack from trystack.cn ——Folsom in practice
Learn OpenStack from trystack.cn ——Folsom in practice
 
Quantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer OverviewQuantum Folsom Summit Developer Overview
Quantum Folsom Summit Developer Overview
 

More from Sumit Naiksatam

Network Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack NeutronNetwork Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack Neutron
Sumit Naiksatam
 
Quantum services' chaining open stack havana design summit, portland 2013
Quantum services' chaining open stack havana design summit, portland 2013Quantum services' chaining open stack havana design summit, portland 2013
Quantum services' chaining open stack havana design summit, portland 2013
Sumit Naiksatam
 
Quantum firewall as a service open stack havana design summit, portland 2013
Quantum firewall as a service open stack havana design summit, portland 2013Quantum firewall as a service open stack havana design summit, portland 2013
Quantum firewall as a service open stack havana design summit, portland 2013
Sumit Naiksatam
 

More from Sumit Naiksatam (8)

Open stack gbp final sn-4-slideshare
Open stack gbp final sn-4-slideshareOpen stack gbp final sn-4-slideshare
Open stack gbp final sn-4-slideshare
 
Group-based Policy for Networking
Group-based Policy for NetworkingGroup-based Policy for Networking
Group-based Policy for Networking
 
Group-based Policy For OpenStack Networking
Group-based Policy For OpenStack NetworkingGroup-based Policy For OpenStack Networking
Group-based Policy For OpenStack Networking
 
Network Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack NeutronNetwork Policy Abstractions in OpenStack Neutron
Network Policy Abstractions in OpenStack Neutron
 
OpenStack Neutron Service Chaining and Insertion
OpenStack Neutron Service Chaining and InsertionOpenStack Neutron Service Chaining and Insertion
OpenStack Neutron Service Chaining and Insertion
 
Quantum services' chaining open stack havana design summit, portland 2013
Quantum services' chaining open stack havana design summit, portland 2013Quantum services' chaining open stack havana design summit, portland 2013
Quantum services' chaining open stack havana design summit, portland 2013
 
Quantum firewall as a service open stack havana design summit, portland 2013
Quantum firewall as a service open stack havana design summit, portland 2013Quantum firewall as a service open stack havana design summit, portland 2013
Quantum firewall as a service open stack havana design summit, portland 2013
 
OpenStack Quantum
OpenStack QuantumOpenStack Quantum
OpenStack Quantum
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Quantum L3 (forwarding) model - OpenStack Folsom Design Summit

  • 1. L3 Tenant-facing Abstractions/Model (aka Forwarding per Dan)
  • 2. Motivation  Routing within the Further evolve Quantum to be a multi-tenant network tenant (support service for creating virtual data centers (application specific topologies + network services) multi-tier topologies)  Overlapping IP addresses  Support gateways – Internet, VPN  Support other L3 services – LB, Firewall, Cachin g, etc.  Hybrid Cloud (Public + Private)
  • 3. Proposal: Tenant Facing L3 Abstractions  Tenant  An individual customer or a distributed application that requires a set of resources assigned to meet a particular set of functions.  Expects networking services from Quantum to isolate and/or connect subsets of the resources  L3 Abstractions  Allow the tenant to request connectivity between its resources at the granularity of subnets and endpoints on a subnet  Allow the tenant to request gateway services  Allow the tenant to insert it’s own gateway services  Design Goal – Make life easier for the user (user will probably *not* be a network admin!)
  • 4. The role of a Plugin in Quantum  Before proceeding further, it’s important to note that Quantum adopts a plugin-based approach to realize the abstractions it exposes  A plugin is a vendor/technology-specific entity which maps the abstractions to the underlying infrastructure  As such, the Service Provider specific model required to realize the tenant-facing abstractions can be wrapped inside the plugin  A SP model to represent the SP infra is also desirable, however, as a first step we are proposing only a tenant facing model
  • 5. Quantum L3 (Tenant) Model Schematic Tenant VM Create Project/Tenant Legend:New Tenant VM Tenant VM resources proposed for the Create L3 model in Quantum Plug L3 Subnet L3 Subnet Map L3 Subnet L2 Network L2 Network L2 Network Create Routes Route-table Tenant owned network Target resources Associate Targets VPN Gateway “VPN” (Target) Internet Gateway Other Services “VPN” (Target) Tenant VM ID, IP VM ID, IP Addr Addr SP resources created for tenant Tenant resources 3rd Party Resources Target Entities Public SP-Local SP managed VPN VPN infrastructure Network Network VPN Note: Route-table and Target are *not* the same as routing tables in a router, or a route-target in the BGP context.
  • 6. Definitions (as used in the current context)  Subnets  A logical subdivision of an IP network expressed using a CIDR notation. Entities residing on a subnet appear to the tenant as directly connected and do not require setting up routes for connectivity (with the ability to override this default behavior).  Route-tables  A Route-table is a tenant instantiated resource that provides operations to manipulate routing entries. One can conceptually think of a Route-table mapping to a logical routing entity.  Each row in the table has a Target column, which effectively resolves to a next hop – hence the notion of routes and route-table. (Note: as explained later these route-tables are different from routing tables in routers or Linux hosts.)  Targets  These are service gateways such as an Internet Gateway, VPN, NAT router, a VM which is serving this function, or any other service.
  • 7. Resources’ Relationship 1 1 1 Project/Tenant 0..* 1 1 L2 Network 1 0..* 0..* Route-table Target 0..* L3 Subnet
  • 8. Route-table A Route-table is a tenant instantiated resource that provides operations to manipulate routing entries. One can conceptually think of a Route- table mapping to a logical routing entity. Each entry in the Route-table is of the following format: Source Destination Target Source: Subnet resource ID or CIDR Destination: Subnet resource ID or CIDR (0.0.0.0 for default) Target: A Target resource ID such that the SP should be able to resolve the ID to a single endpoint (e.g. IP address) One Route-table per tenant.
  • 9. Targets These are service gateways such as an Internet Gateway, VPN, NAT router, a VM which is serving this function, or any other service. The target can take one of the following values: 1. A reference (i.e. UUID) to an explicitly created target resource. This target resource could point to one of the following: a. A gateway service (Internet , VPN, other) provided by the SP. b. A resource belonging to the same tenant or another tenant providing some service (e.g. a NAT VM). (Details on how to create the target resource are in the following slides.) 2. A reference (i.e. UUID) to the subnet in the Destination column of the route-table (this is to account for the direct connection between two subnets, or to IP addresses on the same subnet).
  • 10. Creating a Target to point to a SP managed gateway The tenant queries the SP for the available target types by calling: list_target_types(tenant_id) The SP responds with a list of the available target types, e.g.: type_id=“Public”, type_name=“Internet Gateway” type_id=“VPN 1”, type_name=“VPN Gateway”, protocol=“IPSec”, version=“1” type_id=“VM Resource”, type_name=“Virtual Machines” Note: The above are not actual entities, they are types of targets which the SP supports in the context of this tenant. The tenant makes another call to request creating a target corresponding to one of these types - e.g. create_target(tenantID, name=“My Internet Gateway”, type_id=“Public”). The SP creates a target resource (an actual entity) specific to this tenant (and also the necessary configuration to instantiate the “Internet Gateway” in the case of the above example). The tenant can refer to this target in multiple routes (and/or create additional such targets).
  • 11. Creating a Target to point to a Resource with an IP address There are two possibilities here: 1. The resource is owned by the same tenant The tenant creates a target with the information about the VM - e.g. create_target(tenantID, name=“My NAT”, type_id=“VM Resource”, resource_id=“nat_vm_uuid”, ip_addr=“vm_ip_ad dress”) 2. The resource is owned by a different tenant. There are again two possibilities here: a. The resource has an IP address on the SP’s “public” network, e.g. a storage service create_target(tenantID, name=“External Storage”, type_id=“VM Resource”, ip_addr=“storage_ip_address”) b. The resource is on a private network, create_target(tenantID, name=“target_web_server_x”, type_id=“VM Resource”, target_tenant=“web_server_tenant_uuid” ip_addr=“server_x_private_ip”, auth_token=“token_to_access_web_server” )
  • 12. APIs
  • 13. API at a glance Resource URL GET POST PUT DELETE Subnets /v2.0/tenants/{tenant-id}/subnets Y Y - - /v2.0/tenants/{tenant-id}/subnets/{subnet-id} Y - Y Y Route- /v2.0/tenants/{tenant-id}/route_table Y Y Y - tables /v2.0/tenants/{tenant-id}/route_tables/{routetable-id} Y - Y Y Targets /v2.0/tenants/{tenant-id}/targets Y Y - - /v2.0/tenants/{tenant-id}/targets/{target-id} Y - Y Y /v2.0/tenants/{tenant-id}/targets/types Y [Strickthrough text – These API calls are not required with one route-table per tenant]
  • 14. Subnets def create_subnet(tenant_id, CIDR, **kwargs) def show_subnet(tenant_id, subnet_id, **kwargs) def update_subnet(tenant_id, subnet_id, **kwargs) def delete_subnet(tenant_id, subnet_id, **kwargs) def list_subnets(tenant_id, **kwargs)) kwargs: name description network_id_list
  • 15. Route-tables create_route_table(tenant_id, routes_list, **kwargs) show_route_table(tenant_id, route_table_id, **kwargs) delete_route_table(tenant_id, route_table_id, **kwargs) update_route_table(tenant_id, route_table_id, routes_list, **kwa rgs) list_route_tables(tenant_id, **kwargs) route_list: List of routes in the format: Source, Destination, Target kwargs: name description [Strickthrough text – These API calls are not required with one route-table per tenant]
  • 16. Targets create_target(tenant_id, **kwargs) kwargs: name description type_id resource_id ip_address target_tenant auth_token show_target(tenant_id, target_id, **kwargs) delete_target(tenant_id, target_id, **kwargs) update_target(tenant_id, target_id, **kwargs) list_target_types(tenant_id, **kwargs)
  • 18. Conventions used in the following examples  Private Subnets  These subnets reside on the tenant’s private IP address space and do not have a route to the public network (Internet).  Public Subnets  VMs on these subnets have a default route to the public network (Internet). They are also associated with Floating (public) IPs, hence they can be accessed from the Internet. This association of Floating IPs is a separate feature, and it’s specification is not captured in this proposal.  The following are not prescriptive, could be target type driven):  Intra-subnet traffic is always allowed, i.e. entities on the same subnet are always assumed to be directly connected and do not require an entry in the route-table.  Inter-subnet traffic is not allowed by default, i.e. there is no implicit routing to/from subnets; routing will happen between entities on different subnets only if a routing entry exists in the route-table.  Routes are reflexive, i.e. no explicit route entry needs to be created for a connection’s return path. A stateful entity which tracks connection states might be required to achieve this.
  • 19. Use case: One publicly accessible subnet Public subnet can also initiate connections to the Internet Source Destination Target Subnet-A 0.0.0.0 “My Internet Gateway”* Public Subnet *Refers to the ID of a target resource created by (ID: the tenant with the following call: Subnet-A) create_target(tenantID, name=“My 10.0.0.0/24 Internet Gateway”, type_id=“Public”) Web Server 10.0.0.5 198.51.100.1 (FIP) Web Server 10.0.0.8 198.51.100.4 (FIP)
  • 20. Use case: One private subnet Private subnet can also initiate connections to the home network via VPN Source Destination Target Subnet-A 0.0.0.0 “My VPN Gateway”* Private Subnet *Refers to the ID of a target resource created by (ID: the tenant with the following call: Subnet-A) create_target(tenantID, name=“My 10.0.0.0/24 VPN Gateway”, type_id=“VPN 1”, protocol=“IPSec”, version=“1”) Application 10.0.0.5 Application 10.0.0.8
  • 21. Use case: Public and VPN Access One publicly accessible subnet, which can also initiate connections to the Internet One private subnet, which can also initiate connections to the home network via VPN Source Destination Target Subnet-A 10.0.1.0/24 Subnet-B Subnet-B 10.0.0.0/24 Subnet-A Subnet-A 0.0.0.0 “My Internet Gateway” Subnet-B 0.0.0.0 “My VPN Gateway” Public Subnet Private (ID: Subnet Subnet-A) (ID: 10.0.0.0/24 Subnet-B) 10.0.1.0/24 Web Server 10.0.0.5 DB Server 198.51.100.1 (FIP) 10.0.1.5 Web Server 10.0.0.8 DB Server 198.51.100.4 (FIP) 10.0.1.6
  • 22. Use case: 3-tier app One publicly accessible subnet and two private Subnets Public subnet can also initiate connections to the Internet Source Destination Target Subnet-A 10.0.20.0/24 Subnet-B Public Subnet-B 10.0.30.0/24 Subnet-C Subnet Subnet-A 0.0.0.0 “My Internet Gateway”* (ID: Subnet-A) 10.0.10.0/24 *Refers to the ID of a target resource created Web Server by the tenant with the following call: 10.0.10.2 create_target(tenantID, name=“My 198.51.100.1 (FIP) Internet Gateway”, Web Server type_id=“Public”) 10.0.10.3 198.51.100.4 (FIP) Private Private Subnet Subnet (ID: (ID: Subnet-C) Subnet-B) 10.0.30.0/24 10.0.20.0/24 DB Server App Server 10.0.30.2 10.0.20.2 DB Server App Server 10.0.30.3 10.0.20.3