diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/requirements/glossary.rst | 77 | ||||
-rw-r--r-- | docs/requirements/index.rst | 52 | ||||
-rw-r--r-- | docs/requirements/introduction.rst | 106 | ||||
-rw-r--r-- | docs/requirements/references.rst | 18 | ||||
-rw-r--r-- | docs/requirements/summary.rst | 46 | ||||
-rw-r--r-- | docs/requirements/use_cases.rst | 14 | ||||
-rw-r--r-- | docs/requirements/use_cases/georedundancy.rst | 72 | ||||
-rw-r--r-- | docs/requirements/use_cases/georedundancy_cells.rst | 61 | ||||
-rw-r--r-- | docs/requirements/use_cases/georedundancy_regions_insances.rst | 54 | ||||
-rw-r--r-- | docs/requirements/use_cases/l3vpn.rst | 29 | ||||
-rw-r--r-- | docs/requirements/use_cases/l3vpn_any_to_any.rst | 183 | ||||
-rw-r--r-- | docs/requirements/use_cases/l3vpn_ecmp.rst | 175 | ||||
-rw-r--r-- | docs/requirements/use_cases/l3vpn_hub_and_spoke.rst | 270 | ||||
-rw-r--r-- | docs/requirements/use_cases/multiple_backends.rst | 132 | ||||
-rw-r--r-- | docs/requirements/use_cases/programmable_provisioning.rst | 52 | ||||
-rw-r--r-- | docs/requirements/use_cases/service_binding_pattern.rst | 198 |
16 files changed, 0 insertions, 1539 deletions
diff --git a/docs/requirements/glossary.rst b/docs/requirements/glossary.rst deleted file mode 100644 index b45304e..0000000 --- a/docs/requirements/glossary.rst +++ /dev/null @@ -1,77 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -**Definition of terms** - -Different standards developing organizations and communities use different -terminology related to Network Function Virtualization, Cloud Computing, and -Software Defined Networking. This list defines the terminology in the contexts -of this document. - - -.. glossary:: - - API - Application Programming Interface. - - Cloud Computing - A model that enables access to a shared pool of configurable computing - resources, such as networks, servers, storage, applications, and - services, that can be rapidly provisioned and released with minimal - management effort or service provider interaction. - - Edge Computing - Edge computing pushes applications, data and computing power (services) - away from centralized points to the logical extremes of a network. - - Instance - Refers in OpenStack terminology to a running VM, or a VM in a known - state such as suspended, that can be used like a hardware server. - - NFV - Network Function Virtualization. - - NFVI - Network Function Virtualization Infrastructure. Totality of all hardware - and software components which build up the environment in which VNFs are - deployed. - - SDN - Software-Defined Networking. Emerging architecture that decouples the - network control and forwarding functions, enabling the network control - to become directly programmable and the underlying infrastructure to be - abstracted for applications and network services. - - Server - Computer that provides explicit services to the client software running - on that system, often managing a variety of computer operations. In - OpenStack terminology, a server is a VM instance. - - vForwarder - vForwarder is used as generic and vendor neutral term for a software - packet forwarder. Concrete examples includes OpenContrail vRouter, - OpenvSwitch, Cisco VTF. - - VIM - Virtualized Infrastructure Manager. Functional block that is responsible - for controlling and managing the NFVI compute, storage and network - resources, usually within one operator's Infrastructure Domain, e.g. - NFVI Point of Presence (NFVI-PoP). - - Virtual network - Virtual network routes information among the network interfaces of VM - instances and physical network interfaces, providing the necessary - connectivity. - - VM - Virtual Machine. Virtualized computation environment that behaves like a - physical computer/server by modeling the computing architecture of a - real or hypothetical computer. - - VNF - Virtualized Network Function. Implementation of an Network Function - that can be deployed on a Network Function Virtualization - Infrastructure (NFVI). - - WAN - Wide Area Network. diff --git a/docs/requirements/index.rst b/docs/requirements/index.rst deleted file mode 100644 index 74d5efb..0000000 --- a/docs/requirements/index.rst +++ /dev/null @@ -1,52 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -*************************** -NetReady: Network Readiness -*************************** - -:Project: NetReady, https://wiki.opnfv.org/display/netready/NetReady -:Editors: TBD -:Authors: Bin Hu (AT&T), Gergely Csatari (Nokia), Georg Kunz (Ericsson) and - others - -:Abstract: OPNFV provides an infrastructure with different SDN controller - options to realize NFV functionality on the platform it builds. As - OPNFV uses OpenStack as a VIM, we need to analyze the capabilities this - component offers us. The networking functionality is provided by a - single component called Neutron, which hides the controller under it, - let it be Neutron itself or any supported SDN controller. As NFV - wasn't taken into consideration at the time when Neutron was designed - we are already facing several bottlenecks and architectural - shortcomings while implementing our use cases. - - The NetReady project aims at evolving OpenStack networking - step-by-step to find the most efficient way to fulfill the - requirements of the identified NFV use cases, taking into account the - NFV mindset and the capabilities of SDN controllers. - -:History: - - ========== ===================================================== - Date Description - ========== ===================================================== - 22.03.2016 Project creation - 19.04.2016 Initial version of the deliverable uploaded to Gerrit - 22.07.2016 First version ready for sharing with the community - ========== ===================================================== - -.. raw:: latex - - \newpage - -.. include:: - glossary.rst - -.. toctree:: - :maxdepth: 4 - :numbered: - - introduction.rst - use_cases.rst - summary.rst - references.rst diff --git a/docs/requirements/introduction.rst b/docs/requirements/introduction.rst deleted file mode 100644 index 0593e07..0000000 --- a/docs/requirements/introduction.rst +++ /dev/null @@ -1,106 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Introduction -============ - -This document represents and describes the results of the OPNFV NetReady -(Network Readiness) project. Specifically, the document comprises a selection of -NFV-related networking use cases and their networking requirements. For every -use case, it furthermore presents a gap analysis of the aforementioned -requirements with respect to the current OpenStack networking architecture. -Finally it provides a description of potential solutions and improvements. - - -Scope ------ - -NetReady is a project within the OPNFV initiative. Its focus is on NFV (Network -Function Virtualization) related networking use cases and their requirements on -the underlying NFVI (Network Function Virtualization Infrastructure). - -The NetReady project addresses the OpenStack networking architecture, -specifically OpenStack Neutron, from a NFV perspective. Its goal is to identify -gaps in the current OpenStack networking architecture with respect to NFV -requirements and to propose and evaluate improvements and potential complementary -solutions. - - -Problem Description -------------------- - -Telco ecosystem's movement towards the cloud domain results in Network Function -Virtualization that is discussed and specified in ETSI NFV. This movement opens -up many green field areas which are full of potential growth in both business -and technology. This new NFV domain brings new business opportunities and new -market segments as well as emerging technologies that are exploratory and -experimental in nature, especially in NFV networking. - -It is often stated that NFV imposes additional requirements on the networking -architecture and feature set of the underlying NFVI beyond those of data center -networking. For instance, the NFVI needs to establish and manage connectivity -beyond the data center to the WAN (Wide Area Network). Moreover, NFV networking -use cases often abstract from L2 connectivity and instead focus on L3-only -connectivity. Hence, the NFVI networking architecture needs to be flexible -enough to be able to meet the requirements of NFV-related use cases in addition -to traditional data center networking. - -Traditionally, OpenStack networking, represented typically by the OpenStack -Neutron project, targets virtualized data center networking. This comprises -originally establishing and managing layer 2 network connectivity among VMs -(Virtual Machines). Over the past releases of OpenStack, Neutron has grown to -provide an extensive feature set, covering both L2 as well as L3 networking -services such as virtual routers, NATing, VPNaaS and BGP VPNs. - -It is an ongoing debate how well the current OpenStack networking architecture -can meet the additional requirements of NFV networking. Hence, a thorough -analysis of NFV networking requirements and their relation to the OpenStack -networking architecture is needed. - -Besides current additional use cases and requirements of NFV networking, -more importantly, because of the **green field** nature of NFV, it is foreseen -that there will be more and more new NFV networking use cases and services, -which will bring new business, in near future. The challenges for telco ecosystem -are to: - -- Quickly catch the new business opportunity; - -- Execute it in agile way so that we can accelerate the time-to-market and improve - the business agility in offering our customers with innovative NFV services. - -Therefore, it is critically important for telco ecosystem to quickly develop and deploy -new NFV networking APIs on-demand based on market need. - -Goals ------ - -The goals of the NetReady project and correspondingly this document are the -following: - -- This document comprises a collection of relevant NFV networking use cases and - clearly describes their requirements on the NFVI. These requirements are - stated independently of a particular implementation, for instance OpenStack - Neutron. Instead, requirements are formulated in terms of APIs (Application - Programming Interfaces) and data models needed to realize a given NFV use - case. - -- The list of use cases is not considered to be all-encompassing but it - represents a carefully selected set of use cases that are considered to be - relevant at the time of writing. More use cases may be added over time. The - authors are very open to suggestions, reviews, clarifications, corrections - and feedback in general. - -- This document contains a thorough analysis of the gaps in the current - OpenStack networking architecture with respect to the requirements imposed - by the selected NFV use cases. To this end, we analyze existing functionality - in OpenStack networking. - -- Beyond current list of use cases and gap analysis in the document, more importantly, - it is the future of NFV networking that needs to be made easy to innovate, quick to - develop, and agile to deploy and operate. A model-driven, extensible framework - is expected to achieve agility for innovations in NFV networking. - -- This document will in future revisions describe the proposed improvements - and complementary solutions needed to enable OpenStack to fulfill the - identified NFV requirements. - diff --git a/docs/requirements/references.rst b/docs/requirements/references.rst deleted file mode 100644 index 5f1f925..0000000 --- a/docs/requirements/references.rst +++ /dev/null @@ -1,18 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -.. References -.. ========== - -.. [BGPVPN] http://docs.openstack.org/developer/networking-bgpvpn/ -.. [MULTISITE] https://wiki.opnfv.org/display/multisite/Multisite -.. [NETREADY] https://wiki.opnfv.org/display/netready/NetReady -.. [NETREADY-JIRA] https://jira.opnfv.org/projects/NETREADY/issues/NETREADY-19?filter=allopenissues -.. [NETWORKING-SFC] https://wiki.openstack.org/wiki/Neutron/ServiceInsertionAndChaining -.. [NEUTRON-ROUTED-NETWORKS] https://specs.openstack.org/openstack/neutron-specs/specs/newton/routed-networks.html -.. [OS-NETWORKING-GUIDE-ML2] http://docs.openstack.org/mitaka/networking-guide/config-ml2-plug-in.html -.. [RFC4364] http://tools.ietf.org/html/rfc4364 -.. [RFC7432] https://tools.ietf.org/html/rfc7432 -.. [SELF] http://artifacts.opnfv.org/netready/docs/requirements/index.html -.. [TRICIRCLE] https://wiki.openstack.org/wiki/Tricircle#Requirements -.. [VLAN-AWARE-VMs] https://blueprints.launchpad.net/neutron/+spec/vlan-aware-vms diff --git a/docs/requirements/summary.rst b/docs/requirements/summary.rst deleted file mode 100644 index 2761a48..0000000 --- a/docs/requirements/summary.rst +++ /dev/null @@ -1,46 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Summary and Conclusion -====================== - -This document presented the results of the OPNFV NetReady (Network Readiness) -project ([NETREADY]_). It described a selection of NFV-related networking use -cases and their corresponding networking requirements. Moreover, for every use -case, it describes an associated gap analysis which analyses the aforementioned -networking requirements with respect to the current OpenStack networking -architecture. - -The contents of the current document are the selected use cases and their -derived requirements and identified gaps for OPNFV C release. - -OPNFV NetReady is open to take any further use cases under analysis in later -OPNFV releases. The project backlog ([NETREADY-JIRA]_) lists the use cases and -topics planned to be developed in future releases of OPNFV. - -Based on the gap analyses, we draw the following conclusions: - -* Besides current requirements and gaps identified in support of NFV networking, - more and more new NFV networking services are to be innovated in the near future. - Those innovations will bring additional requirements, and more significant gaps - will be expected. On the other hand, NFV networking business requires it - to be made easy to innovate, quick to develop, and agile to deploy and operate. - Therefore, a model-driven, extensible framework is expected to support NFV - networking on-demand in order to accelerate time-to-market and achieve business - agility for innovations in NFV networking business. - -* Neutron networks are implicitly, because of their reliance on subnets, L2 - domains. L2 network overlays are the only way to implement Neutron networks - because of their semantics. However, L2 networks are inefficient ways to - implement cloud networking, and while this is not necessarily a problem for - enterprise use cases with moderate traffic it can add expense to the - infrastructure of NFV cases where networking is heavily used and efficient use - of capacity is key. - -* In NFV environment it should be possible to execute network administrator tasks - without OpenStack administrator rights. - -* In a multi-site setup it should be possible to manage the connection between - the sites in a programmable way. - -The latest version of this document can be found at [SELF]_. diff --git a/docs/requirements/use_cases.rst b/docs/requirements/use_cases.rst deleted file mode 100644 index d31bbd3..0000000 --- a/docs/requirements/use_cases.rst +++ /dev/null @@ -1,14 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Use cases -========= - -The following sections address networking use cases that have been identified to be relevant in the scope of NFV and NetReady. - -.. toctree:: - use_cases/multiple_backends.rst - use_cases/l3vpn.rst - use_cases/service_binding_pattern.rst - use_cases/programmable_provisioning.rst - use_cases/georedundancy.rst diff --git a/docs/requirements/use_cases/georedundancy.rst b/docs/requirements/use_cases/georedundancy.rst deleted file mode 100644 index d168206..0000000 --- a/docs/requirements/use_cases/georedundancy.rst +++ /dev/null @@ -1,72 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Georedundancy -============= -Georedundancy refers to a configuration which ensures the service continuity of -the VNF-s even if a whole datacenter fails. - -It is possible that the VNF application layer provides additional redundancy -with VNF pooling on top of the georedundancy functionality described here. - -It is possible that either the VNFC-s of a single VNF are spread across several -datacenters (this case is covered by the OPNFV multi-site project [MULTISITE]_ -or different, redundant VNF-s are started in different datacenters. - -When the different VNF-s are started in different datacenters the redundancy -can be achieved by redundant VNF-s in a hot (spare VNF is running its -configuration and internal state is synchronized to the active VNF), -warm (spare VNF is running, its configuration is synchronized to the active VNF) -or cold (spare VNF is not running, active VNF-s configuration is stored in a -persistent, central store and configured to the spare VNF during its activation) -standby state in a different datacenter from where the active VNF-s are running. -The synchronization and data transfer can be handled by the application or by -the infrastructure. - -In all of these georedundancy setups there is a need for a network connection -between the datacenter running the active VNF and the datacenter running the -spare VNF. - -In case of a distributed cloud it is possible that the georedundant cloud of an -application is not predefined or changed and the change requires configuration -in the underlay networks when the network operator uses network isolation. -Isolation of the traffic between the datacenters might be needed due to the -multi-tenant usage of NFVI/VIM or due to the IP pool management of the network -operator. - -This set of georedundancy use cases is about enabling the possibility to select a -datacenter as backup datacenter and build the connectivity between the NFVI-s in -the different datacenters in a programmable way. - -The focus of these uses cases is on the functionality of OpenStack it is not -considered how the provisioning of physical resources is handled by the SDN -controllers to interconnect the two datacenters. - -As an example the following picture (:numref:`georedundancy-before`) shows a -multi-cell cloud setup where the underlay network is not fully meshed. - -.. figure:: images/georedundancy-before.png - :name: georedundancy-before - :width: 50% - -Each datacenter (DC) is a separate OpenStack cell, region or instance. Let's -assume that a new VNF is started in DC b with a Redundant VNF in DC d. In this -case a direct underlay network connection is needed between DC b and DC d. The -configuration of this connection should be programmable in both DC b and DC d. -The result of the deployment is shown in the following figure -(:numref:`georedundancy-after`): - -.. figure:: images/georedundancy-after.png - :name: georedundancy-after - :width: 50% - -.. toctree:: - georedundancy_cells.rst - georedundancy_regions_insances.rst - -Conclusion ----------- - An API is needed what provides possibility to set up the local and remote - endpoints for the underlay network. This API present in the SDN solutions, but - OpenStack does not provides and abstracted API for this functionality to hide - the differences of the SDN solutions. diff --git a/docs/requirements/use_cases/georedundancy_cells.rst b/docs/requirements/use_cases/georedundancy_cells.rst deleted file mode 100644 index ad664e8..0000000 --- a/docs/requirements/use_cases/georedundancy_cells.rst +++ /dev/null @@ -1,61 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Connection between different OpenStack cells --------------------------------------------- -Description -~~~~~~~~~~~ -There should be an API to manage the infrastructure-s networks between two -OpenStack cells. (Note: In the Mitaka release of OpenStack cells v1 are -considered as experimental, while cells v2 functionality is under -implementation). Cells are considered to be problematic from maintainability -perspective as the sub-cells are using only the internal message bus and there -is no API (and CLI) to do maintenance actions in case of a network connectivity -problem between the main cell and the sub cells. - -The following figure (:numref:`cells-architecture`) shows the architecture of -the most relevant OpenStack components in multi cell OpenStack environment. - -.. figure:: images/cells-architecture.png - :name: cells-architecture - :width: 50% - -The functionality behind the API depends on the underlying network providers (SDN -controllers) and the networking setup. -(For example OpenDaylight has an API to add new BGP neighbor.) - -OpenStack Neutron should provide an abstracted API for this functionality what -calls the underlying SDN controllers API. - -Derived Requirements -~~~~~~~~~~~~~~~~~~~~~ - - Possibility to define a remote and a local endpoint - - As in case of cells the nova-api service is shared it should be possible - to identify the cell in the API calls - -Northbound API / Workflow -+++++++++++++++++++++++++ - - An infrastructure network management API is needed - - API call to define the remote and local infrastructure endpoints - - When the endpoints are created neutron is configured to use the new network. - -Dependencies on compute services -++++++++++++++++++++++++++++++++ - None. - -Data model objects -++++++++++++++++++ - - local and remote endpoint objects (Most probably IP addresses with some - additional properties). - -Current implementation -~~~~~~~~~~~~~~~~~~~~~~ - Current OpenStack implementation provides no way to set up the underlay - network connection. - OpenStack Tricircle project [TRICIRCLE]_ - has plans to build up inter datacenter L2 and L3 networks. - -Gaps in the current solution -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - An infrastructure management API is missing from Neutron where the local and - remote endpoints of the underlay network could be configured. diff --git a/docs/requirements/use_cases/georedundancy_regions_insances.rst b/docs/requirements/use_cases/georedundancy_regions_insances.rst deleted file mode 100644 index 995eb49..0000000 --- a/docs/requirements/use_cases/georedundancy_regions_insances.rst +++ /dev/null @@ -1,54 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Connection between different OpenStack regions or cloud instances ------------------------------------------------------------------ - -Description -~~~~~~~~~~~ -There should be an API to manage the infrastructure-s networks between two -OpenStack regions or instances. - -The following figure (:numref:`instances-architecture`) shows the architecture -of the most relevant OpenStack components in multi instance OpenStack -environment. - -.. figure:: images/instances-architecture.png - :name: instances-architecture - :width: 50% - -The functionality behind the API depends on the underlying network providers (SDN -controllers) and the networking setup. -(For example OpenDaylight has an API to add new BGP neighbor.) - -OpenStack Neutron should provide an abstracted API for this functionality what -calls the underlying SDN controllers API. - -Derived Requirements -~~~~~~~~~~~~~~~~~~~~~ -- Possibility to define a remote and a local endpoint -- As in case of cells the nova-api service is shared it should be possible - to identify the cell in the API calls - -Northbound API / Workflow -+++++++++++++++++++++++++ -- An infrastructure network management API is needed -- API call to define the remote and local infrastructure endpoints -- When the endpoints are created neutron is configured to use the new network. - -Data model objects -++++++++++++++++++ -- local and remote endpoint objects (Most probably IP addresses with some -additional properties). - -Current implementation -~~~~~~~~~~~~~~~~~~~~~~ - Current OpenStack implementation provides no way to set up the underlay - network connection. - OpenStack Tricircle project [TRICIRCLE]_ - has plans to build up inter datacenter L2 and L3 networks. - -Gaps in the current solution -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - An infrastructure management API is missing from Neutron where the local and - remote endpoints of the underlay network could be configured. diff --git a/docs/requirements/use_cases/l3vpn.rst b/docs/requirements/use_cases/l3vpn.rst deleted file mode 100644 index c2da424..0000000 --- a/docs/requirements/use_cases/l3vpn.rst +++ /dev/null @@ -1,29 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Bin Hu - -L3VPN Use Cases -=============== - -.. toctree:: - l3vpn_any_to_any.rst - l3vpn_ecmp.rst - l3vpn_hub_and_spoke.rst - - -Conclusion ----------- - -Based on the gap analyses of the three specific L3VPN use cases we conclude that -there are gaps in both the functionality provided by the BGPVPN project as well -as the support for multiple backends in Neutron. - -Some of the identified gaps [L3VPN-ECMP-GAP1, L3VPN-ECMP-GAP2, L3VPN-HS-GAP3] -in the BGPVPN project are merely missing functionality which can be integrated -in the existing OpenStack networking architecture. - -Other gaps, such as the inability to explicitly disable the layer 2 semantics of -Neutron networks [L3VPN-HS-GAP1] or the tight integration of ports and networks -[L3VPN-HS-GAP2] hinder a clean integration of the needed functionality. In order -to close these gaps, fundamental changes in Neutron or alternative approaches -need to be investigated. diff --git a/docs/requirements/use_cases/l3vpn_any_to_any.rst b/docs/requirements/use_cases/l3vpn_any_to_any.rst deleted file mode 100644 index 574eac6..0000000 --- a/docs/requirements/use_cases/l3vpn_any_to_any.rst +++ /dev/null @@ -1,183 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Bin Hu - -L3VPNs are virtual layer 3 networks described in multiple standards and RFCs, -such as [RFC4364]_ and [RFC7432]_. Connectivity as well as traffic separation is -achieved by exchanging routes between VRFs (Virtual Routing and Forwarding). - -Moreover, a Service Providers' virtualized network infrastructure may consist of -one or more SDN Controllers from different vendors. Those SDN Controllers may be -managed within one cloud or multiple clouds. Jointly, those VIMs (e.g. OpenStack -instances) and SDN Controllers work together in an interoperable framework to -create L3 services in the Service Providers' virtualized network infrastructure. - -While interoperability between SDN controllers and the corresponding data planes -is ensured based on standardized protocols (e.g., [RFC4364]_ and [RFC7432]_), -the integration and management of different SDN domains from the VIM is not -clearly defined. Hence, this section analyses three L3VPN use cases involving -multiple SDN Controllers. - - - -Any-to-Any Base Case --------------------- - -Description -~~~~~~~~~~~ - -This any-to-any use case is the base scenario, providing layer 3 connectivity -between VNFs in the same L3VPN while separating the traffic and IP address -spaces of different L3VPNs belonging to different tenants. - -There are 2 hosts (compute nodes). SDN Controller A and vForwarder A are -provided by Vendor A and run on host A. SDN Controller B and vForwarder B -are provided by Vendor B, and run on host B. - -There are 2 tenants. Tenant 1 creates L3VPN Blue with 2 subnets: 10.1.1.0/24 and -10.3.7.0/24. Tenant 2 creates L3VPN Red with 1 subnet and an overlapping -address space: 10.1.1.0/24. The network topology is shown in -:numref:`l3vpn-any2any-figure`. - -.. figure:: images/l3vpn-any2any.png - :name: l3vpn-any2any-figure - :width: 100% - -In L3VPN Blue, VMs G1 (10.1.1.5) and G2 (10.3.7.9) are spawned on host A, and -attached to 2 subnets (10.1.1.0/24 and 10.3.7.0/24) and assigned IP addresses -respectively. VMs G3 (10.1.1.6) and G4 (10.3.7.10) are spawned on host B, and -attached to 2 subnets (10.1.1.0/24 and 10.3.7.0/24) and assigned IP addresses -respectively. - -In L3VPN Red, VM G5 (10.1.1.5) is spawned on host A, and attached to subnet -10.1.1.0/24. VM G6 (10.1.1.6) is spawned on host B, and attached to the same -subnet 10.1.1.0/24. - - - -Derived Requirements -~~~~~~~~~~~~~~~~~~~~~ - -Northbound API / Workflow -+++++++++++++++++++++++++ - -.. **Georg: this section needs to be made more readable** - -An example of the desired workflow is as follows: - -1. Create Network - -2. Create Network VRF Policy Resource ``Any-to-Any`` - - 2.1. This policy causes the following configuration when a VM of this tenant is spawned on a host: - - 2.1.1. There will be a RD assigned per VRF - - 2.1.2. There will be a RT used for the common any-to-any communication - -3. Create Subnet - -4. Create Port (subnet, network VRF policy resource). This causes the controller to: - - 4.1. Create a VRF in vForwarder's FIB, or update VRF if it already exists - - 4.2. Install an entry for the guest's host route in FIBs of the vForwarder serving this tenant's virtual network - - 4.3. Announce guest host route to WAN-GW via MP-BGP - - - - -Current implementation -~~~~~~~~~~~~~~~~~~~~~~ - -Support for creating and managing L3VPNs is available in OpenStack Neutron by -means of the [BGPVPN]_ project. In order to create the L3VPN network -configuration described above using the API [BGPVPN]_ API, the following workflow -is needed: - -1. Create Neutron networks for tenant "Blue" - - ``neutron net-create --tenant-id Blue net1`` - - ``neutron net-create --tenant-id Blue net2`` - - -2. Create subnets for the Neutron networks for tenant "Blue" - - ``neutron subnet-create --tenant-id Blue --name subnet1 net1 10.1.1.0/24`` - - ``neutron subnet-create --tenant-id Blue --name subnet2 net2 10.3.7.0/24`` - - -3. Create Neutron ports in the corresponding networks for tenant "Blue" - - ``neutron port-create --tenant-id Blue --name G1 --fixed-ip subnet_id=subnet1,ip_address=10.1.1.5 net1`` - - ``neutron port-create --tenant-id Blue --name G2 --fixed-ip subnet_id=subnet1,ip_address=10.1.1.6 net1`` - - ``neutron port-create --tenant-id Blue --name G3 --fixed-ip subnet_id=subnet2,ip_address=10.3.7.9 net2`` - - ``neutron port-create --tenant-id Blue --name G4 --fixed-ip subnet_id=subnet2,ip_address=10.3.7.10 net2`` - - -4. Create Neutron network for tenant "Red" - - ``neutron net-create --tenant-id Red net3`` - - -5. Create subnet for the Neutron network of tenant "Red" - - ``neutron subnet-create --tenant-id Red --name subnet3 net3 10.1.1.0/24`` - - -6. Create Neutron ports in the networks of tenant "Red" - - ``neutron port-create --tenant-id Red --name G5 --fixed-ip subnet_id=subnet3,ip_address=10.1.1.5 net3`` - - ``neutron port-create --tenant-id Red --name G7 --fixed-ip subnet_id=subnet3,ip_address=10.1.1.6 net3`` - - -7. Create a L3VPN by means of the BGPVPN API for tenant "Blue" - - ``neutron bgpvpn-create --tenant-id Blue --route-targets AS:100 --name vpn1`` - - -8. Associate the L3VPN of tenant "Blue" with the previously created networks - - ``neutron bgpvpn-net-assoc-create --tenant-id Blue --network net1 --name vpn1`` - - ``neutron bgpvpn-net-assoc-create --tenant-id Blue --network net2 --name vpn1`` - - -9. Create a L3VPN by means of the BGPVPN API for tenant "Red" - - ``neutron bgpvpn-create --tenant-id Red --route-targets AS:200 --name vpn2`` - - -10. Associate the L3VPN of tenant "Red" with the previously created networks - - ``neutron bgpvpn-net-assoc-create --tenant-id Red --network net3 --name vpn2`` - - -Comments: - -* In this configuration only one BGPVPN for each tenant is created. - -* The ports are associated indirectly to the VPN through their networks. - -* The BGPVPN backend takes care of distributing the /32 routes to the vForwarder - instances and assigning appropriate RD values. - - - -Gaps in the current solution -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -In terms of the functionality provided by the BGPVPN project, there are no gaps -preventing this particular use case from a L3VPN perspective. - -However, in order to support the multi-vendor aspects of this use case, a better -support for integrating multiple backends is needed (see previous use case). - - diff --git a/docs/requirements/use_cases/l3vpn_ecmp.rst b/docs/requirements/use_cases/l3vpn_ecmp.rst deleted file mode 100644 index 7bcb64f..0000000 --- a/docs/requirements/use_cases/l3vpn_ecmp.rst +++ /dev/null @@ -1,175 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Bin Hu - -L3VPN: ECMP Load Splitting Case (Anycast) ------------------------------------------ - -Description -~~~~~~~~~~~ - -In this use case, multiple instances of a VNF are reachable through the same IP. -The networking infrastructure is then responsible for spreading the network load -across the VNF instances using Equal-Cost Multi-Path (ECMP) or perform a -fail-over in case of a VNF failure. - -There are 2 hosts (compute nodes). SDN Controller A and vForwarder A are provided by -Vendor A, and run on host A. SDN Controller B and vForwarder B are provided by -Vendor B, and run on host B. - -There is one tenant. Tenant 1 creates L3VPN Blue with subnet 10.1.1.0/24. - -The network topology is shown in :numref:`l3vpn-ecmp-figure`: - -.. figure:: images/l3vpn-ecmp.png - :name: l3vpn-ecmp-figure - :width: 100% - -In L3VPN Blue, VNF1.1 and VNF1.2 are spawned on host A, attached to subnet 10.1.1.0/24 -and assigned the same IP address 10.1.1.5. VNF1.3 is spawned on host B, attached to -subnet 10.1.1.0/24 and assigned the same IP addresses 10.1.1.5. VNF 2 and VNF 3 are spawned -on host A and B respectively, attached to subnet 10.1.1.0/24, and assigned different IP -addresses 10.1.1.6 and 10.1.1.3 respectively. - -Here, the Network VRF Policy Resource is ``ECMP/AnyCast``. Traffic to the -anycast IP **10.1.1.5** can be load split from either WAN GW or another VM like -G5. - - - -Current implementation -~~~~~~~~~~~~~~~~~~~~~~ - -Support for creating and managing L3VPNs is, in general, available in OpenStack -Neutron by means of the BGPVPN project [BGPVPN]_. However, the BGPVPN project -does not yet fully support ECMP as described in the following. - -There are (at least) two different approached to configuring ECMP: - -1. Using Neutron ports with identical IP addresses, or - -2. Using Neutron ports with unique IPs addresses and creating static routes to a - common IP prefix with next hops pointing to the unique IP addresses. - - - -Ports with identical IP addresses -+++++++++++++++++++++++++++++++++ - -In this approach, multiple Neutron ports using the same IP address are created. -In the current Neutron architecture, a port has to reside in a specific Neutron -network. However, re-using the same IP address multiple times in a given Neutron -network is not possible as this would create an IP collision. As a consequence, -creating one Neutron network for each port is required. - -Given multiple Neutron networks, the BGPVPN API allows for associating those -networks with the same VPN. It is then up to the networking backend to implement -ECMP load balancing. This behavior and the corresponding API for configuring the -behavior is currently not available. It is nevertheless on the road map of the -BGPVPN project. - -.. **Georg: we could add an API usage example here similarly to the one below** - - -Static Routes to ports with unique IP addresses -+++++++++++++++++++++++++++++++++++++++++++++++ - -In this approach, Neutron ports are assigned unique IPs and static routes -pointing to the same ECMP load-balanced prefix are created. The static routes -define the unique Neutron port IPs as next-hop addresses. - -Currently, the API for static routes is not yet available in the BGPVPN project, -but it is on the road map. The following work flow shows how to realize this -particular use case under the assumption that support for static routes is -available in the BGPVPN API. - - -1. Create Neutron network for tenant "Blue" - - ``neutron net-create --tenant-id Blue net1`` - - -2. Create subnet for the network of tenant "Blue" - - ``neutron subnet-create --tenant-id Blue --name subnet1 net1 5.1.1.0/24`` - - -3. Create Neutron ports in the network of tenant "Blue" - - ``neutron port-create --tenant-id Blue --name G1 --fixed-ip subnet_id=subnet1,ip_address=5.1.1.1 net1`` - - ``neutron port-create --tenant-id Blue --name G2 --fixed-ip subnet_id=subnet1,ip_address=5.1.1.2 net1`` - - ``neutron port-create --tenant-id Blue --name G3 --fixed-ip subnet_id=subnet1,ip_address=5.1.1.3 net1`` - - ``neutron port-create --tenant-id Blue --name G4 --fixed-ip subnet_id=subnet1,ip_address=5.1.1.4 net1`` - - ``neutron port-create --tenant-id Blue --name G5 --fixed-ip subnet_id=subnet1,ip_address=5.1.1.5 net1`` - - ``neutron port-create --tenant-id Blue --name G6 --fixed-ip subnet_id=subnet1,ip_address=5.1.1.6 net1`` - - -4. Create a L3VPN for tenant "Blue" - - ``neutron bgpvpn-create --tenant-id Blue --route-target AS:100 vpn1`` - - -5. Associate the BGPVPN with the network of tenant "Blue" - - ``neutron bgpvpn-network-associate --tenant-id Blue --network-id net1 vpn1`` - - -6. Create static routes which point to the same target - - ``neutron bgpvpn-static-route-add --tenant-id Blue --cidr 10.1.1.5/32 --nexthop-ip 5.1.1.1 vpn1`` - - ``neutron bgpvpn-static-route-add --tenant-id Blue --cidr 10.1.1.5/32 --nexthop-ip 5.1.1.2 vpn1`` - - ``neutron bgpvpn-static-route-add --tenant-id Blue --cidr 10.1.1.5/32 --nexthop-ip 5.1.1.3 vpn1`` - - - -Gaps in the current solution -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Given the use case description and the currently available implementation in -OpenStack provided by BGPVPN project, we identify the following gaps: - -* [L3VPN-ECMP-GAP1] Static routes are not yet supported by the BGPVPN project. - - Currently, no API for configuring static routes is available in the BGPVPN - project. This feature is on the road map, however. - - -* [L3VPN-ECMP-GAP2] Behavior not defined for multiple Neutron ports of the same - IP - - The Neutron and BGPVPN API allow for creating multiple ports with the same - IP in different networks and associating the networks with the same VPN. The - exact behavior of this configuration is however not defined and an API for - configuring the behavior (load-balancing or fail-over) is missing. Development - of this feature is on the road map of the project, however. - - -* [L3VPN-ECMP-GAP3] It is not possible to assign the same IP to multiple Neutron - ports within the same Neutron subnet. - - This is due to the fundamental requirement of avoiding IP collisions within - the L2 domain which is a Neutron network. - - -Conclusions -~~~~~~~~~~~ - -In the context of the ECMP use case, three gaps have been -identified. Gap [L3VPN-ECMP-GAP1] and [L3VPN-ECMP-GAP2] are missing or undefined -functionality in the BGPVPN project. There is no architectural hindrance -preventing the implementation of the missing features in the BGPVPN project as -well as in Neutron. - -The third gap [L3VPN-ECMP-GAP3] is based on the fact that Neutron ports always -have to exist in a Neutron network. As a consequence, in order to create ports -with the same IP, multiple networks must be used. This port-network binding -will most likely not be relaxed in future releases of Neutron to retain backwards -compatibility. A clean alternative to Neutron can instead provide more modeling -flexibility. diff --git a/docs/requirements/use_cases/l3vpn_hub_and_spoke.rst b/docs/requirements/use_cases/l3vpn_hub_and_spoke.rst deleted file mode 100644 index 17459b6..0000000 --- a/docs/requirements/use_cases/l3vpn_hub_and_spoke.rst +++ /dev/null @@ -1,270 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Bin Hu - -Hub and Spoke Case ------------------- - -Description -~~~~~~~~~~~ - -In a traditional Hub-and-spoke topology there are two types of network entities: -a central hub and multiple spokes. The corresponding VRFs of the hub and the -spokes are configured to import and export routes such that all traffic is -directed through the hub. As a result, spokes cannot communicate with each other -directly, but only indirectly via the central hub. Hence, the hub typically -hosts central network functions such firewalls. - -Furthermore, there is no layer 2 connectivity between the VNFs. - -In addition, in this use case, the deployed network infrastructure comprises -equipment from two different vendors, Vendor A and Vendor B. There are 2 hosts -(compute nodes). SDN Controller A and vForwarder A are provided by Vendor A, and -run on host A. SDN Controller B and vForwarder B are provided by Vendor B, and run -on host B. - -There is 1 tenant. Tenant 1 creates L3VPN Blue with 2 subnets: 10.1.1.0/24 and 10.3.7.0/24. - -The network topology is shown in :numref:`l3vpn-hub-spoke-figure`: - -.. figure:: images/l3vpn-hub-spoke.png - :name: l3vpn-hub-spoke-figure - :width: 100% - -In L3VPN Blue, vFW(H) is acting the role of ``hub`` (a virtual firewall). -The other 3 VNF VMs are ``spoke``. vFW(H) and VNF1(S) are spawned on host A, -and VNF2(S) and VNF3(S) are spawned on host B. vFW(H) (10.1.1.5) and VNF2(S) -(10.1.1.6) are attached to subnet 10.1.1.0/24. VNF1(S) (10.3.7.9) and VNF3(S) -(10.3.7.10) are attached to subnet 10.3.7.0/24. - - -Derived Requirements -~~~~~~~~~~~~~~~~~~~~~ - -Northbound API / Workflow -+++++++++++++++++++++++++ - -.. Georg: this needs to be made more readable / explanatory - -Exemplary vFW(H) Hub VRF is as follows: - -* RD1 10.1.1.5 IP_vForwarder1 Label1 -* RD1 0/0 IP_vForwarder1 Label1 -* Label 1 Local IF (10.1.1.5) -* RD3 10.3.7.9 IP_vForwarder1 Label2 -* RD2 10.1.1.6 IP_vForwarder2 Label3 -* RD4 10.3.7.10 IP_vForwarder2 Label3 - -Exemplary VNF1(S) Spoke VRF is as follows: - -* RD1 0/0 IP_vForwarder1 Label1 -* RD3 10.3.7.9 IP_vForwarder1 Label2 - -Exemplary workflow is described as follows: - -1. Create Network - -2. Create VRF Policy Resource - - 2.1. Hub and Spoke - -3. Create Subnet - -4. Create Port - - 4.1. Subnet - - 4.2. VRF Policy Resource, [H | S] - - - -Current implementation -++++++++++++++++++++++ - -Different APIs have been developed to support creating a L3 network topology and -directing network traffic through specific network elements in specific order, -for example, [BGPVPN]_ and [NETWORKING-SFC]_. We analyzed those APIs regarding -the Hub-and-Spoke use case. - - -BGPVPN -'''''' - -Support for creating and managing L3VPNs is in general available in OpenStack -Neutron by means of the BGPVPN API [BGPVPN]_. The [BGPVPN]_ API currently -supports the concepts of network- and router-associations. An association maps -Neutron network objects (networks and routers) to a VRF with the following -semantics: - -* A *network association* interconnects all subnets and ports of a Neutron - network by binding them to a given VRF -* a *router association* interconnects all networks, and hence indirectly all - ports, connected to a Neutron router by binding them to a given VRF - -It is important to notice that these associations apply to entire Neutron -networks including all ports connected to a network. This is due to the fact -that in the Neutron, ports can only exist within a network but not individually. -Furthermore, Neutron networks were originally designed to represent layer 2 -domains. As a result, ports within the same Neutron network typically have layer -connectivity among each other. There are efforts to relax this original design -assumption, e.g. routed networks, which however do not solve the problem at hand -here (see the gap analysis further down below). - -In order to realize the hub-and-spoke topology outlined above, VRFs need to be -created on a per port basis. Specifically, ports belonging to the same network -should not be interconnected except through a corresponding configuration of a -per-port-VRF. This configuration includes setting up next-hop routing table, -labels, I-RT and E-RT etc. in order to enable traffic direction from hub to -spokes. - -It may be argued that given the current network- and router-association mechanisms, -the following workflow establishes a network topology which aims to achieve the desired -traffic flow from Hub to Spokes. The basic idea is to model separate VRFs per VM -by creating a dedicated Neutron network with two subnets for each VRF in the -Hub-and-Spoke topology. - -1. Create Neutron network "hub" - ``neutron net-create --tenant-id Blue hub`` - - -2. Create a separate Neutron network for every "spoke" - ``neutron net-create --tenant-id Blue spoke-i`` - - -3. For every network (hub and spokes), create two subnets - ``neutron subnet-create <hub/spoke-i UUID> --tenant-id Blue 10.1.1.0/24`` - - ``neutron subnet-create <hub/spoke-i UUID> --tenant-id Blue 10.3.7.0/24`` - - -4. Create the Neutron ports in the corresponding networks - ``neutron port-create --tenant-id Blue --name vFW(H) --fixed-ip subnet_id=<hub UUID>,ip_address=10.1.1.5`` - - ``neutron port-create --tenant-id Blue --name VNF1(S) --fixed-ip subnet_id=<spoke-i UUID>,ip_address=10.3.7.9`` - - ``neutron port-create --tenant-id Blue --name VNF2(S) --fixed-ip subnet_id=<spoke-i UUID>,ip_address=10.1.1.6`` - - ``neutron port-create --tenant-id Blue --name VNF3(S) --fixed-ip subnet_id=<spoke-i UUID>,ip_address=10.3.7.10`` - - -5. Create a BGPVPN object (VRF) for the hub network with the corresponding import - and export targets - ``neutron bgpvpn-create --name hub-vrf --import-targets <RT-hub RT-spoke> --export-targets <RT-hub>`` - - -6. Create a BGPVPN object (VRF) for every spoke network with the corresponding import - and export targets - ``neutron bgpvpn-create --name spoke-i-vrf --import-targets <RT-hub> --export-targets <RT-spoke>`` - - -7. Associate the hub network with the hub VRF - ``bgpvpn-net-assoc-create hub --network <hub network-UUID>`` - - -8. Associate each spoke network with the corresponding spoke VRF - ``bgpvpn-net-assoc-create spoke-i --network <spoke-i network-UUID>`` - - -9. Add static route to direct all traffic to vFW VNF running at the hub. - - **Note:** Support for static routes not yet available. - - ``neutron bgpvpn-static-route-add --tenant-id Blue --cidr 0/0 --nexthop-ip 10.1.1.5 hub`` - -After step 9, VMs can be booted with the corresponding ports. - -The resulting network topology intents to resemble the target topology as shown in -:numref:`l3vpn-hub-spoke-figure`, and achieve the desired traffic direction from Hub to Spoke. -However, it deviates significantly from the essence of the Hub-and-Spoke use case as -described above in terms of desired network topology, i.e. one L3VPN with multiple -VRFs associated with vFW(H) and other VNFs(S) separately. And this method of using -the current network- and router-association mechanism is not scalable when there are large -number of Spokes, and in case of scale-in and scale-out of Hub and Spokes. - -The gap analysis in the next section describes the technical reasons for this. - - -Network SFC -''''''''''' - -Support of Service Function Chaining is in general available in OpenStack Neutron through -the Neutron API for Service Insertion and Chaining project [NETWORKING-SFC]_. -However, the [NETWORKING-SFC]_ API is focused on creating service chaining through -NSH at L2, although it intends to be agnostic of backend implementation. It is unclear whether -or not the service chain from vFW(H) to VNFs(S) can be created in the way of L3VPN-based -VRF policy approach using [NETWORKING-SFC]_ API. - -Hence, it is currently not possible to configure the networking use case as described above. - -.. **Georg: we need to look deeper into SFC to substantiate our claim here.** - - -Gaps in the Current Solution -++++++++++++++++++++++++++++ - -Given the use case description and the currently available implementation in -OpenStack provided by [BGPVPN]_ project and [NETWORKING-SFC]_ project, -we identify the following gaps: - - -[L3VPN-HS-GAP1] No means to disable layer 2 semantic of Neutron networks -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' - -Neutron networks were originally designed to represent layer 2 broadcast -domains. As such, all ports connected to a network are in principle -inter-connected on layer 2 (not considering security rules here). In contrast, -in order to realize L3VPN use cases such as the hub-and-spoke topology, -connectivity among ports must be controllable on a per port basis on layer 3. - -There are ongoing efforts to relax this design assumption, for instance by means -of routed networks ([NEUTRON-ROUTED-NETWORKS]_). In a routed network, a Neutron network -is a layer 3 domain which is composed of multiple layer 2 segments. A routed -network only provides layer 3 connectivity across segments, but layer 2 -connectivity across segments is **optional**. This means, depending on the -particular networking backend and segmentation technique used, there might be -layer 2 connectivity across segments or not. A new flag ``l2_adjacency`` -indicates whether or not a user can expect layer 2 connectivity or not across -segments. - -This flag, however, is ready-only and cannot be used to overwrite or disable the -layer 2 semantics of a Neutron network. - - -[L3VPN-HS-GAP2] No port-association available in the BGPVPN project yet -''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' - -Due to gap [L3VPN-HS-GAP1], the [BGPVPN]_ project was not yet able to implement -the concept of a port association. A port association would allow to associate -individual ports with VRFs and thereby control layer 3 connectivity on a per -port basis. - -The workflow described above intents to mimic port associations by means of -separate Neutron networks. Hence, the resulting workflow is overly complicated -and not intuitive by requiring to create additional Neutron entities (networks) -which are not present in the target topology. Moreover, creating large numbers -of Neutron networks limits scalability. - -Port associations are on the road map of the [BGPVPN]_ project, however, no -design that overcomes the problems outlined above has been specified yet. -Consequently, the time-line for this feature is unknown. - -As a result, creating a clean Hub-and-Spoke topology is current not yet -supported by the [BGPVPN]_ API. - - -[L3VPN-HS-GAP3] No support for static routes in the BGPVPN project yet -'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' - -In order to realize the hub-and-spoke use case, a static route is needed to -attract the traffic at the hub to the corresponding VNF (direct traffic to the -firewall). Support for static routes in the BGPVPN project is available for the -router association by means of the Neutron router extra routes feature. However, -there is no support for static routes for network and port associations yet. - -Design work for supporting static routes for network associations has started, -but no final design has been proposed yet. - -.. -.. [L3VPN-HS-GAP4] Creating a clean hub-and-spoke topology is current not yet supported by the NETWORKING-SFC API. -.. [Georg: We need to look deeper into SFC before we can substantiate our claim] - diff --git a/docs/requirements/use_cases/multiple_backends.rst b/docs/requirements/use_cases/multiple_backends.rst deleted file mode 100644 index 62ed42a..0000000 --- a/docs/requirements/use_cases/multiple_backends.rst +++ /dev/null @@ -1,132 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Bin Hu - - -Multiple Networking Backends ----------------------------- - -Description -^^^^^^^^^^^ - -Network Function Virtualization (NFV) brings the need of supporting multiple networking -back-ends in virtualized infrastructure environments. - -First of all, a Service Providers' virtualized network infrastructure will consist of -multiple SDN Controllers from different vendors for obvious business reasons. -Those SDN Controllers may be managed within one cloud or multiple clouds. -Jointly, those VIMs (e.g. OpenStack instances) and SDN Controllers need to work -together in an interoperable framework to create NFV services in the Service -Providers' virtualized network infrastructure. It is needed that one VIM (e.g. OpenStack -instance) shall be able to support multiple SDN Controllers as back-end. - -Secondly, a Service Providers' virtualized network infrastructure will serve multiple, -heterogeneous administrative domains, such as mobility domain, access networks, -edge domain, core networks, WAN, enterprise domain, etc. The architecture of -virtualized network infrastructure needs different types of SDN Controllers that are -specialized and targeted for specific features and requirements of those different domains. -The architectural design may also include global and local SDN Controllers. -Importantly, multiple local SDN Controllers may be managed by one VIM (e.g. -OpenStack instance). - -Furthermore, even within one administrative domain, NFV services could also be quite diversified. -Specialized NFV services require specialized and dedicated SDN Controllers. Thus a Service -Provider needs to use multiple APIs and back-ends simultaneously in order to provide -users with diversified services at the same time. At the same time, for a particular NFV service, -the new networking APIs need to be agnostic of the back-ends. - - - -Requirements -^^^^^^^^^^^^ - -Based on the use cases described above, we derive the following -requirements. - -It is expected that in NFV networking service domain: - -* One OpenStack instance shall support multiple APIs and SDN Controllers simultaneously - -* New NFV Networking APIs shall be agnostic of back-ends - -* Interoperability is needed among multi-vendor SDN Controllers at back-end - - - -Current Implementation -^^^^^^^^^^^^^^^^^^^^^^ - -In the current implementation of OpenStack networking, SDN controllers are -hooked up to Neutron by means of dedicated plugins. A plugin translates -requests coming in through the Neutron northbound API, e.g. the creation of a -new network, into the appropriate northbound API calls of the corresponding SDN -controller. - -There are multiple different plugin mechanisms currently available in Neutron, -each targeting a different purpose. In general, there are `core plugins`, -covering basic networking functionality and `service plugins`, providing layer 3 -connectivity and advanced networking services such as FWaaS or LBaaS. - - - -Core and ML2 Plugins -'''''''''''''''''''' - -The Neutron core plugins cover basic Neutron functionality, such as creating -networks and ports. Every core plugin implements the functionality needed to -cover the full range of the Neutron core API. A special instance of a core -plugin is the ML2 core plugin, which in turn allows for using sub-drivers - -separated again into type drivers (VLAN, VxLAN, GRE) or mechanism drivers (OVS, -OpenDaylight, etc.). This allows to using dedicated sub-drivers for dedicated -functionality. - -In practice, different SDN controllers use both plugin mechanisms to integrate -with Neutron. For instance OpenDaylight uses a ML2 mechanism plugin driver -whereas OpenContrail integrated by means of a full core plugin. - -In its current implementation, only one Neutron core plugin can be active at any -given time. This means that if a SDN controller utilizes a dedicated core -plugin, no other SDN controller can be used at the same time for the same type -of service. - -In contrast, the ML2 plugin allows for using multiple mechanism drivers -simultaneously. In principle, this enables a parallel deployment of multiple SDN -controllers if and only if all SDN controllers integrate through a ML2 mechanism -driver. - - - -Neutron Service Plugins -''''''''''''''''''''''' - -Neutron service plugins target L3 services and advanced networking services, -such as BGPVPN or LBaaS. Typically, a service itself provides a driver plugin -mechanism which needs to be implemented for every SDN controller. As the -architecture of the driver mechanism is up to the community developing the -service plugin, it needs to be analyzed for every driver plugin mechanism -individually if and how multiple back-ends are supported. - - - -Gaps in the current solution -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Given the use case description and the current implementation of OpenStack -Neutron, we identify the following gaps: - - -[MB-GAP1] Limited support for multiple back-ends -''''''''''''''''''''''''''''''''''''''''''''''' - -As pointed out above, the Neutron core plugin mechanism only allows for one -active plugin at a time. The ML2 plugin allows for running multiple mechanism -drivers in parallel, however, successful inter-working strongly depends on the -individual driver. - - - -Conclusion -^^^^^^^^^^ - -We conclude that a clean method of integrating multiple SDN controllers into a -single OpenStack deployment is needed to fulfill the needs of operators. diff --git a/docs/requirements/use_cases/programmable_provisioning.rst b/docs/requirements/use_cases/programmable_provisioning.rst deleted file mode 100644 index 963451d..0000000 --- a/docs/requirements/use_cases/programmable_provisioning.rst +++ /dev/null @@ -1,52 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -Programmable Provisioning of Provider Networks ----------------------------------------------- -Description -~~~~~~~~~~~ - -In a NFV environment the VNFMs (Virtual Network Function Manager) are consumers -of the OpenStack IaaS API. They are often deployed without administrative rights -on top of the NFVI platform. Furthermore, in the telco domain provider networks -are often used. However, when a provider network is created administrative -rights are needed what in the case of a VNFM without administrative rights -requires additional manual configuration work. It shall be possible to -configure provider networks without administrative rights. It should be -possible to assign the capability to create provider networks to any roles. - -The following figure (:numref:`api-users`) shows the possible users of an -OpenStack API and the relation of OpenStack and ETSI NFV components. Boxes with -solid line are the ETSI NFV components while the boxes with broken line are the -OpenStack components. - -.. figure:: images/api-users.png - :name: api-users - :width: 50% - -Derived Requirements -~~~~~~~~~~~~~~~~~~~~~ - - Authorize the possibility of provider network creation based on policy - - There should be a new entry in :code:`policy.json` which controls the provider network creation - - Default policy of this new entry should be :code:`rule:admin_or_owner`. - - This policy should be respected by the Neutron API - -Northbound API / Workflow -+++++++++++++++++++++++++ - - No changes in the API - -Data model objects -++++++++++++++++++ - - No changes in the data model - -Current implementation -~~~~~~~~~~~~~~~~~~~~~~ -Only admin users can manage provider networks [OS-NETWORKING-GUIDE-ML2]_. - -Potential implementation -~~~~~~~~~~~~~~~~~~~~~~~~ - - Policy engine shall be able to handle a new provider network creation and - modification related policy. - - When a provider network is created or modified neutron should check the - authority with the policy engine instead of requesting administrative - rights. diff --git a/docs/requirements/use_cases/service_binding_pattern.rst b/docs/requirements/use_cases/service_binding_pattern.rst deleted file mode 100644 index 8abcf7a..0000000 --- a/docs/requirements/use_cases/service_binding_pattern.rst +++ /dev/null @@ -1,198 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) Georg Kunz - - -Service Binding Design Pattern ------------------------------- - -Description -^^^^^^^^^^^ - -This use case aims at binding multiple networks or network services to a single -vNIC (port) of a given VM. There are several specific application scenarios for -this use case: - -* Shared Service Functions: A service function connects to multiple networks of - a tenant by means of a single vNIC. - - Typically, a vNIC is bound to a single network. Hence, in order to directly - connect a service function to multiple networks at the same time, multiple vNICs - are needed - each vNIC binds the service function to a separate network. For - service functions requiring connectivity to a large number of networks, this - approach does not scale as the number of vNICs per VM is limited and additional - vNICs occupy additional resources on the hypervisor. - - A more scalable approach is to bind multiple networks to a single vNIC - and let the service function, which is now shared among multiple networks, - handle the separation of traffic itself. - - -* Multiple network services: A service function connects to multiple different - network types such as a L2 network, a L3(-VPN) network, a SFC domain or - services such as DHCP, IPAM, firewall/security, etc. - - -In order to achieve a flexible binding of multiple services to vNICs, a logical -separation between a vNIC (instance port) - that is, the entity that is used by -the compute service as hand-off point between the network and the VM - and a -service interface - that is, the interface a service binds to - is needed. - -Furthermore, binding network services to service interfaces instead of to the -vNIC directly enables a more dynamic management of the network connectivity of -network functions as there is no need to add or remove vNICs. - - -Requirements -^^^^^^^^^^^^ - -Data model -"""""""""" - -This section describes a general concept for a data model and a corresponding -API. It is not intended that these entities are to be implemented exactly as -described. Instead, they are meant to show a design pattern for future network -service models and their corresponding APIs. For example, the "service" entity -should hold all required attributes for a specific service, for instance a given -L3VPN service. Hence, there would be no entity "service" but rather "L3VPN". - - -* ``instance-port`` - - An instance port object represents a vNIC which is bindable to an OpenStack - instance by the compute service (Nova). - - *Attributes:* Since an instance-port is a layer 2 device, its attributes - include the MAC address, MTU and others. - - -* ``interface`` - - An interface object is a logical abstraction of an instance-port. It allows to - build hierarchies of interfaces by means of a reference to a parent interface. - Each interface represents a subset of the packets traversing a given port or - parent interface after applying a layer 2 segmentation mechanism specific to the - interface type. - - *Attributes:* The attributes are specific to the type of interface. - - *Examples:* trunk interface, VLAN interface, VxLAN interface, MPLS interface - - -* ``service`` - - A service object represents a specific networking service. - - *Attributes:* The attributes of the service objects are service specific and - valid for given service instance. - - *Examples:* L2, L3VPN, SFC - - -* ``service-port`` - - A service port object binds an interface to a service. - - *Attributes:* The attributes of a service-port are specific for the bound - service. - - *Examples:* port services (IPAM, DHCP, security), L2 interfaces, L3VPN - interfaces, SFC interfaces. - - - -Northbound API -"""""""""""""" - -An exemplary API for manipulating the data model is described below. As for the -data model, this API is not intended to be a concrete API, but rather an example -for a design pattern that clearly separates ports from services and service -bindings. - -* ``instance-port-{create,delete} <name>`` - - Creates or deletes an instance port object that represents a vNIC in a VM. - - -* ``interface-{create,delete} <name> [interface type specific parameters]`` - - Creates or deletes an interface object. - - -* ``service-{create,delete} <name> [service specific parameters]`` - - Create a specific service object, for instance a L3VPN, a SFC domain, or a L2 network. - - -* ``service-port-{create,delete} <service-id> <interface-id> [service specific parameters]`` - - Creates a service port object, thereby binding an interface to a given service. - - - -Orchestration -""""""""""""" - -None. - - -Dependencies on other resources -""""""""""""""""""""""""""""""" - -The compute service needs to be enabled to consume instance ports instead of -classic Neutron ports. - - -Current Implementation -^^^^^^^^^^^^^^^^^^^^^^ - -The core Neutron API does not follow the service binding design pattern. For -example, a port has to exist in a Neutron network - specifically it has to be -created for a particular Neutron network. It is not possible to create just a -port and assign it to a network later on as needed. As a result, a port cannot -be moved from one network to another, for instance. - -Regarding the shared service function use case outlined above, there is an -ongoing activity in Neutron [VLAN-AWARE-VMs]_. The solution proposed by this -activity allows for creating a trunk-port and multiple sub-ports per Neutron -port which can be bound to multiple networks (one network per sub-port). This -allows for binding a single VNIC to multiple networks and allow the -corresponding VMs to handle the network segmentation (VLAN tagged traffic) -itself. While this is a step in the direction of binding multiple services -(networks) to a port, it is limited by the fundamental assumption of Neutron -that a port has to exist on a given network. - -There are extensions of Neutron that follow the service binding design pattern -more closely. An example is the BGPVPN project. A rough mapping of the service -binding design pattern to the data model of the BGPVPN project is as follows: - -* instance-port -> Neutron port - -* service -> VPN - -* service-port -> network association - -This example shows that extensions of Neutron can in fact follow the described -design pattern in their respective data model and APIs. - - - -Conclusions -^^^^^^^^^^^ - -In conclusion, the design decisions taken for the core Neutron API and data -model do not follow the service binding model. As a result, it is hard to -implement certain use cases which rely on a flexible binding of services to -ports. Due to the backwards compatibility to the large amount of existing -Neutron code, it is unlikely that the core Neutron API will adapt to this design -pattern. - -New extension to Neutron however are relatively free to choose their data model -and API - within the architectural boundaries of Neutron of course. In order to -provide the flexibility needed, extensions shall aim for following the service -binding design pattern if possible. - -For the same reason, new networking frameworks complementing Neutron, such as -Gluon, shall follow this design pattern and create the foundation for -implementing networking services accordingly. - |