[openstack-dev] [Neutron][LBaaS] L7 content switching APIs

Samuel Bercovici SamuelB at Radware.com
Wed Apr 30 13:10:38 UTC 2014


Hi,

We have compared the API that is in the blueprint to the one described in Stephen's documents.
The differences we have found follow:

1)      L7PolicyVipAssoc is gone; this means that L7 policy reuse is not possible. I have added use cases 42 and 43 to show where such reuse makes sense.

2)      There is a mix between L7 content switching and L7 content modification; the API in the blueprint only addresses L7 content switching. I think that we should separate the APIs from each other. I think that we should review/add use cases targeting L7 content modification to the use cases document.

a.      You can see this in L7Policy: APPEND_HEADER, DELETE_HEADER actions

3)      The action to redirect to a URL is missing in Stephen's document. The 'redirect' action in Stephen's document is equivalent to the "pool" action in the blueprint/code.

4)      All the objects have their parent id as an optional argument (L7Rule.l7_policy_id, L7Policy.listener_id); is this a mistake?

5)      There is also the additional behavior based on L3 information (matching the client/source IP to a subnet). This is addressed by L7Rule.type with a value of 'CLIENT_IP' and L7Rule.compare_type with a value of 'SUBNET'. I think that using Layer 3 type information should not be part of L7 content switching, as the use cases I am aware of might require more than just selecting a different pool (e.g. a user with an IP from the internet browsing to an HTTPS-based application might need to be secured using 2K SSL keys, while internal users could use weaker keys).

I would like to state that although the WIKI describes the solution from a high level, it is not totally in sync with the actual code.
The key thing which is missing is that L7 policies in a specific listener/VIP are ordered (an ordered list) and are processed in order, so that the first policy that has a match is activated and traversal of the L7 policy list is stopped, as the processing is final (e.g. redirect, pool, reject).
This in effect means that L7 policies form an 'or' condition between them.
L7 policies have an ordered list of L7 rules; L7 rules are processed in this order and also form an 'or' condition.

Regards,
-Avishay, Evgeny and Sam
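The ordered, first-match semantics described in the message above (policies processed in order, the first match is final, rules inside a policy OR'd together) are easy to get wrong in configuration: a broad "pool" policy placed before a narrower "reject" policy silently shadows it. The following Python model is an added example, not code from the lbaas-l7-rules blueprint, the Neutron tree or Radware's implementation. The rule types (PATH, HEADER, CLIENT_IP), compare types (STARTS_WITH, EQUAL_TO, REGEX, SUBNET), action names (POOL, REDIRECT_TO_URL, REJECT), the request shape and the sample policies and traffic are all assumptions constructed for the example; the `shadowed` check, which replays sample requests and reports policies that can never fire, is likewise this example's own addition.

```python
"""Ordered L7 policy evaluation as the message describes it: a listener holds
an ordered list of L7 policies, the first policy whose rules match is applied
and traversal stops (pool, redirect, reject are final), and the rules inside
a policy are OR'd. Added example, not code from the lbaas-l7-rules blueprint,
Neutron or Radware; type/action names and the request shape are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class L7Rule:
    type: str                     # assumed: "PATH", "HEADER", "CLIENT_IP"
    compare_type: str             # assumed: "STARTS_WITH", "EQUAL_TO", "REGEX", "SUBNET"
    value: str
    key: Optional[str] = None     # header name, only for type == "HEADER"


@dataclass
class L7Policy:
    action: str                   # assumed: "POOL", "REDIRECT_TO_URL", "REJECT"
    rules: List[L7Rule]           # ordered; any one matching rule matches the policy
    target: Optional[str] = None  # pool id or redirect URL; None for REJECT


@dataclass
class Request:
    path: str
    headers: dict                 # header names are compared case-insensitively
    client_ip: str

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def rule_matches(rule: L7Rule, req: Request) -> bool:
    # Unknown types/compare types raise instead of silently never matching,
    # so a typo in a REJECT rule cannot quietly turn into "allow".
    if rule.type == "CLIENT_IP":
        if rule.compare_type != "SUBNET":
            raise ValueError("CLIENT_IP rules only support SUBNET")
        net = ipaddress.ip_network(rule.value, strict=False)
        return ipaddress.ip_address(req.client_ip) in net
    if rule.type == "PATH":
        subject = req.path
    elif rule.type == "HEADER":
        subject = req.headers.get((rule.key or "").lower())
        if subject is None:
            return False
    else:
        raise ValueError("unknown rule type %r" % rule.type)
    if rule.compare_type == "STARTS_WITH":
        return subject.startswith(rule.value)
    if rule.compare_type == "EQUAL_TO":
        return subject == rule.value
    if rule.compare_type == "REGEX":
        return re.search(rule.value, subject) is not None
    raise ValueError("unknown compare type %r" % rule.compare_type)


def policy_matches(policy: L7Policy, req: Request) -> bool:
    return any(rule_matches(r, req) for r in policy.rules)  # rules are OR'd


def first_match(policies: List[L7Policy], req: Request) -> Optional[int]:
    """Index of the first matching policy in list order, or None."""
    for i, p in enumerate(policies):
        if policy_matches(p, req):
            return i
    return None


def evaluate(policies: List[L7Policy], req: Request,
             default_pool: str) -> Tuple[str, Optional[str]]:
    """Apply the first matching policy; its action is final. A request that
    matches no policy goes to the listener's default pool."""
    i = first_match(policies, req)
    if i is None:
        return ("POOL", default_pool)
    p = policies[i]
    if p.action in ("POOL", "REDIRECT_TO_URL"):
        return (p.action, p.target)
    if p.action == "REJECT":
        return ("REJECT", None)
    raise ValueError("unknown action %r" % p.action)


def shadowed(policies: List[L7Policy], samples: List[Request]) -> List[int]:
    """Indices of policies that fire for no sample request: with first-match
    semantics a broad early policy hides the narrower ones (often REJECTs)."""
    fired = {first_match(policies, r) for r in samples}
    return [i for i in range(len(policies)) if i not in fired]


# Constructed sample configuration and traffic (not taken from the page).
API = L7Policy("POOL", [L7Rule("PATH", "STARTS_WITH", "/api/"),
                        L7Rule("HEADER", "EQUAL_TO", "2", key="X-Api-Version")],
               target="api-pool")
BLOCK_INTERNAL = L7Policy("REJECT", [L7Rule("PATH", "STARTS_WITH", "/api/internal/")])
INTRANET = L7Policy("POOL", [L7Rule("CLIENT_IP", "SUBNET", "10.0.0.0/8")],
                    target="intranet-pool")
LOGIN = L7Policy("REDIRECT_TO_URL", [L7Rule("PATH", "REGEX", r"^/account(/|$)")],
                 target="https://sso.example.test/login")
SAMPLES = [
    Request("/api/internal/users", {}, "198.51.100.7"),
    Request("/api/v2/items", {"X-Api-Version": "2"}, "198.51.100.7"),
    Request("/index.html", {}, "10.20.30.40"),
    Request("/account/settings", {}, "203.0.113.9"),
]
MISORDERED = [API, BLOCK_INTERNAL, INTRANET, LOGIN]  # REJECT is shadowed by API
CORRECT = [BLOCK_INTERNAL, API, INTRANET, LOGIN]     # narrowest final action first

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.path, req.client_ip, "->", evaluate(CORRECT, req, "default-pool"))
    print("shadowed in MISORDERED:", shadowed(MISORDERED, SAMPLES))
```

With MISORDERED, the external request for /api/internal/users is sent to api-pool because the broad /api/ prefix policy fires first and evaluation stops; with CORRECT the REJECT fires. Since the API in the message has no "and" between rules, a condition such as "internal path and external client" can only be expressed through policy ordering, which is why a replay check like `shadowed` is worth running against a policy list before it is deployed.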



From: Samuel Bercovici [mailto:SamuelB at Radware.com]
Sent: Sunday, April 27, 2014 1:53 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS] SSL and L7 content switching APIs

Hi,

The work to design the APIs concerning L7 content switching and SSL termination started a bit before the Icehouse summit; it involved the ML in a very active fashion.
The ML was silent on this because we had completed the discussion and moved to implementation.
We got to a very advanced state in completing the code, which got stopped due to the discussion about the core model (VIPs, pools, etc.).
The blueprints, WIKIs and code are public (https://blueprints.launchpad.net/neutron/+spec/lbaas-l7-rules and https://blueprints.launchpad.net/neutron/+spec/lbaas-ssl-termination ).
Please take the time to review and discuss on ML if something is missing so we can talk about this at the summit.

-Sam.

