[openstack-dev] [neutron] Neutron should disallow /32 CIDR

Paul Ward wpward at us.ibm.com
Thu Jan 23 21:11:01 UTC 2014

FWIW, Horizon does prevent the /32 subnet with this message right in the
UI: "The subnet in the Network Address is too small (/32)."  However, it
does NOT prevent a /31 or smaller prefix.

Given your statement about routers potentially using a /30 network, I think
we should leave the restriction at /30 rather than /29.  I'm assuming your
statement that some routers use /30 subnets to connect to each other could
potentially apply to neutron-created routers.

My reasoning behind checking the number of IP addresses in the subnet
rather than the actual CIDR prefix length is that I want the code to be IP
version agnostic.  If we're talking IPv6, then /30 isn't going to be
relevant.  I'm not overly familiar with IPv6, but is it safe to say it has
the same restriction that there must be more than 2 IPs available as the
highest IP is the broadcast?  Thinking more about this, I think this would
be a better check (which still covers both IPv4 and IPv6):

if len(list(netaddr.IPNetwork(new_subnet_cidr))) < 3:
    <raise exception>

So where I think we're at and need to go:
	- Concurrence on whether this change is made at all.  I'm of the
opinion that if a subnet is truly and
	   completely unusable, we should prevent it in neutron rather than
rely on horizon since products
	   built on openstack probably don't use horizon.  If agreed, proceed
to next items.
	- Change current fix to allow /(N-2) prefixes
	- Potential horizon changes, in a separate changeset
		- Change to fail on /(N-1) rather than only /(N)
		- More descriptive failure message... though I kinda think the
current one is sufficient.

"CARVER, PAUL" <pc2929 at att.com> wrote on 01/23/2014 02:22:06 PM:

> From: "CARVER, PAUL" <pc2929 at att.com>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev at lists.openstack.org>,
> Date: 01/23/2014 02:26 PM
> Subject: Re: [openstack-dev] [neutron] Neutron should disallow /32 CIDR
> Paul Ward:

> Thank you to all who have participated in this thread.  I've just
> proposed a fix in gerrit.  For those involved thus far, if you could
> review I would be greatly appreciative!
> https://review.openstack.org/#/c/68742/1
> I wouldn’t go so far as to say this verification SHOULDN’T be added,
> but neither would I say it should. From a general use case
> perspective I don’t think IPv4 subnets smaller than /29 make sense.
> A /32 is a commonly used subnet length for some use cases (e.g.
> router loopback interface) but may not have an applicable use in a
> cloud network. I have never seen a /31 network used anywhere. Point
> to point links (e.g. T1/Frame Relay/etc) are often /30 but I’ve
> never seen a /30 subnet for anything other than connecting two routers.
> However, does it really benefit the user to specifically block them
> from entering /32 or block them from entering /30, /31, and /32?
> It might not be an equal amount of code, I think a much better
> effort to help the user would be to provide them with a subnet
> calculator directly in Horizon to show them how many usable IPs are
> in the subnet they’re defining. In this case, displaying “Usable
> addresses: 0” right when they enter /32 would be helpful and they
> would figure out for themselves whether they really wanted that mask
> or if they meant something else?
>  _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140123/59aad4c0/attachment.html>

More information about the OpenStack-dev mailing list