<div dir="ltr">Thanks for sharing your thoughts on the mailing list.<div style>I will read them carefully and provide my comments soon.</div><div style><br></div><div style>In the meanwhile, I advise you to file a blueprint, possibly with more design/implementation details.</div>
<div style>The blueprint you reference aimed at solving a much easier problem.</div><div style>In the spec (or the whiteboard) it was mentioned that a full solution to the issue of network domain sharing was out of its scope.</div>
<div style><br></div><div style>Salvatore</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 5 July 2013 16:11, Zang MingJie <span dir="ltr"><<a href="mailto:zealot0630@gmail.com" target="_blank">zealot0630@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi:<br>
Currently we are working on a problem of neutron network isolation<br>
and inter-communication. Currently neutron has private network and<br>
shared network, but they are not flexible. The private network cannot<br>
access other network, and the shared network is fully open. To solve<br>
this problem, we got another design.<br>
<br>
First, introduce a new concept "Zone", basically each Zone is an<br>
isolated ip address space, like VPN-Site in cisco vrf or route<br>
distinguisher in mpls-vpn or bgp-vpnv4. Each network must belong to a<br>
Zone. And we must ensure ip address is unique inside every Zone, which<br>
means no duplicated ip in the same Zone. By this assumption, given a<br>
(Zone,ip-address) tuple we can locate a unique port.<br>
<br>
Then, we implement our l3 agent, make sure all networks in the same<br>
Zone can communicate with each other, and networks in different Zones can't<br>
communicate. Each tenant can create a limited number of Zones (quota) and<br>
share them with others for intercommunication.<br>
<br>
By separating Zone from tenant, we get more flexible control of<br>
network scope. To maintain backward compatibility, when migrating,<br>
create a Zone for all shared networks and create Zones for each tenant.<br>
<br>
Data Model:<br>
* add a new resource: Zone (CRUD)<br>
* add a new parameter Zone to network<br>
* deprecate 'shared' param of network<br>
* a network w/o Zone that is shared belongs to the global Zone<br>
* a network w/o Zone that is not shared belongs to the Zone which has<br>
the same id as the tenant-id<br>
<br>
API change:<br>
* add API to grant/revoke Zone access to others (should we support<br>
revoke ?). a tenant is only permitted to create networks in the Zones he<br>
can access.<br>
<br>
Implementation overview:<br>
* l3-agent should be changed to suit the requirement, don't<br>
launch l3-agent per node*tenant, but per node*Zone. This should be<br>
very easy.<br>
* Ensure ip uniqueness inside Zone when creating subnets<br>
<br>
Related BPs:<br>
* <a href="https://blueprints.launchpad.net/neutron/+spec/sharing-model-for-external-networks" target="_blank">https://blueprints.launchpad.net/neutron/+spec/sharing-model-for-external-networks</a><br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div><br></div>
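The data model, API and implementation rules from the quoted proposal (backward-compatible Zone resolution, grant/revoke access checks before network creation, and IP uniqueness inside a Zone when creating subnets), as an added illustrative model that is not code from the thread or from Neutron; the Zone/tenant ids, the `global` Zone id and the function names are assumptions.

```python
"""Toy model of the proposed Neutron "Zone" resource (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

GLOBAL_ZONE = "global"  # assumed id of the Zone that absorbs all shared networks


@dataclass
class Zone:
    zone_id: str
    owner: str                                   # tenant that created the Zone
    granted: set = field(default_factory=set)    # tenants given access via the grant API
    subnets: list = field(default_factory=list)  # CIDRs already allocated in this Zone

    def grant(self, tenant):
        self.granted.add(tenant)

    def revoke(self, tenant):
        self.granted.discard(tenant)

    def accessible_by(self, tenant):
        # The global Zone is open to everyone; otherwise only the owner and granted tenants.
        return self.zone_id == GLOBAL_ZONE or tenant == self.owner or tenant in self.granted


def resolve_zone(network, tenant_id):
    """Migration rule: explicit Zone wins; a shared network without a Zone goes to
    the global Zone; an unshared one goes to the Zone whose id equals the tenant id."""
    if network.get("zone") is not None:
        return network["zone"]
    return GLOBAL_ZONE if network.get("shared") else tenant_id


def create_network(zone, tenant_id):
    """A tenant may only create a network in a Zone it can access."""
    if not zone.accessible_by(tenant_id):
        raise PermissionError(f"{tenant_id} cannot create networks in Zone {zone.zone_id}")
    return {"zone": zone.zone_id, "tenant_id": tenant_id}


def create_subnet(zone, cidr):
    """IP uniqueness inside a Zone: reject any CIDR overlapping an existing subnet,
    so that a (Zone, ip-address) tuple always maps to a single port."""
    new = ipaddress.ip_network(cidr, strict=False)
    for existing in zone.subnets:
        if new.overlaps(ipaddress.ip_network(existing)):
            raise ValueError(f"{cidr} overlaps {existing} in Zone {zone.zone_id}")
    zone.subnets.append(str(new))
    return str(new)
```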