<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
The NS FW will be on a centralized node for sure. The DVR +
FWaaS solution is really for EW traffic. If you are interested in
the topic, please propose your preferred meeting time and join the
meeting so that we can discuss it. <br>
<br>
Yi<br>
<br>
<div class="moz-cite-prefix">On 7/2/14, 7:05 PM, joehuang wrote:<br>
</div>
<blockquote
cite="mid:5E7A3D1BF5FD014E86E5F971CF446EFF391272B0@szxema505-mbx.china.huawei.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Hello,
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">It's hard to integrate DVR and FWaaS. My
proposal is to split the FWaaS into two parts: one part is
for east-west FWaaS; this part could be done on the DVR side
and made distributed. The other part is for the
north-south part; this part could be done on the Network Node
side, which means it works in a central manner. After the split,
north-south FWaaS could be implemented by software or
hardware, while east-west FWaaS is better
implemented by software given its distributed nature.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Chaoyi Huang ( Joe Huang )<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">OpenStack Solution Architect<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">IT Product Line<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Tel: 0086 755-28423202 Cell: 0086 158 118 117
96 Email: <a class="moz-txt-link-abbreviated" href="mailto:joehuang@huawei.com">joehuang@huawei.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US">Huawei Area B2-3-D018S Bantian, Longgang
District,Shenzhen 518129, P.R.China
</span><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span
style="font-size:10.0pt" lang="EN-US"> Yi Sun
[<a class="moz-txt-link-freetext" href="mailto:beyounn@gmail.com">mailto:beyounn@gmail.com</a>]
<br>
</span><b><span style="font-size:10.0pt">Sent:</span></b><span
style="font-size:10.0pt" lang="EN-US"> July 3, 2014 4:42<br>
<b>To:</b> OpenStack Development Mailing List (not
for usage questions)<br>
<b>Cc:</b> Kyle Mestery (kmestery); Rajeev; Gary
Duan; Carl (OpenStack Neutron)<br>
<b>Subject:</b> Re: [openstack-dev] DVR and FWaaS
integration<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">All,<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">After talking to Carl
and the FWaaS team, both sides suggested calling a meeting
to discuss this topic in deeper detail. I heard
that Swami is traveling this week, so I guess the
earliest time we can have a meeting is sometime next
week. I will be out of town on Monday, so any day after
Monday should work for me. We can do either IRC, Google
Hangout, GMT or even face to face.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">For anyone
interested, please propose your preferred time. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Yi<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On Sun, Jun 29, 2014
at 12:43 PM, Carl Baldwin <<a moz-do-not-send="true"
href="mailto:carl@ecbaldwin.net" target="_blank">carl@ecbaldwin.net</a>>
wrote:<o:p></o:p></span></p>
<p><span lang="EN-US">In line...<o:p></o:p></span></p>
<div>
<p><span lang="EN-US">On Jun 25, 2014 2:02 PM, "Yi Sun"
<<a moz-do-not-send="true"
href="mailto:beyounn@gmail.com" target="_blank">beyounn@gmail.com</a>>
wrote:<br>
><br>
> All,<br>
> During the last summit, we were talking about the
integration issues between DVR and FWaaS. After the
summit, I had one IRC meeting with the DVR team. But after
that meeting I was tied up with my work and did not
get time to continue to follow up on the issue. To not
slow down the discussion, I'm forwarding the email
that I sent out as the follow-up to the IRC meeting
here, so that whoever may be interested in the topic
can continue to discuss it.<br>
><br>
> First some background about the issue:<br>
> In the normal case, the FW and router are running
together inside the same box so that the FW can get route
and NAT information from the router component. And in
order for the FW to function correctly, the FW needs to
see both directions of the traffic.<br>
> DVR is designed in an asymmetric way such that each
DVR only sees one leg of the traffic. If we build the FW
on top of DVR, then FW functionality will be broken.
We need to find a good method to have the FW work with
DVR.<br>
><br>
> ---forwarding email---<br>
> During the IRC meeting, we thought that we could
force the traffic to the FW before DVR. Vivek had more
detail; he thinks that since the br-int knows whether
a packet is routed or switched, it is possible for the
br-int to forward traffic to the FW before it forwards to
DVR. The whole forwarding process can be operated as
part of a service-chain operation. And there could be a
FWaaS driver that understands the DVR configuration to
set up OVS flows on the br-int.<o:p></o:p></span></p>
</div>
<p><span lang="EN-US">I'm not sure what this solution would
look like. I'll have to get the details from Vivek. It
seems like this would effectively centralize the traffic
that we worked so hard to decentralize.<o:p></o:p></span></p>
<p><span lang="EN-US">It did cause me to wonder about
something: would it be possible to regain symmetry
in the traffic by directing any response traffic back to
the DVR component which handled the request traffic? I
guess this would require running conntrack on the target
side to track and identify return traffic. I'm not sure
how this would be inserted into the data path yet. This
is a half-baked idea here.<o:p></o:p></span></p>
<div>
<p><span lang="EN-US">> The concern is that normally the
firewall and router are integrated together so that the
firewall can make the right decision based on the routing
result. But what we are suggesting is to split the
firewall and router into two separate components,
hence there could be issues. For example, the FW will not
be able to get enough information to set up zones.
Normally a zone contains a group of interfaces that can
be used in the firewall policy to enforce the
direction of the policy. If we forward traffic to the
firewall before DVR, then we can only create policy
based on subnets, not the interface. <br>
> Also, I'm not sure if
we have ever planned to support SNAT on the DVR, but if
we do, then depending on at which point we forward
traffic to the FW, the subnet may not even work for us
anymore (even DNAT could have a problem too). <o:p></o:p></span></p>
</div>
<p><span lang="EN-US">I agree that splitting the firewall
from routing presents some problems that may be
difficult to overcome. I don't know how it would be
done while maintaining the benefits of DVR.<o:p></o:p></span></p>
<p><span lang="EN-US">Another half-baked idea: could
multi-primary state replication be used between DVR
components to enable firewall operation? Maybe work on
the HA router blueprint -- which is long overdue to be
merged Btw -- could be leveraged. The number of DVR
"pieces" could easily far exceed that of active firewall
components normally used in such a configuration so
there could be a major scaling problem. I'm really just
thinking out loud here.<o:p></o:p></span></p>
<p><span lang="EN-US">Maybe you (or others) have other
ideas?<o:p></o:p></span></p>
<div>
<p><span lang="EN-US">> Another thing that I may have
to get detail on is how we handle the overlapping
subnet; it seems that new namespaces are required.<o:p></o:p></span></p>
</div>
<p><span lang="EN-US">Can you elaborate here?<o:p></o:p></span></p>
<p><span style="color:#888888" lang="EN-US">Carl<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">><br>
> --- end of forwarding ----<br>
><br>
> YI<br>
><br>
><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">>
_______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><br>
<br clear="all">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US">-- <br>
Android-x86<br>
<a moz-do-not-send="true"
href="http://www.android-x86.org">http://www.android-x86.org</a>
<o:p></o:p></span></p>
</div>
</div>
</blockquote>
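As an added illustration, not part of the thread, here is a small Python model of the asymmetry problem Yi describes: a stateful firewall instance is bound to each DVR, and with DVR the reply leg of a flow is inspected by a different instance than the request leg. The three modes correspond to the situations discussed above: plain asymmetric DVR, pinning return traffic to the DVR that handled the request (Carl's conntrack idea), and replicating firewall state between DVR components. Host names, subnets, the zone-style policy and the StatefulFW class are constructed for the example.

```python
"""Constructed model (not from the thread): a stateful firewall bound to
each DVR instance, and what DVR's one-leg-per-instance path does to it."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a flow

def flow_key(p):
    return (p.src, p.dst, p.sport, p.dport)

def reverse_key(p):
    return (p.dst, p.src, p.dport, p.sport)

@dataclass
class StatefulFW:
    """Minimal zone-style policy: only the trusted tenant subnet may open
    flows; anything else must match an existing conntrack entry."""
    name: str
    trusted_prefix: str
    conntrack: dict = field(default_factory=dict)

    def inspect(self, p):
        if flow_key(p) in self.conntrack or reverse_key(p) in self.conntrack:
            return "ACCEPT"  # belongs to a flow this instance has seen
        if p.syn and p.src.startswith(self.trusted_prefix):
            self.conntrack[flow_key(p)] = "ESTABLISHED"
            return "ACCEPT"
        return "DROP"  # unknown flow: unsolicited, or its state lives elsewhere

def run(mode):
    """mode: 'asymmetric' (plain DVR), 'pinned' (reply steered back to the
    DVR that saw the request) or 'replicated' (instances share one table)."""
    fw_a = StatefulFW("host-a", "10.0.1.")  # DVR on the client's compute host
    fw_b = StatefulFW("host-b", "10.0.1.")  # DVR on the server's compute host
    if mode == "replicated":
        fw_b.conntrack = fw_a.conntrack  # shared state, as in state replication
    request = Packet("10.0.1.5", "10.0.2.9", 40000, 80, syn=True)
    reply = Packet("10.0.2.9", "10.0.1.5", 80, 40000)
    verdict_req = fw_a.inspect(request)
    # DVR routes the reply on the destination host, so a different instance
    # inspects it unless the return path is pinned to the originating DVR.
    reply_fw = fw_a if mode == "pinned" else fw_b
    return verdict_req, reply_fw.inspect(reply)
```

Running `run("asymmetric")` shows the reply being dropped because host-b never saw the request, while the pinned and replicated modes accept both legs; the same table also rejects an unsolicited inbound SYN from outside the trusted subnet.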
<br>
</body>
</html>