<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Salvatore,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">There is FIP distribution at the agent level, in the sense the N/S of FIP for a VM will be hosted on the same compute node. We centralized SNAT from feedback
by others. The current design and code only supports centralized SNAT for DVR routers. The design could be modified to allow for distributed SNAT as an option but would be a tough task to get in for the first release of DVR support.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We wanted to come in with the basic support first.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yours,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Michael Smith<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Hewlett-Packard Company<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">HP Networking R&D<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">8000 Foothills Blvd. M/S 5557<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Roseville, CA 95747<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">PC Phone: 916 540-1884<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Ph: 916 785-0918<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D">Fax: 916 785-1199
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Salvatore Orlando [mailto:sorlando@nicira.com]
<br>
<b>Sent:</b> Thursday, July 03, 2014 3:41 AM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Subject:</b> Re: [openstack-dev] [Neutron] DVR SNAT shortcut<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I would just add that if I'm not mistaken the DVR work would also include the features currently offered by nova network's 'multi-host' capability.<o:p></o:p></p>
<div>
<p class="MsoNormal">While DVR clearly does a lot more than multi host, keeping SNAT centralized only might not fully satisfy this requirement.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Indeed nova-network offers SNAT at the compute node thus achieving distribution of N-S traffic.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I agree with Zang's point regarding wasting public IPs. On the other hand one IP per agent with double SNAT might be a reasonable compromise.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">And in that case I'm not sure whether sharing SNAT source IPs among tenants would have any security implications, so somebody else might comment there.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Summarizing, I think that distributing N-S traffic is important, but I don't think that to achieve this we'd necessarily need to implement SNAT at the compute nodes. I have reviewed the l3 agent part of the DVR work, it seems that there
will be floating IP distribution at the agent level - but I could not understand whether there will be also SNAT distribution.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Salvatore<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 3 July 2014 10:45, Zang MingJie <<a href="mailto:zealot0630@gmail.com" target="_blank">zealot0630@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">Although the SNAT DVR has some trade off, I still think it is<br>
necessary. Here is pros and cons for consideration:<br>
<br>
pros:<br>
<br>
save W-E bandwidth<br>
high availability (distributed, no single point failure)<br>
<br>
cons:<br>
<br>
waste public ips (one ip per compute node vs one ip per l3-agent, if<br>
double-SNAT implemented)<br>
different tenants may share SNAT source ips<br>
compute node requires public interface<br>
<br>
Under certain deployment, the cons may not cause problems, can we<br>
provide SNAT DVR as a alternative option, which can be fully<br>
controlled by could admin ? The admin chooses whether use it or not.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
>> To resolve the problem, we are using double-SNAT,<br>
><br>
>> first, set up one namespace for each router, SNAT tenant ip ranges to<br>
>> a separate range, say <a href="http://169.254.255.0/24" target="_blank">169.254.255.0/24</a><br>
><br>
>> then, SNAT from <a href="http://169.254.255.0/24" target="_blank">169.254.255.0/24</a> to public network.<br>
><br>
>> We are already using this method, and saved tons of ips in our<br>
>> deployment, only one public ip is required per router agent<br>
><br>
> Functionally it could works, but break the existing normal OAM pattern, which expecting VMs from one tenant share a public IP, but share no IP with other tenant. As I know, at least some customer don't accept this way, they think VMs in different hosts appear
as different public IP is very strange.<br>
><br>
> In fact I severely doubt the value of N-S distributing in a real commercialized production environment, including FIP. There are many things that traditional N-S central nodes need to control: security, auditing, logging, and so on, it is not the simple forwarding.
We need a tradeoff between performance and policy control model:<br>
><br>
> 1. N-S traffic is usually much less than W-E traffic, do we really need distribute N-S traffic besides W-E traffic?<br>
> 2. With NFV progress like intel DPDK, we can build very cost-effective service application on commodity x86 server (simple SNAT with 10Gbps/s per core at average Internet packet length)<br>
><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>