<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Vivek,<br>
    I will try to join the DVR meeting. Since it conflicts with one of
    my other meetings (from my real job), I may join late or may not be
    able to join at all. If I miss it, please see if you can join the
    FWaaS meeting at Wed 11:30AM PST on openstack-meeting-3.
    Otherwise, a separate meeting is still preferred.<br>
    <br>
    Thanks<br>
    Yi<br>
    <br>
    <div class="moz-cite-prefix">On 7/4/14, 12:23 AM, Narasimhan,
      Vivekanandan wrote:<br>
    </div>
    <blockquote
cite="mid:289BD3B977EE7247AB06499D1B4AF1C4269B37D8@G5W2725.americas.hpqcorp.net"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
            Yi,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Swami
            will be available from this week. 
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Will
            it be possible for you to join the regular DVR Meeting (Wed
            8AM PST) next week and we can slot that to discuss this?<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
            see that FWaaS is of much value for E/W traffic (which has
            challenges), but for me it looks easier to implement the
            same in N/S with the current DVR architecture, but there
            might be fewer takers on that.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">--<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Vivek<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Yi Sun [<a class="moz-txt-link-freetext" href="mailto:beyounn@gmail.com">mailto:beyounn@gmail.com</a>]
                <br>
                <b>Sent:</b> Thursday, July 03, 2014 11:50 AM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a><br>
                <b>Subject:</b> Re: [openstack-dev] DVR and FWaaS
                integration<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">The NS FW will
          be on a centralized node for sure. The DVR + FWaaS
          solution is really for EW traffic. If you are interested in
          the topic, please propose your preferred meeting time and join
          the meeting so that we can discuss it. <br>
          <br>
          Yi<o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 7/2/14, 7:05 PM, joehuang wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,
              </span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">It’s
                hard to integrate DVR and FWaaS. My proposal is to split
                the FWaaS into two parts: one part is for east-west
                FWaaS; this part could be done on the DVR side and made
                to work in a distributed manner. The other part is the
                north-south part; this part could be done on the Network
                Node side, which means it works in a centralized manner.
                After the split, north-south FWaaS could be implemented by
                software or hardware; meanwhile, east-west FWaaS is
                better implemented by software, given its distributed
                nature.</span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">Chaoyi
                Huang ( Joe Huang )</span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">OpenStack
                Solution Architect</span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">IT
                Product Line</span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">Tel:
                0086 755-28423202 Cell: 0086 158 118 117 96 Email:
                <a moz-do-not-send="true"
                  href="mailto:joehuang@huawei.com">joehuang@huawei.com</a></span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D">Huawei
                Area B2-3-D018S Bantian, Longgang District,Shenzhen
                518129, P.R.China
              </span><o:p></o:p></p>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
            <div style="border:none;border-top:solid #B5C4DF
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
                    style="font-size:10.0pt">From</span></b><b><span
                    style="font-size:10.0pt">:</span></b><span
                  style="font-size:10.0pt"> Yi Sun [<a
                    moz-do-not-send="true"
                    href="mailto:beyounn@gmail.com">mailto:beyounn@gmail.com</a>]
                  <br>
                  <b>Sent:</b> July 3, 2014 4:42<br>
                  <b>To:</b> OpenStack
                  Development Mailing List (not for usage questions)<br>
                  <b>Cc:</b> Kyle Mestery
                  (kmestery); Rajeev; Gary Duan; Carl (OpenStack
                  Neutron)<br>
                  <b>Subject:</b> Re:
                  [openstack-dev] DVR and FWaaS integration</span><o:p></o:p></p>
            </div>
            <p class="MsoNormal"
              style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
            <div>
              <p class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">All,<o:p></o:p></p>
              <div>
                <p class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">After
                  talking to Carl and the FWaaS team, both sides suggested
                  calling a meeting to discuss this topic in deeper
                  detail. I heard that Swami is traveling this week. So
                  I guess the earliest time we can have a meeting is
                  sometime next week. I will be out of town on Monday,
                  so any day after Monday should work for me. We can do
                  either IRC, Google Hangout, GMT or even face to
                  face.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">For
                  anyone interested, please propose your preferred
                  time. <o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Yi<o:p></o:p></p>
              </div>
            </div>
            <div>
              <p class="MsoNormal"
                style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
              <div>
                <p class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
                  Sun, Jun 29, 2014 at 12:43 PM, Carl Baldwin <<a
                    moz-do-not-send="true"
                    href="mailto:carl@ecbaldwin.net" target="_blank">carl@ecbaldwin.net</a>>
                  wrote:<o:p></o:p></p>
                <p>In line...<o:p></o:p></p>
                <div>
                  <p>On Jun 25, 2014 2:02 PM, "Yi Sun" <<a
                      moz-do-not-send="true"
                      href="mailto:beyounn@gmail.com" target="_blank">beyounn@gmail.com</a>>
                    wrote:<br>
                    ><br>
                    > All,<br>
                    > During last summit, we were talking about the
                    integration issues between DVR and FWaaS. After the
                    summit, I had one IRC meeting with DVR team. But
                    after that meeting I was tied up with my work and
                    did not get time to continue to follow up the issue.
                    To not slow down the discussion, I'm forwarding out
                    the email that I sent out as the follow up to the
                    IRC meeting here, so that whoever may be interested
                    in the topic can continue to discuss it.<br>
                    ><br>
                    > First some background about the issue:<br>
                    > In the normal case, FW and router are running
                    together inside the same box so that FW can get
                    route and NAT information from the router component.
                    And in order for the FW to function correctly, the FW
                    needs to see both directions of the traffic.<br>
                    > DVR is designed in an asymmetric way such that each
                    DVR only sees one leg of the traffic. If we build FW
                    on top of DVR, then FW functionality will be broken.
                    We need to find a good method to have FW work
                    with DVR.<br>
                    ><br>
                    > ---forwarding email---<br>
                    >  During the IRC meeting, we think that we could
                    force the traffic to the FW before DVR. Vivek had
                    more detail; he thinks that since the br-int knows
                    whether a packet is routed or switched, it is
                    possible for the br-int to forward traffic to FW
                    before it forwards to DVR. The whole forwarding
                    process can be operated as part of service-chain
                    operation. And there could be a FWaaS driver that
                    understands the DVR configuration to set up OVS flows
                    on the br-int.<o:p></o:p></p>
                </div>
                <p>I'm not sure what this solution would look like. 
                  I'll have to get the details from Vivek.  It seems
                  like this would effectively centralize the traffic
                  that we worked so hard to decentralize.<o:p></o:p></p>
                <p>It did cause me to wonder about something:  would it
                  be possible to reign the symmetry to the traffic by
                  directing any response traffic back to the DVR
                  component which handled the request traffic?  I guess
                  this would require running conntrack on the target
                  side to track and identify return traffic.  I'm not
                  sure how this would be inserted into the data path
                  yet.  This is a half-baked idea here.<o:p></o:p></p>
                <div>
                  <p>> The concern is that normally firewall and
                    router are integrated together so that firewall can
                    make the right decision based on the routing result. But
                    what we are suggesting is to split the firewall and
                    router into two separate components, hence there
                    could be issues. For example, FW will not be able to
                    get enough information to set up zones. Normally a zone
                    contains a group of interfaces that can be used in
                    the firewall policy to enforce the direction of the
                    policy. If we forward traffic to firewall before
                    DVR, then we can only create policy based on subnets
                    not the interface. <br>
                    > Also, I’m not sure if we have ever planned to
                    support SNAT on the DVR, but if we do, then
                    depending on at which point we forward traffic to the
                    FW, the subnet may not even work for us anymore
                    (even DNAT could have problems too). <o:p></o:p></p>
                </div>
                <p>I agree that splitting the firewall from routing
                  presents some problems that may be difficult to
                  overcome.  I don't know how it would be done while
                  maintaining the benefits of DVR.<o:p></o:p></p>
                <p>Another half-baked idea:  could multi-primary state
                  replication be used between DVR components to enable
                  firewall operation?  Maybe work on the HA router
                  blueprint -- which is long overdue to be merged Btw --
                  could be leveraged.  The number of DVR "pieces" could
                  easily far exceed that of active firewall components
                  normally used in such a configuration so there could
                  be a major scaling problem.  I'm really just thinking
                  out loud here.<o:p></o:p></p>
                <p>Maybe you (or others) have other ideas?<o:p></o:p></p>
                <div>
                  <p>> Another thing that I may have to get detail is
                    how we handle the overlap subnet; it seems that
                    the new namespaces are required.<o:p></o:p></p>
                </div>
                <p>Can you elaborate here?<o:p></o:p></p>
                <p><span style="color:#888888">Carl</span><o:p></o:p></p>
                <div>
                  <p class="MsoNormal"
                    style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">><br>
                    > --- end of forwarding ----<br>
                    ><br>
                    > YI<br>
                    ><br>
                    ><o:p></o:p></p>
                </div>
                <div>
                  <p class="MsoNormal"
                    style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">>
                    _______________________________________________<br>
                    > OpenStack-dev mailing list<br>
                    > <a moz-do-not-send="true"
                      href="mailto:OpenStack-dev@lists.openstack.org"
                      target="_blank">OpenStack-dev@lists.openstack.org</a><br>
                    > <a moz-do-not-send="true"
                      href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
                      target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
                    ><o:p></o:p></p>
                </div>
              </div>
              <p class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
                <br clear="all">
                <o:p></o:p></p>
              <div>
                <p class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
              </div>
              <p class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--
                <br>
                Android-x86<br>
                <a moz-do-not-send="true"
                  href="http://www.android-x86.org">http://www.android-x86.org</a>
                <o:p></o:p></p>
            </div>
          </div>
        </blockquote>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
    </blockquote>
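    <p>The background problem stated in the thread (a stateful FW must see both directions, while each DVR instance sees only one leg of east-west traffic) can be shown with a small model. This is an added example, not part of the original e-mails and not Neutron or FWaaS code; the addresses, node names, policy and the rule that a packet is routed on its source VM's compute node are constructed assumptions.</p>

```python
"""Constructed model (not Neutron code): per-node stateful filtering under
asymmetric east-west routing versus one centralized firewall."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True only for the segment that opens a connection


@dataclass
class StatefulFirewall:
    allow_new: list  # (src network, dst network, dst port) allowed to open
    conntrack: set = field(default_factory=set)

    def _permits_new(self, p: Packet) -> bool:
        return any(
            ip_address(p.src) in ip_network(s)
            and ip_address(p.dst) in ip_network(d)
            and p.dport == port
            for s, d, port in self.allow_new
        )

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"  # matches state this instance created earlier
        if p.syn_only and self._permits_new(p):
            self.conntrack.add(flow)
            return "ACCEPT"  # new connection permitted by policy
        return "DROP"  # no state here and not allowed to open one


# Constructed sample data: two VMs on different subnets and compute nodes.
POLICY = [("10.0.1.0/24", "10.0.2.0/24", 22)]
HOST_OF = {"10.0.1.5": "compute-1", "10.0.2.7": "compute-2"}
EXCHANGE = [
    Packet("10.0.1.5", 40000, "10.0.2.7", 22, True),    # SYN
    Packet("10.0.2.7", 22, "10.0.1.5", 40000, False),   # SYN-ACK
    Packet("10.0.1.5", 40000, "10.0.2.7", 22, False),   # ACK
]


def centralized(exchange):
    """One firewall beside one router: both directions cross the same state table."""
    fw = StatefulFirewall(POLICY)
    return [fw.filter(p) for p in exchange]


def distributed(exchange):
    """Assumption: each packet is routed, and filtered, on its source VM's node."""
    fws = {host: StatefulFirewall(POLICY) for host in set(HOST_OF.values())}
    return [fws[HOST_OF[p.src]].filter(p) for p in exchange]


if __name__ == "__main__":
    print("centralized:", centralized(EXCHANGE))
    print("distributed:", distributed(EXCHANGE))
```

    <p>In the distributed run the SYN-ACK reaches a firewall instance that never saw the SYN, so it has no state to match and the handshake cannot complete.</p>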
    <br>
  </body>
</html>