<div dir="ltr">Hi Henry,<div><br></div><div>Thanks for your suggestion. As you wrote, your approach can solve part problem.</div><div>I believe there's a good reason(Maybe Carl's guess is right. It's a programmer's "good" habit to leave something for latecomers :).) for AT coupled with Router, but on the face of it, AT should be separated from Router, at least SNAT. IMHO it's better to provide a unified service including all kinds of AT, such as FIP, SNAT and DNAT.</div><div><br></div><div>BR,</div><div>Germy</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 7, 2014 at 2:42 PM, Germy Lure <span dir="ltr"><<a href="mailto:germy.lure@gmail.com" target="_blank">germy.lure@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Akilesh,<div>Thanks for your response. I have some comments inline.</div><div><br></div><div>BR,</div><div>Germy<br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Thu, Nov 6, 2014 at 10:56 PM, Akilesh K <span dir="ltr"><<a href="mailto:akilesh1597@gmail.com" target="_blank">akilesh1597@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Hi Geremy,<br><br></div><div>It is necessary to not think of openstack as a way to replace all functionality of your enterprise data center, but rather to better utilize your resources. So I believe you should still continue to use your enterprise devices to do Address Translation outside of OpenStack. Why I say so is Address Translation is not necessarily a 'cloud' service. All you want in your cloud is servers, private and public networks, and firewall to secure them. <br></div></div></blockquote></span><div><font color="#0b5394">As you said, we really need private and public networks. And we also need communication between them, from private to public and the opposite direction. So how to do this without AT? I think this is just the reason that the community introduces AT into Neutron so early, although, it is a little simple IMO.</font></div><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Anything more than that should be kept external and decoupled to OpenStack. But as I said before OpenStack is to an extent modular and I believe its
getting better. As of now if you are using just 'neutron-l3-agent' it
will do 'snat' to the ip address of your router attaching to 'external
network' , but you can always add an extra service on top of 'neutron-l3-agent' to do address translation alone as per your needs. <br></div></div></blockquote></span><div><font color="#0b5394">Good idea. But I think as a cloud platform, a flexible and extendable architecture is more important. Agent-style or Controller-style is just an implementation for the architecture. People can always deal with such a problem. My ugly extension and your "add an extra service" are both one of those "solution". But they should not be the Neutron's solution. I don't think Neutron's goal is keeping AT external.</font></div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 6, 2014 at 6:28 PM, Henry <span dir="ltr"><<a href="mailto:henry4hly@gmail.com" target="_blank">henry4hly@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF"><div>So, do you mean that we need a better way to control snat ip address? I think it make sense, but maybe simple attribute extension can solve part problem, no need to separate it at this time. For example, add a snat-ip field in the route, like fip.</div><div><br></div><div>However if multiple snat ip is needed, and control which tenant ip is served by each snat ip, separate plugin may be needed.</div><div><br><br>Sent from my iPad</div><div><br>On 2014-11-6, at 下午6:21, Germy Lure <<a href="mailto:germy.lure@gmail.com" target="_blank">germy.lure@gmail.com</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div><div dir="ltr">Hi Carl and Akilesh,<div><br></div><div>Thank you for your response and explanation.</div><div>My manager tells me that enterprises usually use several IP addresses and ports for AT while Neutron just use external gateway port fixed IP for SNAT. I found that if I extended the SNAT attributes, the L3 plugin will be very complex. So I must tolerate this to provider more useful SNAT feature which is really what customer needs.</div><div>I think as a separated service, SNAT will be easier to do this or even it can support those scenarios.</div><div>We known that VPNaaS and FwaaS dependent on L3 route service but not AT which also dependents on L3. From this point, L2 is the core of network service and L3 is the core of other advanced services. ML3 is coming.<br></div><div>Besides, It's strange that L3's API contains a field called "snat_enable". Isn't it?</div><div><br></div><div>BR,</div><div>Germy</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 5:37 PM, Akilesh K <span dir="ltr"><<a href="mailto:akilesh1597@gmail.com" target="_blank">akilesh1597@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><div>@Germy Lure,<br></div>I cannot give you a direct answer as I am not a developer. <br><br>But let me point out that openstack can make use of many agents for l3 and above and not just neutron-l3-agent. You may even create your own agent.<br><br>The 'neutron-l3-agent' works that way just to keep things simple. One point to consider is that Tenants may share same network space. So it becomes necessary to tie a router which belongs to a tenant to the tenant's security groups. If you try to distribute routing and firewall service you might end up making it too complicated. <br></div><br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 5, 2014 at 2:40 PM, Carl Baldwin <span dir="ltr"><<a href="mailto:carl@ecbaldwin.net" target="_blank">carl@ecbaldwin.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><p dir="ltr">I don't think I know the precise answer to your question. My best guess is that floating ips were one of the initial core L3 features implemented before other advanced services existed. Implementing them in this way may have been the path of least resistance at the time.</p>
<p dir="ltr">Are you suggesting a change? What change? What advantages would your change bring? Do you see something fundamentally wrong with the current approach? Does it have some deficiency that you can point out? Basically, we need a suggested modification with some good justification to spend time making that modification.</p>
<p dir="ltr">Carl</p>
<div style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div dir="ltr">Hi,<div><br></div><div>Address Translation(FIP, snat and dnat) looks like an advanced service. Why it is integrated into L3 router? Actually, this is not how it's done in practice. They are usually provided by Firewall device but not router.<br></div><div><br></div><div>What's the design concept?</div><div><br></div><div>Thanks&Regards,</div><div>Germy</div></div>
<br></div></div>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>OpenStack-dev mailing list</span><br><span><a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a></span><br><span><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></span><br></div></blockquote></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div></div></div><br></div></div></div>
</blockquote></div><br></div>