[openstack-dev] [Neutron][IPAM] Uniqueness of subnets within a tenant

Carl Baldwin carl at ecbaldwin.net
Tue Mar 10 17:24:04 UTC 2015

Neutron currently does not enforce the uniqueness, or non-overlap, of
subnet cidrs within the address scope for a single tenant.  For
example, if a tenant chooses to use on more than one
subnet, he or she is free to do so.  Problems will arise when trying
to connect a router between these subnets but that is left up to the
tenant to work out.

In the current IPAM rework, we had decided to allow this overlap in
the reference implementation for backward compatibility.  However,
we've hit a snag.  It would be convenient to use the subnet cidr as
the handle with which to refer to a previously allocated subnet when
talking to IPAM.  If overlap is allowed, this is not possible and we
need to come up with another identifier such as Neutron's subnet_id or
another unique IPAM specific ID.  It could be a burden on an external
IPAM system -- which does not allow overlap -- to work with a
completely separate identifier for a subnet.

I do not know of anyone using this capability (or mis-feature) of
Neutron.  I would hope that tenants are aware of the issues with
trying to route between subnets with overlapping address spaces and
would avoid it.  Is this potential overlap something that we should
really be worried about?  Could we just add the assumption that
subnets do not overlap within a tenant's scope?

An important thing to note is that this topic is different than
allowing overlap of cidrs between tenants.  Neutron will continue to
allow overlap of addresses between tenants and support the isolation
of these address spaces.  The IPAM rework will support this.

Carl Baldwin
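The "no overlap within a tenant, overlap allowed between tenants" rule the message proposes, as an added illustration that is not Neutron's code: a check that rejects a new cidr if it overlaps any existing subnet of the same tenant, and a lookup that uses the (tenant, cidr) pair as the handle the IPAM discussion wants. The tenant ids and cidrs are constructed sample data.

```python
import ipaddress


def sample_subnets():
    """Constructed sample: existing subnets keyed by tenant id."""
    return {
        "tenant-a": ["10.0.0.0/24", "10.0.1.0/24", "192.168.0.0/16"],
        # Same cidr as tenant-a: overlap between tenants stays allowed.
        "tenant-b": ["10.0.0.0/24"],
    }


def find_overlap(tenant_id, cidr, existing):
    """Return the first cidr of this tenant that overlaps `cidr`, else None.

    strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/24),
    so only well-formed network addresses are compared.
    """
    new_net = ipaddress.ip_network(cidr, strict=True)
    for other in existing.get(tenant_id, []):
        other_net = ipaddress.ip_network(other, strict=True)
        if other_net.version != new_net.version:
            continue  # IPv4 and IPv6 prefixes never overlap
        if new_net.overlaps(other_net):  # covers subnet, supernet and equality
            return other
    return None


def is_allocatable(tenant_id, cidr, existing):
    """True if `cidr` is well-formed and overlaps nothing in the tenant's scope."""
    try:
        return find_overlap(tenant_id, cidr, existing) is None
    except ValueError:  # malformed cidr or host bits set
        return False


def allocate_subnet(tenant_id, cidr, existing):
    """Record a subnet for the tenant, refusing overlap within that scope."""
    if not is_allocatable(tenant_id, cidr, existing):
        raise ValueError(f"{cidr} is not allocatable for {tenant_id}")
    existing.setdefault(tenant_id, []).append(cidr)
    return cidr


def lookup_by_cidr(tenant_id, cidr, existing):
    """With overlap forbidden per tenant, (tenant_id, cidr) is a unique handle."""
    want = ipaddress.ip_network(cidr, strict=True)
    for other in existing.get(tenant_id, []):
        if ipaddress.ip_network(other, strict=True) == want:
            return other
    return None
```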
