[openstack-dev] [Neutron][IPAM] Address Scopes (was: Uniqueness of subnets within a tenant)

Carl Baldwin carl at ecbaldwin.net
Mon Mar 23 17:17:55 UTC 2015

On Mon, Mar 23, 2015 at 8:56 AM, John Belamaric <jbelamaric at infoblox.com> wrote:
> On 3/22/15, 8:05 PM, "Ian Wells" <ijw.ubuntu at cack.org.uk> wrote:
>> Seems to me that an address pool corresponds to a network area that you can
>> route across (because routing only works over a network with unique
>> addresses and that's what an address pool does for you).  We have those
>> areas and we use NAT to separate them (setting aside the occasional isolated
>> network area with no external connections).  But NAT doesn't separate
>> tenants, it separates externally connected routers: one tenant can have many
>> of those routers, or one router can be connected to networks in both
>> tenants.  We just happen to frequently use the one external router per
>> tenant model, which is why address pools *appear* to be one per tenant.  I
>> think, more accurately, an external router should be given an address pool,
>> and tenants have nothing to do with it.
>
> I think conflating address pools with routable space is a mistake. To me,
> this is the concept of "address scope" which I see as distinct from pool.
> For example, a single shared routable space may have several pools, each a
> /8 which is owned by a specific tenant. This is something that I would like
> to see in Liberty, making the concept of an address scope a first class
> concept. Routers would be able to attach only to networks within the same
> scope, unless NAT was applied.

I agree with both of you.  Ian states that "address pools correspond
to a network area that you can route across."  That is true, for now.
John is also correct that they are not one and the same.  At some
point, we may need a first class "scope" which will formally group
address pools that are carved out of the same scope.  Until that
point, we can only assume that each pool is in its own scope.  I think
this is okay as long as we understand that they are different concepts
but that current API limitations force us to assume this.  I don't
know when this point will be.

Salvatore is also correct that I have a BP lined up to write very soon
about this for Liberty.  I don't know yet how far it will reach.  It
will likely formalize some of the assumptions that we already make
about address scopes.  At that point, it will probably not be much of
a stretch to add the first class scope concept.  It will likely be
used to prevent cross-plugging scopes using a router without NAT.  It
may also generalize how NAT is applied in Neutron.  I don't know.  As
Salvatore said, we should probably have that discussion on that BP.  I
will try to get it out sooner than later.
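
The rule discussed in this message (several tenant-owned pools inside one scope, and a router joining networks from different scopes only through NAT), as an added example that is not part of the original thread and is not Neutron code. The names `AddressScope`, `Router`, `add_pool`, `subnet` and `attach` are hypothetical, and the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

class ScopeError(ValueError): pass  # an address-scope rule would be violated

@dataclass
class AddressScope:
    """Hypothetical model: one routable space holding several pools."""
    name: str
    pools: dict = field(default_factory=dict)  # pool name -> (owner, network)

    def add_pool(self, pool, owner, cidr):
        # Routing needs unique addresses, so pools in one scope must not overlap.
        net = ipaddress.ip_network(cidr)
        for other, (_, other_net) in self.pools.items():
            if net.version == other_net.version and net.overlaps(other_net):
                raise ScopeError(f"{pool} overlaps {other} in scope {self.name}")
        self.pools[pool] = (owner, net)

    def subnet(self, pool, cidr):
        # A subnet must be carved out of the pool it is allocated from.
        net = ipaddress.ip_network(cidr)
        pool_net = self.pools[pool][1]
        if net.version != pool_net.version or not net.subnet_of(pool_net):
            raise ScopeError(f"{net} is outside {pool} ({pool_net})")
        return net

@dataclass
class Router:
    """Hypothetical router that tracks the scope of each attached subnet."""
    name: str
    ports: list = field(default_factory=list)  # (scope name, network, nat)

    def attach(self, scope, net, nat=False):
        # Ports without NAT must all sit in one scope; NAT ports may differ.
        routed = {s for s, _, n in self.ports if not n}
        if not nat and routed and scope.name not in routed:
            raise ScopeError(f"{net} is in scope {scope.name}, not {routed}")
        self.ports.append((scope.name, net, nat))

def demo():
    # Constructed sample: two tenant-owned /8 pools in one shared scope.
    shared, other = AddressScope("shared"), AddressScope("other")
    shared.add_pool("pool-a", "tenant-a", "10.0.0.0/8")
    shared.add_pool("pool-b", "tenant-b", "11.0.0.0/8")
    other.add_pool("pool-c", "tenant-c", "10.0.0.0/8")  # reuse is fine across scopes
    router = Router("r1")
    router.attach(shared, shared.subnet("pool-a", "10.1.0.0/24"))
    return shared, other, router
```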

