jmcdowall at paloaltonetworks.com
Tue Mar 22 15:47:44 UTC 2016
Thanks for replying. I did chat briefly to one of the authors of SFC last week and will talk with them more.
I will admit I am coming at the general service insertion problem from a very specific use case; easily protecting east-west traffic between applications by dynamically inserting a NGFW as a VNF; so my viewpoint is slightly slanted ;-).
To answer your specific questions:
1. I think the Service Chaining/Insertion API will work for this effort too as the concept of port-pairs fits well with what I have done. As the API I have created is just "syntactical sugar” changing it is not a big deal. The two issues I see are 1) the classifier, as the firewall is a (DPI) classifier this step may not be necessary or it could act as a pre-filter, and 2) the ability to steer traffic to a specific application through the VNF. In general though I think we could make it work.
2. There has to be some changes at the networking layer to steer traffic into new paths defined by the API, and as Russell points out the majority of the work is in OVN. The changes to Open vSwitch are only in the ovn-nb layer and are additive, i.e. They do not change the current behavior only layer on top. In Openstack I have tried to isolate the changes to follow the neutron plugin model. Is there a better way to do it? If OVN had a plugin model would that help?
[Palo Alto Networks Ignite 2016]<http://go.paloaltonetworks.com/ignitereg>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev