Open Stack

Ryan,

My (incomplete) throughts about the flow-classifier are:

1)  ACL’s are more about denying access, while the flow classifier is more about steering selected traffic to a path, so we would need to deny-all except allowed flows.
2)  The networking-sfc team has done a nice job with the drivers so ovn has its own flow-classifier driver which allows us to align the flow-classifier with the matches supported in ovs/ovn, which could be an advantage.

What were your thoughts on the schema it adds a lot of tables and a lot of commands – cannot think of anyway around it

Regards

John

From: Ryan Moats <rmoats at us.ibm.com<mailto:rmoats at us.ibm.com>>
Date: Wednesday, May 25, 2016 at 9:12 PM
To: John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>>
Cc: Ben Pfaff <blp at ovn.org<mailto:blp at ovn.org>>, "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>, Justin Pettit <jpettit at ovn.org<mailto:jpettit at ovn.org>>, OpenStack Development Mailing List <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>, Russell Bryant <russell at ovn.org<mailto:russell at ovn.org>>
Subject: Re: [OVN] [networking-ovn] [networking-sfc] SFC and OVN


John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>> wrote on 05/25/2016 07:27:46 PM:

> From: John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>>
> To: Ryan Moats/Omaha/IBM at IBMUS
> Cc: "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>, "OpenStack
> Development Mailing List" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>, Ben
> Pfaff <blp at ovn.org<mailto:blp at ovn.org>>, Justin Pettit <jpettit at ovn.org<mailto:jpettit at ovn.org>>, Russell Bryant
> <russell at ovn.org<mailto:russell at ovn.org>>
> Date: 05/25/2016 07:28 PM
> Subject: Re: [OVN] [networking-ovn] [networking-sfc] SFC and OVN
>
> Ryan,
>
> Ok – I will let the experts weigh in on load balancing.
>
> In the meantime I have attached a couple of files to show where I am
> going. The first is sfc_dict.py and is a representation of the dict
> I am passing from SFC to OVN. This will then translate to the
> attached ovn-nb schema file.
>
> One of my concerns is that SFC almost doubles the size of the ovn-nb
> schema but I could not think of any other way of doing it.
>
> Thoughts?
>
> John

The dictionary looks fine for a starting point, and the more I look
at the classifier, the more I wonder if we can't do something with
the current ACL table to avoid duplication in the NB database
definition...

Ryan

> From: Ryan Moats <rmoats at us.ibm.com<mailto:rmoats at us.ibm.com>>
> Date: Wednesday, May 25, 2016 at 7:27 AM
> To: John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>>
> Cc: "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>, OpenStack
> Development Mailing List <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>, Ben Pfaff <
> blp at ovn.org<mailto:blp at ovn.org>>, Justin Pettit <jpettit at ovn.org<mailto:jpettit at ovn.org>>, Russell Bryant <russell at ovn.org<mailto:russell at ovn.org>
> >
> Subject: Re: [OVN] [networking-ovn] [networking-sfc] SFC and OVN
>
> John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>> wrote on 05/24/2016
> 06:33:05 PM:
>
> > From: John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>>
> > To: Ryan Moats/Omaha/IBM at IBMUS
> > Cc: "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>, "OpenStack
> > Development Mailing List" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
> > Date: 05/24/2016 06:33 PM
> > Subject: Re: [OVN] [networking-ovn] [networking-sfc] SFC and OVN
> >
> > Ryan,
> >
> > Thanks for getting back to me and pointing me in a more OVS like
> > direction. What you say makes sense, let me hack something together.
> > I have been a little distracted getting some use cases together. The
> > other area is how to better map the flow-classifier I have been
> > thinking about it a little, but I will leave it till after we get
> > the chains done.
> >
> > Your load-balancing comment was very interesting – I saw some
> > patches for load-balancing a few months ago but nothing since. It
> > would be great if we could align with load-balancing as that would
> > make a really powerful solution.
> >
> > Regards
> >
> > John
>
> John-
>
> For the load balancing, I believe that you'll want to look at
> openvswitch's select group, as that should let you set up multiple
> buckets for each egress port in the port pairs that make up a port
> group.
>
> As I understand it, Table 0 identifies the logical port and logical
> flow. I'm worried that this means we'll end up with separate bucket
> rules for each ingress port of the port pairs that make up a port
> group, leading to a cardinality product in the number of rules.
> I'm trying to think of a way where Table 0 could identify the packet
> as being part of a particular port group, and then I'd only need one
> set of bucket rules to figure out the egress side.  However, the
> amount of free metadata space is limited and so before we go down
> this path, I'm going to pull Justin, Ben and Russell in to see if
> they buy into this idea or if they can think of an alternative.
>
> Ryan
>
> >
> > From: Ryan Moats <rmoats at us.ibm.com<mailto:rmoats at us.ibm.com>>
> > Date: Monday, May 23, 2016 at 9:06 PM
> > To: John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>>
> > Cc: "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>, OpenStack
> > Development Mailing List <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
> > Subject: Re: [OVN] [networking-ovn] [networking-sfc] SFC and OVN
> >
> > John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>> wrote on 05/18/2016
> > 03:55:14 PM:
> >
> > > From: John McDowall <jmcdowall at paloaltonetworks.com<mailto:jmcdowall at paloaltonetworks.com>>
> > > To: Ryan Moats/Omaha/IBM at IBMUS
> > > Cc: "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>, "OpenStack
> > > Development Mailing List" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
> > > Date: 05/18/2016 03:55 PM
> > > Subject: Re: [OVN] [networking-ovn] [networking-sfc] SFC and OVN
> > >
> > > Ryan,
> > >
> > > OK all three repos and now aligned with their masters. I have done
> > > some simple level system tests and I can steer traffic to a single
> > > VNF.  Note: some additional changes to networking-sfc to catch-up
> > > with their changes.
> > >
> > > https://github.com/doonhammer/networking-sfc<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_doonhammer_networking-2Dsfc&d=CwMGaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=0T7hW53tsu4PwbApb_PlWdyNjpl4k6lBgUq3-Aj3tTc&s=Tuf_JX3hZ8fJSQseumKQ9cBtNPxMpuDFnaBU34Wez38&e=>
> > > https://github.com/doonhammer/networking-ovn<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_doonhammer_networking-2Dovn&d=CwMGaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=0T7hW53tsu4PwbApb_PlWdyNjpl4k6lBgUq3-Aj3tTc&s=bVdEq5WznPpgkVCU24JSbbahL8sTg8lM3_TdSq96Hig&e=>
> > > https://github.com/doonhammer/ovs<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_doonhammer_ovs&d=CwMGaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=0T7hW53tsu4PwbApb_PlWdyNjpl4k6lBgUq3-Aj3tTc&s=1r6YLsZYMUnpf8NvpPdDnEt1gJeLjv3U6UAlKnVCrsc&e=>
> > >
> > > The next tasks I see are:
> > >
> > > 1. Decouple networking-sfc and networking-ovn. I am thinking that I
> > > will pass a nested port-chain dictionary holding port-pairs/port-
> > > pair-groups/flow-classifiers from networking-sfc to networking-ovn.
> > > 2. Align the interface between networking-ovn and ovs/ovn to match
> > > the nested dictionary in 1.
> > > 3. Modify the ovn-nb schema and ovn-northd.c to march the port-
> chain model.
> > > 4. Add ability to support chain of port-pairs
> > > 5. Think about flow-classifiers and how best to map them, today I
> > > just map the logical-port and ignore everything else.
> > >
> > > Any other suggestions/feedback?
> > >
> > > Regards
> > >
> > > John
> >
> > John-
> >
> > (Sorry for sending this twice, but I forgot that text/html is not liked
> > by the mailing lists ...)
> >
> > My apologies for not answering this sooner - I was giving a two day
> > training on Tues/Wed last week and came back to my son graduating
> > from HS the next day, so things have been a bit of a whirlwind here.
> >
> > Looking at the github repos, I like the idea of passing a dictionary
> > from networking-sfc to networking-ovn. The flow classifiers should
> > be relatively straightforward to map to ovs match rules (famous last
> > words)...
> >
> > I've probably missed an orbit here, but in the ovn-northd implementation,
> > I was expecting to find service chains in the egress and router pipelines
> > in addition to the ingress pipeline (see below for why I think a service
> > chain stage in the egress pipeline makes sense ...)
> >
> > Also, in the ovn-northd implementation, I'm a little disturbed to see the
> > ingress side of the service chain sending packets to output ports - I
> > think that a more scalable (and more "ovs-like" approach) would be to
> > match the egress side of a port pair in the chaining stage of the
> > ingress pipeline, with an action that  set the input port register.
> > Then the egress pipeline would have a chaining stage where the output
> > port register would be set based on the ingress port of the next port
> > pair in the chain and the packet being punted to the proper output port
> > in the last table.  That should automagically build your function chain
> > and provide the basis for bucketizing multiple ingress ports for the
> > next port group to support hash based load balancing.
> >
> > Does that make sense?
> >
> > Ryan[attachment "ovn-nb.ovsschema.sfc" deleted by Ryan Moats/
> Omaha/IBM] [attachment "sfc_dict.py" deleted by Ryan Moats/Omaha/IBM]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160526/2c3f075c/attachment.html>