[ovs-dev] SFC: How about stages in both pipelines?

John McDowall jmcdowall at paloaltonetworks.com
Mon Jul 18 04:23:17 UTC 2016


Ryan,

We see this use case a lot - essentially a FW between logical network segments, and one could be the internet. It is not so much a chain but a link in a chain :-0. The complexity is using load-balancers to scale the firewall to support the scale of the application load, which ends up looking like this (excuse my ascii art).

                 |-- FW --|           |-- App
Internet -> LB1 -|-- FW --|-- LB2 ----|-- App
                 |-- FW --|           |-- App
                                      |-- App
                                      |-- App


Now if OVS/OVN can do the load balancing the picture becomes simpler and more interesting.

Thoughts?

j
From: Ryan Moats <rmoats at us.ibm.com>
Date: Sunday, July 17, 2016 at 7:02 PM
To: John McDowall <jmcdowall at paloaltonetworks.com>
Cc: "dev at openvswitch.org" <dev at openvswitch.org>
Subject: Re: SFC: How about stages in both pipelines?


John McDowall <jmcdowall at paloaltonetworks.com> wrote on 07/17/2016 08:18:48 PM:

> From: John McDowall <jmcdowall at paloaltonetworks.com>
> To: Ryan Moats/Omaha/IBM at IBMUS
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Date: 07/17/2016 08:18 PM
> Subject: Re: SFC: How about stages in both pipelines?
>
> Ryan,
>
> I assume you are thinking about L3 VNF support?
>
> If so yes I need to think this through - any ideas would be appreciated
>
> Regards
>
> John
>
> From: Ryan Moats <rmoats at us.ibm.com>
> Date: Sunday, July 17, 2016 at 6:15 PM
> To: John McDowall <jmcdowall at paloaltonetworks.com>
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Subject: SFC: How about stages in both pipelines?
>
> John-
>
> To date, I think we've talked about adding an
> SFC stage to the ingress pipeline for logical
> switch datapaths and how to enable that via
> OpenStack/Neutron. Since OVN doesn't have to
> assume OpenStack as the CMS, I think we should
> also be adding that stage to the ingress
> pipeline of the logical router datapath.
>
>
> Ryan

I don't think I'm talking about L3 VNF support (at least
not the way I've heard the term used previously).

Rather, I'm thinking of how I might support VNFs that work
at network edges or boundaries (for example, an IDS/IPS for
traffic from the Internet).  Since such VNFs would be
looking at inter-network traffic only, I don't think it
makes sense to shoehorn them into the logical datapath
associated with a logical switch as that would require
making the ACLs more complex to ensure they don't have to
handle intra-network traffic.  Since inter-network traffic
will pass through at least one logical datapath associated
with a logical router, I'm thinking adding an SFC stage
to the logical router's ingress pipeline would support
this scenario fairly cleanly at the OVN level.

I admit that I've no ideas yet on how to set up
networking-sfc to support such a scenario, but that
doesn't mean we can't add the code to OVN to support it.

Ryan
