[ovs-dev] SFC: How about stages in both pipelines?

Ryan Moats rmoats at us.ibm.com
Mon Jul 18 04:43:28 UTC 2016


John McDowall <jmcdowall at paloaltonetworks.com> wrote on 07/17/2016 11:23:17 PM:

> From: John McDowall <jmcdowall at paloaltonetworks.com>
> To: Ryan Moats/Omaha/IBM at IBMUS
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Date: 07/17/2016 11:23 PM
> Subject: Re: SFC: How about stages in both pipelines?
>
> Ryan,
>
> We see this use case a lot – essentially a FW between logical
> network segments, and one could be the internet. It is not so much a
> chain but a link in a chain :-0. The complexity is using load-balancers
> to scale the firewall to support the scale of the application load.
> Which ends up looking like this (excuse my ascii art).
>
>                                            | — App
>                  |——FW —- |                | — App
> Internet -> LB1--|——FW --- |— LB2—---      | — App
>                  |——FW —- |                | — App
>                                            | — App
>
> Now if OVS/OVN can do the load balancing the picture becomes
> simpler and more interesting.
>
> Thoughts?
>
> j

First, you've jumped way ahead of me here with your example above
as I'm still trying to crawl :)  Still, the important concept
is the fact that you are doing this at network borders...

You did see that Guru landed a set of patches that added
native LB capabilities into OVS/OVN itself?  I admit that I've
not looked at them in any great detail to date, but they are
there...

Ryan

> From: Ryan Moats <rmoats at us.ibm.com>
> Date: Sunday, July 17, 2016 at 7:02 PM
> To: John McDowall <jmcdowall at paloaltonetworks.com>
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Subject: Re: SFC: How about stages in both pipelines?
>
> John McDowall <jmcdowall at paloaltonetworks.com> wrote on 07/17/2016
> 08:18:48 PM:
>
> > From: John McDowall <jmcdowall at paloaltonetworks.com>
> > To: Ryan Moats/Omaha/IBM at IBMUS
> > Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> > Date: 07/17/2016 08:18 PM
> > Subject: Re: SFC: How about stages in both pipelines?
> >
> > Ryan,
> >
> > I assume you are thinking about L3 VNF support?
> >
> > If so yes I need to think this through – any ideas would be appreciated
> >
> > Regards
> >
> > John
> >
> > From: Ryan Moats <rmoats at us.ibm.com>
> > Date: Sunday, July 17, 2016 at 6:15 PM
> > To: John McDowall <jmcdowall at paloaltonetworks.com>
> > Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> > Subject: SFC: How about stages in both pipelines?
> >
> > John-
> >
> > To date, I think we've talked about adding an
> > SFC stage to the ingress pipeline for logical
> > switch datapaths and how to enable that via
> > OpenStack/Neutron. Since OVN doesn't have to
> > assume OpenStack as the CMS, I think we should
> > also be adding that stage to the ingress
> > pipeline of the logical router datapath.
> >
> >
> > Ryan
>
> I don't think I'm talking about L3 VNF support (at least
> not the way I've heard the term used previously).
>
> Rather, I'm thinking of how I might support VNFs that work
> at network edges or boundaries (for example, an IDS/IPS for
> traffic from the Internet).  Since such VNFs would be
> looking at inter-network traffic only, I don't think it
> makes sense to shoehorn them into the logical datapath
> associated with a logical switch as that would require
> making the ACLs more complex to ensure they don't have to
> handle intra-network traffic.  Since inter-network traffic
> will pass through at least one logical datapath associated
> with a logical router, I'm thinking adding an SFC stage
> to the logical router's ingress pipeline would support
> this scenario fairly cleanly at the OVN level.
>
> I admit that I've no ideas yet on how to set up
> networking-sfc to support such a scenario, but that
> doesn't mean we can't add the code to OVN to support it.
>
> Ryan
