15:03:41 <tmorin1> #startmeeting bgpvpn 15:03:41 <openstack> Meeting started Tue Jul 28 15:03:41 2015 UTC and is due to finish in 60 minutes. The chair is tmorin1. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:03:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:03:45 <openstack> The meeting name has been set to 'bgpvpn' 15:03:55 <tmorin1> hi everyone 15:04:11 <tmorin1> hi svinota pcarver doude matrohon 15:04:19 <svinota> hi! 15:04:20 <matrohon> hi 15:04:26 <janscheurich> hi 15:04:29 <pcarver> hi 15:04:29 <tmorin1> hi jan 15:04:35 <doude> hi 15:05:16 <tmorin1> are we waiting for anyone else ? 15:05:35 <tmorin1> doesn't seem so 15:05:41 <tmorin1> #topic API 15:05:53 <tmorin1> we have a few items to close on the API 15:06:12 <tmorin1> first it the API URIs/JSON for the associations 15:06:16 <tmorin1> matrohon ? 15:06:24 <matrohon> ok 15:06:41 <matrohon> so this concern the association 15:07:13 <matrohon> the current proposal for the URI doesn't seem reasonnable regarding the neutron framework 15:07:41 <matrohon> I still have to dig into the framework to have a better idea of what is doable 15:08:16 <janscheurich> Is it a problem to follow the API model used for router interfaces? 15:08:30 <matrohon> but it seem we have to choose between an "action" URI : associate/disassociate_network 15:09:05 <matrohon> janscheurich : this first proposal whould lead to the model used for router interfaces 15:09:38 <tmorin1> janscheurich: the issue is not specific to router association, same issue for network association 15:09:59 <janscheurich> Understood 15:10:23 <matrohon> but the fact is that with the model used for router interfaces doesn't include the network uuid at the end of the URI 15:10:25 <tmorin1> as I understand, if we have an association in the URI, what follows must be an association uuid, and can't be a BGPVPN uuid 15:10:39 <matrohon> tmorin1 : +1 15:11:21 <matrohon> this lead to the second proposal which is to have a network/router_association object with an UUID 15:11:52 <tmorin1> and the network/router uuid as json data 15:11:59 <matrohon> and the action would be driven by the POST/PUT/DELETE operation on this object 15:12:30 <matrohon> tmorin : +1 in both cases, the network/router would be in the json data 15:12:39 <tmorin1> yes 15:13:55 <janscheurich> Sounds doable but looks a lot like normalized relational database design. Good for machines but hard for humans 15:14:48 <tmorin1> janscheurish: hard, I don't know, but more bookeeping/db work for sure 15:16:28 <janscheurich> I haven't seen other places in Neutron APIs where associations are modeled with explicit objects having their own UUIDs. 15:16:31 <matrohon> this might lead to a dedicated table 15:16:56 <matrohon> janscheurich : this is done in lbaasv2 15:17:28 * matrohon : seeking a link 15:18:40 <matrohon> https://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/extensions/loadbalancerv2.py#L315 15:19:48 <tmorin1> I would tend to opt for the associate/disassociate_network approach, with the BGPVPN uuid in JSON data 15:20:15 <matrohon> the corresponding uri would be : /lbaas/pools/{pool_id}/members/{member_id} 15:21:23 <matrohon> I don't have a strong preference, so option 1 is fine for me : associate/disassociate_network approach 15:21:25 <pcarver> matrohon: This sort of URL makes sense to me, but I can't offer any input on what can be done under the hood in Neutron's API handling 15:21:59 <pcarver> If LBaaS can do it, then I think it makes sense for BGPVPN to do it the same way 15:22:55 <tmorin1> the sub-resource approahc like in LBaaS makes sense if we want to have others attribute to a router or network Association 15:23:40 <tmorin1> but if we don't, then I'd rather go the simpler path similar as what is done in Neutron for router interfaces (with add_router_interface/remove_router_interface) 15:24:11 <tmorin1> in LBaaS members have their own attributes, so their approach makes sense 15:24:25 <tmorin1> but in our case, associations don't have attributes 15:24:59 <tmorin1> unless we want attributes later... 15:25:10 <matrohon> I tend to agree; if we don't nedd to fine manage the association, let's use the action URI 15:25:13 <janscheurich> I think a LBaaS Pool Member is an object that has a meaning on the API level. I'm not sure we could argue the same for the association between a Router/Network and a BGPVPN 15:25:36 <janscheurich> +1 for the action API 15:26:11 <tmorin1> janscheurich: agreed, but we thus make the assumption that we won't want to give attributes to associations 15:29:05 <tmorin1> ok, lets not fully close the door, but let's assume we'll opt for the action URI approache 15:30:11 <tmorin1> approach 15:30:20 <tmorin1> next topic then ? 15:30:39 <tmorin1> #topic static routes in the API 15:30:39 <matrohon> If anybody has some use cases that needs the association object, please ping me, we can still come back to the 2nd approach 15:30:52 <tmorin1> matrohon: agreed 15:31:33 <tmorin1> janscheurich has identified the need for being able to have static routes pointing to Neutron ports 15:31:45 <tmorin1> that would result in the corresponding route to be advertised in a BGP VPN 15:31:59 <janscheurich> Have you seen the new blueprint and Etherpad I created? 15:32:00 <tmorin1> I fully agree that its important to have in the toolbox 15:32:22 <tmorin1> #link https://blueprints.launchpad.net/bgpvpn/+spec/static-routes 15:32:24 <tmorin1> yes 15:32:27 <tmorin1> thanks for creating one 15:32:30 <matrohon> janscheurich : yep, thanks for that 15:32:56 <tmorin1> thanks also for the summary of options at #link https://etherpad.openstack.org/p/bgpvpn_static_routes 15:33:34 <janscheurich> Any immediate comments/suggestions? 15:33:36 <tmorin1> after giving some thinking, I'm thinking that this is very close semantic to what allowed_address_pair is doing 15:34:04 <tmorin1> in fact, if we wanted to allow this now based on allowed_address_pair, we could without any new API call 15:34:38 <tmorin1> allowed_address_pair means: this Neutron port is allowed to send traffic with a source IP in prefix X 15:35:08 <tmorin1> if we assume bidirectional traffic, this means X is reachable through that Neutron port 15:35:58 <tmorin1> my suggestion would be to start by saying that, in the presence of allowed_address_pair the Neutron BGPVPN service would advertise the said prefixes so that the traffic to these prefixes ends up forwarded to that port 15:36:13 <janscheurich> I have been searching for an explanation of allowed_address_pair and its intended use. Do you have any pointers? 15:37:23 <tmorin1> and, if we later find we want a semantic distinct from allowed_address_pair (eg. because we'd want something non bidirectional) we would work on a Neutron generic way of having static routes pointing to Neutron ports independent of the notion of Router / that would have to be discussed with the whole neutron community and would not be specific to BGPVPN 15:37:33 <tmorin1> janscheurich: let me try to find one 15:38:03 <janscheurich> The fact that it is part of the base Neutron Port API indicates that this is old and may be superseded by other security mechanisms such as Neutron Security Groups and Rules. 15:38:22 <tmorin1> #link http://specs.openstack.org/openstack/neutron-specs/specs/api/allowed_address_pairs.html 15:38:33 <tmorin1> but I guess everyone had it already ;) 15:38:51 <matrohon> allowed_addr_pair is firstly made for vrrp, to disable ip anti spoofing rules 15:39:10 <matrohon> which would be need for your feature too 15:40:04 <matrohon> but it doesn't play with SG AFAIK 15:40:09 <tmorin1> janscheurich: I don't believe so, sec groups control what goes to a port, and for egress to where traffic goes, but does not look at source addressess of traffic coming from a port 15:41:01 <janscheurich> OK thanks 15:41:28 <tmorin1> I don't think this has been superseded 15:41:46 <tmorin1> there was a recent fix in the OVS agent related to allowed_address_pair 15:42:17 <tmorin1> e.g. https://review.openstack.org/#/c/194741/ 15:42:20 <tmorin1> #link https://review.openstack.org/#/c/194741/ 15:42:29 <matrohon> janscheurich : what kind of implemention do you consider for the static route feature with bgpvpn? 15:43:21 <janscheurich> tmorin1: Wouldn't the fact that BGPVPN does routing between Network/Subnets outside of the Neutron Router also be hard to swallow by the Neutron community? 15:44:10 <tmorin1> janscheurich: can't tell yet, but how related to static routes ? 15:44:49 <matrohon> janscheurich : +1, which makes hard to overcome the constraint on the current extra route extension 15:44:54 <janscheurich> Implementation: Static routes are inserted into the L3 FIBs and exported through BGP, with the same MPLS label as used for the connected /32 route to the Neutron port. 15:45:44 <janscheurich> In our ODL L3-VPN implementation the addition of static routes to the VPN seems straightforward. 15:45:44 <tmorin1> janscheurich: the fact is that Neutron router could also leverage allowed_address_pair additionally to extra_routes 15:45:58 <tmorin1> janscheurich: +1, in bagpipe driver too 15:46:37 <matrohon> janscheurich : ok, but I mean do you consider a new extension, and do you prefer to leverage existing extensions (allow_addr_pair, extra_route...)? 15:46:55 <janscheurich> matrohon: What constraints on the current extra route extension? 15:47:28 <matrohon> janscheurich : the one you mention on the etherpad 15:47:42 <janscheurich> I think the extra-route extension on the Router should just work in BGPVPN when the Router is associated to the VPN 15:47:55 <tmorin1> janscheurich: +1, I agree with that 15:48:27 <tmorin1> janscheurich: we just need to determine what to do for Network assocations 15:49:10 <janscheurich> I just realized: Allowed address pairs are not sufficient. Think about a static default route! 15:49:41 <tmorin1> janscheurich: allowed_address_pair does allow to specific a 0/0 prefix 15:50:45 <janscheurich> OK, I didn't see the CIDR in the description and all examples just had full IP addresses 15:51:05 <tmorin1> janscheurich: yes 15:51:32 <matrohon> I recently discovered that CIDR was usable too with allow_addr_pair :) 15:51:41 <janscheurich> have you ever played around with allowed address pairs? 15:52:34 <tmorin1> would we agree on giving some thought to the allowed_address_pair option and try to cover other topics before the end ? 15:52:42 <tmorin1> janscheurich: no 15:53:24 <tmorin1> janscheurich: but it is for sure needed to let traffic through in the case of static routes (even if we end up expressing static routes in a different way) 15:53:24 <matrohon> the best that I know is the l2pop issue with this feature : https://bugs.launchpad.net/neutron/+bug/1445089 15:53:26 <openstack> Launchpad bug 1445089 in neutron "allowed-address-pairs broken with l2pop/arp responder and LinuxBridge/VXLAN" [Undecided,Confirmed] - Assigned to yalei wang (yalei-wang) 15:53:26 <uvirtbot> Launchpad bug 1445089 in neutron "allowed-address-pairs broken with l2pop/arp responder and LinuxBridge/VXLAN" [Undecided,Confirmed] 15:53:27 <uvirtbot> Launchpad bug 1445089 in neutron "allowed-address-pairs broken with l2pop/arp responder and LinuxBridge/VXLAN" [Undecided,Confirmed] https://launchpad.net/bugs/1445089 15:54:01 <janscheurich> I agree the automatic export of allowed address pairs as static routes in a VPN would be elegant, but I am a bit concerned because the Neutron Router doesn't seem to do that, and we would get very different behavior of the system depending on the whether the Router or Network association model is chosen. 15:54:52 <tmorin1> janscheurich: I understand your concern, but a the same time, we know we will have something different for netwokr associations that the Neutron router does not use... 15:55:39 <tmorin1> (and nothing prevents from proposing that Neutron routers leverage allowed_address_pairs additionally to static routes, by the way) 15:56:30 <janscheurich> What about allowed address pairs that specify also a MAC address? 15:56:31 <tmorin1> can we decide to not decide now ? ;) 15:56:55 <tmorin1> janscheurich: I guess we would only take into account the ones that specify an IP prefix 15:57:08 <tmorin1> well, for l3 bgpvpn at least 15:57:22 <tmorin1> l2 bgpvpn could leverage the MAC addresses 15:57:28 <janscheurich> Sure: Let's continue the discussion in the Etherpad. But I would at least like to sketch an additional alternative that avoid the re-interpretation of allowed_address_pairs 15:58:01 <tmorin1> janscheurich: agreed, but let's try not to do something that would be alien for the rest of Neutron... 15:58:12 <tmorin1> #topic API, VXLAN VNID 15:58:18 <tmorin1> not much time to discuss 15:58:29 <janscheurich> extra-routes on a BGPVPN should be acceptable, or not? 15:59:27 <tmorin1> I don't know, they could collide with the routes defined on a Router if a Router is associated to the BGPVPN 15:59:32 <tmorin1> maybe that is an issue to consider 15:59:37 <janscheurich> Sure 16:00:01 <tmorin1> I think that if we do something new, we should also try to make it reusable with other Neutron components 16:00:11 <tmorin1> VPNaaS could have a similar use for it 16:00:17 <tmorin1> ditto for service chaining stuff 16:00:25 <matrohon> janscheurich : you mean we should look at extra_routes defined for the associated router and export them in the attach bgpvpn 16:00:44 <tmorin1> which is why I'd rather use allowed_address_pairs, if that can work, as an initial first step 16:01:15 <janscheurich> Yes, that's for sure. I was suggesting to add a similar extra-routes attribute to the BGPVPN object itself 16:02:05 <tmorin1> janscheurich: but that would not be reusable by the rest of Neutron 16:02:42 <tmorin1> jansheurich: if we go for something new, I'd rather look at an option like a extension driver for aPort or Network 16:02:50 <tmorin1> s/aPort/Port 16:03:21 <tmorin1> ok, we are out of time 16:03:32 <tmorin1> let's pursue the discuss in the etherpad 16:03:40 <janscheurich> OK 16:03:54 <tmorin1> #topic other 16:04:17 <tmorin1> Just wanted to mention we are merging first contrib by svinota 16:04:25 <tmorin1> API change for RDs 16:04:28 <tmorin1> thanks svinota 16:04:33 <svinota> tmorin1, thanks 16:04:38 <tmorin1> I mean merging soon, not yet done :) 16:05:14 <svinota> :) 16:05:16 <tmorin1> I also updated jenkins jobs to avoid some breakage on dependencies 16:05:28 <tmorin1> ok, we should free the room I guess 16:05:52 <tmorin1> matrohon will drive the meetings the following weeks 16:06:00 <matrohon> ok 16:06:30 <tmorin1> ok, bye everyone ! 16:06:33 <janscheurich> Bye then 16:06:36 <matrohon> bye 16:06:49 <tmorin1> #endmeeting