14:02:40 <igordc> #startmeeting network_common_flow_classifier 14:02:41 <openstack> Meeting started Tue Aug 22 14:02:40 2017 UTC and is due to finish in 60 minutes. The chair is igordc. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:02:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:02:45 <openstack> The meeting name has been set to 'network_common_flow_classifier' 14:03:45 <davidsha> Hi 14:04:15 <igordc> hi davidsha, all 14:04:35 <igordc> agenda: 14:04:40 <igordc> https://wiki.openstack.org/wiki/Neutron/CommonClassificationFramework#Discussion_Topic_22_August_2017 14:04:46 <igordc> #topic CCF v0 - first wave of code (update) 14:05:33 <davidsha> Myself and Thaynara are working on Unit tests for the Service plugin at the moment. 14:06:25 <davidsha> We're also working on addressing bcafarel comments on the patchset about tenant_id problems. 14:06:51 <igordc> davidsha: great 14:07:26 <igordc> https://review.openstack.org/#/c/487182/1/neutron_classifier/db/models.py 14:07:31 <igordc> right? 14:08:42 <davidsha> igordc: Thats the one, We're also going to break off some pieces of this patch into other patches to make it more digestible and easier to review. 14:09:15 <davidsha> The Database migration code will be the first to be moved into it's own patch. 14:09:33 <igordc> good stuff 14:10:06 <igordc> davidsha: can we still make it before pike is released? (not that it's too important, but would be a good milestone to sync with) 14:10:15 <tmorin> hi everyone, sorry for joining late 14:10:26 <igordc> hey tmorin, long time no see! 14:10:26 <davidsha> tmorin: welcome, no problem. 14:11:00 <davidsha> igordc: I'm hoping the smaller patches will help make that milestone. 14:11:37 <igordc> great, tmorin any questions about the state of the code? 14:12:13 <tmorin> I just came to catch up 14:12:27 <igordc> very well, let's mve on 14:12:35 <igordc> #topic PTG update 14:12:36 <tmorin> I saw the v0 patch, haven't had time to have a look yet 14:12:54 <igordc> Thaynara and davidsha will push a new patch soon 14:13:17 <igordc> so about the PTG... davidsha you're likely not going there either correct? 14:14:30 <davidsha> igordc: Ya, my travel approval was rejected unfortunately, I'm going to see if there is an appeal, but we're too close now for that to be viable. 14:15:20 <igordc> davidsha: right, so neither of us going, so it will be a bit more difficult to engage on brainstorming discussions 14:15:27 <igordc> tmorin are you going to the PTG? 14:17:09 <igordc> https://etherpad.openstack.org/p/neutron-queens-ptg 14:17:47 <igordc> I had a CCF topic for the PTG, mainly to talk about what v1 has to have and to start/accelerate dev of consuming services 14:17:53 <tmorin> igordc: yes, I'll be in Denver 14:18:26 <igordc> I say we can still do a good deal of the work via the mailing list 14:18:44 <tmorin> I can put it on my list and be there to talk CCF with whoever would like to 14:18:59 <igordc> the most important part is that the CCF provides the plugging points and supports the protocols/fields that consuming services want 14:19:36 <igordc> I'll be on vacation but might join the etherpads just to follow and ask questions 14:20:08 <reedip_> I added FwaaS team, and I think xgerman or SridarK would be discussin the same with you. I will also ping yushiro for this 14:20:23 <davidsha> tmorin: If you could that would be great, as igordc mentioned it's the protocols services need and make sure the plug points work 14:20:52 <tmorin> I can take the action of starting this discussion in Denver 14:21:09 <tmorin> we need to identify who of "consuming services" will be there 14:21:28 <reedip_> I wont be there so I will check virtually 14:21:30 <davidsha> tmorin: Thanks. 14:21:39 <tmorin> reedip_: so that would be these three and someone from fwaas ? 14:21:52 <reedip_> all three are from fwaas tmorin 14:22:39 <davidsha> pcarver from SFC was heavily involved back in Atlanta if I remember correctly. 14:22:39 <igordc> great tmorin thanks 14:23:27 <igordc> davidsha: yes, I don't see his name on the etherpad but he might go, I'll check with him on the sfc meeting 14:23:38 <igordc> and hi reedip_ 14:23:48 <reedip_> hi igordc 14:24:23 <tmorin> reedip_: ok! 14:25:40 <igordc> cool if you all can please socialize the ccf, and write down all the missing gaps and proposed directions, that would be awesome... I'll try to check the etherpad and IRC 14:26:54 <davidsha> I have seen the drivers propose the use of CCF for a few RFEs already, so I can try and find the RFE authors and sync with them. 14:27:36 <igordc> awesome davidsha, that's great 14:28:06 <davidsha> One was for Security groups and the other may have been DragonFlow, I'll talk to mlavelle about it and see what they were planning. 14:29:05 <igordc> davidsha: the dragonflow one was related to fwaas wasn't it? 14:29:30 <davidsha> igordc: I can't recall off the top of my head. 14:30:24 <davidsha> tmorin: you mentioned at the PTG about using BGP resources as classifications to be consumed by SFC or am I mistaken? 14:31:05 <tmorin> davidsha: yes, but the good solution to the target problem may end up being different 14:31:51 <tmorin> the problem is : how to specify in some API that we want the traffic from a given BGPVPN and matching a given classifier, to be put into an SFC port chain 14:32:29 <tmorin> having a "source BGPVPN" in the classifier could have been a solution, but we ended up concluding it was not a good one when discussing the CCF spec 14:33:08 <igordc> tmorin: as a source bgpvpn it looks OK to be put in a classification 14:33:15 <tmorin> my current thinking is that the best would be to extend the BGPVPN API to associate a (Common Flow Classifier ID, SFC port-chain ID) tuple to indicate that the traffic from this BGPVPN matching the classifier should go into the chain. 14:33:20 <igordc> tmorin: as a destination, not really 14:34:23 <tmorin> igordc: right for source vs. dest, but we (you, me, ihar) ended up concluding we should add that and rely instead on the consuming service API to combine a CCF with its own resources 14:35:08 <igordc> tmorin: OK so in your current thinking, bgpvpn's users would still use the CCF but no changes in SFC would be needed (only in bgpvpn) 14:36:02 <tmorin> igordc: yes, and only the port-chain and CCF APIs would be used (not the current SFC classifier API, nor an extension of it) 14:36:41 <igordc> tmorin: the problem is that networking-sfc manages classifying the traffic... and port-chains require classifications 14:37:26 <igordc> tmorin: this could be done, but look like a workaround from networking-sfc's perspective 14:37:30 <igordc> looks* 14:37:40 <tmorin> (for ref, the discussion I'm referring to was: https://review.openstack.org/#/c/333993/15/specs/pike/common-classification-framework.rst@319 ) 14:37:51 <igordc> let me just switch topic btw 14:38:00 <igordc> #topic Open discussion 14:38:08 <tmorin> igordc: ok, perhaps this needs more thinking 14:39:38 <igordc> tmorin: I have to re-read the flow of arguments, including mine, but one thing is still clear I think: that the CCF doesn't actually classify 14:39:49 <igordc> tmorin: so either bgpvpn or sfc will 14:40:29 <igordc> we then have the 2 options you mentioned today: sfc classifies based on 2+ classification types from the CCF (while bgpvpn only instantiates the bgpvpns) 14:40:40 <tmorin> igordc: yes (to be exact in the case of bgpvpn, we delegate the actual classifiction of packet to BGP VPN routers thanks to BGP FlowSpec VPN routes) 14:41:02 <igordc> or sfc classification is bypassed and instead executed by bgpvpn (plus instantiating the bgpvpns and consuming from the CCF) 14:41:39 <tmorin> given the delegation mentioned above, the second option would be natural (I think) 14:42:29 <tmorin> the bgpvpn driver then simply needs to push the classified traffic to the ports of the first ingress port-pair 14:42:30 <igordc> tmorin: and you'd then be able to route the matching packets to the first SF of the port chain right? 14:42:41 <igordc> exactly 14:42:45 <tmorin> yes :) 14:43:25 <igordc> I think this is a discussion between bgpvpn and sfc then 14:44:00 <igordc> and from the conclusions we can know whether bgpvpn classication type is required 14:44:22 <tmorin> that makes sense 14:45:50 <igordc> your last option also looks better to my own subjective perception, but am just a bit concerned with the scope of networking-sfc then, seeing as the classification-part is bypassed 14:46:24 <davidsha> reedip_: you linked this before I think, this is the list of protocols for security groups correct? https://github.com/openstack/neutron-lib/blob/99d4f1f35f8d915f48bfaa677f690b29bc4b0dbe/neutron_lib/constants.py#L202 14:46:37 <reedip_> checking 14:46:42 <reedip_> davidsha : yep 14:46:54 <reedip_> but I found that this is only for the iptables implementation 14:47:26 <reedip_> But if we have nftables or any other implementation, then the protocol list might change, isnt it? 14:48:23 <igordc> reedip_: not sure 14:48:35 <davidsha> reedip_: Well the backend doesn't really matter to us, it's just supporting the classification definitions that already exist in Security Groups is what I'm thinking. 14:48:40 <igordc> reedip_: do you know if SCTP is actually used in neutron? 14:49:09 <reedip_> igordc : its in the neutron_lib/constants, right ? 14:49:33 <davidsha> Yup, It's there 14:49:50 <igordc> reedip_: yes, but I don't see any actual use either there or in /neutron 14:49:56 <igordc> reedip_: perhaps some stadium project 14:49:59 <igordc> same goes for DCCP 14:50:19 <reedip_> well : https://github.com/openstack/neutron/blob/7c1e21a3f35e80e176dfc025eb6f4a0024cb137c/neutron/agent/linux/iptables_firewall.py#L643 14:50:42 <igordc> reedip_: alright indirectly via IPTABLES_PROTOCOL_MAP 14:50:51 <reedip_> yes ... 14:51:31 <igordc> reedip_: but I still don't see protocol-specific work 14:51:31 <davidsha> So there are 22 in that list of protocols and we have 5 of them in Version 0 14:52:00 <igordc> reedip_: at least for classification purposes 14:52:08 <reedip_> igordc : I can only find the implementation and usage of the protocols in 5 places 14:52:10 <reedip_> http://codesearch.openstack.org/?q=IPTABLES_PROTOCOL_MAP&i=nope&files=&repos= 14:52:32 <reedip_> seems that it is only used in iptables_firewall.py 14:52:38 <igordc> reedip_: yep got the same in github 14:52:57 <reedip_> so unless we have a separate agent, iptables will work well with the following 5 protocols 14:53:25 <reedip_> But yes, DCCP and SCTP wont be useful in generic terms 14:53:43 <reedip_> so you can avoid it. Maybe you can keep a list of Necessary protocols and additional protocols 14:53:57 <reedip_> the Necessary Protocols may have TCP, UDP , ICMP ICMPv6 14:54:10 <reedip_> while the additional protocols can be dependent on the consumer of the CCF 14:54:10 <tmorin> igordc: people are using protocols other than UDP or TCP out there, hence protos such as SCTP just need to be supported 14:54:18 <igordc> right, I'd like to have more information about the need of certain protocols before anyone commits to work on their support in the CCF, otherwise we might just be wasting time 14:54:42 <igordc> unless someone really wants to contribute those protocols, I'm fine with that 14:55:11 <igordc> tmorin: but are they compatible with any neutron API extension? 14:55:45 <tmorin> I know that at least SCTP is important for Telco NFV application related to the historic phone system (SS7) 14:55:45 <igordc> tmorin: or do they just have to be compatible with the backends that might be receiving, as an example, SCTP and DCCP traffic from VMs 14:56:10 <igordc> tmorin: ohh that :p 14:56:13 <tmorin> igordc: I don't get your question 14:56:18 <tmorin> igordc: :D 14:56:47 <reedip_> now I amm confused 14:56:50 <reedip_> :) 14:56:54 <igordc> tmorin: in other words, are these protocols actually going to be object of a consumed Classification? 14:57:32 <tmorin> yes, they can: for instance, you could want to open only a given SCTP port range 14:57:50 <igordc> + reedip_ 14:57:50 <igordc> we can continue offline, time's about to run out 14:57:50 <igordc> I'd just like to introduce you to Thaynara , who's been co-authoring the code with David 14:58:08 <reedip_> hi Thaynara 14:58:13 <reedip_> saw the patch 0 version 14:58:15 <tmorin> similarly: direct a given SCPT port range into a chain, apply QoS profiles distinctively depending on SCTP port, etc. 14:58:24 <Thaynara> Hi guys 14:58:33 <tmorin> hi ! 14:58:57 <igordc> tmorin: I understand, do you know of any neutron project doing it? 14:59:29 <igordc> I am fortunate enough to hear daily discussions about the CCF from these 2 hehe 14:59:32 <tmorin> I haven't checked 14:59:39 <reedip_> FWaaS would be using it soon ... but otherswise not enough consumers 15:00:00 <igordc> reedip_: hmm OK so some potential there 15:00:04 <igordc> aright, time's up 15:00:06 <igordc> bye all! 15:00:09 <igordc> #endmeeting