18:03:08 <SumitNaiksatam> #startmeeting Networking FWaaS
18:03:09 <openstack> Meeting started Wed Dec  4 18:03:08 2013 UTC and is due to finish in 60 minutes.  The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:03:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:03:13 <garyduan> Hi
18:03:13 <openstack> The meeting name has been set to 'networking_fwaas'
18:03:18 <SumitNaiksatam> Welcome back, hope everyone is recharged after the summit and thanksgiving!
18:03:25 <SumitNaiksatam> garyduan: hi
18:03:42 <SumitNaiksatam> garyduan: is Yi around?
18:04:08 <garyduan> Not sure.
18:04:14 <SumitNaiksatam> garyduan: ok
18:04:21 <SumitNaiksatam> #topic tempest
18:04:29 <SumitNaiksatam> #link https://blueprints.launchpad.net/tempest/+spec/fwaas-api-tempest
18:04:50 <SumitNaiksatam> animesh is still looking at this
18:05:25 <SumitNaiksatam> I believe the suggestion from the neutron team is to target services related tempest tests for I3
18:05:32 <SumitNaiksatam> however we will try to do this sooner
18:05:55 <SumitNaiksatam> as before, if anyone wants to participate, this is a great time to jump in, since we are all learning
18:06:00 <SridarK> Also do we do some sort of integrated scenario tests with all services
18:06:09 <SumitNaiksatam> SridarK: yeah
18:06:13 <RajeshMohan> Sumit: I can help with tempest
18:06:19 <SumitNaiksatam> RajeshMohan: sweet
18:06:20 <SridarK> ok Thanks
18:06:27 <SridarK> same here
18:06:33 <SumitNaiksatam> SridarK: nice
18:06:33 <garyduan> SumitNaiksatam: what is the relation between tempest and gate?
18:06:51 <SridarK> perhaps we can have a mtg with animesh to get some core dump
18:06:55 <SumitNaiksatam> gate uses tempest tests as one of the gating criteria
18:06:56 <garyduan> SumitNaiksatam: and vendor external testbed
18:07:56 <SumitNaiksatam> garyduan: vendor external testbed is the one which vendors will have to run in their setup (hooked up to the product they are exposing in neutron/openstack) and have the tempest tests run against that
18:08:33 <SumitNaiksatam> once the tests run and complete, they should report back the result (i.e. vote on that particular patch set)
18:08:40 <garyduan> SumitNaiksatam: thanks
18:09:46 <SumitNaiksatam> #action SumitNaiksatam to setup coordination between RajeshMohan SridarK Rudra and Animesh regarding FWaaS tempest tests
18:10:23 <SumitNaiksatam> garyduan: i guess you will have to plan 3rd party testing for the varmour driver?
18:11:32 <SumitNaiksatam> anything more on tempest or testing in general?
18:11:51 <SumitNaiksatam> ok
18:12:17 <SumitNaiksatam> for the rest of the meeting lets go in the order of the items we proposed to the PTL to target of Icehouse
18:13:18 <SumitNaiksatam> the PTL has retargeted the blueprints on which we had explicitly mentioned the milestones
18:13:25 <SumitNaiksatam> and those have been pushed to I3
18:13:37 <SumitNaiksatam> #topic Service Insertion for Firewall
18:13:47 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-service-insertion
18:14:02 <SumitNaiksatam> this is tied to to bigger insertion discussion and blueprint
18:14:25 <SumitNaiksatam> we want to target this for I1 but both have been targeted for I3
18:15:11 <SumitNaiksatam> i don't have much of an update on this beyond that
18:15:19 <SumitNaiksatam> any thoughts/questions?
18:15:39 <SridarK> SumitNaiksatam: Is there more clarity on the service insertion bp timelines
18:15:43 <RajeshMohan> We shoud start design discussions
18:16:08 <SumitNaiksatam> SridarK: service insertion and chaining blueprint is also targeted for I3
18:16:36 <SridarK> which would be a dependency for FWaaS service insertion
18:16:42 <SridarK> SumitNaiksatam: so we could start some work and have some overlapped activity for FWaaS
18:16:52 <SumitNaiksatam> SridarK: yeah, so its tight
18:17:15 <SumitNaiksatam> SridarK: and increases the odds of this not going through (or us being forced to take a shortcut)
18:17:22 <RajeshMohan> Sumit: so the router-id will come from insertion context?
18:17:40 <SumitNaiksatam> RajeshMohan: to your earlier question - you mean continue the design discussions?
18:17:41 <SridarK> SumitNaiksatam: :-(
18:18:23 <SumitNaiksatam> RajeshMohan: since we already had plenty of discussions on this and I thought we converged on moving forward with the current proposal
18:18:41 <RajeshMohan> Sumit: yes - mainly trying to understand the dependence on service-insertion bp and fwaas bp
18:18:50 <SumitNaiksatam> RajeshMohan: to your latter question, yes
18:19:14 <SumitNaiksatam> btw, I1 is tomorrow, I2 is Jan 23rd I believe
18:20:10 <SumitNaiksatam> RajeshMohan: we can have another session on strategizing as to how we go forward on this
18:21:00 <RajeshMohan> Sumit: Thanks.
18:21:30 <SumitNaiksatam> SridarK: anything more to add (I know the short cut option sucks and wouldn't want to take that)
18:21:50 <SridarK> SumitNaiksatam: As i had mentioned to u earlier - there is strong interest in a L2 realization of FWaaS from one of our customers
18:22:01 <SumitNaiksatam> SridarK: ok
18:22:05 <SridarK> Would like to add that to the list of features and discuss more on the priority.
18:22:19 <SumitNaiksatam> SridarK: lets take that as a separate item in the agenda today
18:22:38 <SridarK> SumitNaiksatam: Thanks
18:22:44 <SumitNaiksatam> #topic service_type framework
18:22:50 <SridarK> SumitNaiksatam: brought it up in the context of service insertion but we can discuss separately
18:23:00 <SumitNaiksatam> SridarK: yeah, thanks
18:23:02 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-service-types-integration
18:23:16 <SumitNaiksatam> this has also been retargeted from I2 to I3
18:23:23 <SumitNaiksatam> garyduan: any progress on this?
18:23:30 <garyduan> pretty much done
18:23:37 <SumitNaiksatam> garyduan: sweet
18:23:44 <garyduan> I can submit patch for review
18:23:49 <SumitNaiksatam> garyduan: i would then encourage you to post the patch for review
18:24:03 <garyduan> Ok
18:24:17 <SumitNaiksatam> thanks
18:24:25 <SumitNaiksatam> #topic zones
18:24:35 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-zones-api
18:24:43 <SumitNaiksatam> currently this bp is not targeted for any milestone, but we had proposed that we would work on this in I2
18:24:46 <SridarK> SumitNaiksatam: started work on a doc
18:24:53 <SumitNaiksatam> SridarK: ok good
18:25:02 <SumitNaiksatam> however, the bp is not targeted for a milestone
18:25:11 <SridarK> need to discuss more btwn u & RajeshMohan:
18:25:22 <SridarK> yes not clear on the priority of this for Icehouse
18:25:36 <SridarK> will need to see what we can push out
18:25:41 <SumitNaiksatam> ok
18:26:09 <SumitNaiksatam> its okay to have this as a discussion item for Icehouse and then implement in J, if it's fine with everyone
18:26:44 <RajeshMohan> Sumit: I think that is a good idea
18:26:51 <SumitNaiksatam> RajeshMohan: ok good
18:27:06 <SumitNaiksatam> SridarK: good to continue the effort on the doc so as to drive the discussion
18:27:11 <SridarK> SumitNaiksatam: will be good to get it in for I3 but given dependencies and other priorities seem like J is more realistic
18:27:20 <SumitNaiksatam> SridarK: agree
18:27:27 <SridarK> SumitNaiksatam: ok will do
18:27:46 <SumitNaiksatam> SridarK: thanks (i changed the status of the bp to discussion)
18:27:53 <SridarK> ok
18:27:56 <SumitNaiksatam> #topic Service Objects
18:28:05 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-customized-service
18:28:13 <garyduan> Yi is working on it
18:28:14 <SumitNaiksatam> we had proposed this for I3, but the blueprint is not targeted for a milestone
18:28:20 <SumitNaiksatam> garyduan: ok
18:28:35 <SumitNaiksatam> seems like he is not around
18:28:43 <garyduan> making good progress
18:29:12 <SumitNaiksatam> garyduan: as a matter of procedure, Yi needs to propose a target milestone for this blueprint
18:29:26 <SumitNaiksatam> the PTL can then decide whether its appropriate and approve accordingly
18:30:11 <garyduan> Ok. I will ask him
18:30:37 <SumitNaiksatam> #action garyduan to sync up with Yi on milestone target for service objects bp
18:30:46 <SumitNaiksatam> #topic revisit firewall to firewall_policy association
18:30:56 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/neutron-fwaas-explicit-commit
18:31:15 <SumitNaiksatam> SridarK: you mentioned that there was some interest/validation from users on this?
18:31:41 <SridarK> SumitNaiksatam: Yes there was strong interest from our customer
18:31:54 <SridarK> were also interested in hooking in audit / logging
18:31:59 <SumitNaiksatam> SridarK: ok
18:32:15 <SridarK> so we can add that to the list of folks who think this is important to have
18:32:28 <SumitNaiksatam> RajeshMohan, garyduan: how about your customers/people using your products?
18:33:09 <RajeshMohan> Sumit: As we have told you before, commit is important feature for firewall
18:33:30 <SumitNaiksatam> RajeshMohan: good, but can we get validation from some users?
18:33:35 <garyduan> We'd like to see commit feature in FWaaS
18:33:51 <SumitNaiksatam> one of the suggestions made during the summit was that we have to provide validation from users to push this forward
18:34:04 <RajeshMohan> Sumit: Can Paypal help here?
18:34:21 <SumitNaiksatam> i think us making this case is not moving the ball forward on this, we need the users to speak up as well
18:34:30 <SumitNaiksatam> RajeshMohan: thats a good suggestion
18:34:43 <SumitNaiksatam> RajeshMohan: they seem to be more inclined towards using SG
18:35:05 <SumitNaiksatam> probably thats a shorter term thing, but thats the impression i got
18:35:22 <RajeshMohan> Sumit: ok
18:35:25 <SumitNaiksatam> some validation from your direct customers/users will help
18:35:52 <SumitNaiksatam> that way we can organize a discussion between the PTL, us, and the users and try to move forward on this
18:36:00 <SumitNaiksatam> until then, I see this as stuck
18:36:30 <SumitNaiksatam> does everyone agree?
18:37:21 <SumitNaiksatam> ok i will take that as a yes! :-)
18:37:32 <SumitNaiksatam> #topic vendor drivers
18:37:45 <SridarK> sorry got bounced out
18:37:50 <RajeshMohan> Sumit: I thought the discussion in summit was on approach. I thought everyone sees the need for it. Was I wrong?
18:38:53 <SumitNaiksatam> #undo
18:38:54 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0x26b6390>
18:39:09 <SumitNaiksatam> RajeshMohan: not sure everyone was convinced of the need either, the pushback was that it is in some way not RESTful
18:39:55 <RajeshMohan> There were alternate approaches (like duplicating policy) and I assumed that others see the need for it
18:40:01 <SumitNaiksatam> i have sought clarification on this in the review, but i am yet to get a good answer on this
18:40:35 <RajeshMohan> ok - we can cite existing products that have commit feature
18:40:57 <garyduan> I mentioned once, maybe for simplicity, once we commit, we commit to all firewall
18:41:13 <SumitNaiksatam> RajeshMohan: yes, that, and more importantly we need some actual user voices to push for this
18:41:50 <SumitNaiksatam> garyduan: we can discuss those level semantics as a second step, but we first need to get agreement on the commit/apply operation
18:42:06 <garyduan> sure
18:42:13 <SumitNaiksatam> #topic vendor drivers
18:42:32 <SumitNaiksatam> garyduan SridarK RajeshMohan: anything you guys planning on pushing in icehouse?
18:42:57 <SridarK> SumitNaiksatam: We will have a dependency on zones so unlikely in icehouse
18:43:12 <SumitNaiksatam> SridarK: ok
18:43:35 <RajeshMohan> Sumit: Same here. Zones and commit are must before we publish our driver
18:43:43 <SumitNaiksatam> RajeshMohan: ok
18:43:47 <garyduan> For us, it's mostly refactoring
18:44:00 <RajeshMohan> Sumit: Will talk to product management on commit on get back to you
18:44:01 <SumitNaiksatam> garyduan: ok, which milestone are you targeting?
18:44:06 <SumitNaiksatam> RajeshMohan: thanks
18:44:11 <garyduan> as part of service framework,
18:44:22 <SumitNaiksatam> garyduan: okay, so I3?
18:44:33 <garyduan> SumitNaiksatam: yes. we have a bp
18:44:39 <SumitNaiksatam> garyduan: ok
18:44:50 <SumitNaiksatam> i want to give SridarK time for the discussion on L2 firewall
18:44:57 <SumitNaiksatam> #topic L2 firewall
18:45:02 <SumitNaiksatam> SridarK: please go ahead
18:45:15 <SridarK> SumitNaiksatam: Thanks
18:45:32 <SridarK> do u think this is something we can target post service insertion
18:45:42 <sc68cal> SridarK: I'm here too for this
18:45:43 <SridarK> i think it is a valid and common deployment case
18:46:04 <sc68cal> if any q's about our usecase
18:46:11 <SridarK> so68cal: thanks Sean - pls add more
18:46:13 <SridarK> as reqd
18:46:27 <SumitNaiksatam> SridarK sc68cal: thanks
18:46:57 <SumitNaiksatam> SridarK: absolutely, this is the reason for the proposal on service insertion to tackle these different possibilitites
18:47:21 <SumitNaiksatam> sc68cal: as a user i think we need your input/support on the service insertion/chaining proposal
18:47:37 <sc68cal> The main issue we have is that with the layer-3 agent still a SPOF, we're using provider networks for L3 services for instances. We'd like to have our cake and eat it too, still be able to take advantage of certain APIs that currently require the l3 agent
18:47:48 <SumitNaiksatam> based on that we can support many different possibilities for services
18:47:51 <SridarK> SumitNaiksatam: And this is a good demonstration of the use cases service insertion/chaining can address
18:48:29 <SumitNaiksatam> sc68cal: ok
18:48:39 <SumitNaiksatam> SridarK: agree
18:49:00 <SridarK> Also to add to so68cal - beyond solving specific needs this is a common use case that will be of interest to many
18:49:06 <sc68cal> https://blueprints.launchpad.net/neutron/+spec/fwaas-provider-network
18:49:19 <sc68cal> we did a very quick writeup
18:49:42 <SumitNaiksatam> SridarK sc68cal: I would recommend adding a blueprint for the reference implementation of L2 firewall with a dependency on the service insertion/chaining blueprint
18:50:08 <SridarK> SumitNaiksatam: will do so
18:50:12 <SridarK> SumitNaiksatam: sounds good
18:50:47 <sc68cal> SumitNaiksatam: ok - should we take that blueprint I linked, and add a dep for the service insertion blueprint?
18:51:29 <SumitNaiksatam> sc68cal: that might work too, but i think that particular is not very clear about the L2 aspect of the firewall
18:51:38 <SumitNaiksatam> perhaps this needs more than one bp
18:51:53 <SumitNaiksatam> you can coordinate with SridarK
18:51:57 <sc68cal> ok will do
18:52:04 <SumitNaiksatam> we can have a separate session to dig deeper into this, all are welcome
18:52:21 <SumitNaiksatam> #topic open discussion
18:52:35 <SumitNaiksatam> anything else that anyone wants to bring up?
18:53:49 <SridarK> SumitNaiksatam: hopefully things on neutron will settle down so we can get some of feature needs addressed
18:53:50 <SumitNaiksatam> alrighty…thats a wrap then, thanks everyone, until next time, bye!
18:53:57 <RajeshMohan> bye
18:54:03 <SridarK> thanks bye
18:54:10 <SumitNaiksatam> SridarK: absolutely, we also need to chip in on that front! :-)
18:54:22 <SridarK> yes for sure
18:54:26 <SumitNaiksatam> #endmeeting