18:03:08 <SumitNaiksatam> #startmeeting Networking FWaaS
18:03:09 <openstack> Meeting started Wed Dec 4 18:03:08 2013 UTC and is due to finish in 60 minutes. The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:03:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:03:13 <garyduan> Hi
18:03:13 <openstack> The meeting name has been set to 'networking_fwaas'
18:03:18 <SumitNaiksatam> Welcome back, hope everyone is recharged after the summit and thanksgiving!
18:03:25 <SumitNaiksatam> garyduan: hi
18:03:42 <SumitNaiksatam> garyduan: is Yi around?
18:04:08 <garyduan> Not sure.
18:04:14 <SumitNaiksatam> garyduan: ok
18:04:21 <SumitNaiksatam> #topic tempest
18:04:29 <SumitNaiksatam> #link https://blueprints.launchpad.net/tempest/+spec/fwaas-api-tempest
18:04:50 <SumitNaiksatam> animesh is still looking at this
18:05:25 <SumitNaiksatam> I believe the suggestion from the neutron team is to target services related tempest tests for I3
18:05:32 <SumitNaiksatam> however we will try to do this sooner
18:05:55 <SumitNaiksatam> as before, if anyone wants to participate, this is a great time to jump in, since we are all learning
18:06:00 <SridarK> Also do we do some sort of integrated scenario tests with all services
18:06:09 <SumitNaiksatam> SridarK: yeah
18:06:13 <RajeshMohan> Sumit: I can help with tempest
18:06:19 <SumitNaiksatam> RajeshMohan: sweet
18:06:20 <SridarK> ok Thanks
18:06:27 <SridarK> same here
18:06:33 <SumitNaiksatam> SridarK: nice
18:06:33 <garyduan> SumitNaiksatam: what is the relation between tempest and gate?
18:06:51 <SridarK> perhaps we can have a mtg with animesh to get some core dump
18:06:55 <SumitNaiksatam> gate uses tempest tests as one of the gating criteria
18:06:56 <garyduan> SumitNaiksatam: and vendor external testbed
18:07:56 <SumitNaiksatam> garyduan: vendor external testbed is the one which vendors will have to run in their setup (hooked up to the product they are exposing in neutron/openstack) and have the tempest tests run against that
18:08:33 <SumitNaiksatam> once the tests run and complete, they should report back the result (i.e. vote on that particular patch set)
18:08:40 <garyduan> SumitNaiksatam: thanks
18:09:46 <SumitNaiksatam> #action SumitNaiksatam to setup coordination between RajeshMohan SridarK Rudra and Animesh regarding FWaaS tempest tests
18:10:23 <SumitNaiksatam> garyduan: i guess you will have to plan 3rd party testing for the varmour driver?
18:11:32 <SumitNaiksatam> anything more on tempest or testing in general?
18:11:51 <SumitNaiksatam> ok
18:12:17 <SumitNaiksatam> for the rest of the meeting lets go in the order of the items we proposed to the PTL to target of Icehouse
18:13:18 <SumitNaiksatam> the PTL has retargeted the blueprints on which we had explicitly mentioned the milestones
18:13:25 <SumitNaiksatam> and those have been pushed to I3
18:13:37 <SumitNaiksatam> #topic Service Insertion for Firewall
18:13:47 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-service-insertion
18:14:02 <SumitNaiksatam> this is tied to the bigger insertion discussion and blueprint
18:14:25 <SumitNaiksatam> we want to target this for I1 but both have been targeted for I3
18:15:11 <SumitNaiksatam> i don't have much of an update on this beyond that
18:15:19 <SumitNaiksatam> any thoughts/questions?
18:15:39 <SridarK> SumitNaiksatam: Is there more clarity on the service insertion bp timelines
18:15:43 <RajeshMohan> We should start design discussions
18:16:08 <SumitNaiksatam> SridarK: service insertion and chaining blueprint is also targeted for I3
18:16:36 <SridarK> which would be a dependency for FWaaS service insertion
18:16:42 <SridarK> SumitNaiksatam: so we could start some work and have some overlapped activity for FWaaS
18:16:52 <SumitNaiksatam> SridarK: yeah, so its tight
18:17:15 <SumitNaiksatam> SridarK: and increases the odds of this not going through (or us being forced to take a shortcut)
18:17:22 <RajeshMohan> Sumit: so the router-id will come from insertion context?
18:17:40 <SumitNaiksatam> RajeshMohan: to your earlier question - you mean continue the design discussions?
18:17:41 <SridarK> SumitNaiksatam: :-(
18:18:23 <SumitNaiksatam> RajeshMohan: since we already had plenty of discussions on this and I thought we converged on moving forward with the current proposal
18:18:41 <RajeshMohan> Sumit: yes - mainly trying to understand the dependence on service-insertion bp and fwaas bp
18:18:50 <SumitNaiksatam> RajeshMohan: to your latter question, yes
18:19:14 <SumitNaiksatam> btw, I1 is tomorrow, I2 is Jan 23rd I believe
18:20:10 <SumitNaiksatam> RajeshMohan: we can have another session on strategizing as to how we go forward on this
18:21:00 <RajeshMohan> Sumit: Thanks.
18:21:30 <SumitNaiksatam> SridarK: anything more to add (I know the short cut option sucks and wouldn't want to take that)
18:21:50 <SridarK> SumitNaiksatam: As i had mentioned to u earlier - there is strong interest in a L2 realization of FWaaS from one of our customers
18:22:01 <SumitNaiksatam> SridarK: ok
18:22:05 <SridarK> Would like to add that to the list of features and discuss more on the priority.
18:22:19 <SumitNaiksatam> SridarK: lets take that as a separate item in the agenda today
18:22:38 <SridarK> SumitNaiksatam: Thanks
18:22:44 <SumitNaiksatam> #topic service_type framework
18:22:50 <SridarK> SumitNaiksatam: brought it up in the context of service insertion but we can discuss separately
18:23:00 <SumitNaiksatam> SridarK: yeah, thanks
18:23:02 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-service-types-integration
18:23:16 <SumitNaiksatam> this has also been retargeted from I2 to I3
18:23:23 <SumitNaiksatam> garyduan: any progress on this?
18:23:30 <garyduan> pretty much done
18:23:37 <SumitNaiksatam> garyduan: sweet
18:23:44 <garyduan> I can submit patch for review
18:23:49 <SumitNaiksatam> garyduan: i would then encourage you to post the patch for review
18:24:03 <garyduan> Ok
18:24:17 <SumitNaiksatam> thanks
18:24:25 <SumitNaiksatam> #topic zones
18:24:35 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-zones-api
18:24:43 <SumitNaiksatam> currently this bp is not targeted for any milestone, but we had proposed that we would work on this in I2
18:24:46 <SridarK> SumitNaiksatam: started work on a doc
18:24:53 <SumitNaiksatam> SridarK: ok good
18:25:02 <SumitNaiksatam> however, the bp is not targeted for a milestone
18:25:11 <SridarK> need to discuss more btwn u & RajeshMohan:
18:25:22 <SridarK> yes not clear on the priority of this for Icehouse
18:25:36 <SridarK> will need to see what we can push out
18:25:41 <SumitNaiksatam> ok
18:26:09 <SumitNaiksatam> its okay to have this as a discussion item for Icehouse and then implement in J, if it's fine with everyone
18:26:44 <RajeshMohan> Sumit: I think that is a good idea
18:26:51 <SumitNaiksatam> RajeshMohan: ok good
18:27:06 <SumitNaiksatam> SridarK: good to continue the effort on the doc so as to drive the discussion
18:27:11 <SridarK> SumitNaiksatam: will be good to get it in for I3 but given dependencies and other priorities seem like J is more realistic
18:27:20 <SumitNaiksatam> SridarK: agree
18:27:27 <SridarK> SumitNaiksatam: ok will do
18:27:46 <SumitNaiksatam> SridarK: thanks (i changed the status of the bp to discussion)
18:27:53 <SridarK> ok
18:27:56 <SumitNaiksatam> #topic Service Objects
18:28:05 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/fwaas-customized-service
18:28:13 <garyduan> Yi is working on it
18:28:14 <SumitNaiksatam> we had proposed this for I3, but the blueprint is not targeted for a milestone
18:28:20 <SumitNaiksatam> garyduan: ok
18:28:35 <SumitNaiksatam> seems like he is not around
18:28:43 <garyduan> making good progress
18:29:12 <SumitNaiksatam> garyduan: as a matter of procedure, Yi needs to propose a target milestone for this blueprint
18:29:26 <SumitNaiksatam> the PTL can then decide whether its appropriate and approve accordingly
18:30:11 <garyduan> Ok. I will ask him
18:30:37 <SumitNaiksatam> #action garyduan to sync up with Yi on milestone target for service objects bp
18:30:46 <SumitNaiksatam> #topic revisit firewall to firewall_policy association
18:30:56 <SumitNaiksatam> #link https://blueprints.launchpad.net/neutron/+spec/neutron-fwaas-explicit-commit
18:31:15 <SumitNaiksatam> SridarK: you mentioned that there was some interest/validation from users on this?
18:31:41 <SridarK> SumitNaiksatam: Yes there was strong interest from our customer
18:31:54 <SridarK> were also interested in hooking in audit / logging
18:31:59 <SumitNaiksatam> SridarK: ok
18:32:15 <SridarK> so we can add that to the list of folks who think this is important to have
18:32:28 <SumitNaiksatam> RajeshMohan, garyduan: how about your customers/people using your products?
18:33:09 <RajeshMohan> Sumit: As we have told you before, commit is important feature for firewall
18:33:30 <SumitNaiksatam> RajeshMohan: good, but can we get validation from some users?
18:33:35 <garyduan> We'd like to see commit feature in FWaaS
18:33:51 <SumitNaiksatam> one of the suggestions made during the summit was that we have to provide validation from users to push this forward
18:34:04 <RajeshMohan> Sumit: Can Paypal help here?
18:34:21 <SumitNaiksatam> i think us making this case is not moving the ball forward on this, we need the users to speak up as well
18:34:30 <SumitNaiksatam> RajeshMohan: thats a good suggestion
18:34:43 <SumitNaiksatam> RajeshMohan: they seem to be more inclined towards using SG
18:35:05 <SumitNaiksatam> probably thats a shorter term thing, but thats the impression i got
18:35:22 <RajeshMohan> Sumit: ok
18:35:25 <SumitNaiksatam> some validation from your direct customers/users will help
18:35:52 <SumitNaiksatam> that way we can organize a discussion between the PTL, us, and the users and try to move forward on this
18:36:00 <SumitNaiksatam> until then, I see this as stuck
18:36:30 <SumitNaiksatam> does everyone agree?
18:37:21 <SumitNaiksatam> ok i will take that as a yes! :-)
18:37:32 <SumitNaiksatam> #topic vendor drivers
18:37:45 <SridarK> sorry got bounced out
18:37:50 <RajeshMohan> Sumit: I thought the discussion in summit was on approach. I thought everyone sees the need for it. Was I wrong?
18:38:53 <SumitNaiksatam> #undo
18:38:54 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0x26b6390>
18:39:09 <SumitNaiksatam> RajeshMohan: not sure everyone was convinced of the need either, the pushback was that it is in some way not RESTful
18:39:55 <RajeshMohan> There were alternate approaches (like duplicating policy) and I assumed that others see the need for it
18:40:01 <SumitNaiksatam> i have sought clarification on this in the review, but i am yet to get a good answer on this
18:40:35 <RajeshMohan> ok - we can cite existing products that have commit feature
18:40:57 <garyduan> I mentioned once, maybe for simplicity, once we commit, we commit to all firewall
18:41:13 <SumitNaiksatam> RajeshMohan: yes, that, and more importantly we need some actual user voices to push for this
18:41:50 <SumitNaiksatam> garyduan: we can discuss those level semantics as a second step, but we first need to get agreement on the commit/apply operation
18:42:06 <garyduan> sure
18:42:13 <SumitNaiksatam> #topic vendor drivers
18:42:32 <SumitNaiksatam> garyduan SridarK RajeshMohan: anything you guys planning on pushing in icehouse?
18:42:57 <SridarK> SumitNaiksatam: We will have a dependency on zones so unlikely in icehouse
18:43:12 <SumitNaiksatam> SridarK: ok
18:43:35 <RajeshMohan> Sumit: Same here. Zones and commit are must before we publish our driver
18:43:43 <SumitNaiksatam> RajeshMohan: ok
18:43:47 <garyduan> For us, it's mostly refactoring
18:44:00 <RajeshMohan> Sumit: Will talk to product management on commit and get back to you
18:44:01 <SumitNaiksatam> garyduan: ok, which milestone are you targeting?
18:44:06 <SumitNaiksatam> RajeshMohan: thanks
18:44:11 <garyduan> as part of service framework,
18:44:22 <SumitNaiksatam> garyduan: okay, so I3?
18:44:33 <garyduan> SumitNaiksatam: yes. we have a bp
18:44:39 <SumitNaiksatam> garyduan: ok
18:44:50 <SumitNaiksatam> i want to give SridarK time for the discussion on L2 firewall
18:44:57 <SumitNaiksatam> #topic L2 firewall
18:45:02 <SumitNaiksatam> SridarK: please go ahead
18:45:15 <SridarK> SumitNaiksatam: Thanks
18:45:32 <SridarK> do u think this is something we can target post service insertion
18:45:42 <sc68cal> SridarK: I'm here too for this
18:45:43 <SridarK> i think it is a valid and common deployment case
18:46:04 <sc68cal> if any q's about our usecase
18:46:11 <SridarK> sc68cal: thanks Sean - pls add more
18:46:13 <SridarK> as reqd
18:46:27 <SumitNaiksatam> SridarK sc68cal: thanks
18:46:57 <SumitNaiksatam> SridarK: absolutely, this is the reason for the proposal on service insertion to tackle these different possibilities
18:47:21 <SumitNaiksatam> sc68cal: as a user i think we need your input/support on the service insertion/chaining proposal
18:47:37 <sc68cal> The main issue we have is that with the layer-3 agent still a SPOF, we're using provider networks for L3 services for instances. We'd like to have our cake and eat it too, still be able to take advantage of certain APIs that currently require the l3 agent
18:47:48 <SumitNaiksatam> based on that we can support many different possibilities for services
18:47:51 <SridarK> SumitNaiksatam: And this is a good demonstration of the use cases service insertion/chaining can address
18:48:29 <SumitNaiksatam> sc68cal: ok
18:48:39 <SumitNaiksatam> SridarK: agree
18:49:00 <SridarK> Also to add to sc68cal - beyond solving specific needs this is a common use case that will be of interest to many
18:49:06 <sc68cal> https://blueprints.launchpad.net/neutron/+spec/fwaas-provider-network
18:49:19 <sc68cal> we did a very quick writeup
18:49:42 <SumitNaiksatam> SridarK sc68cal: I would recommend adding a blueprint for the reference implementation of L2 firewall with a dependency on the service insertion/chaining blueprint
18:50:08 <SridarK> SumitNaiksatam: will do so
18:50:12 <SridarK> SumitNaiksatam: sounds good
18:50:47 <sc68cal> SumitNaiksatam: ok - should we take that blueprint I linked, and add a dep for the service insertion blueprint?
18:51:29 <SumitNaiksatam> sc68cal: that might work too, but i think that particular is not very clear about the L2 aspect of the firewall
18:51:38 <SumitNaiksatam> perhaps this needs more than one bp
18:51:53 <SumitNaiksatam> you can coordinate with SridarK
18:51:57 <sc68cal> ok will do
18:52:04 <SumitNaiksatam> we can have a separate session to dig deeper into this, all are welcome
18:52:21 <SumitNaiksatam> #topic open discussion
18:52:35 <SumitNaiksatam> anything else that anyone wants to bring up?
18:53:49 <SridarK> SumitNaiksatam: hopefully things on neutron will settle down so we can get some of feature needs addressed
18:53:50 <SumitNaiksatam> alrighty…thats a wrap then, thanks everyone, until next time, bye!
18:53:57 <RajeshMohan> bye
18:54:03 <SridarK> thanks bye
18:54:10 <SumitNaiksatam> SridarK: absolutely, we also need to chip in on that front! :-)
18:54:22 <SridarK> yes for sure
18:54:26 <SumitNaiksatam> #endmeeting