Expanding on what Jon wrote – the NVE needs to know what to do with traffic 
that it has no explicit policy for. The envisioned implementation approach 
appears to include lazy evaluation of policy propagation (e.g., a VM can arrive 
at the NVE before the policy for its traffic does) – if that is done, it may be 
useful for the NVE to forward traffic for which it has no policy information 
(yet) to an explicit gateway, or one of several explicit gateways, that will 
have the policy. Although that forwarding may be a default action at the NVE, 
the explicit gateway to which such traffic is sent need not be the “Default 
Gateway” for IP traffic - those are two different concepts.

Thanks, --David
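To make the distinction David draws concrete, here is an added illustrative model of the NVE forwarding decision. It is not code from this thread, from RFC 8014, or from any NVO3 implementation: the VN names, Tenant System names, gateway labels, the round-robin choice among explicit gateways and the NVA "update" call are all assumptions made up for the example. What it shows is an NVE that keeps the explicit policy gateways and the tenant's IP default gateway as separate things, hands frames with an unknown inter-VN verdict to a policy gateway while the NVA query is outstanding, and switches to local handling (tunnel or drop) once the NVA's answer arrives.

```python
"""Added illustrative model (not NVO3 code, not any vendor's NVE) of an NVE whose
inter-VN policy is propagated lazily.  Frames with no verdict yet go to an explicit
policy gateway, which is tracked separately from the tenant's IP default gateway.
All VN names, TS names and gateway labels below are made up for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"      # NVA says the VN pair may talk: tunnel directly to the target NVE
    DENY = "deny"        # NVA says the VN pair may not talk: drop locally
    UNKNOWN = "unknown"  # no policy has reached this NVE yet (lazy propagation)


@dataclass
class Nve:
    policy_gateways: list[str]       # explicit gateways that hold the full policy (assumed)
    ip_default_gateway: str          # tenant L3 default route; never used as a policy fallback
    policy: dict[tuple[str, str], Verdict] = field(default_factory=dict)
    mappings: dict[str, str] = field(default_factory=dict)    # target TS -> remote NVE
    pending: set[tuple[str, str]] = field(default_factory=set)  # NVA queries in flight
    _rr: int = 0                                               # round-robin cursor

    def forward(self, src_vn: str, dst_vn: str | None, dst_ts: str) -> tuple[str, str | None]:
        """Decide what to do with one frame; returns (action, next hop)."""
        if dst_vn is None:
            # Destination is outside the overlay altogether: ordinary routing via the
            # tenant's IP default gateway.  This is the "Default Gateway" concept.
            return ("route", self.ip_default_gateway)
        verdict = self.policy.get((src_vn, dst_vn), Verdict.UNKNOWN)
        if verdict is Verdict.DENY:
            return ("drop", None)
        if verdict is Verdict.ALLOW and dst_ts in self.mappings:
            return ("tunnel", self.mappings[dst_ts])
        # No usable policy (or no TS mapping) yet: note the outstanding NVA query and,
        # in the meantime, hand the frame to an explicit policy gateway rather than
        # holding it or guessing.  Round-robin stands in for whatever distribution
        # scheme a deployment would actually use across several such gateways.
        self.pending.add((src_vn, dst_vn))
        gw = self.policy_gateways[self._rr % len(self.policy_gateways)]
        self._rr += 1
        return ("policy_gateway", gw)

    def nva_update(self, src_vn: str, dst_vn: str, verdict: Verdict,
                   mappings: dict[str, str] | None = None) -> None:
        """Install the NVA's answer; later frames for this VN pair are handled locally."""
        self.policy[(src_vn, dst_vn)] = verdict
        self.mappings.update(mappings or {})
        self.pending.discard((src_vn, dst_vn))


def demo() -> list[tuple[str, str | None]]:
    """Walk one NVE through the lazy-policy sequence; returns the actions taken."""
    nve = Nve(policy_gateways=["pgw-1", "pgw-2"], ip_default_gateway="10.0.0.1")
    out = []
    out.append(nve.forward("vn-red", "vn-blue", "ts-blue-1"))    # no policy yet -> pgw-1
    out.append(nve.forward("vn-red", "vn-green", "ts-green-1"))  # no policy yet -> pgw-2
    out.append(nve.forward("vn-red", None, "198.51.100.7"))      # off-overlay -> IP default gw
    # The NVA answers both outstanding queries.
    nve.nva_update("vn-red", "vn-blue", Verdict.ALLOW, {"ts-blue-1": "nve-7"})
    nve.nva_update("vn-red", "vn-green", Verdict.DENY)
    out.append(nve.forward("vn-red", "vn-blue", "ts-blue-1"))    # now tunnelled to nve-7
    out.append(nve.forward("vn-red", "vn-green", "ts-green-1"))  # now dropped locally
    assert not nve.pending
    return out


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The point of the two separate attributes is the one made above: falling back to a policy gateway is a default action of the NVE, but that gateway is chosen because it has the policy, not because it is the tenant's IP default route, and the model never conflates the two.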

From: Jon Hudson [mailto:[email protected]]
Sent: Monday, April 17, 2017 7:46 PM
To: Linda Dunbar <[email protected]>
Cc: Black, David <[email protected]>; [email protected]; 
[email protected]; [email protected]; NVO3 <[email protected]>
Subject: Re: questions about the RFC8014 Section 5.4


Well, I don't remember what was intended, but I can say what I would expect as a 
user.

1.) A default policy must exist so that any VMs that appear outside of, or in 
lack of, a policy are put into that default policy group.

2.) A default policy group that exists in a group of policies that allow for 
distributed gateways should itself default to a multiple-gateway policy, as it 
is the base or default policy that reflects a group of distributed gateway 
participants.

However, this seems to me to be more implementation territory and not something 
necessary to standardize.

Jon

On Apr 17, 2017, at 4:26 PM, Linda Dunbar <[email protected]> wrote:
David, Jon, Larry, Marc, and Thomas:

One of our implementation engineers asked a question about Section 5.4, 
Distributed Inter-VN Gateways. Hope you can help with the answer.

Section 5.4 states:
“Explicit gateways could be the central
point for such enforcement, with all inter-VN traffic forwarded to
such gateways for processing. Alternatively, the NVA can provide
such information directly to NVEs by either providing a mapping for a
target Tenant System (TS) on another VN or indicating that such
communication is disallowed by policy.”

“The NVO3 architecture supports distributed gateways for the case of
inter-VN communication. Such support requires that NVO3 control
protocols include mechanisms for the maintenance and distribution of
policy information about what type of cross-VN communication is
allowed so that NVEs acting as distributed gateways can tunnel
traffic from one VN to another as appropriate.”
The question is: if an NVE doesn't have the up-to-date policies for some of its 
attached VMs (most likely newly moved-in VMs), should the NVE forward the data 
frames to the “Default Gateway” (as the time needed to query the NVA for the 
needed policy might be too long)?

It is almost like what is described in the “Split-NVE Control Plane 
Requirements” (draft-ietf-nvo3-hpvr2nve-cp-req-06) with the interpretation of 
“tGateway” being on the NVE and “nGateway” on the centralized Gateway.

Any answer is greatly appreciated.

Linda Dunbar


_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3