+1, I had another email to discuss about FW (FWaaS) and DVR integration. Traditionally, we run firewall with router so that firewall can use route and NAT info from router. since DVR is asymmetric when handling traffic, it is hard to run stateful firewall on top of DVR just like a traditional firewall does . When the NAT is in the picture, the situation can be even worse.Another approach would be to use a single IP address per router per compute node. This avoids the multi-tenant issue mentioned above, at the cost of consuming more IP addresses, potentially one default SNAT IP address for each VM on the compute server (which is the case when every VM on the compute node is from a different tenant and/or using a different router). At that point you might as well give each VM a floating IP.Hence the approach taken with the initial DVR implementation is to keep default SNAT as a centralized service.In contrast to moving service to distributed CN, we should take care of keeping them as centralized, especially FIP and FW. I know a lot of customer prefer using some dedicated servers to act as network nodes, which have more NICs(as external connection) than compute nodes, in these cases FIP must be centralized instead of being distributed. As for FW, if we want stateful ACL then DVR can do nothing, except that we think security group is already some kind of FW.
Yi
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
