> Some of us are looking at a different model. I’d be interested in your 
> thoughts.


Thanks for the link to the drafts. They look extremely similar to the 
approach we've been pursuing for Project Calico, and it's good to see 
that we're not the only people thinking in this direction.

It looks like the main differences between our approach and yours are 
that we've tried to come up with a model that works both for IPv4 and 
IPv6 (although we agree that moving the data center fabric to IPv6 has a 
lot of advantages - e.g. we are planning on using 464XLAT as the 
mechanism to handle IPv4 overlap).  Given this, we've focused our 
policy/security model on ACLs rather than flow labels.  An interesting 
derivative effect of that choice is that any policy or security model 
can be enforced (such as intra-tenant controls, extra-cloud controls, 

As a side note, we have been interested in using flow labels as 
namespace identifiers and for SFC.  Recently, we have moved away from 
that thinking given the guidance that the flow label should not be 
modified in flight.  If you believe that such modifications will be 
acceptable, we would love to discuss that with you, and see where we can 

As it is, I believe our proposed changes to Nova and Neutron should be 
generic enough to provide a basis for implementing your approach as well 
as supporting our Project Calico ML2 driver. If they aren't, we should 
work together to make whatever changes we have to make to achieve that 

It might also be worth checking out our agent code[0]. It's in the 
middle of a rewrite at the minute so the code is unfinished, but it 
handles a lot of what you'd be doing with your proposed drafts. 
Hopefully it'd be a useful jumping off point.


[0]: https://github.com/Metaswitch/calico/tree/master/calico/felix

OpenStack-dev mailing list
