Hi Joe,
I have replied. Please check.
Regards
Ashish Singh
Tata Consultancy Services
Cell:- 9030419618
Mailto: ashish.sin...@tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
-----joehuang <joehu...@huawei.com> wrote: -----
To: Ashish Singh7 <ashish.sin...@tcs.com>
From: joehuang <joehu...@huawei.com>
Date: 10/04/2016 12:19PM
Cc: Ashish singh <ashishsingh...@gmail.com>, "caizhiyuan (A)"
<caizhiyu...@huawei.com>, Dimitri Mazmanov <dimitri.mazma...@ericsson.com>,
Meimei <mei...@huawei.com>, opnfv-tech-discuss
<opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy"
<s...@docomolab-euro.com>, Zhipeng Huang <zhipengh...@gmail.com>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Thank you Ashish, comments are put in the document.
Best Regards
Chaoyi Huang (joehuang)
From: Ashish Singh7 [ashish.sin...@tcs.com]
Sent: 29 September 2016 22:04
To: joehuang
Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; opnfv-tech-discuss;
Sama, Malla Reddy; Zhipeng Huang
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Hi All,
I have updated the document with an approach to solve the concurrency problem.
Please have a look and comment accordingly.
Regards
Ashish Singh
-----joehuang <joehu...@huawei.com> wrote: -----
To: Ashish Singh7 <ashish.sin...@tcs.com>
From: joehuang <joehu...@huawei.com>
Date: 09/27/2016 09:10AM
Cc: Ashish singh <ashishsingh...@gmail.com>, "caizhiyuan (A)"
<caizhiyu...@huawei.com>, Dimitri Mazmanov <dimitri.mazma...@ericsson.com>,
Meimei <mei...@huawei.com>, opnfv-tech-discuss
<opnfv-tech-discuss@lists.opnfv.org>, "Sama, Malla Reddy"
<s...@docomolab-euro.com>, Zhipeng Huang <zhipengh...@gmail.com>
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Hello, Ashish,
Thank you for the BP and doc, see comments in the doc.
Best Regards
Chaoyi Huang (joehuang)
From: Ashish Singh7 [ashish.sin...@tcs.com]
Sent: 26 September 2016 18:28
To: joehuang
Cc: Ashish singh; caizhiyuan (A); Dimitri Mazmanov; Meimei; opnfv-tech-discuss;
Sama, Malla Reddy; Zhipeng Huang
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Hi All,
I have registered a blueprint on "Resource Syncing" and tied it to a supporting
document.
Blueprint:
https://blueprints.launchpad.net/kingbird/+spec/resource-syncing
Google Docs link:
https://docs.google.com/document/d/1N6HFAFUT5BbEp1wbnYjgaKdOlyJanwkXccv-_1zsVQc/edit?usp=sharing
Let us use this to discuss the feature and finalize it.
Regards
Ashish Singh
From: joehuang <joehu...@huawei.com>
To: Ashish singh <ashishsingh...@gmail.com>, opnfv-tech-discuss
<opnfv-tech-discuss@lists.opnfv.org>, "caizhiyuan (A)"
<caizhiyu...@huawei.com>, Meimei <mei...@huawei.com>, "Sama, Malla Reddy"
<s...@docomolab-euro.com>, Zhipeng Huang <zhipengh...@gmail.com>, "Dimitri
Mazmanov" <dimitri.mazma...@ericsson.com>, Ashish Singh7
<ashish.sin...@tcs.com>
Date: 09/21/2016 02:23 PM
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Hello team,
Last year, use case 4 was discussed and some network-related requirements were
identified: https://etherpad.opnfv.org/p/multisite_centralized_servic
- Global view for tenant-level IP address / MAC address space management
  - If a tenant has networks in multiple regions, and these networks are
    routable (for example, connected with VPN), then IP addresses may be
    duplicated. Need a global view for IP address space management.
  - If IPv4 is used, this issue needs to be considered. For IPv6, it should not
    be a problem. IR - disagree with this statement. This requirement is
    important not just for prevention of duplicate addresses.
  - For security and other reasons it's important to know which IP addresses
    (IPv4 and IPv6) are used in which region.
  - Can we also extend such a requirement to MAC address tracking?
  - Can we also extend such a requirement to mapping for floating and public IP
    addresses?
- A service to clone security groups across regions
  - No appropriate service to security groups across multiple regions; if the
    tenant has resources distributed, has to set the security groups in
    different regions manually.
And during the discussion thread with netready, one more issue was identified
(http://lists.opnfv.org/pipermail/opnfv-tech-discuss/2016-July/011499.html):
- VxLAN pool cross-site management for VxLAN segmentation allocation
All these issues need to be addressed; we can discuss them together.
Tricircle (the Tricircle team is now working on the cleaning to make Tricircle
dedicated to networking automation across Neutron, as mentioned below) could be
the reference. The design blueprint has just been updated for your reference:
https://docs.google.com/document/d/1zcxwl8xMEpxVCqLTce2-dUOtB-ObmzJTbV1uSQ6qTsY/
Local network, shared VLAN network and L3 have been implemented in the Newton
release. Of course, in the NFV area, L2 networking should be enough in most
scenarios.
And the spec for Tricircle Local Neutron Plugin is in review:
https://review.openstack.org/#/c/368529/
Best Regards
Chaoyi Huang (joehuang)
From: joehuang
Sent: 09 September 2016 16:59
To: Ashish singh; opnfv-tech-discuss; caizhiyuan (A); Meimei; Sama, Malla
Reddy; Zhipeng Huang; Dimitri Mazmanov; Ashish Singh7
Subject: RE: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Hello, Ashish,
I think sync itself (if excluding the remote sec-group) is not complex; the
complexity is to ensure the rules set in different regions of Neutron will not
conflict with each other. Otherwise, it'll become a mess.
So I agree with you: "We must use neutron to perform all our operations as with
neutron we have total control over it." (Is my understanding correct?)
That's the way of Tricircle (please forgive me for explaining a little:
Tricircle is now only a project about networking automation across Neutron, and
the Nova/Cinder API-Gateway part will be moved to Trio2o, a newly created
project:
https://docs.google.com/presentation/d/1kpVo5rsL6p_rq9TvkuczjommJSsisDiKJiurbhaQg7E/edit).
And the SEG sync has been implemented in Tricircle, and we are now doing the
Tricircle splitting and cleaning.
If we implement SEG sync in Kingbird, we have to write lots of duplicated code
which has already been done in Neutron, for example, SEG CRUD, rule CRUD,
validation, rule checking, default rule management, etc.
Best Regards
Chaoyi Huang(joehuang)
From: Ashish singh [ashishsingh...@gmail.com]
Sent: 08 September 2016 23:57
To: opnfv-tech-discuss; caizhiyuan (A); Meimei; Sama, Malla Reddy; Zhipeng
Huang; Ashish singh; Dimitri Mazmanov; joehuang; Ashish Singh7
Subject: [opnfv-tech-discuss][multisite] Secgroup syncing Approach
Hi All,
I have drafted a basic approach for security group syncing in release D and it
is as follows.
- Get the list of secgroups with rules for a tenant from all the regions which
  do not have remote group references (currently, we ignore remote secgroup
  references as there can be a lot of nested dependencies).
- Traverse each region and do the following:
  - Get the list of secgroups which are present in all the regions except the
    current region. These are the secgroups which we need to sync in the
    current region: call it GRP_TO_BE_SYNCED.
  - There can be a case where a secgroup from GRP_TO_BE_SYNCED may have the
    same rules as a secgroup in the current region (if not initially, then this
    will obviously happen after a sync job).
  - Traverse through GRP_TO_BE_SYNCED and check if there are such secgroups
    (groups with overlapping rules); if there are, ignore them. After this
    filtering, the remaining secgroups will be the final list of secgroups
    which should be created for the current region.
  - Create the secgroups from the final list of secgroups in the region.
- Repeat the process for all the tenants in batches.
The default security group is not synced, as I feel a region-specific default
secgroup has to be there in each region.
We must use neutron to perform all our operations as with neutron we have total
control over it.
For creating a security group we need the following information:
  --tenant-id TENANT_ID
        The owner tenant ID.
  --description DESCRIPTION
        Description of security group rule.
  --direction {ingress,egress}
        Direction of traffic: ingress/egress.
  --ethertype ETHERTYPE
        IPv4/IPv6
  --protocol PROTOCOL
        Protocol of packet. Allowed values are [icmp, icmpv6, tcp, udp] and
        integer representations [0-255]
  --port-range-min PORT_RANGE_MIN
        Starting port range. For ICMP it is type.
  --port-range-max PORT_RANGE_MAX
        Ending port range. For ICMP it is code.
  --remote-ip-prefix REMOTE_IP_PREFIX
        CIDR to match on.
We have all these details with us available.
Let us take this forward. Please review/comment.
--
Best Regards,
Ashish Singh
_______________________________________________
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
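
The sync steps drafted in the first message of this thread (leave out the default group and groups with remote group references, then create in each region only the groups whose rules are not already present there), as an added Python sketch that is not part of the thread and not Kingbird or Tricircle code. The region names, group names and in-memory dict layout are constructed for illustration; groups are matched on their rule sets only, and de-duplicating identical groups found in several other regions is an assumption of this example.

```python
# Added example with constructed data; not Kingbird or Tricircle code.
RULE_KEYS = ("direction", "ethertype", "protocol",
             "port_range_min", "port_range_max", "remote_ip_prefix")

def rule(direction, proto, lo, hi, cidr=None, remote_group=None):
    return {"direction": direction, "ethertype": "IPv4", "protocol": proto,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": cidr, "remote_group_id": remote_group}

def rule_signature(group):
    """Region-independent fingerprint of a group's rules (IDs are ignored)."""
    return frozenset(tuple(r[k] for k in RULE_KEYS) for r in group["rules"])

def syncable(group):
    """Skip 'default' and any group that references a remote group."""
    return (group["name"] != "default"
            and all(r["remote_group_id"] is None for r in group["rules"]))

def plan_sync(groups_by_region):
    """Return {region: [names of groups to create there]} for one tenant."""
    candidates = {region: [g for g in groups if syncable(g)]
                  for region, groups in groups_by_region.items()}
    plan = {}
    for region, local in candidates.items():
        seen = {rule_signature(g) for g in local}   # rule sets already here
        plan[region] = []
        for other in sorted(candidates):
            if other == region:
                continue
            for g in candidates[other]:              # GRP_TO_BE_SYNCED
                sig = rule_signature(g)
                if sig not in seen:                  # no overlapping group yet
                    seen.add(sig)                    # assumption: dedupe across regions
                    plan[region].append(g["name"])
    return plan

SAMPLE = {  # constructed inventory for one tenant
    "RegionOne": [
        {"name": "default", "rules": [rule("egress", None, None, None)]},
        {"name": "web", "rules": [rule("ingress", "tcp", 80, 80, "0.0.0.0/0")]}],
    "RegionTwo": [
        {"name": "db", "rules": [rule("ingress", "tcp", 3306, 3306, "10.0.0.0/24")]},
        {"name": "web-copy", "rules": [rule("ingress", "tcp", 80, 80, "0.0.0.0/0")]},
        {"name": "app", "rules": [rule("ingress", "tcp", 8080, 8080,
                                       remote_group="sg-constructed")]}],
    "RegionThree": [],
}
if __name__ == "__main__":
    print(plan_sync(SAMPLE))
```

In the sample, RegionOne is planned to receive only db: web-copy carries the same rules as its own web group, and app is left out because of its remote group reference.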