INTERCONNECTING NEUTRON AND NETWORK OPERATORS' BGP VPNS Paul Carver Tim Irnich Thomas Morin

Upload: thomas-morin

Post on 14-Apr-2017


Page 1: Interconnecting Neutron and Network Operators' BGP VPNs

INTERCONNECTING NEUTRON AND NETWORK OPERATORS' BGP VPNS

Paul Carver Tim Irnich Thomas Morin

Page 2: Interconnecting Neutron and Network Operators' BGP VPNs

TELCO STUFF AHEAD, DON’T BE AFRAID

Page 3: Interconnecting Neutron and Network Operators' BGP VPNs

WHAT ARE BGP VPNS ?

FIRST, WHAT THEY ARE NOT…

No encryption

• ‘P’ stands for ‘Private’: think Private Addressing

• (one can obviously add encryption over a BGP VPN, just like over any IP network)

Isolation is…

• not managed by customers

• managed by the operator of the shared physical network

Hence: not like IPSec or SSL VPNs

Page 4: Interconnecting Neutron and Network Operators' BGP VPNs

WHAT ARE BGP VPNS ?

BASE PRINCIPLES OF BGP/MPLS VPNS (SIMPLIFIED)

use MPLS to isolate the traffic of different VPNs on the wire

• MPLS here: an encapsulation layer stacked onto IP packets of a VPN

• MPLS “label”: dataplane field used for isolation

use the BGP routing protocol to indicate where/how to send packets

• advertise routes: “10.11.0.0/16 in VPN 888:42 is reachable via router X using MPLS Label N”

• VPN “identifiers”: “Route Target” (e.g. 888:42)

• (calling them ‘identifier’ is very simplified, much more flexibility)

• only present in the control plane!

initially for L3VPNs, extended for L2/Ethernet (in particular E-VPN)

later extended to other encaps: MPLS/GRE, MPLS/UDP, VXLAN

• the reason to use “BGP VPNs” rather than “BGP/MPLS VPNs”
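The advertisement and Route Target mechanism from this slide, as an added Python example (not from the talk or from networking-bgpvpn): a VRF imports only the routes carrying a Route Target it is configured for, and an audit function flags routes that entered through an extra import target. It is simplified like the slide (no Route Distinguishers); Route Target 888:77, routers Y and Z, and the label values are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VpnRoute:
    """One BGP VPN advertisement: prefix, Route Targets, next hop, MPLS label."""
    prefix: str
    route_targets: frozenset
    next_hop: str
    label: int

def build_vrf(import_rts, advertisements):
    """Control plane: keep only routes carrying at least one imported Route Target."""
    wanted = set(import_rts)
    return [r for r in advertisements if r.route_targets & wanted]

def lookup(vrf, dst):
    """Longest-prefix match inside one VRF; returns (next_hop, label) or None."""
    addr = ip_address(dst)
    hits = [r for r in vrf if addr in ip_network(r.prefix)]
    if not hits:
        return None
    best = max(hits, key=lambda r: ip_network(r.prefix).prefixlen)
    return best.next_hop, best.label

def foreign_routes(vrf, allowed_rts):
    """Audit check: routes in a VRF that carry none of the Route Targets allowed for it."""
    return [r for r in vrf if not (r.route_targets & set(allowed_rts))]

# Constructed sample advertisements: Red and Blue reuse the same private prefix.
ADVERTISEMENTS = [
    VpnRoute("10.11.0.0/16", frozenset({"888:42"}), "router-X", 3001),
    VpnRoute("10.11.0.0/16", frozenset({"888:77"}), "router-Y", 4002),
    VpnRoute("10.11.5.0/24", frozenset({"888:42"}), "router-Z", 3005),
]

RED_VRF = build_vrf({"888:42"}, ADVERTISEMENTS)
BLUE_VRF = build_vrf({"888:77"}, ADVERTISEMENTS)
# Misconfiguration: an extra import target merges Blue's routes into this VRF.
LEAKY_VRF = build_vrf({"888:42", "888:77"}, ADVERTISEMENTS)

if __name__ == "__main__":
    print("red  ->", lookup(RED_VRF, "10.11.5.9"))
    print("blue ->", lookup(BLUE_VRF, "10.11.5.9"))
    print("leak ->", foreign_routes(LEAKY_VRF, {"888:42"}))
```

The packet itself only carries the label returned by `lookup`; the Route Target decides, in the control plane, which VRF ever learns that label.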

Page 5: Interconnecting Neutron and Network Operators' BGP VPNs

WHAT ARE BGP VPNS ?

“OLD”, PROVEN, INTEROPERABLE AND VERY SCALABLE

Late 90’s, then incremental protocol improvements since

Lots of deployments

Very interoperable

• IETF RFCs starting point references: RFC 4364, RFC 7432

• multi-vendor deployments commonplace

How scalable ?

• some BGP/MPLS deployments serve millions of VPN sites

• toolbox of established practices and protocol extensions to improve scaling

Page 6: Interconnecting Neutron and Network Operators' BGP VPNs

WHAT ARE BGP VPNS ?

WHAT ARE THEY USED FOR ?

In the past 15+ years: business customers VPNs (e.g. replace leased lines, Frame Relay, etc.)

Later in the 2000’s: increasing use in converged IP/MPLS backbones (e.g. carry services for triple play)

Cloud inter-DC

Interconnect for NFV platforms

between NFV POPs

between NFV platforms and service BGP VPNs

Today, all these need to be interconnected with OpenStack

OpenStack as the elected IaaS foundation for NFV

Page 7: Interconnecting Neutron and Network Operators' BGP VPNs

WHAT IS THE NEED ?

Admin-only API to control the technical details

• “VPN Foo of tenant Lambda will use Route Target 13879:11, etc.”

Tenant API to let tenant choose what

• “I want to interconnect Neutron network 11e304ec-5b67-4980-aa57-da10d0f057a6 with my VPN Foo”

Actual implementation is automated, need to accommodate different solutions that automate differently

The networking-bgpvpn Neutron Stadium project was created to address this need (June 2015)

Page 8: Interconnecting Neutron and Network Operators' BGP VPNs

NEW API RESOURCES

[Diagram, labels as follows]

OpenStack Admin: creates a BGPVPN and gives it to “Project Lambda”

BGP VPN “default VPN”

• Type: L3

• BGP Route-Target: 1234:42

• Tenant: Project Lambda

Some user in “Project Lambda”: creates associations to set up interconnections

• Network Association

• Router Association

Already existing API resources: Network X, Router Y
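The admin/tenant split described on the two slides above, as an added Python example (a toy in-memory model, not networking-bgpvpn code): the admin fixes the Route Target and hands the BGPVPN to a project, and a tenant may only associate its own networks with it. The class, the field names, the `vpn-1` and `net-of-mu` identifiers and project "Mu" are hypothetical.

```python
class Forbidden(Exception):
    """The caller's role or project does not allow the request."""

class BgpvpnApi:
    """Toy in-memory model (hypothetical names) of the admin/tenant API split."""
    ADMIN_ONLY = {"type", "route_targets", "project"}

    def __init__(self, owners):
        self.owners = owners  # network id -> owning project
        self.bgpvpns, self.associations = {}, []

    def _check(self, caller, allowed, why):
        if caller["role"] != "admin" and not allowed:
            raise Forbidden(why)

    def create_bgpvpn(self, caller, vpn_id, **attrs):
        self._check(caller, False, "only an admin may create a BGPVPN")
        self.bgpvpns[vpn_id] = dict(attrs)

    def update_bgpvpn(self, caller, vpn_id, **changes):
        vpn = self.bgpvpns[vpn_id]
        self._check(caller, vpn["project"] == caller["project"], "not your BGPVPN")
        self._check(caller, not self.ADMIN_ONLY.intersection(changes), "admin-only attribute")
        vpn.update(changes)

    def associate_network(self, caller, vpn_id, network_id):
        vpn = self.bgpvpns[vpn_id]
        self._check(caller, vpn["project"] == caller["project"], "not your BGPVPN")
        self._check(caller, self.owners.get(network_id) == caller["project"], "foreign network")
        self.associations.append((vpn_id, network_id))

def demo():
    """Replay the slides' scenario on constructed data; return (api, refused labels)."""
    net = "11e304ec-5b67-4980-aa57-da10d0f057a6"  # network id quoted on the slide
    api = BgpvpnApi({net: "Lambda", "net-of-mu": "Mu"})
    admin, user = {"role": "admin", "project": "ops"}, {"role": "member", "project": "Lambda"}
    api.create_bgpvpn(admin, "vpn-1", type="l3", route_targets=["1234:42"], project="Lambda")
    attempts = {
        "associate-own-net": lambda: api.associate_network(user, "vpn-1", net),
        "retarget": lambda: api.update_bgpvpn(user, "vpn-1", route_targets=["888:42"]),
        "associate-foreign-net": lambda: api.associate_network(user, "vpn-1", "net-of-mu"),
    }
    refused = []
    for label, call in attempts.items():
        try:
            call()
        except Forbidden:
            refused.append(label)
    return api, refused
```

Calling `demo()` shows the tenant's own association going through while the attempt to change the Route Target and the attempt to attach another project's network are both refused.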

Page 9: Interconnecting Neutron and Network Operators' BGP VPNs

NEUTRON BGP VPN INTERCONNECTIONS SERVICE PLUGIN

OVERVIEW

[Diagram, labels as follows]

• Neutron: API, BGPVPN Service Plugin, driver for X… ?

• Backend X (e.g. Neutron+Bagpipe, OpenDaylight, OpenContrail, Nuage, etc.)

• BGP Peers: BGP VPN routes

• dataplane (vswitch/vrouter), VMs: packets carried over MPLS to/from VPNs

Page 10: Interconnecting Neutron and Network Operators' BGP VPNs

HOW IT WORKS WITH AN SDN CONTROLLER…

E.G. OPENDAYLIGHT, OPENCONTRAIL, NUAGE NETWORKS, ETC.

[Diagram, labels as follows]

• Neutron: API, BGPVPN Service Plugin, driver for SDN Controller X (driver for backend X)

• REST

• SDN Controller: NBI, BGP, SBI

• BGP Peers: BGP VPN routes

• compute nodes: VMs, vswitch

• packets carried over MPLS to/from VPNs

Page 11: Interconnecting Neutron and Network Operators' BGP VPNs

HOW IT WORKS WITH NEUTRON OVS + BAGPIPE …

[Diagram, labels as follows]

• Neutron: API, BGPVPN Service Plugin, bagpipe driver, ML2 as Core Plugin, openvswitch mech driver

• RabbitMQ

• compute node: Neutron OVS agent, bagpipe extension, bagpipe-bgp, OpenVSwitch (br-int | br-tun | br-mpls), VMs

• BGP Peers: BGP VPN routes

• packets carried over MPLS towards VPNs

Page 12: Interconnecting Neutron and Network Operators' BGP VPNs

DEMO TIME!

Starting point

• an Openstack cloud peering with BGP/MPLS routers

• pre-existing VPNs in the WAN for customers Red and Blue

Platform: devstack VM using ovs/bagpipe driver, lab router (VM), VPN site (VM)

Let’s let tenant Red interconnect an Openstack VM and its VPN, and test the result from a VPN site

[Diagram, labels as follows]

• DC network: control / compute (devstack), VM (tenant ‘Blue’), VM (tenant ‘Red’) 192.168.10.x

• BGP/MPLS border routers

• IP/MPLS WAN: BGP/MPLS provider edge router, BGP/MPLS provider edge ‘lab-router’

• MPLS encapsulation

• lnx02 test box 192.168.177.102

Page 13: Interconnecting Neutron and Network Operators' BGP VPNs

INTEGRATION IN NEUTRON & OPENSTACK

networking-bgpvpn leverages drivers/plugin hooks to integrate with other components:

• Neutron extension API hooks, service plugin and driver loading

• for ovs-bagpipe driver: registry callbacks, an L2 agent extension

• increasing use of neutron-lib

• CLI: an entrypoint for the neutronclient extension (CLI part currently being ported to OSC)

• Heat plugin

• Tempest plugin

• Horizon plugin

• OpenStack CI hooks for test job configuration

collaboration with Neutron devs to bring improvements or fixes

A hospitable enough environment

Other Neutron projects to take inspiration from

Page 14: Interconnecting Neutron and Network Operators' BGP VPNs

TRYING TO BE A GOOD STADIUM PROJECT

A significant effort is required to match the expectations raised for Neutron Stadium projects

• in particular getting everything ready on CI testing

Downside: fewer features in last cycle

But pushes/forces us in the right direction

Page 15: Interconnecting Neutron and Network Operators' BGP VPNs

OPENSTACK NET’-BGPVPN AND OPNFV SDNVPN

OPNFV: a mid-stream integration project providing automated install of all required components for a given use case, as well as E2E testing

• BGPVPN is such a use case

• Gives upstream projects additional visibility if their changes break something at system level (i.e. when multiple components interplay)

The OPNFV SDNVPN project aims at integrating a complete stack for BGPVPNs

• focusing on cases where an SDN controller is used

• a BaGPipe scenario is planned as well

• Integration with installers: Fuel (Mirantis) and TripleO/Apex (RedHat)

• Provides deployment scenarios derived from odl_l3, both HA and non-HA

Page 16: Interconnecting Neutron and Network Operators' BGP VPNs

WRAP UP

One API allowing tenants to control interconnections with their BGP VPNs

• Public/operator cloud <-> business customers of MPLS VPN offers

• inter-DC, distributed cloud, edge cloud

• NFV multi-POP deployments

Drivers for several SDN controllers and a Neutron driver

CLI interface, Horizon GUI, and Heat bindings

Now / Soon / On the radar:

• complete E-VPN part of API

• remaining work to match Neutron Stadium requirements (e.g. more functional testing!)

• API evolution for finer-grained control of routing (static routes, preferences, route leaking)

• consider supporting multiple drivers/backends simultaneously

• see MPLS/GRE support land in OpenVSwitch (next MPLS/UDP!)

• expectations of improved feature parity among drivers

a Neutron Stadium project working hand in hand with OPNFV

OpenStack / OPNFV contributors around BGP VPN…

Antoine Eiche

Bruno Fernando

Édouard Thuleau

Cédric Savignan

Daniel Radez

Darek Smiegel

Henry Gessau

Jean-Philipe Braun

Mathieu Rohon

Michal Skalski

Nikolas Hermanns

Nishant Kumar

Paul Carver

Peter V. Saveliev

Pierre Crégut

R. R. Palleti

Suresh K.

Tim Irnich

Tim Rozet

Thomas Monguillon

Thomas Morin

Vishal Thapar

Wim De Clercq

Yannick Thomas

(hopefully not missing anyone…)