Interconnecting Neutron and Network Operators' BGP VPNs
0 likesâ˘1,213 views
The document discusses BGP VPNs, their definitions, principles, interoperability, and scalability, outlining their use in various networking scenarios over the past 15 years. It emphasizes the need for an automated admin-only API for interconnecting Neutron networks with BGP VPNs and highlights the development of the networking-bgpvpn project within OpenStack to facilitate these connections. Additionally, it explores the integration with SDN controllers and the ongoing efforts to enhance the BGP VPN project's capabilities and testing, aiming for better feature parity and operational efficiency.
Interconnecting Neutron and Network Operators' BGP VPNs
- 1. INTERCONNECTING NEUTRON AND NETWORK OPERATORS' BGP VPNS Paul Carver Tim Irnich Thomas Morin
- 2. TELCO STUFF AHEAD, DONâT BE AFRAID
- 3. WHAT ARE BGP VPNS ? FIRST, WHAT THEY ARE NOTâŚ ď§ No encryption ď§ âPâ stands for âPrivateâ: think Private Addressing ď§ (one can obviously add encryption over a BGP VPN, just like over any IP network) ď§ Isolation isâŚ ď§ not managed by customers ď§ managed by the operator of the shared physical network ď§ Hence: not like IPSec or SSL VPNs
- 4. WHAT ARE BGP VPNS ? BASE PRINCIPLES OF BGP/MPLS VPNS (SIMPLIFIED) ď§ use MPLS to isolate the traffic of different VPNs on the wire ď§ MPLS here: an encapsulation layer stacked onto IP packets of a VPN ď§ MPLS âlabelâ : dataplane field used for isolation: ď§ use the BGP routing protocol to indicate where/how to send packets ď§ advertise routes: â10.11.0.0/16 in VPN 888:42 is reachable via router X using MPLS Label Nâ ď§ VPN âidentifiersâ: âRoute Targetâ (e.g. 888:42) ď§ (calling them âidentifierâ is very simplified, much more flexibility) ď§ only present in the control plane! ď§ initially for L3VPNs, extended for L2/Ethernet (in particular E-VPN) ď§ later extended to other encaps: MPLS/GRE, MPLS/UDP, VXLAN ď§ the reason to use âBGP VPNsâ rather than âBGP/MPLS VPNsâ
- 5. WHAT ARE BGP VPNS ? âOLDâ, PROVEN, INTEROPERABLE AND VERY SCALABLE ď§ Late 90âs, then incremental protocol improvements since ď§ Lotâs of deployments ď§ Very interoperable ď§ IETF RFCs ď§ starting point references: RFC4364, RFC 7432 ď§ multi-vendor deployments common place ď§ How scalable ? ď§ some BGP/MPLS deployment serve millions of VPN sites ď§ toolbox of established practices and protocol extensions to improve scaling
- 6. WHAT ARE BGP VPNS ? WHAT ARE THEY USED FOR ? ď§ In the past 15+ years: business customers VPNs (e.g. replace leased lines, Frame Relay, etc.) ď§ Later in the 2000âs: increasing use in converged IP/MPLS backbones (e.g. carry services for triple play) ď§ Cloud inter-DC ď§ Interconnect for NFV platforms ď§ between NFV POPs ď§ between NFV platforms and service BGP VPNs Today, all these need to be interconnected with OpenStack OpenStack as the elected IaaS foundation for NFV
- 7. WHAT IS THE NEED ? ď§ Admin-only API to control the technical details ď§ âVPN Foo of tenant Lambda will use Route Target 13879:11, etc.â ď§ Tenant API to let tenant choose what ď§ âI want to interconnect Neutron network 11e304ec-5b67-4980- aa57-da10d0f057a6 with my VPN Fooâ ď§ Actual implementation is automated, need to accommodate different solutions that automate differently The networking-bgpvpn Neutron Stadium project was created to address this need (June 2015)
- 8. NEW API RESOURCES (already existing API resources) Network X Router Ysome user in âProject Lambdaâ Openstack Admin Network Associationcreates associations to setup interconnections BGP VPN âdefault VPNâ Type: L3 BGP Route-Target: 1234:42 Tenant: Project Lambda Router Association creates a BGPVPN and gives it to âProject Lambdaâ
- 9. NEUTRON BGP VPN INTERCONNECTIONS SERVICE PLUGIN OVERVIEW Neutron BGP Peers dataplane (vswitch/ vrouter) VMs⌠⌠Backend X (e.g. Neutron+Bagpipe, OpenDaylight, OpenContrail, Nuage, etc.)API BGPVPN Service Plugin ď ď packets carried over MPLS to/from VPNs ď BGP VPN routes ď ď driver for X⌠?
- 10. Neutron SDN Controller BGP Peers driver for backend X packets carried over MPLS to/from VPNs API BGPVPN Service Plugin ď ď REST BGP VPN routes ď ď HOW IT WORKS WITH AN SDN CONTROLLER⌠E.G. OPENDAYLIGHT, OPENCONTRAIL, NUAGE NETWORKS, ETC. driver for SDN Controller X compute node VMs VMs compute node VMs VMs vswitch vswitch ď NBI BGP SBI
- 11. Rabbit MQ HOW IT WORKS WITH NEUTRON OVS + BAGPIPE ⌠Neutron compute node BGP Peers âŚVMs ⌠API BGPVPN Service Plugin ď OpenVSwitch br-int | br-tun | br-mpls packets carried over MPLS towards VPNs ď Neutron OVS agent BGP VPN routes ď ď ď bagpipe -bgp bagpipe driver ML2 as Core Plugin openvswitch mech driver bagpipe extension
- 12. DEMO TIME! ď§ Starting point ď§ an Openstack cloud ď§ peering with BGP/MPLS routers ď§ pre-existing VPNs in the WAN for customers Red and Blue ď§ Platform: devstack VM using ovs/bagpipe driver, lab router (VM), VPN site (VM) ď§ Letâs let tenant Red interconnect an Openstack VM and its VPN, and test the result from a VPN site DC network control / compute (devstack) VM (tenant âBlueâ) ⌠VM (tenant âRedâ) 192.168.10.x IP/MPLS WAN BGP/MPLS provider edge router BGP/MPLS border routers BGP/MPLS provider edge âlab-routerâ MPLS encapsulation lnx02 test box 192.168.177.102
- 13. INTEGRATION IN NEUTRON & OPENSTACK networking-bgpvpn leverages drivers/plugin hooks to integrate with other components: ď§ Neutron ď§ extension API hooks, service plugin and driver loading ď§ for ovs-bagpipe driver: ď§ registry callbacks ď§ an L2 agent extension ď§ increasing use of neutron-lib ď§ CLI ď§ an entrypoint for the neutronclient extension (CLI part currently being ported to OSC) ď§ Heat plugin ď§ Tempest plugin ď§ Horizon plugin ď§ OpenStack CI hooks for test job configuration collaboration with Neutron devs to bring improvements or fixes An hospitable enough environment ď Other Neutron projects to take inspiration from
- 14. TRYING TO BE A GOOD STADIUM PROJECT ď§ A significant effort is required to match the expectations raised for Neutron Stadium projects ď§ in particular getting everything ready on CI testing ď§ Downside: less features in last cycle ď§ But pushes/forces us in the right direction
- 15. OPENSTACK NETâ-BGPVPN AND OPNFV SDNVPN ď§ OPNFV: a mid-stream integration project providing automated install of all required components for a given use case, as well as E2E testing ⢠BGPVPN is such a use case ⢠Gives upstream projects additional visibility if their changes break something at system level (i.e. when multiple components interplay) ď§ The OPNFV SDNVPN project aims at integrating a complete stack for BGPVPNs ⢠focusing on cases where an SDN controller is used ⢠a BaGPipe scenario is planned as well ⢠Integration with installers: Fuel (Mirantis) and TripleO/Apex (RedHat) ⢠Provides deployment scenarios derived from odl_l3, both HA and non-HA
- 16. WRAP UP ď§ One API allowing tenants to control interconnections with their BGP VPNs ⢠Public/operator cloud <-> business customers of MPLS VPN offers ⢠inter-DC, distributed cloud, edge cloud ⢠NFV multi-POP deployments ď§ Drivers for several SDN controllers and a Neutron driver ď§ CLI interface, Horizon GUI, and Heat bindings ď§ Now / Soon / On the radar: ⢠complete E-VPN part of API ⢠remaining work to match Neutron Stadium requirements (e.g. more functional testing!) ⢠API evolution for finer-grained control of routing (static routes, preferences, route leaking) ⢠consider supporting multiple drivers/backends simultaneously ⢠see MPLS/GRE support land in OpenVSwitch (next MPLS/UDP!) ⢠expectations of improved feature parity among drivers ď§ a Neutronâs Stadium project working hand in hand with OPNFV OpenStack / OPNFV contributors around BGP VPN⌠Antoine Eiche Bruno Fernando Ădouard Thuleau CĂŠdric Savignan Daniel Radez Darek Smiegel Henry Gessau Jean-Philipe Braun Mathieu Rohon Michal Skalski Nikolas Hermanns Nishant Kumar Paul Carver Peter V. Saveliev Pierre CrĂŠgut R. R. Palleti Suresh K. Tim Irnich Tim Rozet Thomas Monguillon Thomas Morin Vishal Thapar Wim De Clercq Yannick Thomas