Merge "Spec for VPN service support Qos"

Zuul 1 year ago
parent
commit
ac7d3cffcc
1 changed file with 311 additions and 0 deletions

specs/rocky/vpn-services-support-qos.rst (+311, -0)

@@ -0,0 +1,311 @@
1
+..
2
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
3
+ License.
4
+
5
+ http://creativecommons.org/licenses/by/3.0/legalcode
6
+
7
+========================
8
+VPN Services Support QoS
9
+========================
10
+
11
+https://bugs.launchpad.net/neutron/+bug/1727578
12
+
13
+Currently, there is no way to set VPN services' bandwidth. This specification
14
+proposed a way to set the VPN services' bandwidth limit.
15
+
16
+
17
+Problem Description
18
+===================
19
+
20
+Currently, Neutron VPNaaS provides site to site VPN services, but its bandwidth
21
+consumption is not regulated, as the VPN tunnel will cost the bandwidth from
22
+the outside public bandwidth provided by the ISP or other organizations. That
23
+means it is not free. The OpenStack provider or users should pay for the
24
+limited bandwidth. So it is necessary for saving the resources.
25
+
26
+Currently, physical device configurations outside OpenStack environment cannot
27
+be modified by OpenStack, but we can shape the outgoing traffic. VPN services
28
+provide the security guarantee, but it shouldn't abuse the bandwidth of
29
+underlay network that it will affects other traffic.
30
+
31
+Use Case
32
+--------
33
+
34
+Consider that an OpenStack public cloud has been deployed in a real data
35
+center. A cloud enterprise user has a requirement in which one of the
36
+applications should connect to its private network 20.0.0.0/24, but for other
37
+traffic flows, still use the original network functionality provided by
38
+OpenStack. The network topology diagram is shown below::
39
+
40
+                                                                                                             +
41
+                           +--------------------+   +                                                        |DataCenter
42
+                           |VM1                 |   |                                                        |external network
43
+                           |nic IP: 10.0.0.11   |   |                 +-------------------------------+      |        +----+
44
+                           |default via 10.0.0.1+---+                 |Default Router                 |      |        |    |
45
+                           |                    |   +-----------------+Interface: 10.0.0.1            +------+        |    |
46
+                           +--------------------+   |                 |gw: 172.24.4.11                |      |        |    |
47
+    OpenStack                                       |                 |route: 20.0.0.0/24 via 10.0.0.5|      |        |    |
48
+    private                                .        |                 |                               |      |        |    |
49
+    network                                .        |                 +-------------------------------+      |        |    |
50
+                                                    |                                                        |        |    |
51
+    subnet: 10.0.0.0/24                             |                                                        |        |    |
52
+                           +--------------------+   |                                                        |        |    |
53
+                           |VM2                 |   |                                                        +--------+    |Internet
54
+                           |nic IP: 10.0.0.12   |   |                                                        |        |    |
55
+                           |default via 10.0.0.1+---+                                                        |        |    |
56
+                           |                    |   |                                                        |        |    |
57
+                           +--------------------+   |                                                        |        |    |
58
+                                                    |                                                        |        |    |
59
+                                           .        |                 +--------------------------------+     |        |    |       +-------------------------------+
60
+                                           .        |                 |VPN Router                      |     |        |    |       |Vendor GW Router               |
61
+                                                    |                 |Interface: 10.0.0.5             |     |        |    |       |peer vpn service running       |
62
+                                                    +-----------------+gw: 172.24.4.12                 +-----+        |    +-------+hold private subnet 20.0.0.0/24|
63
+                           +--------------------+   |                 |VPN service running             |     |        |    |       |                               |
64
+                           |VMX                 |   |                 |                                |     |        |    |       |                               |
65
+                           |nic IP: 10.0.0.13   |   |                 +--------------------------------+     |        +----+       +-------------------------------+
66
+                           |default via 10.0.0.1+---+                                                        |
67
+                           |                    |   |                                                        |
68
+                           +--------------------+   |                                                        |
69
+                                                    |                                                        |
70
+                                                    +                                                        +
71
+
72
+As this diagram shows, the enterprise user owned many VMs in the private
73
+network and the allocated IPs are from the private subnet 10.0.0.0/24. There
74
+are two routers connected, ``Default Router`` is used for the normal network
75
+functions, such as NAT, Floating IP, Routing. ``VPN Router`` is mainly used for
76
+VPN traffic process, also contains NAT and route for other traffic. Both of the
77
+routers are attached to the external network which is the physical underlay
78
+network in the real data center. The VPN Router in OpenStack and Vendor GW
79
+Router in other site maintain a VPN peer relationship across the Internet.
80
+
81
+There are two scenarios towards the VM outgoing traffic:
82
+
83
+1. VMs in the OpenStack private network access the normal websites, first send
84
+   the network packets to its gateway which is located on the
85
+   ``Default Router``. Then send to the Internet by the data center devices.
86
+2. VMs in the OpenStack private network access the other site private network
87
+   20.0.0.0/24, still first send the network packets to its gateway 10.0.0.1,
88
+   then check the route tables, the nexthop of 20.0.0.0/24 is 10.0.0.5 which
89
+   is located on ``VPN Router``. The network traffic will be sent based on the
90
+   existing VPN tunnel to Vendor private site.
91
+
92
+Like the diagram shows, the QoS Policy should be set on the qg-XX port of the
93
+VPN router for limiting the outgoing VPN traffic.
94
+
95
+This spec focuses on the QoS of VPN outgoing traffic, so for neutron-vpnaas,
96
+this spec will focus on the Router related with VPN services. And for the
97
+general use cases which is that VPN service usually setup across the Internet
98
+in tunnel mode, we will only introduce the QoS support on tunnel type VPN
99
+services.
100
+
101
+
102
+Proposed Change
103
+===============
104
+
105
+We propose the ``VPN Service`` resource accepts the Neutron QoS Policy. Once
106
+the ``ipsec site connection`` is created, the QoS Policy will be applied on the
107
+VPN router's qg-XX port, as the ESP encapsulation will use the qg-XX port's IP
108
+to access other sites.
109
+
110
+So there are three parts that require to work:
111
+
112
+1. DB related changes, including new table ``qos_vpnservice_policy_bindings``
113
+   addition and data model change.
114
+2. API changes, including extend the API to accept the Neutron QoS Policy.
115
+3. Introduce a new l3 agent extension to extend the ability to process the QoS
116
+   policy installation on the router.
117
+
118
+Alternatives
119
+------------
120
+
121
+* Accept the QoS parameters and implement the QoS function on our own.
122
+* Apply QoS Policy on the Router interface directly, but this would affect the
123
+  west-east traffic.
124
+
125
+Data model impact
126
+-----------------
127
+In this spec, the QoS data model and function will be provided by Neutron, so
128
+``vpnservices`` table need to maintain the relationship with Neutron QoS
129
+Policy.
130
+
131
+The following new table is added as part of the VPN QoS feature::
132
+
133
+    CREATE TABLE `qos_vpnservice_policy_bindings` (
134
+      `vpn_service_id` varchar(36) NOT NULL,
135
+      `qos_policy_id` varchar(36) NOT NULL,
136
+      UNIQUE KEY `vpn_service_id` (`vpn_service_id`),
137
+      KEY `qos_policy_id` (`qos_policy_id`),
138
+      CONSTRAINT `qos_vpn_service_policy_bindings_ibfk_1` FOREIGN KEY (
139
+      `qos_policy_id`) REFERENCES `qos_policies` (`id`) ON DELETE CASCADE,
140
+      CONSTRAINT `qos_vpn_service_policy_bindings_ibfk_2` FOREIGN KEY (
141
+      `vpn_service_id`) REFERENCES `vpnservices` (`id`) ON DELETE CASCADE
142
+    );
143
+
144
+REST API impact
145
+---------------
146
+
147
+Proposed attribute::
148
+
149
+        EXTEND_FIELDS = {
150
+            'qos_policy_id':{'allow_post': True, 'allow_put': True,
151
+                             'validate': {'type:uuid': None},
152
+                             'is_visible': True,
153
+                             'default': None}
154
+        }
155
+
156
+
157
+Some samples in ``VPN service`` create/update. Users are allowed to pass
158
+``qos_policy_id``.
159
+
160
+Create/Update ``VPN service`` Request::
161
+
162
+        POST /v2.0/vpn/vpnservices
163
+        {
164
+            "vpnservice": {
165
+                "subnet_id": null,
166
+                "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c",
167
+                "router_id": "66e3b16c-8ce5-40fb-bb49-ab6d8dc3f2aa",
168
+                "name": "myservice",
169
+                "admin_state_up": true
170
+            }
171
+        }
172
+
173
+        Response:
174
+        {
175
+            "vpnservice": {
176
+                "router_id": "66e3b16c-8ce5-40fb-bb49-ab6d8dc3f2aa",
177
+                "status": "PENDING_CREATE",
178
+                "name": "myservice",
179
+                "external_v6_ip": "2001:db8::1",
180
+                "admin_state_up": true,
181
+                "subnet_id": null,
182
+                "project_id": "10039663455a446d8ba2cbb058b0f578",
183
+                "tenant_id": "10039663455a446d8ba2cbb058b0f578",
184
+                "external_v4_ip": "172.32.1.11",
185
+                "id": "5c561d9d-eaea-45f6-ae3e-08d1a7080828",
186
+                "description": "",
187
+                "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c"
188
+            }
189
+        }
190
+
191
+        PUT /v2.0/vpn/vpnservices/{service_id}
192
+        {
193
+            "vpnservice": {
194
+                "name": "NEW VPN SERVICE NAME",
195
+                "description": "Updated description",
196
+                "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c"
197
+            }
198
+        }
199
+
200
+        Response:
201
+        {
202
+            "vpnservice": {
203
+                "router_id": "881b7b30-4efb-407e-a162-5630a7af3595",
204
+                "status": "ACTIVE",
205
+                "name": "NEW VPN SERVICE NAME",
206
+                "admin_state_up": true,
207
+                "subnet_id": null,
208
+                "project_id": "26de9cd6cae94c8cb9f79d660d628e1f",
209
+                "tenant_id": "26de9cd6cae94c8cb9f79d660d628e1f",
210
+                "id": "41bfef97-af4e-4f6b-a5d3-4678859d2485",
211
+                "description": "Updated description",
212
+                "qos_policy_id": "a36c20d0-18e9-42ce-88fd-82a35977ee8c"
213
+            }
214
+        }
215
+
216
+
217
+QoS Policy Application Details
218
+------------------------------
219
+
220
+The reason for introducing this, for example, we change the use case below, we
221
+deploy the vpn service on the ``Default Router``, delete the ``VPN Router``.
222
+That means the general traffic and VPN traffic will pass through the
223
+``Default Router``, then we apply the Neutron QoS policy on the qg-XX port of
224
+the ``Default Router``, it will limit all the bandwidth, so the VPN's bandwidth
225
+may have a lower performance, or we can say it is not consistent with
226
+expectations.
227
+
228
+Currently, Neutron provides the QoS function but not for some interest streams.
229
+Here we will focus on the VPN traffic. For this function, we will combine
230
+the ``iptables`` and ``tc`` together. The reason for choosing them is that,
231
+``iptables`` could mark the VPN interest stream by the ipsec VPN transform
232
+protocols(such as esp, ah-esp protocols), the interface that the packets
233
+will go out and the local encapsulated IP if running in tunnel mode. Also we
234
+need to shape the vpn traffic before send out to the underlay network, so some
235
+new ``iptables`` rules will be installed on mangle table in the router's
236
+namespace. Also the ``fwmark`` is eaiser to extend, such as ipchains.
237
+
238
+And we will introduce a new ``tc`` wrapper which will use ``htb`` and it will
239
+provides classification algorithm. Then developers can easily implement other
240
+complex traffic control. That means we will extend the current tc_lib in
241
+Neutron repo. And ``vpn_qos`` will based on this.
242
+
243
+Just like above description, a new L3 agent extension will be introduced like
244
+fip_qos done. We suggest to name it ``vip_qos``, it will install the
245
+appropriate ``iptables`` rules in the router's namespace which binds with
246
+``VPN service``. Then users or managers could use the QoS function to the
247
+``Default Router`` and not affect other network streams.
248
+
249
+
250
+Security impact
251
+---------------
252
+None
253
+
254
+Notifications impact
255
+--------------------
256
+No expected change.
257
+
258
+Other end user impact
259
+---------------------
260
+Users will be able to specify qos_policy during create/update ``VPN service``.
261
+
262
+Performance Impact
263
+------------------
264
+It will save the bandwidth of the underlay network in data center.
265
+
266
+Other deployer impact
267
+---------------------
268
+None
269
+
270
+Developer impact
271
+----------------
272
+Developer may use the new ``tc`` wrapper to do other things, as it is powerful
273
+to support other stream control functionality.
274
+But there may be a conflict with openstack/neutron-classifier, as it provides
275
+defining the traffic. So we may reconsider that if possible.
276
+
277
+Implementation
278
+==============
279
+
280
+Assignee(s)
281
+-----------
282
+zhaobo
283
+
284
+Work Items
285
+----------
286
+* Add the DB model and extend the table column.
287
+* Extend VPN API to accept QoS policy.
288
+* Extend new tc wrapper which support classification algorithm based on
289
+  traffic classifier feature.
290
+* Extend new L3 agent extension ``vip_qos``.
291
+* Add API validation code to validate access/existence of the qos_policy which
292
+  created in Neutron.
293
+* Add UTs to Neutron-vpnaas.
294
+* Add API tests.
295
+* Update CLI to accept QoS fields.
296
+* Documentation work.
297
+
298
+Dependencies
299
+============
300
+None
301
+
302
+Testing
303
+=======
304
+Unit tests, functional tests, API tests and scenario tests are necessary.
305
+
306
+Documentation Impact
307
+====================
308
+The Neutron API reference will need to be updated.
309
+
310
+References
311
+==========
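Review bot: the "Security impact" section (`+None`) is not consistent with the rest of the spec: the new `qos_policy_id` attribute is user-supplied on POST/PUT and drives `iptables`/`tc` changes in the router namespace, and the Work Items already call for "API validation code to validate access/existence of the qos_policy which created in Neutron". That access check (the caller's project owns the policy, or the policy is shared, and the policy exists) is the security-relevant control here, so please state it in this section and in the "Proposed Change" part rather than leaving it implicit in the work list. Related, the proposed attribute uses `'validate': {'type:uuid': None}` with `'default': None` and `'allow_put': True`; as written an update cannot clear the binding, so `type:uuid_or_none` looks like the intended validator, and the spec should say whether PUT with `null` removes the iptables/tc rules from the router. Also decide what happens when a bound QoS policy is deleted: the binding table cascades on `qos_policies`, but Neutron's QoS plugin normally refuses to delete a policy that is still in use, so the spec should say whether VPN bindings register with that in-use check or are silently dropped (which would leave the agent-side rules in place). Two smaller items in the same hunk: the extension is called `vpn_qos` in "QoS Policy Application Details" but `vip_qos` in the paragraph that follows and in the Work Items, and the table is named `qos_vpnservice_policy_bindings` while its constraints are `qos_vpn_service_policy_bindings_ibfk_*`; pick one spelling for each. Finally, since the classification relies on matching "ipsec VPN transform protocols (such as esp, ah-esp protocols)" on the qg-XX port, note that IPsec behind NAT-T carries ESP inside UDP/4500, so a mark rule that matches only the ESP protocol will leave that traffic unshaped; the spec should say whether the NAT-T and IKE (UDP/500, UDP/4500) flows of the connection are included in the marked class.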
