standardizing IPv4 networking in SCS #522
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,79 @@ | ||||||||||||||||
| --- | ||||||||||||||||
| title: IPv4 Networking Standard | ||||||||||||||||
| type: Standard | ||||||||||||||||
| status: Proposal | ||||||||||||||||
| track: IaaS | ||||||||||||||||
| --- | ||||||||||||||||
|
|
||||||||||||||||
| ## Introduction | ||||||||||||||||
|
|
||||||||||||||||
| This document outlines the standardized approach for the management and allocation of | ||||||||||||||||
| public IPv4 addresses within Sovereign Cloud Stack (SCS) environments. Its aim is to | ||||||||||||||||
| ensure a consistent, secure, and efficient methodology for IP address provisioning | ||||||||||||||||
| across all SCS cloud services. | ||||||||||||||||
|
|
||||||||||||||||
|
There was a problem hiding this comment. As mentioned by @markus-hentsch a glossary should be added here. Something like:
|
||||||||||||||||
| ## Motivation | ||||||||||||||||
|
|
||||||||||||||||
| The motivation behind establishing this standard is to enhance interoperability, improve | ||||||||||||||||
| security measures, and streamline the operational processes across different SCS clouds. | ||||||||||||||||
|
Comment on lines
+17
to
+18
There was a problem hiding this comment. This is good! What I miss though, is some analysis - probably it belongs in the e.g. in which ways are current security measures not good enough, where are gaps? Thinking about it, this could probably also be moved to a decision record, not sure though. |
||||||||||||||||
| It addresses the need for a unified procedure in handling IPv4 networking to facilitate | ||||||||||||||||
| ease of use for IaaS users and DevOps teams. | ||||||||||||||||
|
|
||||||||||||||||
| ## Design Considerations | ||||||||||||||||
|
|
||||||||||||||||
| ### Options considered | ||||||||||||||||
|
There was a problem hiding this comment. I think it would be also worthwhile to add some other options, if any where considered, and why they where not considered. It's also possible to link a decision record document, once the breakout session around this document has taken place. It also wouldn't hurt if it was explicitly mentioned if no other options where considered and why. There was a problem hiding this comment. As discusses in the IaaS call, we should start with the architecture here. To me every other Option considered depends on the decision for or against an architecture. |
||||||||||||||||
|
|
||||||||||||||||
| #### _Neutron Routers_ | ||||||||||||||||
|
|
||||||||||||||||
| Usage of Neutron Routers: To manage traffic between internal and external networks Neutron Routers **MUST** be used as the default gateway for VMs requiring access to external networks and the internet, thereby facilitating the routing of traffic and enhancing network security. | ||||||||||||||||
|
There was a problem hiding this comment. We may add a line stating that routing between internal networks of the same project SHOULD be done by Neutron routers, so we officially recommend a way but do not forbid other options |
||||||||||||||||
|
|
||||||||||||||||
| CSPs **SHOULD** use OVN or L3agent as High Availability (HA) service deployments. | ||||||||||||||||
|
There was a problem hiding this comment. I miss some reasoning why exactly I need to use OVN or L3 agent, also notice that due to some intricacies L3 agent is not really HA currently in some edge cases, like upgrades/reboots, depending on your exact setup - this technical discussion is probably out of scope for this document though. to be clear I'm totally for using ovn, but we should write something down why we encourage it's use, what are advantages etc. There was a problem hiding this comment. Maybe it would help to list other options and why we would prefer OVN. There was a problem hiding this comment. Just to add some background on this point: this is about high availability of virtual routers, i.e. replicating virtual routers across multiple network nodes and then allowing failover via VRRP in case of a node failure, a feature that is supported by both virtual router implementations included in neutron (OVN and L3agent), but may be mutually exclusive with distributed virtual routing (DVR, the implementation of virtual routers on the compute nodes). So this is not really an endorsement of OVN or L3agent, it is just that those are the two available implementations. There might be proprietary service plugins to replace them, but every driver that is not OVN seems to just use L3agent. This feature is also invisible to tenants, and I'm not sure if it should be part of this specific standard. We should probably have a different discussion about where and how to mandate HA features, maybe in the context of #527. |
||||||||||||||||
| Standard external networks **MUST NOT** be made accessible as _shared networks_. It is advised that external networks are only reachable by the usage of routing and floating IPs. | ||||||||||||||||
|
There was a problem hiding this comment. I think a glossary at the beginning of the document would be useful. There is a lot of terminology related to networks in Neutron. For example: Neutron seems to call a specific kind of external networks "provider networks"1 (I believe this is what the paragraph is referring to?). In some other examples, Neutron calls networks "external" although they have If we are enforcing things here (MUST / MUST NOT), we need to be very clear about what exactly we are referring to in my opinion. Depending on the context, "external networks" might be ambiguous. Same might go for "shared" in case it is not referring to the verbatim attribute but a topology classification. FootnotesThere was a problem hiding this comment. The reason, why we want to forbid this should be stated here as this led to confusion in the IaaS call |
||||||||||||||||
| However, for special use cases like certain storage or VPN solutions it could be useful to allow _direct access networks_. | ||||||||||||||||
|
|
||||||||||||||||
| External networks and subnets **SHOULD** (very strong should) be configured with _--no-dhcp_ (DHCP - Dynamic Host Configuration Protocol). It is more secure to configure it like this, since it gives less space for reflection attacks, e.g. _Denial of Service_ (DOS) attacks. If _dhcp_ is configured, certain firewall configurations **MUST** be made to catch IPs from the _Neutron dhcp agent_ in the public network. | ||||||||||||||||
|
|
||||||||||||||||
| #### _Neutron Plugins_ | ||||||||||||||||
|
|
||||||||||||||||
| Neutron Plugins: A SCS conform CSP **MAY** use RBAC and VPNaaS plugins. | ||||||||||||||||
|
There was a problem hiding this comment. I'm not sure if we should really include a general section about Neutron plugins (or extensions) here. There is a lot of them and most of them are specific to a topic1. It's hard to cover exhaustively in my opinion. The current sentence might imply to the reader that other plugins/extensions are not allowed for IPv4 networking, which I don't think is the goal. Maybe we should limit this document to giving instructions regarding those directly related to IPv4 networking and leave others open but I don't know where to draw the line to be honest. Footnotes
There was a problem hiding this comment. Does a current list of plugins exist? When I look into the code 1 I only see the ML2 Plugin. Also the documentation does not mention a plugin list (anymore). It seems to me, that most of it was removed or moved to I looked into my devstack config and it does not specify any plugins, except the ML2: So all extensions seem to be usable all the time - because I was able to test the My conclusion: We should not state anything about plugins here, as they are poorly documented, not well maintained or even completely customized. We could discuss about letting CSPs add customized plugins. But all of these plugins while touching networking issues should not interfere with the scope of this standard. So exclude this, add a new issue and maybe we will find out enough for a new standard or maybe we just have a short note about Plugins overall on the docs-page. FootnotesThere was a problem hiding this comment. Some background for this as well: Neutron used to include a number of monolithic core plugins, but they have all been converted to drivers for the the ML2 core plugin, as well as service plugins that build on top of that. The available service plugins are defined in neutrons setup.cfg, and CSPs can also configure additional external plugins there. Each plugin implementation has to declare the API extensions that it provides, most of which are defined in neutron-lib. The most prominent ones are A number of API extensions are also implemented by the ML2 core plugin itself, such as subnetpools, security groups, and the different rbac extensions. As such there is no separate plugin for RBAC. |
||||||||||||||||
| (Neutron RBAC needs to be configured explicitly to be able to use it. If configured, Neutron configurations can be shared across OpenStack projects. It also can be beneficial for admins, since an admin could bind external networks only to certain projects.) | ||||||||||||||||
|
There was a problem hiding this comment. I still wonder which RBAC do you mean? Can you point me towards this please? Because it is already confusing to differ between the keystone roles and scopes RBAC that has to be implemented by every OpenStack service and this There was a problem hiding this comment. Neutrons RBAC extension allows sharing of various resources among projects and is the mechanism that neutron uses to implement provider networks, so it's not really an optional feature. Rules can be created with the actions Neutrons default policies allow only the owner of a resource to share it, and allows only admin users to create rules with the wildcard |
||||||||||||||||
|
|
||||||||||||||||
| #### _Security Groups_ | ||||||||||||||||
|
|
||||||||||||||||
| Security Group Policies: Standardized security group policies **SHOULD** be applied to all instances utilizing public IPv4 addresses. These policies must define and enforce access | ||||||||||||||||
| controls to ensure the security of the cloud environment. | ||||||||||||||||
| Security Groups **SHOULD** be enabled by default but **MUST** be capable of being switched off. | ||||||||||||||||
|
There was a problem hiding this comment.
Suggested change
Security Groups don't have an "off switch" per se, they are implicitly disabled once port security is disabled for a port or whole network a port is created in. Is this what you are referring to? There was a problem hiding this comment. @markus-hentsch is correct Security Groups are part of Neutron extensions and thus cannot be switched of: https://github.com/openstack/neutron/blob/master/neutron/extensions/securitygroup.py Security Groups are always there and being used in VMs. Even if a user does not specify anything - in that case the default VM is being used. Nevertheless this topic does not interfere with the scope of this standard and should be included. But as we maybe want to include an architecture definition here, it would be good to reference all the work we do for security groups. And I wonder, what do you mean with DR: https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0113-v1-security-groups-decision-record.md |
||||||||||||||||
|
|
||||||||||||||||
| #### _Quota & Monitoring_ | ||||||||||||||||
|
|
||||||||||||||||
| Quota: The standard quota of floating IPs and routers **SHOULD** be rather small, e.g. 3-5 floating IPs. This ensures a more fair distribution of these resources for all cloud users. If a user wants to use more of these resources, the user **SHOULD** be able to pay for more. | ||||||||||||||||
|
There was a problem hiding this comment. Yes the Quota is important and belongs into this standard. We can still argue about the number :) |
||||||||||||||||
|
|
||||||||||||||||
| IP Usage Monitoring: SCS CSPs **SHOULD** implement monitoring solutions to track the utilization of IPv4 addresses. This facilitates efficient management of resources and supports capacity planning efforts. | ||||||||||||||||
|
There was a problem hiding this comment. Is "utilization of IPv4 addresses" referring to all IPv4 addresses (incl. private ones in tenant networks) or just floating IPs? If the latter, please clarify this in the sentence. |
||||||||||||||||
|
|
||||||||||||||||
| #### _External Network Naming_ | ||||||||||||||||
|
|
||||||||||||||||
| All SCS clouds **SHOULD** adopt the naming convention | ||||||||||||||||
| scs-external-net for external networks. This standardization facilitates easier identification and management of external network resources. | ||||||||||||||||
|
There was a problem hiding this comment. We have to clarify why we would need a Naming convention at all. Renaming networks without good reasons is not really helpful. Pre-statement: external networks can be listed with
Pro:
Con:
I am pretty much for investigating those tags! Help from CSPs is wanted (we don't want to accidentally render a network not working anymore :D ) |
||||||||||||||||
|
|
||||||||||||||||
| #### _Floating IPs_ | ||||||||||||||||
|
|
||||||||||||||||
| Floating IPs for Dynamic Allocation: Utilization of Floating IPs to allow dynamic reassignment of public IPv4 addresses to different instances (VMs or Loadbalancers), facilitating high availability and fault tolerance. | ||||||||||||||||
| Floating IPs **MUST** be enabled. | ||||||||||||||||
|
There was a problem hiding this comment. Again the question: Can they be disabled? OR just not set in pools? |
||||||||||||||||
|
|
||||||||||||||||
| ## Open questions | ||||||||||||||||
|
|
||||||||||||||||
| - Naming Convention Flexibility: How rigid should the naming convention for external | ||||||||||||||||
| networks be across various SCS clouds? | ||||||||||||||||
| - Load Balancing: Do we want to dictate a Load Balancer or a set of Load Balancers or nothing at all? E.g. Octavia, Yawol | ||||||||||||||||
|
There was a problem hiding this comment. We should keep a focus and discuss this important question in another issue. |
||||||||||||||||
|
|
||||||||||||||||
| ## Decision | ||||||||||||||||
|
|
||||||||||||||||
| ... | ||||||||||||||||
|
|
||||||||||||||||
| ## Related Documents | ||||||||||||||||
|
|
||||||||||||||||
| Related Documents, OPTIONAL | ||||||||||||||||
|
|
||||||||||||||||
| ## Conformance Tests | ||||||||||||||||
|
|
||||||||||||||||
| Conformance Tests, OPTIONAL | ||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure how to fix this, so there are multiple problems and options here:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with @artificial-intelligence on these points.
From my opinion we nee a strict focus on what do we want to standardize in this document. I still miss this focus here. And I would rather go for smaller standards (e.g. the standard for default security group rules will link the DR and the guide for Security Groups) so that we don't mix up to many topics.
I would see the focus on the architecture first here. So describing default networking structure and listing all required neutron plugins.