Due to a ransomware attack, the wiki was reverted to a July 2022 version. . We apologize for the lack of a more recent valid backup.
...
OpenstackNode application is in charge of managing and bootstrapping compute and gateway nodes. The node bootstrap procedure includes the following steps. It leverages OVSDB to configure OVS on a node.
- Connect to OVSDB at each nodecompute gateway nodes.
- Create an integration bridge, typically “br"br-int”int", and set its OpenFlow controller to ONOS cluster.
- Create an tunneling bridge named as "br-tun", if the nodes run in OVS-DPDK mode.
- Add VXLAN port to br-int with "flow" key and "flow" remote IP IP.
- Add VLAN interface to br-int if specified.
OpenstackNetworking
OpenstackNetworking application is in charge of managing virtual network states and providing a network connectivity to virtual machines by setting flow rules to compute and gateway node's OVS. As it plays a role of Neutron ML2 mechanism driver and L3 plugin backend, it exposes REST APIs that networking-onos(https://github.com/openstack/networking-onos) calls. More specifically, when a user (or Nova agent) requests a virtual network changes to OpenStack, the reqeust request is post-commited committed to openstackNetworking OpenstackNetworking app via networking-onos driver. When a port is added or removed to/from OVS, openstackNetworking OpenstackNetworking app identifies the port by its port name, which includes port UUID, and then installs or removes flow rules based on the virtual network states related to the port including network, subnet, router and gateways. All kinds of East-West traffic is handled at compute nodes and only North-South traffic is forwarded to gateway nodes, which have an access to both internal and external network, and NATed there to public IP before leaving the virtual world. The application is also in charge of replying to ARP and DHCP requests from virtual machines. For the subnet gateway and DHCP server, it replies with pre-defined fake MAC address.
vRouter
SONA makes use of vRouter application at gateway node for providing a network connectivity between SONA controlled virtual network and legacy external networks. For more details of vRouter and SDN-IP use cases, refer to SDN-IP this page. One notable thing here is that SONA allows more than one gateway nodes for load distribution and HA. As a gateway node does not keep any states locally, packets for a same session does not have to be handled in a same node. More specifically, 1:1 NAT rule for floating IP is installed proactively to all gateway nodes when floating IP is associated to fixed IP by user request. 1:n NAT rules are installed reactively when a gateway node receives unknown external packets. Gateway nodes are realized by OpenFlow select group at each compute node and all outbound packets are sent to this gateway node group indirectly instead of one particular gateway node directly. If there’s an outage of one gateway node, the node is automatically excluded from the group. Each gateway node establishes a peering with external router and the external router enables multi-path so that inbound traffic is distributed as well. Any gateway node fails to keep peering with the router is excluded from available routes.
SONA Pipeline
VNI Table (table=0)
Forwards ARP and DHCP to controller and tags src VNI to packets based on in-port of a packet. There is one VM at port 3 in the following example.
| Code Block |
|---|
priority=40000,arp actions=CONTROLLER:65535,clear_actions
priority=40000,udp,tp_src=68,tp_dst=67 actions=CONTROLLER:65535,clear_actions
priority=30000,ip,in_port=3 actions=set_field:0x3f->tun_id,goto_table:1
priority=0 actions=goto_table:1 |
ACL Table (table=1)
Forwards only allowed packets to the next table based on security group configurations. 192.168.0.3 and 192.168.1.3 are allowed to access each other in the following example.
| Code Block |
|---|
priority=30000,ip,nw_src=192.168.0.3,nw_dst=192.168.1.3 actions=goto_table:3
priority=30000,ip,nw_src=192.168.1.3,nw_dst=192.168.0.3 actions=goto_table:3
priority=0 actions=drop |
Connection Tracking (CT) Table (table=2)
TBD
Jump Table (table=3)
Forwards routing packet, which is identified by its destination MAC address of pre-defined one, to routing table, and switching packet to switching table.
| Code Block |
|---|
priority=30000,dl_dst=fe:00:00:00:00:02 actions=goto_table:4
priority=0 actions=goto_table:5 |
Routing Table (table=4)
Forwards East-West routing packets to the switching table and North-South packets to a gateway group. For the first two rules in the following example are for allowing a VM to access to its subnet gateway, which are added when the subnet is added to a Neutron router. The last two rules are for allowing external access, which are added when an external gateway is set to the router. The rules in the middle are for East-West routing. Any outbound packets without proper routing configurations are dropped here.
| Code Block |
|---|
priority=28000,ip,tun_id=0x3f,nw_src=192.168.0.0/24,nw_dst=192.168.0.0/24 actions=set_field:0x3f->tun_id,goto_table:5
priority=28000,ip,tun_id=0x26,nw_src=192.168.1.0/24,nw_dst=192.168.1.0/24 actions=set_field:0x26->tun_id,goto_table:5
priority=28000,ip,tun_id=0x3f,nw_src=192.168.0.0/24,nw_dst=192.168.1.0/24 actions=set_field:0x26->tun_id,goto_table:5
priority=28000,ip,tun_id=0x26,nw_src=192.168.0.0/24,nw_dst=192.168.1.0/24 actions=set_field:0x26->tun_id,goto_table:5
priority=28000,ip,tun_id=0x26,nw_src=192.168.1.0/24,nw_dst=192.168.0.0/24 actions=set_field:0x3f->tun_id,goto_table:5
priority=28000,ip,tun_id=0x3f,nw_src=192.168.1.0/24,nw_dst=192.168.0.0/24 actions=set_field:0x3f->tun_id,goto_table:5
priority=25000,ip,tun_id=0x26,dl_dst=fe:00:00:00:00:02,nw_src=192.168.1.0/24 actions=group:2901605683
priority=25000,ip,tun_id=0x3f,dl_dst=fe:00:00:00:00:02,nw_src=192.168.0.0/24 actions=group:2901605683 |
Switching Table (table=5)
Forwards packets to final destination. If the location of the destination is not the local machine, take it to the vxlan port. If the destination is a subnet gateway, take it to the gateway node group.
| Code Block |
|---|
priority=30000,ip,tun_id=0x3f,nw_dst=192.168.0.3 actions=set_field:fa:16:3e:2a:85:30->eth_dst,output:3
priority=30000,ip,tun_id=0x26,nw_dst=192.168.1.3 actions=set_field:10.1.1.163->tun_dst,output:1
priority=30000,ip,tun_id=0x3f,nw_dst=192.168.0.1 actions=group:2901605683
priority=30000,ip,tun_id=0x26,nw_dst=192.168.1.1 actions=group:2901605683 |
Group table
Group table for gateway node group.
...