
Bug Reference

https://issues.apache.org/jira/browse/CLOUDSTACK-1456

Branch

Not branched out yet.

Introduction

Purpose

Implement isolation in an advanced zone, with the focus on shared networks. The targets are:
1. No user VM can reach any other user VM.
2. Every user VM can reach the DHCP server and the gateway.

The mechanism we chose to implement this feature is Private VLAN.

References

Document History

Glossary

Feature Specifications

  • The isolated port (I-port) in the private VLAN concept fits our requirement perfectly. Basically we just need to connect every user VM to an I-port of the switch (vSwitch or Open vSwitch) and every DHCP server to a P-port of the switch; that is enough for both isolation and communication.
  • But Open vSwitch (used by XenServer and KVM) does not support the PVLAN concept. vSwitch (for VMware) supports it by default.
  • So we need extra effort to simulate PVLAN on Open vSwitch (OVS) for Xen and KVM.
    • We would modify the flow table to:
      1. Tag all traffic leaving a user VM with the secondary isolated VLAN tag.
      2. Allow traffic tagged with the secondary isolated VLAN to reach the DHCP server, by changing the VLAN tag to the primary VLAN tag.
      3. Keep the gateway unaware of PVLAN: the switch connected to the gateway should translate all secondary VLANs to the primary VLAN when communicating with the gateway.

Requirement

Use cases

  • Once the feature is enabled for a certain shared network, the user VMs in that network can no longer access each other, while communication with the DHCP server and the gateway remains the same.

Architecture and Design description

  • Enabling the PVLAN feature on VMware is straightforward, since vSwitch supports it natively.
  • For OVS, the flow table needs the following modifications:
    1. For each VM:
    Tag outgoing traffic with the PVLAN: priority=50,dl_src=<VM MAC> actions=mod_vlan_vid:<secondary isolated vlan>,output:<trunk port>
    2. For each VM on the same host as the DHCP server:
    <a> Allow communication with the DHCP server (e.g. DNS): priority=100,dl_src=<VM MAC>,dl_dst=<DHCP MAC> actions=NORMAL
    <b> Allow DHCP requests: priority=60,udp,dl_src=<VM MAC>,nw_dst=255.255.255.255,tp_dst=67 actions=NORMAL
    3. For each host:
    <a> ARP for the DHCP server arriving on the secondary isolated VLAN: priority=160,arp,dl_vlan=<secondary isolated vlan>,nw_dst=<DHCP IP> actions=mod_vlan_vid:<primary vlan>,NORMAL
    <b> Any other ARP for the DHCP server: priority=150,arp,nw_dst=<DHCP IP> actions=NORMAL
    4. For each host that runs the DHCP server:
    <a> Accept packets from outside (e.g. DNS): priority=100,dl_vlan=<secondary isolated vlan>,dl_dst=<DHCP MAC> actions=mod_vlan_vid:<primary vlan>,NORMAL
    <b> Accept DHCP requests from outside: priority=60,udp,dl_vlan=<secondary isolated vlan>,nw_dst=255.255.255.255,tp_dst=67 actions=mod_vlan_vid:<primary vlan>,NORMAL
  • VM migration and host restart affect these rules, which must be reprogrammed afterwards.
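To make the four rule groups above concrete, here is an added shell example (not code from the CloudStack project or from this design page) that generates the OVS flow rules for one host exactly as listed, and installs them with `ovs-ofctl add-flow` when OVS is present or prints the commands otherwise. The bridge name, trunk port number, VLAN ids, MAC addresses and DHCP IP are constructed placeholders, not the project's real values.

```shell
#!/bin/sh
# Added example, not from the CloudStack design page: emit the OpenFlow rules the
# design describes (steps 1-4) for one host, so they can be reviewed or installed.
# Every value below is a constructed placeholder, not a project identifier.
BRIDGE="cloudbr0"              # OVS bridge name (assumed)
TRUNK_PORT="1"                 # OpenFlow port number of the trunk/uplink (assumed)
PRIMARY_VLAN="100"             # primary VLAN of the shared network (assumed)
SEC_VLAN="101"                 # secondary isolated VLAN (assumed)
DHCP_MAC="02:00:00:00:00:01"   # MAC of the DHCP server VM (constructed)
DHCP_IP="10.1.1.2"             # IP of the DHCP server (constructed)

# Step 1: every user VM, outgoing traffic re-tagged with the secondary isolated VLAN
vm_rules() {
  printf 'priority=50,dl_src=%s,actions=mod_vlan_vid:%s,output:%s\n' \
    "$1" "$SEC_VLAN" "$TRUNK_PORT"
}

# Step 2: extra rules for a VM that shares a host with the DHCP server
vm_on_dhcp_host_rules() {
  printf 'priority=100,dl_src=%s,dl_dst=%s,actions=NORMAL\n' "$1" "$DHCP_MAC"
  printf 'priority=60,udp,dl_src=%s,nw_dst=255.255.255.255,tp_dst=67,actions=NORMAL\n' "$1"
}

# Step 3: every host, ARP towards the DHCP server (secondary VLAN first, then the rest)
host_rules() {
  printf 'priority=160,arp,dl_vlan=%s,nw_dst=%s,actions=mod_vlan_vid:%s,NORMAL\n' \
    "$SEC_VLAN" "$DHCP_IP" "$PRIMARY_VLAN"
  printf 'priority=150,arp,nw_dst=%s,actions=NORMAL\n' "$DHCP_IP"
}

# Step 4: the host running the DHCP server accepts secondary-VLAN traffic from other hosts
dhcp_host_rules() {
  printf 'priority=100,dl_vlan=%s,dl_dst=%s,actions=mod_vlan_vid:%s,NORMAL\n' \
    "$SEC_VLAN" "$DHCP_MAC" "$PRIMARY_VLAN"
  printf 'priority=60,udp,dl_vlan=%s,nw_dst=255.255.255.255,tp_dst=67,actions=mod_vlan_vid:%s,NORMAL\n' \
    "$SEC_VLAN" "$PRIMARY_VLAN"
}

# Full rule set for one host: $1 is "yes" when the DHCP server runs on this host,
# the remaining arguments are the MACs of the user VMs on it.
host_rule_set() {
  has_dhcp="$1"; shift
  host_rules
  [ "$has_dhcp" = yes ] && dhcp_host_rules
  for mac in "$@"; do
    vm_rules "$mac"
    [ "$has_dhcp" = yes ] && vm_on_dhcp_host_rules "$mac"
  done
  return 0
}

# Expected number of rules on a host: 2 base, +2 if it hosts DHCP, +1 or +3 per VM.
# Useful after a migration or host restart to compare against the live flow table.
host_rule_count() { host_rule_set "$@" | wc -l | tr -d ' '; }

# Install rules read from stdin; prints the commands when ovs-ofctl is not installed
apply_rules() {
  while IFS= read -r rule; do
    if command -v ovs-ofctl >/dev/null 2>&1; then
      ovs-ofctl add-flow "$BRIDGE" "$rule"
    else
      printf 'dry-run: ovs-ofctl add-flow %s "%s"\n' "$BRIDGE" "$rule"
    fi
  done
}

# Usage: the host that runs the DHCP server, with two user VMs (constructed MACs)
host_rule_set yes 02:00:00:00:00:10 02:00:00:00:00:11 | apply_rules
```

Because the rules are generated deterministically per host, `host_rule_count` gives an expected rule count that can be checked against `ovs-ofctl dump-flows <bridge>` after a migration or host restart, which is where the design notes that the rules must be reprogrammed.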

Web Services APIs

list changes to existing web services APIs and new APIs introduced with signatures and throughout documentation

UI flow

  • either demonstrate it visually here or link to relevant mockups

IP Clearance

  • what dependencies will you be adding to the project?

Appendix

Appendix A:

Appendix B:
