joint presentation given at OpenStack summit Barcelona (Oct. 2016) with Paul Carver and Tim Irnich talk video: https://www.youtube.com/watch?v=LCDeR7MwTzE demo: https://www.youtube.com/watch?v=5iRoZcmQyuU

1. INTERCONNECTING NEUTRON
AND NETWORK OPERATORS'
BGP VPNS
Paul Carver Tim Irnich Thomas Morin

2. TELCO STUFF AHEAD, DON’T BE AFRAID

3. WHAT ARE BGP VPNS ?
FIRST, WHAT THEY ARE NOT…
 No encryption
 ‘P’ stands for ‘Private’: think Private Addressing
 (one can obviously add encryption over a BGP VPN, just like over
any IP network)
 Isolation is…
 not managed by customers
 managed by the operator of the shared physical network
 Hence: not like IPSec or SSL VPNs

4. WHAT ARE BGP VPNS ?
BASE PRINCIPLES OF BGP/MPLS VPNS (SIMPLIFIED)
 use MPLS to isolate the traffic of different VPNs on the wire
 MPLS here: an encapsulation layer stacked onto IP packets of a VPN
 MPLS “label” : dataplane field used for isolation:
 use the BGP routing protocol to indicate where/how to send packets
 advertise routes:
“10.11.0.0/16 in VPN 888:42 is reachable via router X using MPLS Label N”
 VPN “identifiers”: “Route Target” (e.g. 888:42)
 (calling them ‘identifier’ is very simplified, much more flexibility)
 only present in the control plane!
 initially for L3VPNs, extended for L2/Ethernet (in particular E-VPN)
 later extended to other encaps: MPLS/GRE, MPLS/UDP, VXLAN
 the reason to use “BGP VPNs” rather than “BGP/MPLS VPNs”

5. WHAT ARE BGP VPNS ?
“OLD”, PROVEN, INTEROPERABLE AND VERY SCALABLE
 Late 90’s, then incremental protocol improvements since
 Lot’s of deployments
 Very interoperable
 IETF RFCs
 starting point references: RFC4364, RFC 7432
 multi-vendor deployments common place
 How scalable ?
 some BGP/MPLS deployment serve millions of VPN sites
 toolbox of established practices and protocol extensions to improve
scaling

6. WHAT ARE BGP VPNS ?
WHAT ARE THEY USED FOR ?
 In the past 15+ years:
business customers VPNs
(e.g. replace leased lines, Frame Relay,
etc.)
 Later in the 2000’s: increasing use in
converged IP/MPLS backbones (e.g. carry
services for triple play)
 Cloud inter-DC
 Interconnect for NFV platforms
 between NFV POPs
 between NFV platforms and service BGP VPNs
Today, all these
need to be
interconnected
with OpenStack
OpenStack as
the elected
IaaS foundation
for NFV

7. WHAT IS THE NEED ?
 Admin-only API to control the technical details
 “VPN Foo of tenant Lambda will use Route Target 13879:11, etc.”
 Tenant API to let tenant choose what
 “I want to interconnect Neutron network 11e304ec-5b67-4980-
aa57-da10d0f057a6 with my VPN Foo”
 Actual implementation is automated, need to accommodate
different solutions that automate differently
The networking-bgpvpn Neutron Stadium project was
created to address this need (June 2015)

8. NEW API RESOURCES
(already existing
API resources)
Network X Router Ysome user in
“Project Lambda”
Openstack Admin
Network
Associationcreates
associations
to setup
interconnections
BGP VPN
“default VPN”
Type: L3
BGP Route-Target: 1234:42
Tenant: Project Lambda
Router
Association
creates a
BGPVPN
and gives it to
“Project Lambda”

9. NEUTRON BGP VPN INTERCONNECTIONS SERVICE PLUGIN
OVERVIEW
Neutron
BGP
Peers
dataplane
(vswitch/ vrouter)
VMs… …
Backend X
(e.g. Neutron+Bagpipe, OpenDaylight,
OpenContrail, Nuage, etc.)API
BGPVPN
Service Plugin


packets carried
over MPLS
to/from VPNs

BGP
VPN
routes


driver for
X…
?

10. Neutron
SDN Controller
BGP
Peers
driver for
backend X
packets carried
over MPLS
to/from VPNs
API
BGPVPN
Service Plugin

 REST
BGP
VPN
routes


HOW IT WORKS WITH AN SDN CONTROLLER…
E.G. OPENDAYLIGHT, OPENCONTRAIL, NUAGE NETWORKS, ETC.
driver for SDN
Controller X
compute node
VMs VMs
compute node
VMs VMs
vswitch vswitch

NBI
BGP
SBI

11. Rabbit
MQ
HOW IT WORKS WITH NEUTRON OVS + BAGPIPE …
Neutron
compute node
BGP
Peers
…VMs …
API
BGPVPN
Service Plugin

OpenVSwitch
br-int | br-tun | br-mpls
packets carried
over MPLS
towards VPNs

Neutron OVS
agent
BGP
VPN
routes



bagpipe
-bgp
bagpipe
driver
ML2 as Core Plugin
openvswitch
mech driver
bagpipe
extension

12. DEMO
TIME!
 Starting point
 an Openstack cloud
 peering with BGP/MPLS
routers
 pre-existing VPNs in the WAN
for customers Red and Blue
 Platform: devstack VM using
ovs/bagpipe driver, lab
router (VM), VPN site (VM)
 Let’s let tenant Red
interconnect an Openstack
VM and its VPN, and test the
result from a VPN site
DC network
control / compute
(devstack)
VM
(tenant
‘Blue’)
…
VM
(tenant
‘Red’)
192.168.10.x
IP/MPLS
WAN
BGP/MPLS
provider edge
router
BGP/MPLS
border routers
BGP/MPLS
provider edge
‘lab-router’
MPLS
encapsulation
lnx02
test box
192.168.177.102

13. INTEGRATION IN NEUTRON & OPENSTACK
networking-bgpvpn leverages drivers/plugin hooks
to integrate with other components:
 Neutron
 extension API hooks, service plugin and driver loading
 for ovs-bagpipe driver:
 registry callbacks
 an L2 agent extension
 increasing use of neutron-lib
 CLI
 an entrypoint for the neutronclient extension
(CLI part currently being ported to OSC)
 Heat plugin
 Tempest plugin
 Horizon plugin
 OpenStack CI hooks for test job configuration
collaboration
with Neutron
devs to bring
improvements
or fixes
An hospitable enough
environment

Other Neutron projects to
take inspiration from

14. TRYING TO BE A GOOD STADIUM PROJECT
 A significant effort is required to match the expectations
raised for Neutron Stadium projects
 in particular getting everything ready on CI testing
 Downside: less features in last cycle
 But pushes/forces us in the right direction

15. OPENSTACK NET’-BGPVPN AND OPNFV SDNVPN
 OPNFV: a mid-stream integration project providing
automated install of all required components for a
given use case, as well as E2E testing
• BGPVPN is such a use case
• Gives upstream projects additional visibility if
their changes break something at system level
(i.e. when multiple components interplay)
 The OPNFV SDNVPN project aims at
integrating a complete stack for
BGPVPNs
• focusing on cases where an SDN controller
is used
• a BaGPipe scenario is planned as well
• Integration with installers:
Fuel (Mirantis) and TripleO/Apex (RedHat)
• Provides deployment scenarios derived from odl_l3,
both HA and non-HA

16. WRAP UP
 One API allowing tenants to control interconnections with
their BGP VPNs
• Public/operator cloud <-> business customers of MPLS VPN offers
• inter-DC, distributed cloud, edge cloud
• NFV multi-POP deployments
 Drivers for several SDN controllers and a Neutron driver
 CLI interface, Horizon GUI, and Heat bindings
 Now / Soon / On the radar:
• complete E-VPN part of API
• remaining work to match Neutron Stadium requirements
(e.g. more functional testing!)
• API evolution for finer-grained control of routing
(static routes, preferences, route leaking)
• consider supporting multiple drivers/backends simultaneously
• see MPLS/GRE support land in OpenVSwitch (next MPLS/UDP!)
• expectations of improved feature parity among drivers
 a Neutron’s Stadium project working hand in hand with OPNFV
OpenStack / OPNFV
contributors around BGP
VPN…
Antoine Eiche
Bruno Fernando
Édouard Thuleau
Cédric Savignan
Daniel Radez
Darek Smiegel
Henry Gessau
Jean-Philipe Braun
Mathieu Rohon
Michal Skalski
Nikolas Hermanns
Nishant Kumar
Paul Carver
Peter V. Saveliev
Pierre Crégut
R. R. Palleti
Suresh K.
Tim Irnich
Tim Rozet
Thomas Monguillon
Thomas Morin
Vishal Thapar
Wim De Clercq
Yannick Thomas