Quantum: Virtual Network Services (L2+)

Peter Lee – Upcoming Quantum Contributorplee@clearpathnet.com

Re-imagine the cloud network· Infinite number of ports· Pure 100% virtualization of entire network· Free from network hardware constraints· Realization of plugin virtual network services

Further imagine if you can…· Never deal with ports again (auto-generate on-

demand!)· Create pure logical network constructs· Make networks into simple building blocks· Attain true tenant isolation

What if, IP protocol was optional inside the cloud network?

InternetInternet

Virtual Network Service(VM)

Quantum L2 Network

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM

VMVM

Quantum L2 Network

EVENT QUEUENotification API

QUANTUMManager

· Virtual Network Service is attached to one or more Quantum L2 Network

· Multiple Virtual Network Service can exist for a tenant

· Each Virtual Network Service has a unique ID

· A given VM can perform function of multiple Virtual Network Services

Legend

InternetInternet

VPN ServiceRouter Service

(VM)

Quantum L2 Network

Quantum L2 Network

VMVM

Quantum L2 Network

Router & Firewall Service

(VM)

Quantum L2 Network

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM VMVM

Router Service(VM)

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVM

DHCP Service(VM)

Virtual Network Service (VM)

Quantum L2 Network

InternetInternet

DHCP Service(VM)

Quantum L2 Network

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM

VMVM

Quantum L2 Network

EVENT QUEUENotification API

QUANTUMManager

DHCP Configuration Event

· DHCP Service issues IP addresses to VMs

/tenant/X/dhcp POST (list of Network IDs)Generates a new DHCP ID

/tenant/X/dhcp/Y/network/Z/ip (cidr)/tenant/X/dhcp/Y/network/Z/addresses/tenant/X/dhcp/Y/network/Z/gateway_ip/tenant/X/dhcp/Y/network/Z/dns

InternetInternet

Router Service(VM)

Quantum L2 Network

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM

VMVM

Quantum L2 Network

EVENT QUEUENotification API

QUANTUMManager

Router Configuration Event

· Router Service routes all traffic from all attached L2 Networks

/tenant/X/router POST (list of Network IDs)Generates a new Router ID

/tenant/X/router/Y/network/Z/ip POST (pass in IP address)Becomes Router’s network interface’s IP address (gateway IP)

InternetInternet

Firewall Service(VM)

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM

Quantum L2 Network

EVENT QUEUENotification API

QUANTUMManager

Firewall Configuration Event

· Firewall Service performs rule based actions between L2 networks

/tenant/X/firewall POST (list of Network IDs)Generates a new Firewall ID (Y)

/tenant/X/firewall/Y/filterPOST { priority: 1-32768 source: Network ID dest: Network ID source_ip: <cidr> dest_ip: <cidr> protocol: <string> source_port: <num or range> dest_port: <num or range> action: <ALLOW or DENY or REJECT> log: <true or false>}

/tenant/X/firewall/Y/policyPOST { source: Network ID dest: Network ID}

InternetInternet

Firewall Service(VM)

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM

Quantum L2 Network

EVENT QUEUENotification API

QUANTUMManager

Firewall Configuration Event

Continued...

/tenant/X/firewall/Y/natPOST { source: Network ID dest: Network ID source_ip: <cidr> dest_ip: <cidr> masq_ip: <cidr>}

/tenant/X/firewall/Y/forwardPOST { source: Network ID dest: Network ID recv_on_ip: <cidr> send_to_ip: <cidr> recv_on_port: <num or range> send_to_port: <num or range>}

* port range iff range == range

InternetInternet

VPN Service(VM)

Quantum L2 Network

Quantum L2 Network

VMVM VMVM

VMVMVMVM

ServerServer

Quantum L2 Network

· VPN Service provides tunnels to remote L2 Networks

· VPN Service listens on all interfaces

· Does not specify underlying protocol for VPN

/tenant/X/vpn POST (list of Network IDs)Generates a new VPN ID* defines list of local networks accessible via VPN

/tenant/X/vpn/Y/tunnelPOST { local: ip/port remote: ip/port local_cred: <some credential> remote_cred: <some crednetial>}

/tenant/X/vpn/Y/tunnel/Z/linkPOST { source: Network ID dest: Network ID (usually Remote)}

Remote Quantum L2 Network

Remote Quantum L2 Network

Remote Quantum L2 Network

VMVM

Legend

InternetInternet

VPN ID 1Router ID 1

Network ID 1

Network ID 2

VMVM

Network ID 0

Router ID 2Firewall ID 1

Network ID 3

Network ID 4

Network ID 5

VMVM VMVM

VMVMVMVM VMVM

Router ID 3

Network ID 6

Network ID 7

VMVM VMVM

VMVM

DHCP ID 1

Virtual Network Service (VM)

Quantum L2 Network

ServerServer

Network ID 8

Network ID 9

Network ID 10

VMVM

InternetInternet

VPN ID 1Router ID 1Router ID 2Router ID 3DHCP ID 1

Firewall ID 1

Network ID 1

Network ID 2

VMVM

Network ID 0

Network ID 3

Network ID 4

Network ID 5

VMVM VMVM

VMVMVMVM VMVM

Network ID 6

Network ID 7

VMVM VMVM

VMVM

ServerServer

Network ID 8

Network ID 9

Network ID 10

VMVM

Launch ONE VM with all Quantum Virtual Network Services for the tenant!

nova create --quantum-service-vpn=1 --quantum-service-router=1 --quantum-service-router=2 --quantum-service-router=3 --quantum-service-dhcp=1 --quantum-service-firewall=1

EVENT QUEUENotification API

QUANTUMManager

DHCP Event for 1Router Event for 3Firewall Event for 1

We call this: Virtual Cloud Gateway

It also performs the following Virtual Network Services:· QoS· Security Gateway (IDS/IPS, CF, AV)· Universal Application Proxy· VPN (IPSEC/OpenVPN)· Remote Access (Win/Mac/iOS/Android)· Real-time Monitoring

100% managed from the cloud, created on-demand

Questions?