Enable trust control for SR-IOV ports

Registered by Souvik Dey

Summary
=======
Enable trust mode control for SR-IOV ports

Motivation
==========
Starting with the ixgbe driver (version 4.4.0-k-rh7.3) in Linux 4.4, the driver supports a trust mode on VFs. When trust is on, the VM may change the MAC address of its VF on the host at run time and may enable multicast promiscuous mode on the VF. There should be a way to control this parameter from OpenStack as well, to remove the limitations described below.

Description
===========
Support for SR-IOV ports appeared in Neutron Juno and allows VMs to access the network through SR-IOV VFs. Linux now allows a new parameter, trust, to be set on a VF. This can be done, for example, using the ip-link(8) tool:

    ip link set dev eth0 vf 2 trust on

This command turns trust on for Virtual Function 2 of Physical Function 'eth0' and allows the VM to change the MAC address of the VF and to enable multicast promiscuous mode on it. Trust lifts a protection the PF otherwise enforces: an untrusted VF is refused when it asks to set a different MAC, whereas a trusted VF can present a MAC the host did not assign. Granting trust to a VF is therefore a security decision about the tenant behind that port.

This feature is useful in the following scenarios:

1. SR-IOV bonding configurations inside guests with VLANs on top of the bond interface. When the bond fails over from the active slave to the standby slave, the bond interface keeps the MAC of the original active slave. That MAC must be configured on the new VF, otherwise all transmitted packets are dropped by MAC spoof checking. This can also be handled by setting fail_over_mac to active, which changes the bond MAC on switchover, but with VLANs on top of the bond the VLAN interfaces still carry the old MAC and break.

2. Currently only 30 multicast addresses are supported per VF. This restricts the number of IPv6 addresses that can be used per interface, since the kernel joins a different solicited-node multicast MAC for each address. This in turn restricts the number of VLANs that can be created when using IPv6.

Proposed Change
===============

The proposal is to introduce a new port parameter, trust_mode, which can only be set for ports of vnic_type 'direct'. For such ports trust_mode = True means that trust is set to on for the VF backing the port.

The actual setting on the VF is done by the SR-IOV NIC agent (sriovnicagent) using the ip-link(8) tool.

The default value of trust_mode is False, which leaves trust off, so the change does not affect the default behavior.
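The following is an added example, not Neutron's own agent code, showing the two halves of the proposal above as a practitioner would want to test them offline: reading the current trust state of each VF from ip-link(8) output, and computing the exact `ip link set ... vf N trust on|off` commands needed to converge to the requested trust_mode. The sample ip-link output is constructed, not captured from a real host; the port attribute name trust_mode follows this blueprint, while the admin-only rule in validate_trust_request and all function names are assumptions made for the example.

```python
import re

# Constructed sample of `ip link show dev eth0` on an SR-IOV PF (not captured
# from a real host). Two VF line styles printed by different iproute2
# releases are included so the parser copes with both.
SAMPLE_IP_LINK_OUTPUT = """\
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:1b:21:ab:cd:ef brd ff:ff:ff:ff:ff:ff
    vf 0 MAC fa:16:3e:11:22:33, vlan 100, spoof checking on, link-state auto, trust off
    vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
    vf 2     link/ether fa:16:3e:aa:bb:cc brd ff:ff:ff:ff:ff:ff, vlan 200, spoof checking on, link-state auto, trust on
"""

_VF_LINE = re.compile(
    r"^\s*vf\s+(?P<index>\d+)\s+(?:MAC|link/ether)\s+(?P<mac>[0-9a-f:]{17})(?P<rest>.*)$",
    re.IGNORECASE)


def parse_vf_state(ip_link_output):
    """Parse `ip link show` output into {vf_index: {mac, spoofchk, trust}}."""
    vfs = {}
    for line in ip_link_output.splitlines():
        m = _VF_LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        spoof = re.search(r"spoof checking (on|off)", rest)
        trust = re.search(r"\btrust (on|off)", rest)
        vfs[int(m.group("index"))] = {
            "mac": m.group("mac").lower(),
            "spoofchk": bool(spoof and spoof.group(1) == "on"),
            # Kernels/iproute2 without trust support print no field: treat as off.
            "trust": bool(trust and trust.group(1) == "on"),
        }
    return vfs


def validate_trust_request(port, is_admin):
    """Hypothetical policy check (an assumption of this example, not Neutron's
    rule): trust_mode is only valid on 'direct' ports, and only an admin may
    turn it on, since a trusted VF can present MACs the host did not assign."""
    vnic_type = port.get("binding:vnic_type")
    trust_mode = bool(port.get("trust_mode", False))
    if trust_mode and vnic_type != "direct":
        raise ValueError("trust_mode is only supported on vnic_type=direct ports")
    if trust_mode and not is_admin:
        raise PermissionError("only an admin may enable trust_mode on a port")
    return trust_mode


def build_trust_cmd(pf_dev, vf_index, trust_mode):
    """The ip-link(8) invocation the agent would run, built as an argv list so
    a device name is never interpreted by a shell."""
    return ["ip", "link", "set", "dev", pf_dev, "vf", str(vf_index),
            "trust", "on" if trust_mode else "off"]


def plan_trust_changes(pf_dev, desired, current):
    """Return the commands needed to converge the VFs of `pf_dev` to `desired`
    ({vf_index: bool}). VFs already in the requested state are skipped so the
    agent stays idempotent; unknown VF indexes are rejected, not ignored."""
    cmds = []
    for vf_index, want in sorted(desired.items()):
        if vf_index not in current:
            raise ValueError("VF %d not present on %s" % (vf_index, pf_dev))
        if current[vf_index]["trust"] != want:
            cmds.append(build_trust_cmd(pf_dev, vf_index, want))
    return cmds


if __name__ == "__main__":
    state = parse_vf_state(SAMPLE_IP_LINK_OUTPUT)
    port = {"binding:vnic_type": "direct", "trust_mode": True}
    desired = {0: validate_trust_request(port, is_admin=True), 2: True}
    for cmd in plan_trust_changes("eth0", desired, state):
        print(" ".join(cmd))
```

With the constructed output above, only VF 0 needs a command (VF 2 is already trusted), which is the behaviour an agent wants on restart: re-reading host state and touching only the VFs whose trust bit differs from the port's trust_mode.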

UX
===
Currently none. Once creation of SR-IOV ports is supported from Horizon, all port attributes, including trust_mode, should be supported there too.

Testing
=======
Tempest tests are not currently planned because SR-IOV hardware is not always available. Third-party CI testing could be considered, though the feature is probably too minor to justify it.

Outside Dependencies
====================

None. The change is contained in Neutron: the user gains the ability to control the trust setting on specific Neutron ports, and python-neutronclient does not need to be modified.

Requirements Update Required
============================
NA

Doc Impact
==========
User Doc: User documentation will be updated with information about trust mode control for 'direct' ports and its security considerations, in particular that a trusted VF may change its MAC address.
Developer Doc: None

Blueprint information
=====================

Status: Complete
Approver: None
Priority: Undefined
Drafter: Souvik Dey
Direction: Needs approval
Assignee: SUYASH KARMARKAR
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Souvik Dey
