
standardizing IPv4 networking in SCS

Open cah-patrickthiem opened this issue 1 year ago • 4 comments

This is the initial draft document to standardize IPv4 networking in the context of SCS.

cah-patrickthiem avatar Mar 14 '24 14:03 cah-patrickthiem

(EDIT: comment moved here: https://github.com/SovereignCloudStack/issues/issues/167#issuecomment-2044933327)

markus-hentsch avatar Apr 09 '24 11:04 markus-hentsch

Current status of this topic & some open questions:

  • this standard will be a rather more general standard, with important topics directly associated with IPv4 handling and linking to other standards for more in-depth explanations (e.g. Security Group standard)

Key suggestions:

  • IPv6 MUST be available
  • IPv4 SHOULD be available
  • subnet pools SHOULD be used for IPv6
  • Border Gateway Protocol (BGP): IPv6 MUST - IPv4 MAY - SHOULD
  • Neutron Routers MUST be used
  • OVN or L3agent SHOULD be used as high availability service deployments
  • Standard external networks MUST NOT be made accessible as shared networks
    • needs further investigation regarding "port security"
  • External networks and subnets MUST be configured with --no-dhcp
  • SCS conform CSPs MAY use RBAC and VPNaaS Neutron plugins
    • need to investigate further on what plugins & extensions are really available and up to date
    • RBAC MUST be set to admin-only mode
  • Security Groups SHOULD be enabled by default
  • standard quota of floating IPs and routers MAY be rather small
    • min quota SHOULD be > 1 floating IP
    • same for router usage
  • SCS CSPs SHOULD implement monitoring solutions to track the utilization of IPv4 floating IPs
    • probably makes more sense to specify the tool from the SCS side which should be used
      • we would need to build it ourselves probably
  • SCS clouds SHOULD adopt the naming convention scs-external-net for external - we decided to drop that entirely
  • Floating IPs MUST be enabled
  • multiple subnets MAY be used in the standard external network

Open Questions:

  • Should IPv4 and IPv6 networks be standardized in one document?

Todos:

  • check port security
  • investigate Neutron router plugins and extensions
  • create architectural overview regarding IPv4 networking in SCS

cah-patrickthiem avatar Apr 10 '24 09:04 cah-patrickthiem
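The MUST/MUST NOT and quota suggestions above are concrete enough to be checked mechanically. The following is an added example, not code from the issue or the SCS project: it evaluates the external-network and quota rules over dicts shaped like raw Neutron API responses (`router:external`, `shared`, `enable_dhcp`, `ip_version`, and the `floatingip`/`router` quota keys); the sample data is constructed for illustration.

```python
"""Checker for the draft's external-network and quota rules (added example)."""
from typing import Dict, List


def check_external_networks(networks: List[dict], subnets: List[dict]) -> List[str]:
    """Return one finding per violated rule, for external networks only."""
    findings: List[str] = []
    subnets_by_net: Dict[str, List[dict]] = {}
    for sub in subnets:
        subnets_by_net.setdefault(sub["network_id"], []).append(sub)
    for net in networks:
        if not net.get("router:external"):
            continue  # the rules below only concern external networks
        name, subs = net["name"], subnets_by_net.get(net["id"], [])
        # "Standard external networks MUST NOT be made accessible as shared networks"
        if net.get("shared"):
            findings.append(f"{name}: external network is shared")
        # "External networks and subnets MUST be configured with --no-dhcp"
        for sub in subs:
            if sub.get("enable_dhcp"):
                findings.append(f"{name}/{sub['name']}: DHCP enabled on external subnet")
        # "IPv6 MUST be available": expect at least one v6 subnet on the external net
        if not any(sub.get("ip_version") == 6 for sub in subs):
            findings.append(f"{name}: no IPv6 subnet on external network")
    return findings


def check_quota(quota: dict) -> List[str]:
    """'min quota SHOULD be > 1 floating IP' and 'same for router usage'."""
    findings: List[str] = []
    for key in ("floatingip", "router"):
        value = quota.get(key, 0)
        if value != -1 and value <= 1:  # -1 is Neutron's "unlimited" and passes
            findings.append(f"quota {key}={value} is not > 1")
    return findings


# Constructed sample data mimicking Neutron API fields (not from a real cloud)
SAMPLE_NETWORKS = [
    {"id": "net-ext", "name": "public", "router:external": True, "shared": True},
    {"id": "net-int", "name": "tenant-net", "router:external": False, "shared": False},
]
SAMPLE_SUBNETS = [
    {"network_id": "net-ext", "name": "public-v4", "ip_version": 4, "enable_dhcp": True},
    {"network_id": "net-int", "name": "tenant-v4", "ip_version": 4, "enable_dhcp": True},
]
SAMPLE_QUOTA = {"floatingip": 1, "router": 10}

if __name__ == "__main__":
    for finding in check_external_networks(SAMPLE_NETWORKS, SAMPLE_SUBNETS) + check_quota(SAMPLE_QUOTA):
        print(finding)
```

The same dicts can be fed from the JSON output of the Neutron API; note that the `openstack` CLI renames some of these fields (e.g. `is_shared`), so map them first.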

I'm trying to restructure the standard a bit and add some background and justification to the proposals. It's not yet at a point where I want to make a PR, but I'm keeping the draft in a hedgedoc: https://input.scs.community/rRwNRXloTXu6cmG_19cr_g

EDIT: I moved the draft to its own PR: https://github.com/SovereignCloudStack/standards/pull/572

kgube avatar Apr 15 '24 08:04 kgube

For the record, that topic was discussed recently in an SCS IaaS meeting, initiated by kgube. One of the questions was whether we want to define all network topics in one single network standard, and the answer was clearly no. Next we will figure out which network aspects will get their own standard document and which aspects might still be missing.

cah-patrickthiem avatar May 17 '24 10:05 cah-patrickthiem