Neutron 流量保护支持 - API 和特性

背景

1. 当大量广播、组播或未知单播数据包拥塞网络时，会发生流量风暴。

2. 一些恶意程序可能会发送大量特定类型的流量，例如 ARP、ICMP...

由于以上两点会导致过高的 CPU 和网络成本，以及一些安全问题，大多数物理交换机都提供许多流量保护功能，例如广播抑制、风暴控制、ARP 防攻击速率限制。Neutron 在复杂的实际数据中心中也需要这种能力。

traffic storm protection approaches:

Storm suppression, which enables to limit the size of monitored traffic passing through an Ethernet interface by setting a traffic threshold.When the traffic threshold is exceeded, the interface discards all exceeding traffic.

Storm control, which enables to shut down Ethernet interfaces or block traffic when monitored traffic exceeds the traffic threshold. It also enables an interface to send trap or log messages when monitored traffic reaches a certain traffic threshold, depending on the configuration.

简介

一项提案，允许 Neutron 网络服务的用户在复杂的实际数据中心获得流量保护。

1. 按网络：特定网络上的所有虚拟机/主机都属于特定租户，并获得流量保护

2. 按端口：连接到该端口的虚拟机/主机获得流量保护

概念

流量保护

流量保护策略

Extension API

列出流量保护

Method:GET
URL:v2.0/traffic-protections 
Description:List all Openstack networking traffic protections to which the specified tenant has access.
Request:
GET /v2.0/traffic-protections.json
Accept: application/json
Reponse:
{
 "traffic_protections":[
  {
  "id":"a7734e61-b545-452d-a3cd-0189cbd97abc",
  "name":"any string",
  "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
    "traffic_protection_policies":[
    {
      "id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
      "traffic_type":"ARP_BROADCAST",
      "method":"SUPPRESSION",
      "args":{"kbps":688},
      "traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747a",
      "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
},
{
    "id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
    "traffic_type":"BROADCAST",
    "method":"IP_SUPPRESSION",
    "args":{"kbps":1024},
    "traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747b",
    "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
}
]
},
]
}

创建流量保护

Method:POST
URL:v2.0/traffic-protections
Description:Creates an Openstack Netwrok traffic-protection
Request:
POST /v2.0/traffic-protections.json
Accept: application/json
{
 "traffic_protection":
  {
  "name":"any string",
}
}
Reponse:
{
 "traffic_protection":
  {
 "id":"a7734e61-b545-452d-a3cd-0189cbd97abc",
 "name":"any string",
 "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
}
  }

显示流量保护

Method:GET
URL:v2.0/traffic-protection/{tranffic-protection-id}
Description:show the infomation of a specified traffic-protection.
Request:
GET /v2.0/traffic-protections/a7734e61-b545-452d-a3cd-0189cbd97abc
Accept: application/json
Reponse:
{
 "traffic_protection":
  {
  "id":"a7734e61-b545-452d-a3cd-0189cbd97abc",
  "name":"any string",
    "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112",
    "traffic_protection_policies":[
         {
      "id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
      "traffic_type":"ARP_BROADCAST",
      "method":"SUPPRESSION",
      "args":{"kbps":688},
      "traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747a",
      "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
          },
          {
    "id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
    "traffic_type":"BROADCAST",
    "method":"IP_SUPPRESSION",
    "args":{"kbps":1024},
    "traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747b",
    "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
          }
]
     }
}

删除流量保护

Method:DELETEv2.0/traffic-protection/{tranffic-protection-id}
URL:v2.0/traffic-protection/{tranffic-protection-id}
Description:Delete a specified traffic-protection.
Request:
DELETE /v2.0/traffic-protection-policies/a7734e61-b545-452d-a3cd-0189cbd97qqq
Contect-Type:application/json
Accept: application/json
Reponse:

列出流量保护策略

Method:GET
URL:v2.0/traffic-protection-policies
Description:List a summary of all OpenStack Networking traffic-protection-policies that the specified tenant can access.
Request:
GET /v2.0/traffic-protection-policies.json
Accept: application/json
Reponse:
{
"traffic_protection_policies":[
 {
  "id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
  "traffic_type":"ARP_BROADCAST",
  "method":"SUPPRESSION",
  "args":{"kbps":688},
  "traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747a",
  "tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
}
{
"id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
"traffic_type":"BROADCAST",
"method":"IP_SUPPRESSION",
"args":{"kbps":1024},
"traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747b",
"tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
}
]
}

创建流量保护策略

Method:POST
URL:v2.0/traffic-protection-policies
Description:Create an Openstack Network traffic-protection
Request:
POST /v2.0/traffic-protection-policies.json
Accept: application/json
{
"traffic_protection_policy":{
"traffic_type":"BROADCAST",
"method":"SUPPRESSION",
"args":{"kbps":1024},
"traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747a"
}
}

Reponse:
{
"traffic_protection_policy":{
"id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
"traffic_type":"BROADCAST",
"method":"SUPPRESSION",
"args":{"kbps":1024},
"traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747a",
"tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
}
}

显示流量保护策略

Method:GET
URL:v2.0/traffic-protection-policies/{tranffic-protection-policies-id}
Description:show detailed infomation for a specified traffic-protection-policies.
Request:
GET /v2.0/traffic-protection-policy/a7734e61-b545-452d-a3cd-0189cbd97qqq
Accept: application/json
Reponse:
{
"traffic_protection_policy":{
"id":"a7734e61-b545-452d-a3cd-0189cbd97qqq",
"traffic_type":"BROADCAST",
"method":"SUPPRESSION",
"args":{"kbps":688},
"traffic_protection_id":"a7734e61-b545-452d-a3cd-0189cbd9747a",
"tenant_id":"a7734e61-b545-452d-a3cd-0189cbd91112"
}
}

删除流量保护策略

Method:DELETE
URL:DELETEv2.0/traffic-protection-policies/{tranffic-protection-policy-id}
Description:Delete a specified traffic-protection.
Request:
DELETE /v2.0/traffic-protection-policies/a7734e61-b545-452d-a3cd-0189cbd97qqq
Contect-Type:application/json
Accept: application/json
Reponse:

计划