> Some of us are looking at a different model. I’d be interested in your thoughts.

Fred,

Thanks for the link to the drafts. They look extremely similar to the approach we've been pursuing for Project Calico, and it's good to see that we're not the only people thinking in this direction.

It looks like the main differences between our approach and yours are that we've tried to come up with a model that works both for IPv4 and IPv6 (although we agree that moving the data center fabric to IPv6 has a lot of advantages - e.g. we are planning on using 464XLAT as the mechanism to handle IPv4 overlap). Given this, we've focused our policy/security model on ACLs rather than flow labels. An interesting derivative effect of that choice is that any policy or security model can be enforced (such as intra-tenant controls, extra-cloud controls, etc.).

As a side note, we have been interested in using flow labels as namespace identifiers and for SFC. Recently, we have moved away from that thinking given the guidance that the flow label should not be modified in flight. If you believe that such modifications will be acceptable, we would love to discuss that with you, and see where we can collaborate.

As it is, I believe our proposed changes to Nova and Neutron should be generic enough to provide a basis for implementing your approach as well as supporting our Project Calico ML2 driver. If they aren't, we should work together to make whatever changes we have to make to achieve that generality.

It might also be worth checking out our agent code[0]. It's in the middle of a rewrite at the minute so the code is unfinished, but it handles a lot of what you'd be doing with your proposed drafts. Hopefully it'd be a useful jumping off point.

Cory

[0]: https://github.com/Metaswitch/calico/tree/master/calico/felix