Same Host Traffic Leaks in Neutron DVR When Using BGP
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | New | Wishlist | Unassigned | |
Bug Description
Hi everyone,
When Neutron BGP Dynamic Routing and DVR are used, instances in VXLAN tenant networks located in different routers within different projects can directly access each other if they are on the same compute host. (They should ideally communicate via the gateway IP address of the provider network serving as the router's external gateway).
Although the routers are in different projects, because their external gateways are the same, the north-south traffic exiting the routers reaches the fip namespace on the compute node due to the "fast-exit" feature. ([RFE]"Fast exit" for compute node egress flows when using DVR - https:/
This situation occurs due to the tenant network routes present in the fip namespace on the compute node. The purpose of these routes is to forward traffic arriving at the agent gateway IP address (announced as the next-hop in BGP) towards the VMs via the qrouter namespace. (These are the routes in the main table - see attachment).
While using different provider networks as the external gateway for each router comes to mind as a solution, creating a dedicated external gateway for each router is excessively costly, almost impossible, and illogical. This is because, due to the address scope limitations in BGP usage, it would also necessitate creating a new BGP speaker and establishing a BGP connection for each tenant.
According to SOX cybersecurity compliance, it must be possible to apply ACLs on the access between VXLAN tenant networks. We cannot use Security Groups because we cannot manage ACLs centrally and easily, and as discussed in a bug report we previously submitted, packet loss during live migration increases dramatically as the number of rules grows. Neutron developers informed us that there is no definitive solution for this, and it operates on a best-effort basis. (https:/
In conclusion, we consider this situation as a bug. What is your assessment?
We think it would be nice to add a new config flag and, based on the value of this flag, the VXLAN tenant networks could be isolated. Moving the tenant network routes added to the fip namespace from the main table to a different table, and adding the agent gateway port as an input interface (iif) condition to the rule, is sufficient. (see attachment).
Thanks.
- Environment Details
OpenStack Version: Zed (cluster installed via Kolla-Ansible)
OS Version: Ubuntu 22.04.4 LTS Hosts (Kernel: 5.15.0-117-generic)
Neutron Version: 21.1.3.dev24
Services: neutron-server, neutron-dhcp-agent, neutron-
Controller & Network Nodes: 5 nodes
Networking Backend: OpenvSwitch (DVR mode)
Router HA: Disabled (l3_ha = false)
BGP Dynamic Routing: neutron-bgp-dragent used to announce unique tenant networks.
Tenant Network Type: VXLAN
External Network Type: VLAN
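To make the mechanism in the report concrete, here is an added example (not part of the bug report or of Neutron's own code): a small Python model of Linux policy routing in the fip namespace. It compares the current layout, where the tenant network routes sit in the main table, with the proposed layout, where they live in a dedicated table that is only consulted for packets entering on the agent gateway port. All interface names (fg-agent-gw, fpr-r1, fpr-r2), addresses and table names are constructed for the illustration; the real names in the attachment will differ.

```python
"""Toy model of Linux policy routing in the DVR fip namespace (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed interface names (assumptions, not taken from the report's attachment):
# fg-* is the agent gateway port on the external network, fpr-r* are the fip-side
# ends of the veth pairs towards each router's qrouter namespace.
FG = "fg-agent-gw"
FPR_R1 = "fpr-r1"
FPR_R2 = "fpr-r2"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    table: str
    iif: Optional[str] = None  # None matches any input interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iif: str  # interface the packet entered the fip namespace on


Config = Tuple[List[Rule], Dict[str, List[Route]]]


def lookup_table(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]], pkt: Packet) -> Optional[Route]:
    """Walk rules in priority order; if a table has no match, fall through to the next rule."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.iif is not None and rule.iif != pkt.iif:
            continue
        hit = lookup_table(tables[rule.table], dst)
        if hit is not None:
            return hit
    return None


def _tenant_routes() -> List[Route]:
    # Routes the L3 agent installs so BGP-attracted traffic reaches each router's VMs.
    return [
        Route(ipaddress.ip_network("10.1.0.0/24"), FPR_R1, "169.254.106.115"),
        Route(ipaddress.ip_network("10.2.0.0/24"), FPR_R2, "169.254.106.117"),
    ]


DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"), FG, "203.0.113.1")  # provider gateway


def current_config() -> Config:
    """Today: tenant routes live in main, so a packet from any interface can use them."""
    return [Rule("main")], {"main": _tenant_routes() + [DEFAULT]}


def proposed_config() -> Config:
    """Report's proposal: tenant routes in their own table, consulted only for iif == fg port."""
    rules = [Rule("tenant", iif=FG), Rule("main")]
    return rules, {"tenant": _tenant_routes(), "main": [DEFAULT]}


def egress_dev(config: Config, pkt: Packet) -> Optional[str]:
    """Interface the fip namespace would forward the packet out of."""
    rules, tables = config
    hit = route_packet(rules, tables, pkt)
    return hit.dev if hit else None


if __name__ == "__main__":
    # VM behind router 1 talking to a VM behind router 2 on the same host (fast-exit path).
    east_west = Packet("10.1.0.5", "10.2.0.7", FPR_R1)
    # Inbound traffic attracted by the BGP announcement, entering on the agent gateway port.
    north_south = Packet("198.51.100.9", "10.2.0.7", FG)
    for name, cfg in (("current", current_config()), ("proposed", proposed_config())):
        print(f"{name:8s} east-west -> {egress_dev(cfg, east_west)}"
              f" | north-south -> {egress_dev(cfg, north_south)}")
```

With the current layout the east-west packet is forwarded straight to fpr-r2, which is the leak the report describes; with the proposed layout it falls through to the default route and leaves the host via the provider gateway, where a central ACL can see it, while inbound BGP-attracted traffic still reaches fpr-r2 because it enters on the agent gateway port. The rule the model encodes corresponds to an iproute2 policy rule keyed on the input interface (an `ip rule` with an `iif` match pointing at a non-main table), which is what the report proposes the L3 agent should install.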

Hi, thanks for the detailed description.
I mark this idea as RFE, I think the Neutron Drivers can discuss this on one of the coming drivers meetings (https://meetings.opendev.org/#Neutron_drivers_Meeting)