VRFs in Linux: reusing infrastructure


One Line Summary

Proposal to implement VRF-lite using existing Linux constructs


In the context of internet scale routing, a requirement that always comes up is the need to partition the available routing tables into disjoint routing planes. A specific use case is the multi-tenancy problem, where each tenant has its own unique routing tables and, at the very least, needs a different default gateway.

This is an attempt to build the ability to create virtual router domains, aka VRFs (VRF-lite to be specific), in the Linux packet forwarding stack. The main observation is that, through the use of rules and socket binding to interfaces, all the facilities we need are already there in the infrastructure. What is missing is a handle that identifies the traffic associated with a VRF while preserving the notions of ECMP and general routing principles.

The driver is a cross between the functionality that the IPVLAN and VXLAN drivers provide: a device is created, and packets into and out of the routing domain are shuttled through this device. The device is then used as a handle to identify the applicable rules. The VRF device is thus the layer 3 equivalent of a VLAN device.

High level aspects of the proposal:
Simple overlay driver (minimal changes to the current stack)
Uses the existing fib tables and fib rules infrastructure
Modeled closely after the ipvlan driver
Uses the current API and infrastructure
Applications can use SO_BINDTODEVICE or cmsg device identifiers to pick the VRF (ping and traceroute just work)
Standard IP rules work, and since they are aggregated against the device, scale is manageable
Completely orthogonal to namespaces; only provides separation in the routing plane (and ARP)
Debugging is built in, as tcpdump and counters on the VRF device work as is
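The setup the proposal describes, as an added example that is not the proposal's own code, written against the `ip link ... type vrf` syntax that mainline iproute2 ended up with; vrf-blue, table 10, eth1/eth2 and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the proposal. Creates one VRF-lite domain with
# iproute2 following the design above: the VRF device owns a routing table,
# tenant interfaces are enslaved to it, and device-keyed rules pick the table.
# vrf-blue, table 10, eth1/eth2 and 192.0.2.x are constructed placeholders.
# RUN unset: commands are only printed (dry run). RUN="": execute (needs root).
RUN="${RUN-echo}"

# vrf_setup NAME TABLE GATEWAY IFACE...
vrf_setup() {
    vrf="$1"; table="$2"; gw="$3"; shift 3
    # The VRF device is the handle; "table" binds it to its own fib table.
    $RUN ip link add "$vrf" type vrf table "$table"
    $RUN ip link set dev "$vrf" up
    # Enslave the tenant-facing interfaces; their traffic now enters via the VRF.
    for dev in "$@"; do
        $RUN ip link set dev "$dev" master "$vrf"
    done
    # The tenant's default gateway lives only in its own table.
    $RUN ip route add default via "$gw" table "$table"
    # Standard fib rules, aggregated on the device: one iif/oif pair per VRF,
    # however many tenant routes there are.
    $RUN ip rule add iif "$vrf" table "$table"
    $RUN ip rule add oif "$vrf" table "$table"
}

# vrf_check NAME TABLE: inspect the handle, its rules and its table.
vrf_check() {
    $RUN ip -d link show dev "$1"     # detail output includes "vrf table N"
    $RUN ip rule show                 # the device-keyed rules
    $RUN ip route show table "$2"     # the tenant's routes and default gateway
}

# vrf_ping NAME DST: applications pick the VRF via SO_BINDTODEVICE (ping -I).
vrf_ping() {
    $RUN ping -I "$1" -c 1 "$2"
}

# Stand-alone run prints the command plan (dry run) for one tenant domain.
vrf_setup vrf-blue 10 192.0.2.1 eth1 eth2
vrf_check vrf-blue 10
vrf_ping vrf-blue 192.0.2.2
```

Recent kernels install a rule for the VRF device automatically when it is created, so the two explicit ip rule lines are then redundant but harmless.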


VRF, l3context, routing, rules