[openstack-dev] [quantum] Security groups egress default behaviour

Tomoe Sugihara tomoe at midokura.com
Tue Feb 26 11:29:39 UTC 2013


Hi quantum devs,

I was looking into Quantum Security Groups feature and I have some
questions regarding default behavior for egress processing.

From the slide[1] linked from the BP and the document[2], it sounds like
the following:

 - by default, all the egress traffic would be allowed
 - once you have an egress rule, the rule processing becomes a white list,
meaning traffic that doesn't match any of the rules would be dropped.

This actually sounds similar to what the Amazon VPC SG document[3] says, although
their implementation doesn't match the statement in the doc, which I'll
get to shortly.

If I understand the spec correctly, when I remove the last egress rule from
all the SGs bound to a port, the default behavior should change from DROP
to ALLOW. Symmetrically, when I add a first egress rule in any of the SGs
to which a VM is bound, the default behavior should change from ALLOW to
DROP. Am I interpreting this right?
However, I couldn't find the part that implements this. In fact, this processing
would be annoying if you have thousands of ports referring to multiple SGs
because, for each port, you would have to count the number of egress rules in
all the SGs, and depending on the count, you would have to change the
default behavior.

Then, I took a look at Amazon VPC security groups in the console. Contrary
to their online doc, their implementation seems more intuitive or explicit
like this:

- When you create a SG, you get a (default) visible outbound rule that
allows everything
- When you add/delete egress rules to the SG, the default rule is not
affected.

Basically, in VPC SG outbound behavior, just the same as the inbound, the
default is DROP. There's no implicit default behavior.
You merely get the default rule to allow everything for the default SG, as well
as when you create another SG.

So, I'm wondering what the right behavior for Quantum SG is. To me, the Amazon
style seems easy to understand from the user's perspective and easy to
implement. And, I now slightly remember that there was a discussion about
having an Amazon compatibility flag at the OS summit.

I'd appreciate any comments.

Thanks,
Tomoe


[1] http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html
[2] http://www.slideshare.net/delapsley1/20120417-osdesignsummitsecuritygroupsdlapsleyfinal, slide 13.
[3] http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
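The two egress models contrasted in the message above, as an added illustration that is not from the post or from Quantum's code: `Rule`, `SecurityGroup` and the two evaluator functions are assumed names, and rule matching is simplified to protocol plus destination CIDR. It shows how, under the implicit model, adding one rule to any SG bound to a port flips that port's default from ALLOW to DROP, while under the explicit-default-rule model the default is always DROP and only the visible allow-all rule changes what gets through.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """Constructed egress rule: None means 'any' for protocol or destination."""
    protocol: Optional[str] = None
    remote_cidr: Optional[str] = None

    def matches(self, protocol: str, dst_ip: str) -> bool:
        if self.protocol not in (None, protocol):
            return False
        return self.remote_cidr is None or ip_address(dst_ip) in ip_network(self.remote_cidr)


@dataclass
class SecurityGroup:
    name: str
    egress: List[Rule] = field(default_factory=list)


def implicit_default_egress(groups: List[SecurityGroup], protocol: str, dst_ip: str) -> str:
    """Reading of the spec: ALLOW while no bound SG has any egress rule; as soon as
    one rule exists anywhere, the union of rules across all bound SGs is a whitelist."""
    rules = [r for g in groups for r in g.egress]
    if not rules:  # this per-port count is what flips the default behaviour
        return "ALLOW"
    return "ALLOW" if any(r.matches(protocol, dst_ip) for r in rules) else "DROP"


def explicit_default_egress(groups: List[SecurityGroup], protocol: str, dst_ip: str) -> str:
    """VPC-console model: the default is always DROP; anything allowed must come
    from a rule in a bound SG, including the allow-all rule seeded at creation."""
    return "ALLOW" if any(r.matches(protocol, dst_ip) for g in groups for r in g.egress) else "DROP"


def new_vpc_style_group(name: str) -> SecurityGroup:
    """A freshly created SG carries a visible allow-everything egress rule."""
    return SecurityGroup(name, [Rule()])


if __name__ == "__main__":
    web, db = SecurityGroup("web"), SecurityGroup("db")
    print("implicit, no rules  :", implicit_default_egress([web, db], "udp", "10.0.0.5"))
    db.egress.append(Rule("tcp", "10.0.0.0/24"))  # one rule in db changes every port using web+db
    print("implicit, one rule  :", implicit_default_egress([web, db], "udp", "10.0.0.5"))
    vpc = new_vpc_style_group("web")
    vpc.egress.append(Rule("tcp", "10.0.0.0/24"))  # default rule is not affected
    print("explicit, with rule :", explicit_default_egress([vpc], "udp", "8.8.8.8"))
```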