[openstack-dev] Proposed Quantum Port Security API/Blueprint

Akihiro MOTOKI amotoki at gmail.com
Sat Jan 12 10:44:30 UTC 2013

Hi Aaron,

Sorry for the late feedback.

I have some comments on the spec.

- Who can change the port security? If the network physical
infrastructure provides an address
space isolation among logical network, a tenant (a regular use) may
change port security freely.
On the other hand, if the network physical infrastructure requires MAC
uniqueness (for example,
network_type == flat), only admin should change port security.

- Why can we disable port security when a port is associated with a
security group?
The limitation section in the spec document says "if a port is
associated with a security group
one cannot remove the port security setting as port security is
required for security groups to work."
A usual case is a case where a VM wants to another IP address in
addition to its IP address assigned,
but it is likely a user still wants to use security group (to drop
incoming packets to undesired L4 ports).

The current secgroup implementation honors the original security group
implementation in nova
and IP/MAC spoofing rules are added automatically as provider rules.
We can change the provider rules according to port security state for the port.

I hope my understanding it correct.


2013/1/5 Aaron Rosen <arosen at nicira.com>:
> Hi,
> I'm starting to work on the following blueprint
> (https://blueprints.launchpad.net/quantum/+spec/port-security-api-base-class)
> and would like to run this spec by the community for feedback.
> https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit
> Thanks,
> Aaron
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Akihiro MOTOKI <amotoki at gmail.com>

More information about the OpenStack-dev mailing list