[openstack-dev] [Quantum-core] Proposed Quantum Port Security API/Blueprint

Aaron Rosen arosen at nicira.com
Mon Jan 14 20:39:09 UTC 2013

Hi Akihiro,

Thanks for your feedback. Responses inline.

On Sat, Jan 12, 2013 at 2:44 AM, Akihiro MOTOKI <amotoki at gmail.com> wrote:

> Hi Aaron,
> Sorry for the late feedback.
> I have some comments on the spec.
> - Who can change the port security? If the network physical
> infrastructure provides an address
> space isolation among logical network, a tenant (a regular use) may
> change port security freely.
> On the other hand, if the network physical infrastructure requires MAC
> uniqueness (for example,
> network_type == flat), only admin should change port security.
> Correct, I was thinking about building a flag
(require_port_security_on_shared_networks and
require_port_security_on_provider_networks) in which it would force all
ports created on that network to use port security (and would require the
admin to remove that setting). Do you think this is something we should
build in?

> - Why can we disable port security when a port is associated with a
> security group?
> The limitation section in the spec document says "if a port is
> associated with a security group
> one cannot remove the port security setting as port security is
> required for security groups to work."

The reason for this is if we allow the vm to change it's source ip then it
would be possible for them to get around the security group applied to the

> A usual case is a case where a VM wants to another IP address in
> addition to its IP address assigned,
> but it is likely a user still wants to use security group (to drop
> incoming packets to undesired L4 ports).

In this use case you are talking about, are you meaning on the same vif
using ip aliases? If so then the user should update the port to include
this ipaddress and then add the desired security group settings for the
communication they want. It's not possible to support port security on a
port for only one ipaddress and not the other because of the reason i
mentioned previously. The user could create another port with out port
security though.

> The current secgroup implementation honors the original security group
> implementation in nova
> and IP/MAC spoofing rules are added automatically as provider rules.
> We can change the provider rules according to port security state for the
> port.
> I hope my understanding it correct.
> Thanks,
> Akihiro
> 2013/1/5 Aaron Rosen <arosen at nicira.com>:
> > Hi,
> >
> > I'm starting to work on the following blueprint
> > (
> https://blueprints.launchpad.net/quantum/+spec/port-security-api-base-class
> )
> > and would like to run this spec by the community for feedback.
> >
> >
> https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit
> >
> > Thanks,
> >
> > Aaron
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> --
> Akihiro MOTOKI <amotoki at gmail.com>
> --
> Mailing list: https://launchpad.net/~quantum-core
> Post to     : quantum-core at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~quantum-core
> More help   : https://help.launchpad.net/ListHelp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130114/f4a60f8a/attachment.html>

More information about the OpenStack-dev mailing list