[openstack-dev] Challenges with highly available service VMs

Vishvananda Ishaya vishvananda at gmail.com
Wed Jul 10 19:14:14 UTC 2013


On Jul 4, 2013, at 8:26 PM, Ian Wells <ijw.ubuntu at cack.org.uk> wrote:

> On 4 July 2013 23:42, Robert Collins <robertc at robertcollins.net> wrote:
>> Seems like a tweak would be to identify virtual IPs as separate to the
>> primary IP on a port:
>> you don't need to permit spoofing of the actual host IP for each host in
>> the HA cluster; you just need to permit spoofing of the virtual IP. This
>> would be safer than disabling the spoofing rules, and avoid configuration
>> errors such as setting the primary IP of one node in the cluster to be a
>> virtual IP on another node - neutron would reject that as the primary IP
>> would be known as that.
> 
> With apologies for diverting the topic somewhat, but for the use cases
> I have, I would actually like to be able to disable the antispoofing
> in its entirety.
> 
> It used to be essential back when we had nova-network and all tenants
> ended up on one network.  It became less useful when tenants could
> create their own networks and could use them as they saw fit.
> 
> It's still got its uses - for instance, it's nice that the metadata
> server can be sure that a request is really coming from where it
> claims - but I would very much like it to be possible to, as an
> option, explicitly disable antispoof - perhaps on a per-network basis
> at network creation time - and I think we could do this without
> breaking the security model beyond all hope of usefulness.

Per network and per port makes sense.

After all, this is conceptually the same as enabling or disabling
port security on your switch.

Vish

> -- 
> Ian.
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
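The two positions in the thread (Robert's: keep anti-spoofing on but whitelist the virtual IP per port, and reject a primary IP that collides with someone's VIP; Ian's and Vish's: allow anti-spoofing to be switched off per network or per port) can be made concrete with a small model of the egress check a port-security filter performs. The following is an added example written for this page, not Neutron code and not anything posted in the thread: `Network`, `Port`, `Topology`, `egress_allowed`, the MACs and the 10.0.0.0/24 addresses are all constructed for illustration.

```python
"""Model of per-port anti-spoofing with explicit virtual IPs.

Added illustration, not OpenStack/Neutron code. Every class, function
and address below is hypothetical and exists only for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Network:
    network_id: str
    cidr: str
    port_security: bool = True      # per-network default for anti-spoofing


@dataclass
class Port:
    port_id: str
    network_id: str
    mac: str
    fixed_ips: set                  # primary IPs the port owns
    virtual_ips: set = field(default_factory=set)   # VIPs it may also source
    port_security: bool = True      # per-port override of the network default


class Topology:
    """Holds networks and ports and answers 'may this port send this frame?'"""

    def __init__(self):
        self.networks = {}
        self.ports = {}

    def add_network(self, net):
        self.networks[net.network_id] = net

    def _peers(self, port):
        return [p for p in self.ports.values()
                if p.network_id == port.network_id and p.port_id != port.port_id]

    def _check_in_cidr(self, net, ip):
        if ip_address(ip) not in ip_network(net.cidr):
            raise ValueError(f"{ip} is not inside {net.cidr}")

    def add_port(self, port):
        net = self.networks[port.network_id]
        for ip in port.fixed_ips | port.virtual_ips:
            self._check_in_cidr(net, ip)
        for other in self._peers(port):
            if port.fixed_ips & other.fixed_ips:
                raise ValueError("primary IP already allocated on this network")
            # The configuration error from the thread: a primary IP that is
            # already another port's VIP, or a VIP that is another port's primary.
            if port.fixed_ips & other.virtual_ips:
                raise ValueError("primary IP is already a VIP of another port")
            if port.virtual_ips & other.fixed_ips:
                raise ValueError("VIP is another port's primary IP")
        self.ports[port.port_id] = port

    def add_vip(self, port_id, vip):
        port = self.ports[port_id]
        self._check_in_cidr(self.networks[port.network_id], vip)
        for other in self._peers(port):
            if vip in other.fixed_ips:
                raise ValueError(f"{vip} is the primary IP of {other.port_id}")
        port.virtual_ips.add(vip)

    def egress_allowed(self, port_id, src_mac, src_ip):
        """True if a frame with this source MAC/IP may leave the port."""
        port = self.ports[port_id]
        net = self.networks[port.network_id]
        if not (net.port_security and port.port_security):
            return True                     # anti-spoofing off: anything goes
        if src_mac.lower() != port.mac.lower():
            return False                    # MAC must be the port's own
        return src_ip in port.fixed_ips or src_ip in port.virtual_ips


def demo():
    """Two HA nodes sharing a VIP, plus one port with anti-spoofing disabled."""
    t = Topology()
    t.add_network(Network("net-ha", "10.0.0.0/24"))
    a = Port("port-a", "net-ha", "fa:16:3e:00:00:0a", {"10.0.0.11"})
    b = Port("port-b", "net-ha", "fa:16:3e:00:00:0b", {"10.0.0.12"})
    t.add_port(a)
    t.add_port(b)
    r = {}
    r["vip_before"] = t.egress_allowed("port-a", a.mac, "10.0.0.100")   # dropped
    t.add_vip("port-a", "10.0.0.100")
    t.add_vip("port-b", "10.0.0.100")
    r["vip_after_a"] = t.egress_allowed("port-a", a.mac, "10.0.0.100")  # passes
    r["vip_after_b"] = t.egress_allowed("port-b", b.mac, "10.0.0.100")  # passes
    r["peer_ip_spoof"] = t.egress_allowed("port-a", a.mac, "10.0.0.12")  # still dropped
    r["mac_spoof"] = t.egress_allowed("port-a", b.mac, "10.0.0.100")     # still dropped
    try:
        t.add_port(Port("port-c", "net-ha", "fa:16:3e:00:00:0c", {"10.0.0.100"}))
        r["vip_as_primary_rejected"] = False
    except ValueError:
        r["vip_as_primary_rejected"] = True
    try:
        t.add_vip("port-a", "10.0.0.12")
        r["primary_as_vip_rejected"] = False
    except ValueError:
        r["primary_as_vip_rejected"] = True
    d = Port("port-d", "net-ha", "fa:16:3e:00:00:0d", {"10.0.0.13"}, port_security=False)
    t.add_port(d)
    r["unsecured_any_source"] = t.egress_allowed("port-d", "00:11:22:33:44:55", "192.0.2.1")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The whitelist path keeps the rest of the anti-spoofing guarantee intact: granting the VIP to node A does not let it source node B's primary address or another MAC, which is exactly why it is safer than the per-port off switch, where `port-d` can emit any source at all (and the metadata service's assumption that a request comes from where it claims no longer holds for that port). Neutron later shipped both mechanisms as the allowed-address-pairs extension and the per-network/per-port `port_security_enabled` attribute.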



