<br><br><div class="gmail_quote">On Tue, Nov 27, 2012 at 2:34 PM, Nachi Ueno <span dir="ltr"><<a href="mailto:nachi@nttmcl.com" target="_blank">nachi@nttmcl.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Aaron, Akihiro, Gary<div><br></div><div>I would like to ask your opinion about the security group specs.</div><div><br></div><div>[Discussion 1] security group rule applied for port for network:* ports?</div><div><br>
</div>
<div>- Dhcp port (looks not needed)</div></blockquote><div><br></div><div>I don't see obvious use cases here, and a tenant could definitely shoot themselves in the foot by configuring security groups here. Not supporting them here would make sense. </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>- Router port ( I could see many usecases, but this may be implemented as a service extension such as VPM)</div>
</blockquote><div><br></div><div>This is tricky. It make sense to do packet filtering at router ports, but I would argue that security groups are the wrong abstraction here. Security groups are very directional, as their original intent was to project an "inside" VM from the "outside" world. That directionality doesn't really make sense on router port in my experience. </div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br></div><div>IMO, if we take this limitation, these limitation should be done in securitygroups_db class.</div>
</blockquote><div><br></div><div>seems reasonable. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br></div><div>[Discussion 2] Security groups for external networks</div><div>I could see use cases here. ( limit outbound or inbound connections)</div><div>However may be different default setting needed.</div><div>
Allow all traffic here ?</div></blockquote><div><br></div><div>Can you be more precise about what you mean here? In Quantum, external networks are a concept that is currently only relevant for L3 + Floating IPs. Similar to the logic above, I don't think it makes sense to apply security groups on router gateway ports. But if a VM is connected directly to a "shared=True" public network that also happens to be "external=True", then applying security groups there would make sense. </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><br></div><div>[Discussion 3] Default filtering rule</div><div>IMO, we should update definition of wiki considering some</div>
<div>provider specified rules.</div><div> </div><div><p style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial Unicode MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em">
<span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace">Egress</span><br><span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"> -p udp --sport 68 --dport 67 -d 255.255.255.0 -j RETRUN</span><br>
<span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"> -p udp --sport 68 --dport 67 -d $DHCP_IP -j RETRUN</span><br><span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"> -m mac --mac-source !$PORT_MAC -j DROP (arp spoofing)</span><br>
<span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"> -s !$PORT_FIXED_IPS -j DROP (ip spoofing)</span><br><span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"> -p udp --sport 67 --dport 68 -J DROP (disallow dhcp)</span><br>
</p><ul style="font-family:'Arial Unicode MS',Arial,sans-serif"><li>if no there are no egress rule, all egress traffic allowed except above rules</li></ul><p style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial Unicode MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em">
<span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace">Ingress</span><br><span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"> -p udp --sport 68 --dport 67 -s $DHCP_IP -j RETURN</span></p>
<p style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial Unicode MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em"><span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace"><br>
</span></p></div></blockquote><div><br></div><div>to summarize, you are saying "prevent L2/L3 spoofing" and "allow VMs to get IPs via DHCP". The former is commonly done in conjunction with security groups, since a VM spoofing a source IP could evade filters. The latter also makes sense, as it goes along with the default security group policy that "VM can send anything outbound, and can always receive a reply to anything it sent". </div>
<div><br></div><div>Dan</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><p style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial Unicode MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em">
<span style="white-space:pre-wrap;font-family:'Lucida Console','Lucida Sans Typewriter',Monaco,monospace">
</span></p></div><div>Thanks</div><span class="HOEnZb"><font color="#888888"><div>Nachi</div><div><br></div><div><br></div><div><br></div>
</font></span><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>Dan Wendlandt <div>Nicira, Inc: <a href="http://www.nicira.com" target="_blank">www.nicira.com</a><br><div>twitter: danwendlandt<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br></div></div><br>