<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Nachi,<br>
<br>
I will check and test your new patch.<br>
As I raised these issues, I commented inline. There is no
confliciton with Dan's comment.<br>
<br>
(2012/11/28 10:39), Nachi Ueno wrote:<br>
<blockquote
cite="mid:CABJepwi6BbVuUjnaZSZ0a=oxLow+Jz-DWsyV-QA0ybjgPQzoEA@mail.gmail.com"
type="cite">Hi Dan
<div><br>
</div>
<div>Thank you for your reply</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2012/11/27 Dan Wendlandt <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:dan@nicira.com" target="_blank">dan@nicira.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
<div class="gmail_quote">
<div class="im">On Tue, Nov 27, 2012 at 2:34 PM, Nachi
Ueno <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:nachi@nttmcl.com" target="_blank">nachi@nttmcl.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Aaron, Akihiro, Gary
<div><br>
</div>
<div>I would like to ask your opinion about the
security group specs.</div>
<div><br>
</div>
<div>[Discussion 1] security group rule applied for
port for network:* ports?</div>
<div><br>
</div>
<div>- Dhcp port (looks not needed)</div>
</blockquote>
<div><br>
</div>
</div>
<div>I don't see obvious use cases here, and a tenant
could definitely shoot themselves in the foot by
configuring security groups here. Not supporting them
here would make sense. <br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
I totally with Dan. I don't see any useful usecases either.<br>
<br>
<blockquote
cite="mid:CABJepwi6BbVuUjnaZSZ0a=oxLow+Jz-DWsyV-QA0ybjgPQzoEA@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>- Router port ( I could see many usecases, but
this may be implemented as a service extension such
as VPM)</div>
</blockquote>
<div><br>
</div>
</div>
<div>This is tricky. It make sense to do packet filtering
at router ports, but I would argue that security groups
are the wrong abstraction here. Security groups are
very directional, as their original intent was to
project an "inside" VM from the "outside" world. That
directionality doesn't really make sense on router port
in my experience. </div>
<div class="im">
<div><br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
My understanding is similar to Dan.<br>
I see security groups are basically applied to network endpoints
such as VIF of VM.<br>
Router is not an network endpoint and the meaning of 'direction' is
turned for a router port.<br>
It is better packet filtering at router is supported by other scheme
than security groups.<br>
<br>
<blockquote
cite="mid:CABJepwi6BbVuUjnaZSZ0a=oxLow+Jz-DWsyV-QA0ybjgPQzoEA@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
</div>
<div>IMO, if we take this limitation, these limitation
should be done in securitygroups_db class.</div>
</blockquote>
<div><br>
</div>
</div>
<div>seems reasonable. </div>
<div class="im">
<div><br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>OK I'll add check code for this.</div>
</div>
</div>
</blockquote>
<br>
Good approach at the current.<br>
Ideally some underlying layer of security group seems a better place
to implement such logic<br>
and securitygroups_db class should dedicate itself to manage
security group and its rule.<br>
<blockquote
cite="mid:CABJepwi6BbVuUjnaZSZ0a=oxLow+Jz-DWsyV-QA0ybjgPQzoEA@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
</div>
<div>[Discussion 2] Security groups for external
networks</div>
<div>I could see use cases here. ( limit outbound or
inbound connections)</div>
<div>However may be different default setting needed.</div>
<div>
Allow all traffic here ?</div>
</blockquote>
<div><br>
</div>
</div>
<div>Can you be more precise about what you mean here? In
Quantum, external networks are a concept that is
currently only relevant for L3 + Floating IPs. Similar
to the logic above, I don't think it makes sense to
apply security groups on router gateway ports. But if a
VM is connected directly to a "shared=True" public
network that also happens to be "external=True", then
applying security groups there would make sense. </div>
<div class="im">
<div> </div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Yes. In addition to the your example, cloud provider
(admin tenant) may create vm which serves some services for
vms on the cloud. <br>
</div>
</div>
</div>
</blockquote>
<br>
That's exactly what I think.<br>
We can simply achieve it by excluding ports with 'network:*'.<br>
<br>
<blockquote
cite="mid:CABJepwi6BbVuUjnaZSZ0a=oxLow+Jz-DWsyV-QA0ybjgPQzoEA@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
</div>
<div>[Discussion 3] Default filtering rule</div>
<div>IMO, we should update definition of wiki
considering some</div>
<div>provider specified rules.</div>
<div> </div>
<div>
<p
style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial
Unicode
MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em">
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace">Egress</span><br>
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"> -p udp --sport 68
--dport 67 -d 255.255.255.0 -j RETRUN</span><br>
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"> -p udp --sport 68
--dport 67 -d $DHCP_IP -j RETRUN</span><br>
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"> -m mac
--mac-source !$PORT_MAC -j DROP (arp spoofing)</span><br>
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"> -s
!$PORT_FIXED_IPS -j DROP (ip spoofing)</span><br>
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"> -p udp --sport 67
--dport 68 -J DROP (disallow dhcp)</span><br>
</p>
<ul style="font-family:'Arial Unicode
MS',Arial,sans-serif">
<li>if no there are no egress rule, all egress
traffic allowed except above rules</li>
</ul>
<p
style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial
Unicode
MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em">
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace">Ingress</span><br>
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"> -p udp --sport 68
--dport 67 -s $DHCP_IP -j RETURN</span></p>
<p
style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial
Unicode
MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em"><span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace"><br>
</span></p>
</div>
</blockquote>
<div><br>
</div>
</div>
<div>to summarize, you are saying "prevent L2/L3 spoofing"
and "allow VMs to get IPs via DHCP". The former is
commonly done in conjunction with security groups, since
a VM spoofing a source IP could evade filters. The
latter also makes sense, as it goes along with the
default security group policy that "VM can send
anything outbound, and can always receive a reply to
anything it sent". </div>
</div>
</blockquote>
<div><br>
</div>
<div>Yes. Established session is allowed by default. # we
should note this also</div>
</div>
</div>
</blockquote>
<br>
IMO such provider specified rules should not exposed to tenants<br>
even if such rules are registered to security group tables.<br>
At least such rules must not be changed by non-admin user.<br>
<br>
Ideally some underlying layer of security group seems a better place
to implement such logic<br>
and securitygroups_db class should dedicate itself to manage
security group and its rule.<br>
It makes it easier to manage provider specific rules I think.<br>
<br>
Thanks,<br>
Akihiro<br>
<br>
<blockquote
cite="mid:CABJepwi6BbVuUjnaZSZ0a=oxLow+Jz-DWsyV-QA0ybjgPQzoEA@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div><br>
</div>
<div>Dan</div>
<div><br>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p
style="padding-top:0.5em;margin-bottom:0px;font-family:'Arial
Unicode
MS',Arial,sans-serif;margin-top:0px;padding-bottom:0.5em">
<span
style="white-space:pre-wrap;font-family:'Lucida
Console','Lucida Sans
Typewriter',Monaco,monospace">
</span></p>
</div>
<div>Thanks</div>
<span><font color="#888888">
<div>Nachi</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</font></span><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<span class="HOEnZb"><font color="#888888"><br>
<br clear="all">
<div><br>
</div>
-- <br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Dan Wendlandt
<div>Nicira, Inc: <a moz-do-not-send="true"
href="http://www.nicira.com" target="_blank">www.nicira.com</a><br>
<div>twitter: danwendlandt<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
</div>
</div>
<br>
</font></span><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>