<br><br><div class="gmail_quote">On Wed, Nov 28, 2012 at 4:06 AM, Akihiro MOTOKI <span dir="ltr"><<a href="mailto:motoki@da.jp.nec.com" target="_blank">motoki@da.jp.nec.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Nachi,<br>
<br>
I will check and test your new patch.<br>
As I raised these issues, I commented inline. There is no
confliciton with Dan's comment.<div class="im"><br>
<br>
(2012/11/28 10:39), Nachi Ueno wrote:<br>
<blockquote type="cite">Hi Dan
<div><br>
</div>
<div>Thank you for your reply</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2012/11/27 Dan Wendlandt <span dir="ltr"><<a href="mailto:dan@nicira.com" target="_blank">dan@nicira.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
<div class="gmail_quote">
<div>On Tue, Nov 27, 2012 at 2:34 PM, Nachi
Ueno <span dir="ltr"><<a href="mailto:nachi@nttmcl.com" target="_blank">nachi@nttmcl.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Aaron, Akihiro, Gary
<div><br>
</div>
<div>I would like to ask your opinion about the
security group specs.</div>
<div><br>
</div>
<div>[Discussion 1] security group rule applied for
port for network:* ports?</div>
<div><br>
</div>
<div>- Dhcp port (looks not needed)</div>
</blockquote>
<div><br>
</div>
</div>
<div>I don't see obvious use cases here, and a tenant
could definitely shoot themselves in the foot by
configuring security groups here. Not supporting them
here would make sense. <br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote></div>
I totally with Dan. I don't see any useful usecases either.<div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>- Router port ( I could see many usecases, but
this may be implemented as a service extension such
as VPM)</div>
</blockquote>
<div><br>
</div>
</div>
<div>This is tricky. It make sense to do packet filtering
at router ports, but I would argue that security groups
are the wrong abstraction here. Security groups are
very directional, as their original intent was to
project an "inside" VM from the "outside" world. That
directionality doesn't really make sense on router port
in my experience. </div>
<div>
<div><br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote></div>
My understanding is similar to Dan.<br>
I see security groups are basically applied to network endpoints
such as VIF of VM.<br>
Router is not an network endpoint and the meaning of 'direction' is
turned for a router port.<br>
It is better packet filtering at router is supported by other scheme
than security groups.<div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
</div>
<div>IMO, if we take this limitation, these limitation
should be done in securitygroups_db class.</div>
</blockquote>
<div><br>
</div>
</div>
<div>seems reasonable. </div>
<div>
<div><br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>OK I'll add check code for this.</div>
</div>
</div>
</blockquote>
<br></div>
Good approach at the current.<br>
Ideally some underlying layer of security group seems a better place
to implement such logic<br>
and securitygroups_db class should dedicate itself to manage
security group and its rule.<div class="im"><br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
</div>
<div>[Discussion 2] Security groups for external
networks</div>
<div>I could see use cases here. ( limit outbound or
inbound connections)</div>
<div>However may be different default setting needed.</div>
<div>
Allow all traffic here ?</div>
</blockquote>
<div><br>
</div>
</div>
<div>Can you be more precise about what you mean here? In
Quantum, external networks are a concept that is
currently only relevant for L3 + Floating IPs. Similar
to the logic above, I don't think it makes sense to
apply security groups on router gateway ports. But if a
VM is connected directly to a "shared=True" public
network that also happens to be "external=True", then
applying security groups there would make sense. </div>
<div>
<div> </div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Yes. In addition to the your example, cloud provider
(admin tenant) may create vm which serves some services for
vms on the cloud. <br>
</div>
</div>
</div>
</blockquote>
<br></div>
That's exactly what I think.<br>
We can simply achieve it by excluding ports with 'network:*'.<div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><br>
</div>
<div>[Discussion 3] Default filtering rule</div>
<div>IMO, we should update definition of wiki
considering some</div>
<div>provider specified rules.</div>
<div> </div>
<div>
<p>
<span>Egress</span><br>
<span> -p udp --sport 68
--dport 67 -d 255.255.255.0 -j RETRUN</span><br>
<span> -p udp --sport 68
--dport 67 -d $DHCP_IP -j RETRUN</span><br>
<span> -m mac
--mac-source !$PORT_MAC -j DROP (arp spoofing)</span><br>
<span> -s
!$PORT_FIXED_IPS -j DROP (ip spoofing)</span><br>
<span> -p udp --sport 67
--dport 68 -J DROP (disallow dhcp)</span><br>
</p>
<ul>
<li>if no there are no egress rule, all egress
traffic allowed except above rules</li>
</ul>
<p>
<span>Ingress</span><br>
<span> -p udp --sport 68
--dport 67 -s $DHCP_IP -j RETURN</span></p>
<p><span><br>
</span></p>
</div>
</blockquote>
<div><br>
</div>
</div>
<div>to summarize, you are saying "prevent L2/L3 spoofing"
and "allow VMs to get IPs via DHCP". The former is
commonly done in conjunction with security groups, since
a VM spoofing a source IP could evade filters. The
latter also makes sense, as it goes along with the
default security group policy that "VM can send
anything outbound, and can always receive a reply to
anything it sent". </div>
</div>
</blockquote>
<div><br>
</div>
<div>Yes. Established session is allowed by default. # we
should note this also</div>
</div>
</div>
</blockquote>
<br></div>
IMO such provider specified rules should not exposed to tenants<br>
even if such rules are registered to security group tables.<br>
At least such rules must not be changed by non-admin user.<br></div></blockquote><div><br></div><div>yes, I think we all agree there.</div><div><br></div><div>dan</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<br>
Ideally some underlying layer of security group seems a better place
to implement such logic<br>
and securitygroups_db class should dedicate itself to manage
security group and its rule.<br>
It makes it easier to manage provider specific rules I think.<br>
<br>
Thanks,<br>
Akihiro<div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_quote">
<div><br>
</div>
<div>Dan</div>
<div><br>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>
<span>
</span></p>
</div>
<div>Thanks</div>
<span><font color="#888888">
<div>Nachi</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</font></span><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<span><font color="#888888"><br>
<br clear="all">
<div><br>
</div>
-- <br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Dan Wendlandt
<div>Nicira, Inc: <a href="http://www.nicira.com" target="_blank">www.nicira.com</a><br>
<div>twitter: danwendlandt<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
</div>
</div>
<br>
</font></span><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
OpenStack-dev mailing list
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>Dan Wendlandt <div>Nicira, Inc: <a href="http://www.nicira.com" target="_blank">www.nicira.com</a><br><div>twitter: danwendlandt<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br></div></div><br>