<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 19 July 2013 13:14, Aaron Rosen <span dir="ltr"><<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Fri, Jul 19, 2013 at 1:55 AM, Samuel Bercovici <span dir="ltr"><<a href="mailto:SamuelB@radware.com" target="_blank">SamuelB@radware.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hi,<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I have completely missed this discussion as it does not have quantum/Neutron in the subject (modify it now)<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I think that the security group is the right place to control this.<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I think that this might be only allowed to admins.<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> </span></p></div></div></blockquote></div><div>I think this shouldn't be admin only since tenant's have control of their own networks they should be allowed to do this. </div>
</div></div></div></blockquote><div><br></div><div>I reiterate my point that the authZ model for a feature should always be completely separated by the business logic of the feature itself.</div><div>In my opinion there are grounds both for scoping it as admin only and for allowing tenants to use it; it might be better if we just let the policy engine deal with this.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="im">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p>
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Let me explain what we need which is more than just disable spoofing.<u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>1.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Be able to allow MACs which are not defined on the port level to transmit packets (for example VRRP MACs)== turn off MAC spoofing</span></p>
</div></div></blockquote><div><br></div></div><div>For this it seems you would need to implement the port security extension which allows one to enable/disable port spoofing on a port. </div></div></div></div></blockquote>
<div><br></div><div>This would be one way of doing it. The other would probably be adding a list of allowed VRRP MACs, which should be possible with the blueprint pointed by Aaron. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div class="im"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>2.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Be able to allow IPs which are not defined on the port level to transmit packets (for example, IP used for HA service that
moves between an HA pair) == turn off IP spoofing</span></p></div></div></blockquote><div><br></div></div><div>It seems like this would fit your use case perfectly: <a href="https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs" target="_blank">https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs</a></div>
<div class="im">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u><u></u></span></p>
<p><u></u><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><span>3.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span dir="LTR"></span><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Be able to allow broadcast message on the port (for example for VRRP broadcast) == allow broadcast.<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> </span></p></div></div></blockquote></div><div>Quantum does have an abstraction for disabling this so we already allow this by default. </div>
<div><div class="h5">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p>
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Regards,<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> -Sam.<u></u><u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"> Aaron Rosen [mailto:<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>]
<br>
<b>Sent:</b> Friday, July 19, 2013 3:26 AM<br>
<b>To:</b> OpenStack Development Mailing List<br>
<b>Subject:</b> Re: [openstack-dev] Chalenges with highly available service VMs<u></u><u></u></span></p>
<p><u></u> <u></u></p>
<div>
<div>
<p style="margin-bottom:12pt">Yup: <u></u><u></u></p>
</div>
<p>I'm definitely happy to review and give hints. <u></u><u></u></p>
<div>
<div>
<p style="margin-bottom:12pt">Blueprint: <a href="https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit" target="_blank">
https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit</a><br>
<br>
<a href="https://review.openstack.org/#/c/19279/" target="_blank">https://review.openstack.org/#/c/19279/</a> < patch that merged the feature;
<u></u><u></u></p>
</div>
<div>
<p>Aaron<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p style="margin-bottom:12pt"><u></u> <u></u></p>
<div>
<p>On Thu, Jul 18, 2013 at 5:15 PM, Ian Wells <<a href="mailto:ijw.ubuntu@cack.org.uk" target="_blank">ijw.ubuntu@cack.org.uk</a>> wrote:<u></u><u></u></p>
<div>
<p style="margin-bottom:12pt">On 18 July 2013 19:48, Aaron Rosen <<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>> wrote:<br>
> Is there something this is missing that could be added to cover your use<br>
> case? I'd be curious to hear where this doesn't work for your case. One<br>
> would need to implement the port_security extension if they want to<br>
> completely allow all ips/macs to pass and they could state which ones are<br>
> explicitly allowed with the allowed-address-pair extension (at least that is<br>
> my current thought).<u></u><u></u></p>
</div>
<p>Yes - have you got docs on the port security extension? All I've<br>
found so far are<br>
<a href="http://docs.openstack.org/developer/quantum/api/quantum.extensions.portsecurity.html" target="_blank">http://docs.openstack.org/developer/quantum/api/quantum.extensions.portsecurity.html</a><br>
and the fact that it's only the Nicira plugin that implements it. I<br>
could implement it for something else, but not without a few hints...<br>
<span><span style="color:rgb(136,136,136)">--</span></span><span style="color:rgb(136,136,136)"><br>
<span>Ian.</span></span><u></u><u></u></p>
<div>
<div>
<p><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>
</div>
</div>
</div>
<p><u></u> <u></u></p>
</div>
</div>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div></div></div><br></div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>