<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 24, 2013 at 12:42 AM, Samuel Bercovici <span dir="ltr"><<a href="mailto:SamuelB@radware.com" target="_blank">SamuelB@radware.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div link="blue" vlink="purple" lang="EN-US">

<div>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">Hi,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif""><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">This might be apparent but not to me.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">Can you point to how broadcast can be turned on a network/port?</span></p></div></div></blockquote><div><br></div><div>There  is currently no way to prevent it so it's on by default.  <br>

</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-family:"Cambria","serif""><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif""><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">As for the </span>

<span style="font-family:"Cambria","serif""><a href="https://github.com/openstack/neutron/blob/master/neutron/extensions/portsecurity.py" target="_blank"><span style="color:windowtext">https://github.com/openstack/neutron/blob/master/neutron/extensions/portsecurity.py</span></a>,

 in NVP, does this totally disable port security on a port/network or it just disable the MAC/IP checks and still allows the “user defined” port security to take effect?</span></p></div></div></blockquote><div><br></div>

<div>Port security is currently obtained from the fixed_ips and mac_address field on the port. This removes the filtering done on fixed_ips and mac_address fields when disabled. <br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-family:"Cambria","serif""><u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">This looks like an extension only implemented by NVP, do you know if there are similar implementations for other plugins?<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif""><u></u></span></p></div></div></blockquote><div><br></div><div>No, the other plugins do not currently have a way to disable spoofing dynamically (only globally disabled).  <br>

</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal"><span style="font-family:"Cambria","serif""> <u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">Regards,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif"">            -Sam.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-family:"Cambria","serif""><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Aaron Rosen [mailto:<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>]

<br>

<b>Sent:</b> Tuesday, July 23, 2013 10:52 PM<br>

<b>To:</b> Samuel Bercovici<br>

<b>Cc:</b> OpenStack Development Mailing List; <a href="mailto:sorlando@nicira.com" target="_blank">sorlando@nicira.com</a>; Avishay Balderman; <a href="mailto:gary.kotton@gmail.com" target="_blank">gary.kotton@gmail.com</a></span></p>

<div><div class="h5"><br>

<b>Subject:</b> Re: [openstack-dev] [Neutron] Chalenges with highly available service VMs - port adn security group options.<u></u><u></u></div></div><p></p><div><div class="h5">

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<p class="MsoNormal">I agree too. I've posted a work in progress of this here if you want to start looking at it: <a href="https://review.openstack.org/#/c/38230/" target="_blank">https://review.openstack.org/#/c/38230/</a><u></u><u></u></p>

<div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

<div>

<p class="MsoNormal">Thanks, <u></u><u></u></p>

</div>

<div>

<p class="MsoNormal"><br>

Aaron<u></u><u></u></p>

</div>

</div>

<div>

<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>

<div>

<p class="MsoNormal">On Tue, Jul 23, 2013 at 4:21 AM, Samuel Bercovici <<a href="mailto:SamuelB@radware.com" target="_blank">SamuelB@radware.com</a>> wrote:<u></u><u></u></p>

<div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi,</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I agree that the AutZ should be separated and the service provider should be able to control this

 based on their model.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For Service VMs who might be serving ~100-~1000 IPs and might use multiple MACs per port, it would

 be better to turn this off altogether that to have an IPTABLE rules with thousands of entries.

</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This why I prefer to be able to turn-off IP spoofing and turn-off MAC spoofing altogether.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Still from a logical model / declarative reasons an IP that can migrate between different ports should

 be declared as such and maybe also from MAC perspective.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards,</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                -Sam.</span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Salvatore Orlando [mailto:<a href="mailto:sorlando@nicira.com" target="_blank">sorlando@nicira.com</a>]

<br>

<b>Sent:</b> Sunday, July 21, 2013 9:56 PM</span><u></u><u></u></p>

<div>

<p class="MsoNormal"><br>

<b>To:</b> OpenStack Development Mailing List<u></u><u></u></p>

</div>

<p class="MsoNormal"><b>Subject:</b> Re: [openstack-dev] [Neutron] Chalenges with highly available service VMs - port adn security group options.<u></u><u></u></p>

<div>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

<div>

<p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p>

<div>

<p class="MsoNormal">On 19 July 2013 13:14, Aaron Rosen <<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>> wrote:<u></u><u></u></p>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

<div>

<p class="MsoNormal" style="margin-bottom:12.0pt"> <u></u><u></u></p>

<div>

<div>

<p class="MsoNormal">On Fri, Jul 19, 2013 at 1:55 AM, Samuel Bercovici <<a href="mailto:SamuelB@radware.com" target="_blank">SamuelB@radware.com</a>> wrote:<u></u><u></u></p>

<div>

<div>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi,</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I have completely missed this discussion as it does not have quantum/Neutron in the subject (modify it now)</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think that the security group is the right place to control this.</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I think that this might be only allowed to admins.</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

</div>

</div>

</div>

<div>

<p class="MsoNormal">I think this shouldn't be admin only since tenant's have control of their own networks they should be allowed to do this. <u></u><u></u></p>

</div>

</div>

</div>

</div>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

<div>

<p class="MsoNormal">I reiterate my point that the authZ model for a feature should always be completely separated by the business logic of the feature itself.<u></u><u></u></p>

</div>

<div>

<p class="MsoNormal">In my opinion there are grounds both for scoping it as admin only and for allowing tenants to use it; it might be better if we just let the policy engine deal with this.<u></u><u></u></p>

</div>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">

<div>

<div>

<div>

<div>

<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">

<div>

<div>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Let me explain what we need which is more than just disable spoofing.</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">1.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Be able to allow MACs which are not defined on the port level to transmit packets (for example VRRP MACs)== turn off MAC spoofing</span><u></u><u></u></p>

</div>

</div>

</blockquote>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

</div>

<div>

<p class="MsoNormal">For this it seems you would need to implement the port security extension which allows one to enable/disable port spoofing on a port. <u></u><u></u></p>

</div>

</div>

</div>

</div>

</blockquote>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

<div>

<p class="MsoNormal">This would be one way of doing it. The other would probably be adding a list of allowed VRRP MACs, which should be possible with the blueprint pointed by Aaron. <u></u><u></u></p>

</div>

<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">

<div>

<div>

<div>

<div>

<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">

<div>

<div>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">2.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Be able to allow IPs which are not defined on the port level to transmit packets (for example, IP used for HA service that moves between an HA pair) == turn off IP spoofing</span><u></u><u></u></p>

</div>

</div>

</blockquote>

<div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

</div>

<div>

<p class="MsoNormal">It seems like this would fit your use case perfectly:   <a href="https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs" target="_blank">https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs</a><u></u><u></u></p>

</div>

<div>

<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">

<div>

<div>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">3.</span><span style="font-size:7.0pt;color:#1f497d">      

</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Be able to allow broadcast message on the port (for example for VRRP broadcast) == allow broadcast.</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

</div>

</div>

</blockquote>

</div>

<div>

<p class="MsoNormal">Quantum does have an abstraction for disabling this so we already allow this by default.  <u></u><u></u></p>

</div>

<div>

<div>

<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">

<div>

<div>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Regards,</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                -Sam.</span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>

<p><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Aaron Rosen [mailto:<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>]

<br>

<b>Sent:</b> Friday, July 19, 2013 3:26 AM<br>

<b>To:</b> OpenStack Development Mailing List<br>

<b>Subject:</b> Re: [openstack-dev] Chalenges with highly available service VMs</span><u></u><u></u></p>

<p> <u></u><u></u></p>

<div>

<div>

<p style="margin-bottom:12.0pt">Yup: <u></u><u></u></p>

</div>

<p>I'm definitely happy to review and give hints. <u></u><u></u></p>

<div>

<div>

<p style="margin-bottom:12.0pt">Blueprint:  <a href="https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit" target="_blank">

https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit</a><br>

<br>

<a href="https://review.openstack.org/#/c/19279/" target="_blank">https://review.openstack.org/#/c/19279/</a>  < patch that merged the feature;

<u></u><u></u></p>

</div>

<div>

<p>Aaron<u></u><u></u></p>

</div>

</div>

</div>

<div>

<p style="margin-bottom:12.0pt"> <u></u><u></u></p>

<div>

<p>On Thu, Jul 18, 2013 at 5:15 PM, Ian Wells <<a href="mailto:ijw.ubuntu@cack.org.uk" target="_blank">ijw.ubuntu@cack.org.uk</a>> wrote:<u></u><u></u></p>

<div>

<p style="margin-bottom:12.0pt">On 18 July 2013 19:48, Aaron Rosen <<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>> wrote:<br>

> Is there something this is missing that could be added to cover your use<br>

> case? I'd be curious to hear where this doesn't work for your case.  One<br>

> would need to implement the port_security extension if they want to<br>

> completely allow all ips/macs to pass and they could state which ones are<br>

> explicitly allowed with the allowed-address-pair extension (at least that is<br>

> my current thought).<u></u><u></u></p>

</div>

<p>Yes - have you got docs on the port security extension?  All I've<br>

found so far are<br>

<a href="http://docs.openstack.org/developer/quantum/api/quantum.extensions.portsecurity.html" target="_blank">http://docs.openstack.org/developer/quantum/api/quantum.extensions.portsecurity.html</a><br>

and the fact that it's only the Nicira plugin that implements it.  I<br>

could implement it for something else, but not without a few hints...<br>

<span style="color:#888888">--<br>

Ian.</span><u></u><u></u></p>

<div>

<div>

<p><br>

_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>

</div>

</div>

</div>

<p> <u></u><u></u></p>

</div>

</div>

</div>

<p class="MsoNormal" style="margin-bottom:12.0pt"><br>

_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>

</blockquote>

</div>

</div>

</div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

</div>

<p class="MsoNormal" style="margin-bottom:12.0pt"><br>

_______________________________________________<br>

OpenStack-dev mailing list<br>

<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>

<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><u></u><u></u></p>

</blockquote>

</div>

<p class="MsoNormal"> <u></u><u></u></p>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

</div>

</div></div></div>

</div>

</blockquote></div><br></div></div>