<div dir="ltr">Hi Aaron,<div><br></div><div>I reported it as a bug with bit more details: <a href="https://bugs.launchpad.net/neutron/+bug/1321864">https://bugs.launchpad.net/neutron/+bug/1321864</a>. The report has examples showing the incompleteness in the overlap check due to cidr notation allowed in the allowed address pairs API.</div>
<div><br></div><div>Cheers,</div><div>Praveen</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 20, 2014 at 7:54 PM, Aaron Rosen <span dir="ltr"><<a href="mailto:aaronorosen@gmail.com" target="_blank">aaronorosen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>arosen@arosen-MacBookPro:~/devstack$ neutron port-show f5117013-ac04-45af-a5d6-e9110213ad6f</div><div>
+-----------------------+----------------------------------------------------------------------------------+</div>
<div>| Field                 | Value                                                                            |</div><div>+-----------------------+----------------------------------------------------------------------------------+</div>

<div>| admin_state_up        | True                                                                             |</div><div>| allowed_address_pairs |                                                                                  |</div>

<div>| binding:vnic_type     | normal                                                                           |</div><div>| device_id             | 99012a6c-a5ed-41c0-92c9-14d40af0c2df                                             |</div>

<div>| device_owner          | compute:None                                                                     |</div><div>| extra_dhcp_opts       |                                                                                  |</div>

<div>| fixed_ips             | {"subnet_id": "505eb39c-32dc-4fe7-a497-f801a0677c54", "ip_address": "10.0.0.22"} |</div><div>| id                    | f5117013-ac04-45af-a5d6-e9110213ad6f                                             |</div>

<div>| mac_address           | fa:16:3e:77:4d:2d                                                                |</div><div>| name                  |                                                                                  |</div>

<div>| network_id            | 1b069199-bfa4-4efc-aebd-4a663d447964                                             |</div><div>| security_groups       | 0d5477cf-f63a-417e-be32-a12557fa4098                                             |</div>

<div>| status                | ACTIVE                                                                           |</div><div>| tenant_id             | c71ebe8d1f6e47bab7d44046ec2f6b39                                                 |</div>

<div>+-----------------------+----------------------------------------------------------------------------------+</div><div>arosen@arosen-MacBookPro:~/devstack$ neutron port-update f5117013-ac04-45af-a5d6-e9110213ad6f --allowed-address-pairs list=true type=dict ip_address=<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a></div>

<div>Updated port: f5117013-ac04-45af-a5d6-e9110213ad6f</div><div>arosen@arosen-MacBookPro:~/devstack$ neutron port-show f5117013-ac04-45af-a5d6-e9110213ad6f</div><div>+-----------------------+----------------------------------------------------------------------------------+</div>

<div>| Field                 | Value                                                                            |</div><div>+-----------------------+----------------------------------------------------------------------------------+</div>

<div>| admin_state_up        | True                                                                             |</div><div>| allowed_address_pairs | {"ip_address": "<a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a>", "mac_address": "fa:16:3e:77:4d:2d"}                |</div>

<div>| binding:vnic_type     | normal                                                                           |</div><div>| device_id             | 99012a6c-a5ed-41c0-92c9-14d40af0c2df                                             |</div>

<div>| device_owner          | compute:None                                                                     |</div><div>| extra_dhcp_opts       |                                                                                  |</div>

<div>| fixed_ips             | {"subnet_id": "505eb39c-32dc-4fe7-a497-f801a0677c54", "ip_address": "10.0.0.22"} |</div><div>| id                    | f5117013-ac04-45af-a5d6-e9110213ad6f                                             |</div>

<div>| mac_address           | fa:16:3e:77:4d:2d                                                                |</div><div>| name                  |                                                                                  |</div>

<div>| network_id            | 1b069199-bfa4-4efc-aebd-4a663d447964                                             |</div><div>| security_groups       | 0d5477cf-f63a-417e-be32-a12557fa4098                                             |</div>

<div>| status                | ACTIVE                                                                           |</div><div>| tenant_id             | c71ebe8d1f6e47bab7d44046ec2f6b39                                                 |</div>

<div>+-----------------------+----------------------------------------------------------------------------------+</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On Tue, May 20, 2014 at 7:52 PM, Aaron Rosen <span dir="ltr"><<a href="mailto:aaronorosen@gmail.com" target="_blank">aaronorosen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi <span style="font-family:arial,sans-serif;font-size:12.666666984558105px">Praveen, </span><div><span style="font-family:arial,sans-serif;font-size:12.666666984558105px"><br>

</span></div><div><span style="font-family:arial,sans-serif;font-size:12.666666984558105px">I think there is some confusion here. This function doesn't check if there is any overlap that occurs within the cidr block. It only checks that the fixed_ips+mac don't overlap with an allowed address pair. In your example if the host has an ip_address of 10.10.1.1 and you want to allow any ip in <a href="http://10.10.1.0/24" target="_blank">10.10.1.0/24</a> to pass through the port you can just add a rule for <a href="http://10.10.1.0/24" target="_blank">10.10.1.0/24</a> directly without having to break it up. </span></div>

<span><font color="#888888">
<div><span style="font-family:arial,sans-serif;font-size:12.666666984558105px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.666666984558105px">Aaron</span></div></font></span></div><div>
<div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, May 20, 2014 at 11:20 AM, Praveen Yalagandula <span dir="ltr"><<a href="mailto:ypraveen@avinetworks.com" target="_blank">ypraveen@avinetworks.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div dir="ltr">Hi Aaron,<div><br></div><div>The main motivation is simplicity. Consider the case where we want to allow ip cidr <a href="http://10.10.1.0/24" target="_blank">10.10.1.0/24</a> to be allowed on a port which has a fixed IP of 10.10.1.1. Now if we do not want to allow overlapping, then one needs to add 8 cidrs to get around this - (<a href="http://10.10.1.128/25" target="_blank">10.10.1.128/25</a>, <a href="http://10.10.1.64/26" target="_blank">10.10.1.64/26</a>, <a href="http://10.10.1.32/27" target="_blank">10.10.1.32/27</a>, ....<a href="http://10.10.1.0/32" target="_blank">10.10.1.0/32</a>); which makes it cumbersome.</div>



<div><br></div><div>In any case, allowed-address-pairs is ADDING on to what is allowed because of the fixed IPs. So, there is no possibility of conflict. The check will probably make sense if we are maintaining denied addresses instead of allowed addresses.</div>



<div><br></div><div>Cheers,</div><div>Praveen</div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, May 20, 2014 at 9:34 AM, Aaron Rosen <span dir="ltr"><<a href="mailto:aaronorosen@gmail.com" target="_blank">aaronorosen@gmail.com</a>></span> wrote:<br>



<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Praveen, <div><br></div><div>I think we should fix the update_method instead to properly check for this. I don't see any advantage to allow the fixed_ips/mac to be in the allowed_address_pairs since they are explicitly allowed. What's your motivation for changing this?</div>



<span><font color="#888888">
<div><br></div><div>Aaron</div></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 19, 2014 at 4:05 PM, Praveen Yalagandula <span dir="ltr"><<a href="mailto:ypraveen@avinetworks.com" target="_blank">ypraveen@avinetworks.com</a>></span> wrote:<br>




<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Aaron,<div><br></div><div>Thanks for the prompt response.</div><div><br></div><div>If the overlap does not have any negative effect, can we please just remove this check? It creates confusion as there are certain code paths where we do not perform this check. For example, the current code does NOT perform this check when we are updating the list of allowed-address-pairs -- I can successfully assign an existing fixed IP address to the allowed-address-pairs. The check is being performed on only one code path - when assigning fixed IPs.</div>





<div><br></div><div>If it sounds right to you, I can submit my patch removing this check.</div><div><br>Thanks,</div><div>Praveen</div><div><br></div></div><div><div><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Mon, May 19, 2014 at 12:32 PM, Aaron Rosen <span dir="ltr"><<a href="mailto:aaronorosen@gmail.com" target="_blank">aaronorosen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi, <div><br></div><div>Sure, if you look at this method: </div><div><br></div><div><div>    def _check_fixed_ips_and_address_pairs_no_overlap(self, context, port):                 </div>





<div>        address_pairs = self.get_allowed_address_pairs(context, port['id'])                 </div>
<div>        for fixed_ip in port['fixed_ips']:                                                  </div><div>            for address_pair in address_pairs:                                              </div><div>                if (fixed_ip['ip_address'] == address_pair['ip_address']                    </div>






<div>                    and port['mac_address'] == address_pair['mac_address']):                </div><div>                    raise addr_pair.AddressPairMatchesPortFixedIPAndMac()                   </div>






<div>                                                                           </div></div><div><br></div><div>it checks that the allowed_address_pairs don't overlap with fixed_ips and mac_address on the port. The only reason we do this additional check is that having the same fixed_ip and mac_address pair as an allowed_address_pair would have no effect since the fixed_ip/mac on the port inherently allows that traffic through. </div>






<div><br>Best, </div><span><font color="#888888"><div><br>Aaron</div><div><br></div></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, May 19, 2014 at 12:22 PM, Praveen Yalagandula <span dir="ltr"><<a href="mailto:ypraveen@avinetworks.com" target="_blank">ypraveen@avinetworks.com</a>></span> wrote:<br>






<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Aaron,<div><br></div><div>In OVS and ML2 plugins, on port-update, there is a check to make sure that allowed-address-pairs and fixed-ips don't overlap. Can you please explain why that is needed?</div>







<div><br></div><div>------------- icehouse final: neutron/plugins/ml2/plugin.py ------------</div>







<div>







<p><span>677 </span>            <span>elif</span> changed_fixed_ips:</p>
<p><span>678 </span>                self._check_fixed_ips_and_address_pairs_no_overlap(</p>
<p><span>679 </span>                    context, updated_port)</p></div><div>-----------------------</div><div><br>Thanks,</div><div>Praveen</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Jul 17, 2013 at 3:45 PM, Aaron Rosen <span dir="ltr"><<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">







<div dir="ltr"><div><div>Hi Ian, <br><br></div>For shared networks if the network is set to port_security_enabled=True then the tenant will not be able to remove port_security_enabled from their port if they are not the owner of the network. I believe this is the correct behavior we want. In addition, only admin's are able to create shared networks by default. <br>








<br>I've created the following blueprint <a href="https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs" target="_blank">https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs</a> and doc: <a href="https://docs.google.com/document/d/1hyB3dIkRF623JlUsvtQFo9fCKLsy0gN8Jf6SWnqbWWA/edit?usp=sharing" target="_blank">https://docs.google.com/document/d/1hyB3dIkRF623JlUsvtQFo9fCKLsy0gN8Jf6SWnqbWWA/edit?usp=sharing</a> which will provide us a way to do this. It would be awesome if you could check it out and let me know what you think.<br>








<br>Thanks, <br><br></div>Aaron<br>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jul 16, 2013 at 10:34 AM, Ian Wells <span dir="ltr"><<a href="mailto:ijw.ubuntu@cack.org.uk" target="_blank">ijw.ubuntu@cack.org.uk</a>></span> wrote:<br>








<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 10 July 2013 21:14, Vishvananda Ishaya <<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>> wrote:<br>









>> It used to be essential back when we had nova-network and all tenants<br>
>> ended up on one network.  It became less useful when tenants could<br>
>> create their own networks and could use them as they saw fit.<br>
>><br>
>> It's still got its uses - for instance, it's nice that the metadata<br>
>> server can be sure that a request is really coming from where it<br>
>> claims - but I would very much like it to be possible to, as an<br>
>> option, explicitly disable antispoof - perhaps on a per-network basis<br>
>> at network creation time - and I think we could do this without<br>
>> breaking the security model beyond all hope of usefulness.<br>
><br>
> Per network and per port makes sense.<br>
><br>
> After all, this is conceptually the same as enabling or disabling<br>
> port security on your switch.<br>
<br>
</div>Bit late on the reply to this, but I think we should be specific on<br>
the network, at least at creation time, on what disabling is allowed<br>
at port level (default off, may be off, must be on as now).  Yes, it's<br>
exactly like disabling port security, and you're not always the<br>
administrator of your own switch; if we extend the analogy you<br>
probably wouldn't necessarily want people turning antispoof off on an<br>
explicitly shared-tenant network.<br>
<div><div>--<br>
Ian.<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>