<div dir="ltr"><div>[Moving my reply to the correct thread as someone changed the subject line. Attempt 3 :'( ]</div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 6, 2014 at 4:18 PM, Kevin Benton <span dir="ltr"><<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="">><span style="font-family:arial,sans-serif;font-size:13.333333969116211px">Given this information I don't see any reason why the backend system couldn't do enforcement at the logical router and if it did so neither party would know.</span><div>
<span style="font-family:arial,sans-serif;font-size:13.333333969116211px"><br></span></div></div><div><span style="font-family:arial,sans-serif;font-size:13.333333969116211px">With security groups you are specifying that nothing can contact these devices on those ports unless they come from the allowed IP addresses. If you tried to enforce this at the router you would be violating that specification because devices in the same subnet would be able to communicate on those blocked ports.</span></div>
</div><div class=""><div class="h5"><div class="gmail_extra"><br><br></div></div></div></blockquote><div><br></div><div><div>Sure, though this is a problem of where you are doing your enforcement. If the backend system chooses to implement this optimization in this fashion (which was the example you gave previously [1]), then, if the topology changes, i.e. adding a port to the same network with conflicting security group rules, the backend system can no longer optimize in this same fashion at the router level and more fine-grained filtering will need to be done. How would this be any different with group based policy? </div>
<div><br></div><div>[1] - With the latter, a mapping driver could determine that communication between these two hosts can be prevented by using an ACL on a router or a switch, which doesn't violate the user's intent and buys a performance improvement and works with ports that don't support security groups.</div>
</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">
<div class="h5"><div class="gmail_extra"><div class="gmail_quote">On Wed, Aug 6, 2014 at 5:00 PM, Aaron Rosen <span dir="ltr"><<a href="mailto:aaronorosen@gmail.com" target="_blank">aaronorosen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">
<div>On Wed, Aug 6, 2014 at 3:35 PM, Kevin Benton <span dir="ltr"><<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">By working at the port level you have already eliminated your ability to implement the filtering at different components of the network. They now need to be implemented in stateful rules at the port level and the device has to support security groups.</div>
</blockquote><div><br></div><div><br></div></div><div>Let's take this example where we set up a 2-tier app with web-servers and db-servers that are connected on two different networks attached to a router. We add security group rules such that web-servers can talk to db-servers on tcp:3306 and a rule to allow tcp:80 into the web-servers from anywhere. </div>
<div><br></div><div>neutron net-create web_net</div><div>neutron subnet-create --name web_subnet web_net <a href="http://10.0.0.0/24" target="_blank">10.0.0.0/24</a></div><div><br></div><div>neutron net-create db_net</div>
<div>neutron subnet-create --name db_subnet db_net <a href="http://10.2.0.0/24" target="_blank">10.2.0.0/24</a></div>
<div><br></div><div>neutron router-create myrouter</div><div>neutron router-interface-add myrouter web_subnet<br></div><div>neutron router-interface-add myrouter db_subnet</div><div><br></div><div>neutron security-group-create web-servers; </div>
<div>neutron security-group-create db-servers; </div><div><br></div><div># add rule to allow web members to talk to the db-servers on TCP 3306 for their db connection;</div><div>neutron security-group-rule-create --protocol TCP --port-range-min 3306 --port-range-max 3306 --remote-group-id web-servers db-servers</div>
<div><br></div><div><div># add rule to allow TCP 80 into the web-server sg</div><div>neutron security-group-rule-create --protocol TCP --port-range-min 80 --port-range-max 80 web-servers</div></div><div><br></div>
<div># create some ports with desired security profiles. </div><div>neutron port-create --security-group web-servers web_net</div><div><div>neutron port-create --security-group web-servers web_net</div></div><div><br></div>
<div>neutron port-create --security-group db-servers db_net<br></div><div><div>neutron port-create --security-group db-servers db_net</div></div><div><br></div><div><br></div><div>Now to your point: </div><div>
<div><br></div>
<div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">By working at the port level you have already eliminated your ability to implement the filtering at different components of the network. They now need to be implemented in stateful rules at the port level and the device has to support security groups.</div>
<div><br></div></blockquote></div><div><br></div></div><div>Given this information I don't see any reason why the backend system couldn't do enforcement at the logical router and if it did so neither party would know. The backend system should have the full graph of everything and be able to do enforcement optimizations wherever it likes.</div>
<div><br></div><div>btw: I say the enforcement could be done on the logical router though the backend system could also do this on the physical fabric as well if it wanted to as it should also know that graph. No?</div><div>
<div><div>
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="gmail_extra"><div><div><br>
<br><div class="gmail_quote">On Wed, Aug 6, 2014 at 4:03 PM, Aaron Rosen <span dir="ltr"><<a href="mailto:aaronorosen@gmail.com" target="_blank">aaronorosen@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">
<div><div>On Wed, Aug 6, 2014 at 12:46 PM, Kevin Benton <span dir="ltr"><<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>><span style="font-family:arial,sans-serif;font-size:13.333333969116211px">I believe the referential security group rules solve this problem (unless I'm not understanding): </span><div>
<span style="font-family:arial,sans-serif;font-size:13.333333969116211px"><br>
</span></div></div><div>I think the disconnect is that you are comparing the way to current mapping driver implements things for the reference implementation with the existing APIs. Under this light, it's not going to look like there is a point to this code being in Neutron since, as you said, the abstraction could happen at a client. However, this changes once new mapping drivers can be added that implement things differently.</div>
<div><br></div><div>Let's take the security groups example. Using the security groups API directly is imperative ("put a firewall rule on this port that blocks this IP") compared to a higher level declarative abstraction ("make sure these two endpoints cannot communicate"). With the former, the ports must support security groups and there is nowhere except for the firewall rules on that port to implement it without violating the user's expectation. With the latter, a mapping driver could determine that communication between these two hosts can be prevented by using an ACL on a router or a switch, which doesn't violate the user's intent and buys a performance improvement and works with ports that don't support security groups.</div>
<div><br></div><div>Group based policy is trying to move the requests into the declarative abstraction so optimizations like the one above can be made.</div></div></blockquote><div><br></div></div></div><div>Hi Kevin, </div>
<div><br>
</div><div>Interesting points. Though, let me ask this. Why do we need to move to a declarative API abstraction in neutron in order to perform this optimization on the backend? For example, in the current neutron model say we want to create a port with a security group attached to it called web that allows TCP:80 in and members who are in a security group called database. From this mapping I fail to see how it's really any different from the declarative model? The ports in neutron are logical abstractions and the backend system could be implemented in order to determine that the communication between these two hosts could be prevented by using an ACL on a router or switch as well.</div>
<div>
<div><br>Best, </div><div><br></div><div>Aaron</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div></div><br></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div>Kevin Benton</div>
</font></span></div>
<br></blockquote></div></div></div><br></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Kevin Benton</div>
</div>
</div></div>
<br></blockquote></div><br></div></div>
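<div>Added example, not code from the thread or from Neutron: a small Python model of the security-group intent in the 2-tier setup quoted above, plus a check of whether enforcing that intent only at the router (the optimization under discussion) preserves it. Port names and the 80/3306 rules are constructed from the neutron commands in the thread; the model assumes Neutron's default semantics, ingress denied unless a rule on the destination's group matches and egress unrestricted.</div>

```python
from itertools import product

# Constructed topology mirroring the neutron commands quoted above: two web ports on
# web_net, two db ports on db_net, both networks attached to one router.
PORTS = {  # port name -> (network, security group)
    "web1": ("web_net", "web-servers"), "web2": ("web_net", "web-servers"),
    "db1": ("db_net", "db-servers"), "db2": ("db_net", "db-servers"),
}
# Ingress rules per security group: (tcp_port, remote_group); None means any source.
# Neutron rules are ingress by default, so egress is left unrestricted in this model.
RULES = {
    "web-servers": [(80, None)],
    "db-servers": [(3306, "web-servers")],
}

def sg_allows(src, dst, tcp_port, ports=PORTS, rules=RULES):
    """Port-level intent: ingress to dst is allowed only by a rule on dst's group;
    a remote-group rule additionally requires src to belong to that group."""
    src_group = ports[src][1]
    return any(p == tcp_port and remote in (None, src_group)
               for p, remote in rules[ports[dst][1]])

def router_only_allows(src, dst, tcp_port, ports=PORTS, rules=RULES):
    """Same decision, but enforced only on traffic that crosses the router.
    Ports on the same network are switched locally and never hit the router ACL."""
    if ports[src][0] == ports[dst][0]:
        return True
    return sg_allows(src, dst, tcp_port, ports, rules)

def mismatches(ports=PORTS, rules=RULES, tcp_ports=(80, 3306)):
    """Flows where router-only enforcement diverges from the security-group intent.
    An empty list means the backend may safely move enforcement to the router."""
    return sorted((s, d, p) for s, d, p in product(ports, ports, tcp_ports)
                  if s != d and sg_allows(s, d, p, ports, rules)
                  != router_only_allows(s, d, p, ports, rules))

if __name__ == "__main__":
    for src, dst, p in mismatches():
        print(f"{src} -> {dst}:{p} is blocked by security groups but not by a router ACL")
```

<div>On the thread's topology the check reports the same-subnet flows (web to web on 3306, db to db on 80 and 3306) that a router ACL alone would leave open; re-running it after a topology change, such as a port added to db_net in a different group, is what lets a backend decide whether the router-level optimization still holds.</div>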