<p dir="ltr">@Gal, your proposal sounds like packet or flow rate limiting of data through a port. What Ryan is proposing is rate limiting of API requests to the server. They are separate topics; each may be a valid need on its own but should be considered separately.</p>
<p dir="ltr">@Ryan, I tend to agree that rate limiting belongs in front of the API servers at the load balancer level. That is not to say we couldn't eventually use our own LBaaS for this someday and integrate rate limiting there. Thoughts?</p>
<p dir="ltr">Carl</p>
<div class="gmail_quote">On May 14, 2015 9:26 PM, "Gal Sagie" <<a href="mailto:gal.sagie@gmail.com">gal.sagie@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Ryan,<div><br></div><div>We have proposed a spec to Liberty to add rate limit functionality to security groups [1].</div><div>We see two big use cases for it, one as you mentioned is DDoS for east-west and another </div><div>is brute force prevention (for example port scanning).</div><div><br></div><div>We are re-writing the spec as an extension to the current API, we also have a proposal</div><div>to enhance the Security Group / FWaaS implementation in order to make it easily extendible by such</div><div>new classes of security rules.</div><div><br></div><div>We are planning to discuss all of that in the SG/FWaaS future directions session [2].</div><div>I or Lionel will update you as soon as we have the fixed spec for review, and feel free to come to the discussion</div><div>as we are more than welcoming everyone to help this effort.</div><div><br></div><div>Gal.</div><div><br></div><div>[1] <a href="https://review.openstack.org/#/c/151247/" target="_blank">https://review.openstack.org/#/c/151247/</a></div><div>[2] <a href="https://etherpad.openstack.org/p/YVR-neutron-sg-fwaas-future-direction" target="_blank">https://etherpad.openstack.org/p/YVR-neutron-sg-fwaas-future-direction</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 15, 2015 at 2:21 AM, Tidwell, Ryan <span dir="ltr"><<a href="mailto:ryan.tidwell@hp.com" target="_blank">ryan.tidwell@hp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">I was batting around some ideas regarding IPAM functionality, and it occurred to me that rate-limiting at an API level might come in handy and as an example might help provide one level of defense against DoS for an external IPAM provider
that Neutron might make calls off to. I’m simply using IPAM as an example here; there are a number of other (i.e. better) reasons for rate-limiting at the API level. I may just be ignorant (please forgive me if I am
:) ), but I’m not aware of any rate-limiting functionality at the API level in Neutron. Does anyone know if such a feature exists that could point me at some documentation? If it doesn’t exist, has the Neutron community
broached this subject before? I have to imagine someone has brought this up before and I just was out of the loop. Anyone have thoughts they care to share? Thanks!</p><span><font color="#888888">
<p class="MsoNormal">-Ryan</p>
</font></span></div>
</div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Best Regards ,<br><br>The G. </div>
</div>
<br></blockquote></div>