<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">This is actually something that we have implemented within the VMware NSX plugin(s). We actually called it provider rules. This was done as an extension to the plugin. We have seen a large
number of people ask for this functionality. It basically gives an admin the option of having ‘deny’ rules which override the tenant ones. It is on the port level.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">One of the options that we took into account was the FWaaS option. Sadly, for us this was not a model that worked with the platform so we went to use the extension route. As far as I understand
that is still in discussion there. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">Gary<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">From: </span>
</b><span style="font-family:Calibri;color:black">Kevin Benton <kevin@benton.pub><br>
<b>Reply-To: </b>OpenStack List <openstack-dev@lists.openstack.org><br>
<b>Date: </b>Monday, October 31, 2016 at 11:59 PM<br>
<b>To: </b>OpenStack List <openstack-dev@lists.openstack.org><br>
<b>Subject: </b>Re: [openstack-dev] [neutron] Cloud Provider Security Groups<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I believe the FWaaS v2 work is attempting to capture this concept of provider-set rules to address this very use-case.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">One of the items from the spec[1] sounds closely related:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">'Adds an explicit action attribute to rules so that "deny" and "reject" actions can be specified in addition to the existing "allow" action. This is particularly important for tenant or service provider network admins that specify firewall
policies meant to apply to all of a tenant's or service provider's instances, regardless of application.'<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">1. <a href="https://github.com/openstack/neutron-specs/blob/master/specs/newton/fwaas-api-2.0.rst">https://github.com/openstack/neutron-specs/blob/master/specs/newton/fwaas-api-2.0.rst</a><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Oct 31, 2016 at 5:28 PM, David G. Bingham <<a href="mailto:dbingham@godaddy.com" target="_blank">dbingham@godaddy.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div id="m_7767359750337862623magicdomid4">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">Yo Neutron devs :-)<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid5">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1323">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">I was wondering if something like the following subject has come up: "Cloud-provider Security Groups".<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1323">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1323">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">*Goal of this email*: Gauge the community’s need and see if this has come up in past.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid2020">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">*Requirement*: Apply a provider-managed global set of network flows to all instances.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid2021">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">*Use Case*: For our private cloud, we need to dynamically allow network traffic flows from other internal network sources across all instances.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid2022">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">*Basic Idea*: Provide an *admin-only* accessible security group ruleset that would persist and apply these "cloud-provider" security group rules to all instances of
a cloud. This *may* be in the form of new "provider" API or an extension to existing API only accessible via "admin". When instances are created, this global SG ruleset would be applied to each VM/ironic instance. This feature likely should be capable of being
enabled/disabled depending on the provider's need.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid2027">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid2027">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">*Real example*: Company security team wants to audit consistent security software installations (i.e. HIPS) across our entire fleet of servers for compliance reporting.
Each vm/ironic instance is required to have this software installed and up to date. Security audit team actually audits each and every server to ensure it is running, patched and up to date. These auditing tools source from a narrow set of internal IPs/ports
and each instance must allow access to these auditing tools.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid21">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid2032">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">--- What we do today to hack a "cloud-provider" flow in a private cloud ---<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1802">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">1) We've locked down the default rules (only admins can modify them, which effectively kills a lot of canned neutron tools).<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1803">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">2) We've written an external script that iterates over all projects in our private cloud (~10k projects)<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1804">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">3) For each project:<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1805">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">3a) Fetch default SGs for that project and do a comparison of its default rules against *target* default rules<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1806">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">3b) Create any new missing rules, delete any removed rules<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1807">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">3c) Next project<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1808">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">This process is cumbersome, takes 20+ hours to run (over ~10k projects) and has to be throttled such that it doesn't over-hammer neutron while it's still serving production
traffic.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid30">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1809">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">--- What we'd like to do in future ---<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1810">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">1) Call Security Group API that would modify a "cloud-provider" ruleset.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1811">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">2) When updated, agents on HVs detect the "cloud-provider" change and then apply the rules across all instances.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1812">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">Naturally there are going to be a lot of technical hurdles to make this happen while a cloud is currently in-flight.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid35">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1813">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">Other uses for "Provider SGs":<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1814">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">* We want to enable new shared features (i.e. monitoring aaS) that all our internal projects can take advantage of. When the monitoring team adds/modifies IPs to scale,
we'd apply these cloud-provider rules on behalf of all projects in the private cloud without users having to concern themselves about the monitoring team's changes.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1815">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">* We want to allow access to some internal sites to our VPN users on specific ports. These VPN ranges are dynamically changed by the VPN team. Our teams should not need
to go into individual projects to add a new rule when VPN team changes ranges.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1816">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">* This list could go on and on and naturally makes much more sense in a *private cloud* scenario, but there may be cases for public providers.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1534">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1534">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">I’d be happy to create a spec.<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1534">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1817">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">Seen this before? Thoughts? Good, Bad or Ugly? :-)<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1553">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1818">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">Thanks,<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1819">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">David Bingham (wwriverrat on irc)<o:p></o:p></span></p>
</div>
<div id="m_7767359750337862623magicdomid1820">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica Neue";color:black">GoDaddy<o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</blockquote>
</div>
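<p class="MsoNormal">The reconciliation sweep David describes (steps 1 through 3c: iterate projects, compare each project's default security group against a target provider ruleset, create the missing rules and delete the stale ones, throttled between projects), written out as an added example. This is not code from the thread, from GoDaddy or from Neutron; the rule dicts use Neutron's security-group-rule attribute names, the fetch/create/delete callables are hypothetical adapters over the Neutron client, and the sample rules and addresses are constructed.</p>

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Fields that define a rule's effect; id/project/description are ignored.
RULE_KEY_FIELDS = ("direction", "ethertype", "protocol", "port_range_min",
                   "port_range_max", "remote_ip_prefix", "remote_group_id")

def rule_key(rule: Dict) -> Tuple:
    """Normalize a rule dict into a hashable key (protocol compared case-insensitively)."""
    key = []
    for field in RULE_KEY_FIELDS:
        value = rule.get(field)
        key.append(value.lower() if field == "protocol" and isinstance(value, str) else value)
    return tuple(key)

def reconcile(current: Iterable[Dict], target: Iterable[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Steps 3a/3b: (rules to create, rules to delete) for one project's default SG.
    Assumes the default SG is admin-only (step 1), so every rule in it is provider-managed."""
    current_by_key = {rule_key(r): r for r in current}
    target_by_key = {rule_key(r): r for r in target}
    to_create = [r for k, r in target_by_key.items() if k not in current_by_key]
    to_delete = [r for k, r in current_by_key.items() if k not in target_by_key]
    return to_create, to_delete

def sweep(project_ids: Iterable[str], fetch_default_rules: Callable, create_rule: Callable,
          delete_rule: Callable, target: List[Dict], pause: Callable = lambda: None) -> int:
    """Steps 2/3c: reconcile every project, calling pause() between projects to throttle
    load on neutron-server. The callables are hypothetical adapters over the Neutron client."""
    writes = 0
    for pid in project_ids:
        to_create, to_delete = reconcile(fetch_default_rules(pid), target)
        for rule in to_create:
            create_rule(pid, rule)
        for rule in to_delete:
            delete_rule(pid, rule)
        writes += len(to_create) + len(to_delete)
        pause()
    return writes

def _rule(protocol: str, port: int, prefix: str, rule_id=None) -> Dict:
    """Build an ingress IPv4 rule in Neutron's attribute shape (sample data only)."""
    return {"id": rule_id, "direction": "ingress", "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": port, "port_range_max": port, "remote_ip_prefix": prefix,
            "remote_group_id": None}

# Constructed sample data: the provider ruleset and one project's current default SG.
TARGET_RULES = [_rule("tcp", 22, "192.0.2.0/24"),          # HIPS auditors
                _rule("tcp", 9100, "198.51.100.0/24")]     # monitoring service
CURRENT_RULES = [_rule("TCP", 22, "192.0.2.0/24", "rule-a"),    # matches target despite case
                 _rule("tcp", 443, "203.0.113.0/24", "rule-b")]  # retired VPN range
```

<p class="MsoNormal">Keying on the rule's effect rather than its id is what keeps the sweep idempotent: a second run over an already-converged project makes no writes, which is the property you want before pointing it at ~10k production projects.</p>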
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>