<div dir="ltr">Kevin, thank you for your help. Currently, we already have a similar patch for the Pike release. We started this discussion to draw attention to the degradation of flexibility and to discuss the need to create an RFE.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-22 11:48 GMT+03:00 Kevin Benton <span dir="ltr"><<a href="mailto:kevin@benton.pub" target="_blank">kevin@benton.pub</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I understand. I think you will likely need to run a bit of custom code for Pike if you want to override the default behavior of the port security extension. You should be able to use something like the following (untested) code as a service plugin. Install it somewhere on the server and then put the import path to it in the service_plugins configuration.<div><br></div><pre>
from neutron_lib.api.definitions import port_security
from neutron_lib.callbacks import events
from neutron_lib.callbacks import registry
from neutron_lib.callbacks import resources
from neutron_lib.services import base


@registry.has_registry_receivers
class NetdefaultPortSecurity(base.ServicePluginBase):
    """Service plugin that overrides the port_security_enabled default for new networks."""

    @registry.receives(resources.NETWORK, [events.BEFORE_CREATE])
    def force_default_portsec_false(self, rtype, event, trigger, context,
                                    network, **kwargs):
        # BEFORE_CREATE fires before the network is persisted, so the
        # overridden value is the one that gets stored.
        network[port_security.PORTSECURITY] = False

    @classmethod
    def get_plugin_type(cls):
        return 'portsecdefaultoverride'

    def get_plugin_description(self):
        return "workaround"
</pre><div><br><div>To have this fixed in future versions I suggest filing an
RFE to allow all security to be disabled completely if the port security extension isn't loaded.</div></div><div><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 19, 2018 at 9:34 AM, Vadim Ponomarev <span dir="ltr"><<a href="mailto:ponomarev@selectel.ru" target="_blank">ponomarev@selectel.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>If I understood correctly, you are talking about the rules which the security_group extension generates by default from the fixed_ips + allowed_address_pairs list. In our OpenStack installation we disabled the security_group and allowed_address_pairs extensions to simplify the configuration of the HA clusters.</div><div><br></div><div>Currently we configure Neutron as follows:</div><div>1. prevent_arp_spoofing = False</div><div>2. disable the security_group extension</div><div>3. disable the allowed_address_pairs extension</div><div><br></div><div>Actually, if port_security becomes a "central regulator" which controls all mechanisms, that is perfect in our case. But we will lose flexibility, because we can't change the default value of this option. And even if we disable the port_security extension in Neutron, the ARP-spoofing prevention mechanism will still work by default [1].</div><div><br></div><div>It's a very important question: how can we globally disable ARP spoofing prevention in the Pike release? That is, to create all networks without specifying the option port_security_enabled=False.</div><div><br></div><div>The changes that were proposed by Tatiana just let us keep the current flexibility.<br><br>[1] <a href="https://github.com/openstack/neutron/blob/stable/pike/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L907" target="_blank">https://github.com/openstack/neutron/blob/stable/pike/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L907</a></div></div><div class="m_-3020101144614209453gmail-m_-3315549987390821537HOEnZb"><div class="m_-3020101144614209453gmail-m_-3315549987390821537h5"><div class="gmail_extra"><br><div class="gmail_quote">2018-03-19 16:24 GMT+03:00 Kevin Benton <span dir="ltr"><<a href="mailto:kevin@benton.pub" target="_blank">kevin@benton.pub</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Disabling ARP spoofing protection alone will not let the standby instance source traffic using the active instance's IP. IP filtering rules, independent of the ARP enforcement rules, ensure the source IP is in the fixed_ips or allowed_address_pairs.<div dir="auto"><br></div><div dir="auto">Are you already using allowed address pairs to add the shared IP to both?</div></div><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053HOEnZb"><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053h5"><br><div class="gmail_quote"><div dir="ltr">On Mon, Mar 19, 2018, 22:13 Vadim Ponomarev <<a href="mailto:ponomarev@selectel.ru" target="_blank">ponomarev@selectel.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Yes, there's really a need for high-availability mechanisms like corosync, VRRP, etc.
Another simple example: we have two servers in an active/standby HA configuration (for example keepalived + haproxy) and a third-party monitoring system for these servers. The monitoring system collects load metrics, and when one of the servers is unavailable it scales the architecture (adds a new server to the cluster), in this way preserving the HA architecture. In your case, this monitoring system must do the following steps: create a new instance, add the new instance's MAC address to allowed_address_pairs, and only after that reconfigure all other nodes. Otherwise the cluster will not work. The solution to the problem is simple: disable the ARP spoofing prevention mechanism.</div><div><br></div><div>OK, we could use the port_security options for this network with the HA cluster. In this case we must reconfigure our monitoring systems, create allowed_address_pairs for all current servers and (the hardest part) train our users how that is done.</div><div><br></div><div>Currently, we don't use the ARP spoofing prevention option (prevent_arp_spoofing = False) and honestly I don't understand why this option is enabled by default in private networks. Each such network belongs to one user, who controls all instances. Who would decide to perform a MITM attack in their own network?</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-19 12:53 GMT+03:00 Kevin Benton <span dir="ltr"><<a href="mailto:kevin@benton.pub" rel="noreferrer" target="_blank">kevin@benton.pub</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Do you need to spoof arbitrary addresses? If not (i.e. a set you know ahead of time), you can put entries in the allowed_address_pairs field of the port that will allow you to send traffic using other MAC/IPs.</div><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507HOEnZb"><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mar 19, 2018 8:42 PM, "Vadim Ponomarev" <<a href="mailto:ponomarev@selectel.ru" rel="noreferrer" target="_blank">ponomarev@selectel.ru</a>> wrote:<br type="attribution"><blockquote class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br>I agree, that is a problem. It's unclear how, after removing the option prevent_arp_spoofing, I can manage the ARP spoofing prevention mechanism. Example: I use security groups but I don't want to use ARP spoofing protection. How can I disable the protection?<br></div></div><div class="gmail_extra"><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718elided-text"><br><div class="gmail_quote">2018-03-14 10:26 GMT+03:00 Tatiana Kholkina <span dir="ltr"><<a href="mailto:holkina@selectel.ru" rel="noreferrer noreferrer" target="_blank">holkina@selectel.ru</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Sure, there is an ability to enable ARP spoofing for the port/network, but it is impossible to make it enabled by default for all ports.<div>It looks a bit complicated to me and I think it would be better to have an ability to set the default port security via a config file.</div><div><br></div><div><div>Best regards,</div><div 
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Tatiana</span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-13 15:10 GMT+03:00 Claudiu Belu <span dir="ltr"><<a href="mailto:cbelu@cloudbasesolutions.com" rel="noreferrer noreferrer" target="_blank">cbelu@cloudbasesolutions.com</a>></span><wbr>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div style="direction:ltr;font-family:Tahoma;color:rgb(0,0,0);font-size:10pt">Hi,<br>
<br>
Indeed ARP spoofing is prevented by default, but AFAIK, if you want it enabled for a port / network, you can simply disable the security groups on that neutron network / port.<br>
<br>
Best regards,<br>
<br>
Claudiu Belu<br>
<br>
<div style="font-family:"Times New Roman";color:rgb(0,0,0);font-size:16px">
<hr>
<div id="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718m_1915042392102507057m_6589341003032362246m_-9048447337040272059divRpF369882" style="direction:ltr"><font size="2" face="Tahoma" color="#000000"><b>From:</b> Татьяна Холкина [<a href="mailto:holkina@selectel.ru" rel="noreferrer noreferrer" target="_blank">holkina@selectel.ru</a>]<br>
<b>Sent:</b> Tuesday, March 13, 2018 12:54 PM<br>
<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" rel="noreferrer noreferrer" target="_blank">openstack-dev@lists.openstack.<wbr>org</a><br>
<b>Subject:</b> [openstack-dev] [neutron] Prevent ARP spoofing<br>
</font><br>
</div><div><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718m_1915042392102507057m_6589341003032362246h5">
<div></div>
<div>
<div dir="ltr">Hi,
<div>I'm using the Ocata release of OpenStack, where the option prevent_arp_spoofing can be managed via conf. But later, in Pike, it was removed and it was decided to prevent spoofing by default.<br>
</div>
<div>There are cases where security features should be disabled. As I can see now, we can use a port_security option for these cases. But this option should be set for a particular port or network on create. The default value is set to True [1] and it is impossible to change it. I'd like to suggest getting the default value for port_security [2] from a config option.</div>
<div>It would be nice to know your opinion.<br>
</div>
<div><br>
</div>
<div>[1] <a href="https://github.com/openstack/neutron-lib/blob/stable/queens/neutron_lib/api/definitions/port_security.py#L21" rel="noreferrer noreferrer" target="_blank">https://github.com/opensta<wbr>ck/neutron-lib/blob/stable/que<wbr>ens/neutron_lib/api/definition<wbr>s/port_security.py#L21</a></div>
<div>[2] <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline"><a href="https://github.com/openstack/neutron/blob/stable/queens/neutron/objects/extensions/port_security.py#L24" rel="noreferrer noreferrer" target="_blank">https://github.com/opensta<wbr>ck/neutron/blob/stable/queens/<wbr>neutron/objects/extensions/por<wbr>t_security.py#L24</a></span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline"><br>
</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline">Best
regards,</span></div>
<div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline">Tatiana</span></div>
</div>
</div>
</div></div></div>
</div>
</div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer noreferrer noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br><br clear="all"><div><br></div></div><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718signature-text">-- <br><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718m_1915042392102507057gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font face="tahoma, sans-serif" color="#999999"><span style="font-size:12.8px">Best regards,</span><br>Vadim Ponomarev<br>Developer of network automation department at Selectel Ltd.<br><br><span style="font-size:12.8px">----</span><br><span style="font-size:12.8px">This message may contain confidential information that can't be distributed without the consent of the sender or the authorized person </span><span style="font-size:12.8px">Selectel Ltd</span><span style="font-size:12.8px">.</span></font></div></div></div></div></div>
</div></div><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507m_-4251210864703811718elided-text">
</div></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053m_-4276900680007173409m_-5424143872223975507gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font face="tahoma, sans-serif" color="#999999"><span style="font-size:12.8px">Best regards,</span><br>Vadim Ponomarev<br>Developer of network automation department at Selectel Ltd.<br><br><span style="font-size:12.8px">----</span><br><span style="font-size:12.8px">This message may contain confidential information that can't be distributed without the consent of the sender or the authorized person </span><span style="font-size:12.8px">Selectel Ltd</span><span style="font-size:12.8px">.</span></font></div></div></div></div></div>
</div>
</blockquote></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-3020101144614209453gmail-m_-3315549987390821537m_8313719850736153053gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font face="tahoma, sans-serif" color="#999999"><span style="font-size:12.8px">Best regards,</span><br>Vadim Ponomarev<br>Developer of network automation department at Selectel Ltd.<br><br><span style="font-size:12.8px">----</span><br><span style="font-size:12.8px">This message may contain confidential information that can't be distributed without the consent of the sender or the authorized person </span><span style="font-size:12.8px">Selectel Ltd</span><span style="font-size:12.8px">.</span></font></div></div></div></div></div>
</div>
</div></div>
<br></blockquote></div><br></div></div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><font face="tahoma, sans-serif" color="#999999"><span style="font-size:12.8px">Best regards,</span><br>Vadim Ponomarev<br>Developer of network automation department at Selectel Ltd.<br><br><span style="font-size:12.8px">----</span><br><span style="font-size:12.8px">This message may contain confidential information that can't be distributed without the consent of the sender or the authorized person </span><span style="font-size:12.8px">Selectel Ltd</span><span style="font-size:12.8px">.</span></font></div></div></div></div></div>
</div>
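<p>As an added illustration, and not code from this thread or from Neutron itself, the following Python models the two independent per-port filters Kevin describes: ARP spoofing protection, and the source MAC/IP filtering generated from a port's fixed_ips and allowed_address_pairs, both of which port_security_enabled=False switches off. The port dicts, MAC addresses and the 10.0.0.100 VIP are constructed; the matching logic is a simplified approximation of the agent's behaviour rather than its real OpenFlow or iptables rule generation. It also goes a step beyond the thread's single case by covering a CIDR allowed-address-pair with an explicit MAC.</p>

```python
"""Simplified model of Neutron's per-port anti-spoofing enforcement.

Constructed example, not Neutron's own code.  Port dicts mirror the Neutron
port API fields (mac_address, fixed_ips, allowed_address_pairs,
port_security_enabled); the filter logic is an approximation for illustration.
"""
import ipaddress


def allowed_sources(port):
    """Build the (mac, network) allow-list for a port.

    Each fixed IP is allowed with the port's own MAC.  Each allowed address
    pair (a host or a CIDR) is allowed with its mac_address, falling back to
    the port MAC when none is given.
    """
    port_mac = port["mac_address"].lower()
    allowed = []
    for fixed in port.get("fixed_ips", []):
        allowed.append((port_mac, ipaddress.ip_network(fixed["ip_address"])))
    for pair in port.get("allowed_address_pairs", []):
        mac = pair.get("mac_address", port_mac).lower()
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        allowed.append((mac, net))
    return allowed


def arp_allowed(port, sender_ip, arp_protection=True):
    """ARP spoofing protection: the sender protocol address must belong to the port.

    arp_protection=False stands in for the removed prevent_arp_spoofing=False
    knob; port_security_enabled=False disables the check regardless.
    """
    if not port.get("port_security_enabled", True) or not arp_protection:
        return True
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for _mac, net in allowed_sources(port))


def ip_allowed(port, src_mac, src_ip):
    """Source MAC/IP filtering, independent of ARP enforcement."""
    if not port.get("port_security_enabled", True):
        return True
    ip = ipaddress.ip_address(src_ip)
    mac = src_mac.lower()
    return any(mac == m and ip in net for m, net in allowed_sources(port))


def can_use_address(port, mac, ip, arp_protection=True):
    """Can this port both announce `ip` via ARP and send traffic from (mac, ip)?"""
    return arp_allowed(port, ip, arp_protection) and ip_allowed(port, mac, ip)


# Constructed sample ports: an active/standby pair sharing VIP 10.0.0.100.
VIP = "10.0.0.100"
ACTIVE = {
    "mac_address": "fa:16:3e:00:00:01",
    "fixed_ips": [{"ip_address": "10.0.0.11"}],
    "allowed_address_pairs": [{"ip_address": VIP}],
}
STANDBY = {
    "mac_address": "fa:16:3e:00:00:02",
    "fixed_ips": [{"ip_address": "10.0.0.12"}],
    "allowed_address_pairs": [],
}


def scenarios():
    """Outcomes for the cases argued in the thread, keyed by scenario name."""
    standby_mac = STANDBY["mac_address"]
    standby_with_pair = dict(STANDBY, allowed_address_pairs=[{"ip_address": VIP}])
    standby_no_portsec = dict(STANDBY, port_security_enabled=False)
    # A CIDR pair bound to a different MAC (constructed): traffic from that MAC
    # for any address in the range passes; the port's own MAC does not.
    cidr_port = dict(STANDBY, allowed_address_pairs=[
        {"ip_address": "10.0.1.0/24", "mac_address": "fa:16:3e:aa:bb:cc"}])
    return {
        # VIP listed as an allowed address pair on the active port: both pass.
        "active": can_use_address(ACTIVE, ACTIVE["mac_address"], VIP),
        # Standby without the pair: ARP protection blocks the announcement.
        "standby": can_use_address(STANDBY, standby_mac, VIP),
        # Only ARP protection off: ARP passes but IP filtering still drops it.
        "standby_arp_off": can_use_address(STANDBY, standby_mac, VIP, arp_protection=False),
        "standby_arp_off_arp_only": arp_allowed(STANDBY, VIP, arp_protection=False),
        # Fix 1: add the VIP to allowed_address_pairs on the standby port.
        "standby_with_pair": can_use_address(standby_with_pair, standby_mac, VIP),
        # Fix 2: port_security_enabled=False switches off both filters.
        "standby_no_portsec": can_use_address(standby_no_portsec, standby_mac, VIP),
        "cidr_pair_matching_mac": can_use_address(cidr_port, "fa:16:3e:aa:bb:cc", "10.0.1.7"),
        "cidr_pair_wrong_mac": can_use_address(cidr_port, standby_mac, "10.0.1.7"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'allowed' if ok else 'dropped'}")
```

<p>The "standby_arp_off" row is the point of Kevin's 16:24 reply: switching off ARP protection alone is not enough, because the MAC/IP filter derived from the same lists still drops the VIP-sourced traffic. The two fixes on the page show up as separate rows: either list the VIP in allowed_address_pairs on every node that may hold it, or disable port security on the port, which removes both filters at once.</p>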