[openstack-dev] [quantum] Security groups egress default behaviour
Dan Wendlandt
dan at nicira.com
Tue Feb 26 17:13:20 UTC 2013
Hi Tomoe,
Yes, my understanding of what Amazon does is that each VPC security group
is automatically configured with an explicit "allow all outbound" rule. I
assume Amazon did this so that that VPC groups were implicitly backward
compatible with non-VCP security groups, which perform no egress filtering.
However, if you remove this rule and have a truly empty egress group, all
packets will be dropped, which makes the default-deny semantics symmetric
across both ingress + egress rules.
I personally like the trade-off amazon made here and I think it makes sense
to do something similar in Quantum.
dan
On Tue, Feb 26, 2013 at 3:29 AM, Tomoe Sugihara <tomoe at midokura.com> wrote:
> Hi quantum devs,
>
> I was looking into Quantum Security Groups feature and I have some
> questions regarding default behavior for egress processing.
>
> From the slide[1] linked form the BP and the document[2], it sounds like
> the following:
>
> - by default, all the egress traffic would be allowed
> - once you have a egress rule, the rule processing becomes white list,
> meaning traffic that doesn't match on the rules would be dropped.
>
> This actually sounds similar to what Amazon VPS SG document[3], although
> their implementation doesn't match on the statement in the doc, which I'll
> get to it shortly.
>
> If I understand the spec correctly, when I remove the last egress rule
> from all the SGs bound to a port, the default behavior should change from
> DROP to ALLOW. Symmetrically, when I add a first egress rule in any of the
> SGs to which a VM is bound, the default behavior should change from ALLOW
> to DROP. Am I interpreting this right?
> However, I couldn't find a part to implement this. In fact, this
> processing would be annoying if you have thousands of ports referring to
> multiple SGs because, for each port, you would have to count numbers of
> egress rules for all the SGs, and depending on the count, you would have to
> change the default behavior.
>
> Then, I took a look at Amazon VPC security groups in the console. Contrary
> to their online doc, their implementation seems more intuitive or explicit
> like this:
>
> - When you create a SG, you get a (default) visible outbound rule that
> allows everything
> - When you add/delete egress rules to the SG, the default rule is not
> affected.
>
> Basically, in VPC SG outbound behavior, just as same as the inbound, the
> default is DROP. There's no implicit default behavior.
> You merely get the default rule to allow everything for default SG, as
> well as when you create another SG.
>
> So, I'm wondering what the right behavior for Quantum SG. To me, amazon
> style seems easy to understand for user's perspective and easy to
> implement. And, I now slightly remember that there was a discussion about
> having amazon compatibility flag in OS summit.
>
> I'd appreciate any comments.
>
> Thanks,
> Tomoe
>
>
> [1]
> http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html
> [2]:
> http://www.slideshare.net/delapsley1/20120417-osdesignsummitsecuritygroupsdlapsleyfinal, slide, 13.
> [3]:
> http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130226/636085b0/attachment.html>
More information about the OpenStack-dev
mailing list