[openstack-dev] Proposed Quantum Port Security API/Blueprint

Akihiro MOTOKI amotoki at gmail.com
Sat Jan 12 10:44:30 UTC 2013


Hi Aaron,

Sorry for the late feedback.

I have some comments on the spec.

- Who can change the port security? If the network physical
infrastructure provides address space isolation among logical networks,
a tenant (a regular user) may change port security freely.
On the other hand, if the network physical infrastructure requires MAC
uniqueness (for example, network_type == flat), only an admin should
change port security.

- Why can we disable port security when a port is associated with a
security group?
The limitation section in the spec document says "if a port is
associated with a security group one cannot remove the port security
setting as port security is required for security groups to work."
A usual case is one where a VM wants to use another IP address in
addition to its assigned IP address, but it is likely that the user
still wants to use a security group (to drop incoming packets to
undesired L4 ports).

The current secgroup implementation honors the original security group
implementation in nova
and IP/MAC spoofing rules are added automatically as provider rules.
We can change the provider rules according to port security state for the port.

I hope my understanding is correct.

Thanks,
Akihiro

2013/1/5 Aaron Rosen <arosen at nicira.com>:
> Hi,
>
> I'm starting to work on the following blueprint
> (https://blueprints.launchpad.net/quantum/+spec/port-security-api-base-class)
> and would like to run this spec by the community for feedback.
>
> https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit
>
> Thanks,
>
> Aaron
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



-- 
Akihiro MOTOKI <amotoki at gmail.com>
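The two points raised in the mail, modelled as an added example that is not code from the thread or from Quantum itself: which network types need an admin to relax port security (only `flat` is named above; the set is an assumption), and how anti-spoofing provider rules can follow the port security state while security-group rules stay in force. Field names and rule format are hypothetical.

```python
from dataclasses import dataclass, field

# Network types where the fabric does not isolate L2 address space between
# logical networks, so MAC uniqueness matters and only an admin may relax
# port security. Assumed set: the mail names only 'flat'.
SHARED_ADDRESS_SPACE_TYPES = {"flat"}


@dataclass
class Port:
    mac_address: str
    fixed_ips: list                      # IPs assigned to the port
    port_security_enabled: bool = True
    security_groups: list = field(default_factory=list)


def can_change_port_security(network_type: str, is_admin: bool) -> bool:
    """Tenants may toggle port security only where address space is isolated."""
    if is_admin:
        return True
    return network_type not in SHARED_ADDRESS_SPACE_TYPES


def provider_rules(port: Port) -> list:
    """Anti-spoofing provider rules derived from the port's security state.

    Port security on: only frames sourced from the port's own MAC and fixed
    IPs are allowed out, everything else is dropped. Port security off: no
    anti-spoofing rules at all (the VM may use additional addresses).
    """
    if not port.port_security_enabled:
        return []
    rules = [{"dir": "egress", "match": "src_mac", "value": port.mac_address, "action": "allow"}]
    rules += [{"dir": "egress", "match": "src_ip", "value": ip, "action": "allow"}
              for ip in port.fixed_ips]
    rules.append({"dir": "egress", "match": "any", "value": None, "action": "drop"})
    return rules


def effective_rules(port: Port, sg_rules: list) -> list:
    """Provider anti-spoofing rules first, then the tenant's security-group rules,
    which apply regardless of the port security setting."""
    return provider_rules(port) + list(sg_rules)


if __name__ == "__main__":
    # Constructed sample: a port that turned port security off but keeps an SG.
    p = Port("fa:16:3e:00:00:01", ["10.0.0.5"], port_security_enabled=False,
             security_groups=["web"])
    sg = [{"dir": "ingress", "match": "tcp_dport", "value": 22, "action": "allow"}]
    print(can_change_port_security("flat", is_admin=False), effective_rules(p, sg))
```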