[openstack-dev] Fwd: FW: [Neutron] Group Based Policy and the way forward
Kevin Benton
blak111 at gmail.com
Wed Aug 6 22:35:44 UTC 2014
By working at the port level you have already eliminated your ability to
implement the filtering at different components of the network. They now
need to be implemented in stateful rules at the port level and the device
has to support security groups.
On Wed, Aug 6, 2014 at 4:03 PM, Aaron Rosen <aaronorosen at gmail.com> wrote:
>
>
>
> On Wed, Aug 6, 2014 at 12:46 PM, Kevin Benton <blak111 at gmail.com> wrote:
>
>> >I believe the referential security group rules solve this problem
>> (unless I'm not understanding):
>>
>> I think the disconnect is that you are comparing the way to current
>> mapping driver implements things for the reference implementation with the
>> existing APIs. Under this light, it's not going to look like there is a
>> point to this code being in Neutron since, as you said, the abstraction
>> could happen at a client. However, this changes once new mapping drivers
>> can be added that implement things differently.
>>
>> Let's take the security groups example. Using the security groups API
>> directly is imperative ("put a firewall rule on this port that blocks this
>> IP") compared to a higher level declarative abstraction ("make sure these
>> two endpoints cannot communicate"). With the former, the ports must support
>> security groups and there is nowhere except for the firewall rules on that
>> port to implement it without violating the user's expectation. With the
>> latter, a mapping driver could determine that communication between these
>> two hosts can be prevented by using an ACL on a router or a switch, which
>> doesn't violate the user's intent and buys a performance improvement and
>> works with ports that don't support security groups.
>>
>> Group based policy is trying to move the requests into the declarative
>> abstraction so optimizations like the one above can be made.
>>
>
> Hi Kevin,
>
> Interesting points. Though, let me ask this. Why do we need to move to a
> declarative API abstraction in neutron in order to perform this
> optimization on the backend? For example, In the current neutron model say
> we want to create a port with a security group attached to it called web
> that allows TCP:80 in and members who are in a security group called
> database. From this mapping I fail to see how it's really any different
> from the declarative model? The ports in neutron are logical abstractions
> and the backend system could be implemented in order to determine that the
> communication between these two hosts could be prevented by using an ACL on
> a router or switch as well.
>
> Best,
>
> Aaron
>
>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
Kevin Benton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140806/b6e9c41c/attachment.html>
More information about the OpenStack-dev
mailing list