Open Stack

On Thu, 2017-03-23 at 12:39 -0400, Mathieu Gagné wrote:
> On Thu, Mar 23, 2017 at 10:08 AM,  <sfinucan at redhat.com> wrote:
> > The nova libvirt driver provides support for ebtables-based port
> > filtering (using libvirt's nwfilter) to prevent things like MAC, IP
> > and/or ARP spoofing. I've been looking into deprecating this as
> > part of
> > the move to deprecate all things nova-network'y, but it appears
> > that,
> > in some scenarios, it is possible to use this feature with neutron.
> 
> Isn't ARP spoofing support now part of Neutron, at least for
> Linuxbridge mechanism?
> https://review.openstack.org/#/c/196986/

Correct. In most cases, you'd have to explicitly disable the neutron
variant if you wanted the nova one. It was suggested to me that not
every neutron driver implements this feature and for these cases the
nova one would be beneficial. However, from my understanding of the
nova code, this feature only works with iptables- or OVS/IVS hybrid
interfaces, which _do_ support this feature in neutron [1][2], and it
would have to be an explicit action by the operator.

> We do use the feature you mentioned but there is too much hack or
> code
> change you need to do to benefit from it.
> Especially in our case as you can't use both Neutron network manager
> (with security groups, allowed address pairs, etc.) and Nova iptables
> driver to benefit from libvirt's nwfilter anti-ARP spoofing.
> 
> We are still running Kilo and will be migrating to Mitaka which has
> the ARP spoofing protection built-in in Neutron. So no, in our case,
> I
> don't see a reason to keep this feature around as you can get the
> same
> with Neutron port-security extension.

OK, good to hear.

Stephen

[1] https://review.openstack.org/#/c/196986/
[2] https://review.openstack.org/#/c/171003/