[RFE]need a way to disable anti-spoofing rules and yet keep security groups

Bug #1633280 reported by Rui Zang
This bug affects 1 person
Affects: neutron
Status: Expired
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Basically all NFV use-cases would require this split. The current approach for NFV is to turn things off and have the VNFs protect themselves rather than have the infrastructure support security. Even in simple deployments, like cloud bursting, you'll need to be able to allow the customer to control his addressing. The customer might want to do so by having the router (which does the IPsec tunnel termination) either use ICMP RA (in case of v6/SLAAC) or DHCP (v4/v6) to control addressing - as opposed to having OpenStack control the addressing. In this case, the VNF only deals with addressing but it has to protect itself without security groups.

Tags: rfe
Rui Zang (rui-zang)
Changed in neutron:
assignee: nobody → Rui Zang (rui-zang)
Rui Zang (rui-zang)
tags: added: rfe
Anindita Das (anindita-das) wrote :

Can you please add [RFE] in the title and add reproduction steps of the current approach?

Changed in neutron:
status: New → Incomplete
Rui Zang (rui-zang)
summary: - need a way to disable anti-spoofing rules and yet keep security groups
+ [RFE]need a way to disable anti-spoofing rules and yet keep security
+ groups
Changed in neutron:
status: Incomplete → New
Changed in neutron:
status: New → Opinion
Armando Migliaccio (armando-migliaccio) wrote :
Changed in neutron:
status: Opinion → Confirmed
assignee: Rui Zang (rui-zang) → nobody
importance: Undecided → Wishlist
Armando Migliaccio (armando-migliaccio) wrote :

Let's discuss this in more detail. I think anti-spoofing rules were added after security groups and it should be possible to have one without the other. However, what's not clear to me is this paragraph:

Even in simple deployments, like cloud bursting, you'll need to be able to allow the customer to control his addressing. The customer might want to do so by having the router (which does the IPsec tunnel termination) either use ICMP RA (in case of v6/SLAAC) or DHCP (v4/v6) to control addressing - as opposed to having OpenStack control the addressing.

If OpenStack doesn't control the address space, how are security groups supposed to be implemented?

Changed in neutron:
status: Confirmed → Triaged
status: Triaged → Incomplete
status: Incomplete → Triaged
Kevin Benton (kevinbenton) wrote :

Wouldn't allowed address pairs allow you to use any IP you want without disabling port security?

Changed in neutron:
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired