Fix typos in allowed_address_pairs.rst
TrivialFix Change-Id: I675abcc1bd50862f9bec55c03a40095ba4aa594a
This commit is contained in:
parent
5c0d81b5fe
commit
95ed41f9ed
|
@ -4,9 +4,9 @@
|
|||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==============================
|
||||
=====================
|
||||
Allowed address pairs
|
||||
===============================
|
||||
=====================
|
||||
|
||||
https://blueprints.launchpad.net/dragonflow/+spec/allowed-address-pairs
|
||||
|
||||
|
@ -28,7 +28,7 @@ IP address prefixes) in the same subnet of the port's fixed IP.
|
|||
In current implementation, security modules like port security and security
|
||||
group will require that packets sent/received from a VM port must have the
|
||||
fixed IP/MAC address of this VM port. Besides, L2 and L3 transmission will
|
||||
forward packets only according those fixed addresses. Those modules should
|
||||
forward packets only according to those fixed addresses. Those modules should
|
||||
make some changes to support allowed address pairs.
|
||||
|
||||
Proposed Change
|
||||
|
@ -39,20 +39,20 @@ which is similar with fixed IP/MAC address pair in a port, and functional
|
|||
modules should also handle them like fixed IP/MAC address pair.
|
||||
|
||||
Port Security
|
||||
----------------------
|
||||
-------------
|
||||
Port security module should allow packets with the fixed IP/MAC address pair
|
||||
and also packets with address pairs configured in allowed address pairs field
|
||||
of a port. That is already done in the blueprint of mac-spoofing-protection.
|
||||
|
||||
Security Group
|
||||
----------------------
|
||||
--------------
|
||||
The security group module transforms the remote group field in a rule to
|
||||
flows according IP addresses of VM ports associated with the remote group.
|
||||
flows according to IP addresses of VM ports associated with the remote group.
|
||||
To support allowed address pairs, those IP addresses should include both
|
||||
fixed IP address and the IP addresses in allowed address pairs.
|
||||
|
||||
L2/L3 Lookup
|
||||
----------------------
|
||||
------------
|
||||
One or more VM ports could share a same IP address (and a same MAC address in
|
||||
some scenarios) in allowed address pairs. In L2/L3 lookup table, we could
|
||||
simply send the packets of which destination address is this address to all
|
||||
|
@ -80,7 +80,7 @@ latter "detectation way", and add an option in the configuration for users to
|
|||
choose one of them.
|
||||
|
||||
ARP Responder
|
||||
---------------
|
||||
-------------
|
||||
Because more than one VM ports' allowed address pairs could have a same IP
|
||||
address but different MAC addresses, ARP responder can hardly know which MAC
|
||||
address should be responded to an ARP request to this IP. We could simply
|
||||
|
|
Loading…
Reference in New Issue