Allowed Address Pair: support matching ANY MAC address
Related-Bug: #1946251 Change-Id: I553ac57fc1e0325236282a6d218b0726a6693633
This commit is contained in:
parent
89c638cd71
commit
077328f988
|
@ -0,0 +1,93 @@
|
||||||
|
..
|
||||||
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||||
|
License.
|
||||||
|
|
||||||
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||||
|
|
||||||
|
======================================================
|
||||||
|
Allowed Address Pair: support matching ANY MAC address
|
||||||
|
======================================================
|
||||||
|
|
||||||
|
Include the URL of your launchpad RFE:
|
||||||
|
|
||||||
|
https://bugs.launchpad.net/neutron/+bug/1946251
|
||||||
|
|
||||||
|
Allowed address pairs API allows to match against a subset of IP addresses, or
|
||||||
|
even all of them, by virtue of netmasks being part of 'ip_address' field
|
||||||
|
format. For example, using '0.0.0.0/0' means allowing any IP address used with
|
||||||
|
the corresponding MAC address. This proposal suggests extending the API so that
|
||||||
|
a user can allow any MAC address used with the corresponding IP address.
|
||||||
|
|
||||||
|
|
||||||
|
Problem Description
|
||||||
|
===================
|
||||||
|
|
||||||
|
An end user would like to configure their topology so that a port enforces
|
||||||
|
security group rules but allows any MAC addresses. To achieve this, the user:
|
||||||
|
|
||||||
|
#. creates a security group with appropriate rules;
|
||||||
|
#. creates a port and assigns it to the security group;
|
||||||
|
#. adds allowed address pair for ANY MAC address and some IP address(es).
|
||||||
|
|
||||||
|
Right now, the only way to disable MAC address enforcement is to set
|
||||||
|
port_security_enabled attribute to false. But this attribute also disables
|
||||||
|
security group rule enforcement. In this scenario, only anti-spoofing
|
||||||
|
enforcement should be disabled.
|
||||||
|
|
||||||
|
|
||||||
|
Proposed Change
|
||||||
|
===============
|
||||||
|
|
||||||
|
The proposal is to extend 'allowed_address_pairs' attribute for ports so that
|
||||||
|
its 'mac_address' field accepts a special value "ANY" that would disable MAC
|
||||||
|
anti-spoofing mechanism. IP address enforcement may still continue, based on
|
||||||
|
the corresponding 'ip_address' field value of the pair.
|
||||||
|
|
||||||
|
Having multiple address pairs with "ANY" 'mac_address' field value is
|
||||||
|
supported. Having a list of pairs where some but not all 'mac_address' field
|
||||||
|
values are "ANY" is supported.
|
||||||
|
|
||||||
|
A new Networking API extension will be introduced to indicate support for the
|
||||||
|
new special value. This support is backend specific, which means that ML2 may
|
||||||
|
need to offload decision to enable the extension to underlying drivers.
|
||||||
|
|
||||||
|
Database model for allowed address pairs will not need adjustment to accept the
|
||||||
|
new special value because it already accepts all strings.
|
||||||
|
|
||||||
|
Client library may need to be adjusted to support the new special value "ANY"
|
||||||
|
for the 'mac_address' field in the API validator module.
|
||||||
|
|
||||||
|
For agent-based setups, there are two cases to handle where the firewall driver
|
||||||
|
chosen implements anti-spoofing / allowed_address_pair handling itself, and
|
||||||
|
where this task is left to the agent. The firewall driver indicates the former
|
||||||
|
by setting provides_arp_spoofing_protection attribute to True. In this
|
||||||
|
scenario, the driver will have to implement handling of the new "ANY" value set
|
||||||
|
for a MAC-IP pair. A new firewall driver flag (support_any_mac_anti_spoofing)
|
||||||
|
will be added to indicate support for the new feature, defaults to False. If
|
||||||
|
the flag is not set, the agent will filter out ANY address pairs before passing
|
||||||
|
them to the firewall driver. It will also log a warning about the issue. Each
|
||||||
|
driver that handles anti-spoofing itself will need to opt in receiving "ANY"
|
||||||
|
address pairs by setting the support_any_mac_anti_spoofing flag to True.
|
||||||
|
|
||||||
|
|
||||||
|
Alternatives
|
||||||
|
~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Instead of using a new special value "ANY", we could introduce a masking scheme
|
||||||
|
for 'mac_address' field. For example, "de:ad:/32" would indicate "any MAC
|
||||||
|
address that starts with de:ad: prefix". But it's debatable whether using any
|
||||||
|
mask but /0 is generally useful, since MAC addresses are opaque values with no
|
||||||
|
inherent ordering or grouping (that said, traditionally vendors reuse the same
|
||||||
|
prefixes for their devices).
|
||||||
|
|
||||||
|
Instead of reusing the existing allowed address pairs API attribute, we could
|
||||||
|
introduce a new port level attribute that would disable MAC address
|
||||||
|
anti-spoofing without disabling security group rules. Since SG API still allows
|
||||||
|
to match against particular IP addresses, this approach would be functionally
|
||||||
|
identical to this. That said, I think it's generally better to avoid
|
||||||
|
introducing new attributes to base resources, and it's better to keep
|
||||||
|
anti-spoofing related functionality under the same attribute.
|
||||||
|
|
||||||
|
|
||||||
|
References
|
||||||
|
==========
|
|
@ -1,82 +0,0 @@
|
||||||
..
|
|
||||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
||||||
License.
|
|
||||||
|
|
||||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
||||||
|
|
||||||
====================================
|
|
||||||
Example Spec - The title of your RFE
|
|
||||||
====================================
|
|
||||||
|
|
||||||
Include the URL of your launchpad RFE:
|
|
||||||
|
|
||||||
https://bugs.launchpad.net/neutron/+bug/example-id
|
|
||||||
|
|
||||||
Introduction paragraph -- why are we doing this feature? A single paragraph of
|
|
||||||
prose that **deployers, and developers, and operators** can understand.
|
|
||||||
|
|
||||||
Do you even need to file a spec? Most features can be done by filing an RFE bug
|
|
||||||
and moving on with life. In most cases, filing an RFE and documenting your
|
|
||||||
design in the devref folder of neutron docs is sufficient. If the feature
|
|
||||||
seems very large or contentious, then the drivers team may request a spec, or
|
|
||||||
you can always file one if desired.
|
|
||||||
|
|
||||||
|
|
||||||
Problem Description
|
|
||||||
===================
|
|
||||||
|
|
||||||
A detailed description of the problem:
|
|
||||||
|
|
||||||
* For a new feature this should be a list of use cases. Ensure that you are clear
|
|
||||||
about the actors in each use case: End User vs Deployer. Ensure that you identify
|
|
||||||
which area of the core is being affected; for something completely new, it
|
|
||||||
should be clear why you are considering it being part of the core.
|
|
||||||
|
|
||||||
* For a major reworking of something existing it would describe the
|
|
||||||
problems in that feature that are being addressed.
|
|
||||||
|
|
||||||
Note that the RFE filed for this feature will have a description already. This
|
|
||||||
section is not meant to simply duplicate that; you can simply refer to that
|
|
||||||
description if it is sufficient, and use this space to capture changes to
|
|
||||||
the description based on bug comments or feedback on the spec.
|
|
||||||
|
|
||||||
|
|
||||||
Proposed Change
|
|
||||||
===============
|
|
||||||
|
|
||||||
How do you propose to solve this problem?
|
|
||||||
|
|
||||||
This section is optional, and provides an area to discuss your high-level
|
|
||||||
design at the same time as use cases, if desired. Note that by high-level,
|
|
||||||
we mean the "view from orbit" rough cut at how things will happen.
|
|
||||||
|
|
||||||
This section should 'scope' the effort from a feature standpoint: how is the
|
|
||||||
'neutron end-to-end system' going to look like after this change? What Neutron
|
|
||||||
areas do you intend to touch and how do you intend to work on them? The list
|
|
||||||
below is not meant to be a template to fill in, but rather a jumpstart on the
|
|
||||||
sorts of areas to consider in your proposed change description.
|
|
||||||
|
|
||||||
* Am I going to see new CLI commands?
|
|
||||||
* Is OpenStack CLI covered in addition to neutronclient?
|
|
||||||
* How do you intend to support or affect aspects like:
|
|
||||||
* Address Management, e.g. IPv6, DHCP
|
|
||||||
* Routing, e.g. DVR/HA
|
|
||||||
* Plugins, ML2 Drivers, e.g. OVS, LinuxBridge
|
|
||||||
* Agents, e.g. metadata
|
|
||||||
* High level services, e.g. \*-aas.
|
|
||||||
* Scheduling, quota, and policy management, e.g. admin vs user rights
|
|
||||||
* API and extensions
|
|
||||||
* Clients
|
|
||||||
* Impact on services or out-of-tree plugins/drivers
|
|
||||||
* What do you intend to not support in the initial release?
|
|
||||||
|
|
||||||
You do not need to detail API or data model changes. Details at that level of
|
|
||||||
granularity belong in the neutron devref docs.
|
|
||||||
|
|
||||||
|
|
||||||
References
|
|
||||||
==========
|
|
||||||
|
|
||||||
Please add any useful references here. You are not required to have any
|
|
||||||
reference. Moreover, this specification should still make sense when your
|
|
||||||
references are unavailable.
|
|
Loading…
Reference in New Issue