nova team mailing list archive

Thread
Date

Re: Network filtering for libvirt and for non-libvirt hypervisors

To: Soren Hansen <soren@xxxxxxxxxx>
From: Jay Pipes <jaypipes@xxxxxxxxx>
Date: Thu, 16 Sep 2010 11:35:23 -0400
Cc: nova@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C90AF11.9060908@ubuntu.com>

On Wed, Sep 15, 2010 at 7:33 AM, Soren Hansen <soren@xxxxxxxxxx> wrote:
> I have a spec[1] and a corresponding branch[2] about making basic use of
> libvirt's nwfilter support. It basically just adds a snippet to the
> libvirt templates that enables a number of network filtering techniques.
> Specifically, it prevents MAC spoofing, ARP spoofing, and IP spoofing. I
> didn't bother making this configurable, since it seems like the sort of
> thing everyone will always want. As such, there's no API call to enable
> it, nor is there a setting in the datamodel that enables/disables it.

\o/ +1 for specs and blueprints :)

> While this is a great feature to have, it raises a few questions about
> the non-libvirt hypervisors.
>
> Ideally, of course, we don't want the choice of hypervisors to affect
> the utility of Nova. Lacking decent network filtering IMO limits a cloud
> computing platform's utility significantly.

Agreed.

> So, what to do? Should we more clearly define the contract to which a
> hypervisor driver is meant to adhere and list the above mentioned
> spoofing protections as requirements? We could assign specific people as
> designated maintainers of the different hypervisor drivers, and make it
> their responsibility to make their driver conformant to the contract.

Not sure.  I'll wait to hear from the vendors on this one.

-jay

> Other suggestions?
>
> I also have another spec[3] and a corresponding branch[4] that
> implements EC2 style security groups using libvirt's nwfilter. This is a
> bigger chunk of work, but it seems like it should follow the same pattern.
>
> [1]: https://blueprints.launchpad.net/nova/+spec/austin-nwfilter
> [2]: https://code.launchpad.net/~soren/nova/nwfilter
> [3]: https://blueprints.launchpad.net/nova/+spec/austin-ec2-security-groups
> [4]: https://code.launchpad.net/~soren/nova/ec2-security-groups
>
> --
> Soren Hansen
> Ubuntu Developer    http://www.ubuntu.com/
> OpenStack Developer http://www.openstack.org/
>
> _______________________________________________
> Mailing list: https://launchpad.net/~nova
> Post to     : nova@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~nova
> More help   : https://help.launchpad.net/ListHelp
>

Follow ups

Re: Network filtering for libvirt and for non-libvirt hypervisors
From: Joshua McKenty, 2010-09-16

References

Network filtering for libvirt and for non-libvirt hypervisors
From: Soren Hansen, 2010-09-15