
nova team mailing list archive

Re: Network filtering for libvirt and for non-libvirt hypervisors


Just a nit, there are some edge cases (ARP Proxy comes to mind) when
filtering ARP spoofing can be problematic. (We actually ran ARP Proxy for
the public IPs for nova on some dev clusters for a time.) So I'm not sure a
"zero configuration" solution is ideal. But I'd be happy with a config flag.

Joshua

On Thu, Sep 16, 2010 at 5:35 PM, Jay Pipes <jaypipes@xxxxxxxxx> wrote:

> On Wed, Sep 15, 2010 at 7:33 AM, Soren Hansen <soren@xxxxxxxxxx> wrote:
> > I have a spec[1] and a corresponding branch[2] about making basic use of
> > libvirt's nwfilter support. It basically just adds a snippet to the
> > libvirt templates that enables a number of network filtering techniques.
> > Specifically, it prevents MAC spoofing, ARP spoofing, and IP spoofing. I
> > didn't bother making this configurable, since it seems like the sort of
> > thing everyone will always want. As such, there's no API call to enable
> > it, nor is there a setting in the datamodel that enables/disables it.
>
> \o/ +1 for specs and blueprints :)
>
> > While this is a great feature to have, it raises a few questions about
> > the non-libvirt hypervisors.
> >
> > Ideally, of course, we don't want the choice of hypervisors to affect
> > the utility of Nova. Lacking decent network filtering IMO limits a cloud
> > computing platform's utility significantly.
>
> Agreed.
>
> > So, what to do? Should we more clearly define the contract to which a
> > hypervisor driver is meant to adhere and list the above mentioned
> > spoofing protections as requirements? We could assign specific people as
> > designated maintainers of the different hypervisor drivers, and make it
> > their responsibility to make their driver conformant to the contract.
>
> Not sure.  I'll wait to hear from the vendors on this one.
>
> -jay
>
> > Other suggestions?
> >
> > I also have another spec[3] and a corresponding branch[4] that
> > implements EC2 style security groups using libvirt's nwfilter. This is a
> > bigger chunk of work, but it seems like it should follow the same
> > pattern.
> >
> > [1]: https://blueprints.launchpad.net/nova/+spec/austin-nwfilter
> > [2]: https://code.launchpad.net/~soren/nova/nwfilter
> > [3]: https://blueprints.launchpad.net/nova/+spec/austin-ec2-security-groups
> > [4]: https://code.launchpad.net/~soren/nova/ec2-security-groups
> >
> > --
> > Soren Hansen
> > Ubuntu Developer    http://www.ubuntu.com/
> > OpenStack Developer http://www.openstack.org/
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~nova
> > Post to     : nova@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~nova
> > More help   : https://help.launchpad.net/ListHelp
> >
>

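As an added illustration of the two points in this thread (the nwfilter snippet Soren attaches to the libvirt template, and Joshua's request that the ARP-spoofing part be switchable for ARP proxy setups), here is a small Python example. It is not code from Nova or from the nwfilter branch. It uses libvirt's real built-in filter names (`no-mac-spoofing`, `no-ip-spoofing`, `no-arp-spoofing`, and the aggregate `clean-traffic`), but the config flag name `filter_arp_spoofing`, the bridge name `br100`, and the sample domain XML are assumptions constructed for the example. The second function audits an existing domain definition and reports which spoofing protections each interface lacks.

```python
"""Build and audit libvirt nwfilter references on guest interfaces.

Added example, not Nova's own code. The flag name `filter_arp_spoofing` is a
hypothetical setting; the sample domain XML below is constructed for the demo.
"""
import xml.etree.ElementTree as ET

# libvirt built-in filters, keyed by the spoofing class each one blocks.
PROTECTIONS = {
    "mac": "no-mac-spoofing",
    "ip": "no-ip-spoofing",
    "arp": "no-arp-spoofing",
}
# clean-traffic bundles all three (plus DHCP/ARP allowances), so a single
# reference to it counts as full coverage.
AGGREGATE_FILTER = "clean-traffic"


def interface_xml(mac, ip, bridge="br100", filter_arp_spoofing=True):
    """Return an <interface> element (as text) with spoofing filters attached.

    filter_arp_spoofing (hypothetical config flag) leaves out no-arp-spoofing
    for deployments that intentionally answer ARP for other addresses.
    """
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "mac", address=mac)
    wanted = ["no-mac-spoofing", "no-ip-spoofing"]
    if filter_arp_spoofing:
        wanted.append("no-arp-spoofing")
    for name in wanted:
        ref = ET.SubElement(iface, "filterref", filter=name)
        # The IP-based filters compare against the guest's assigned address;
        # the MAC filter is satisfied from the <mac> element automatically.
        if name != "no-mac-spoofing":
            ET.SubElement(ref, "parameter", name="IP", value=ip)
    return ET.tostring(iface, encoding="unicode")


def audit_domain(domain_xml):
    """Map each interface MAC to the list of protections it is missing.

    An interface is covered either by clean-traffic or by every individual
    filter in PROTECTIONS; anything else is reported so it can be fixed.
    """
    root = ET.fromstring(domain_xml)
    report = {}
    for iface in root.iter("interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "<no mac>"
        refs = {ref.get("filter") for ref in iface.findall("filterref")}
        if AGGREGATE_FILTER in refs:
            missing = []
        else:
            missing = [kind for kind, name in PROTECTIONS.items()
                       if name not in refs]
        report[mac] = missing
    return report


# Constructed sample: one NIC fully filtered via clean-traffic, one unfiltered.
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br100'/>
      <mac address='02:16:3e:00:00:01'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.0.0.3'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <source bridge='br100'/>
      <mac address='02:16:3e:00:00:02'/>
    </interface>
  </devices>
</domain>
"""

if __name__ == "__main__":
    for mac, missing in audit_domain(SAMPLE_DOMAIN).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{mac}: {status}")
    # Snippet for an ARP-proxy host where ARP filtering is switched off.
    print(interface_xml("02:16:3e:00:00:03", "10.0.0.5",
                        filter_arp_spoofing=False))
```

Running the audit against the sample reports the second interface as missing all three protections; generating a snippet with `filter_arp_spoofing=False` still attaches the MAC and IP filters, so turning the flag off only relaxes the one check the ARP proxy setup actually conflicts with.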