
yahoo-eng-team team mailing list archive

[Bug 1506076] [NEW] Allow connection tracking to be disabled per-port


Public bug reported:

This RFE is being raised in the context of this use case
https://review.openstack.org/#/c/176301/ from the TelcoWG.

OpenStack implements levels of per-VM security protection (security
groups, anti-spoofing rules).  If you want to deploy a trusted VM which
itself is providing network security functions, as with the above use
case, then it is often necessary to disable some of the native OpenStack
protection so as not to interfere with the protection offered by the VM
or use excessive host resources.

Neutron already allows you to disable security groups on a per-port
basis.  However, the Linux kernel will still perform connection tracking
on those ports.  With default Linux config, VMs will be severely scale-
limited without specific host configuration of connection tracking
limits - for example, a Session Border Controller VM may be capable of
handling millions of concurrent TCP connections, but a default host
won't support anything like that.  This bug is therefore an RFE to
request that disabling security group function for a port further
disables kernel connection tracking for IP addresses associated with
that port.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1506076

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1506076/+subscriptions
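As an added illustration of the resource concern in this RFE (example code, not from the bug report or from Neutron itself): a POSIX shell helper that reports how full the kernel's conntrack table is and emits the raw-table NOTRACK rules that would exempt one port's fixed IP from tracking. It assumes iptables with the `CT --notrack` target and the standard `/proc/sys/net/netfilter/` counter files; the address 10.0.0.5 is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Neutron's code.
# Assumptions: iptables raw table with the CT target is available, and the
# conntrack counters live under /proc/sys/net/netfilter/ (paths overridable).

# Print conntrack table usage as "used/max (percent%)".
# Args: optional paths to nf_conntrack_count and nf_conntrack_max.
# Returns 1 when the counters are not readable (conntrack not loaded).
conntrack_headroom() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    if [ ! -r "$count_file" ] || [ ! -r "$max_file" ]; then
        echo "conntrack counters not available" >&2
        return 1
    fi
    count=$(cat "$count_file")
    max=$(cat "$max_file")
    pct=$(( count * 100 / max ))
    echo "$count/$max (${pct}%)"
}

# Emit the raw-table rules that keep traffic to and from one fixed IP out of
# connection tracking. Bridged VM traffic on the host traverses PREROUTING
# in both directions, so matching -d and -s on that IP covers both sides
# without the sessions ever consuming nf_conntrack entries.
# The rules are printed, not applied: pipe into sh to apply, or swap
# -A for -C to check whether they are already present.
notrack_rules_for_ip() {
    ip=$1
    printf 'iptables -t raw -A PREROUTING -d %s -j CT --notrack\n' "$ip"
    printf 'iptables -t raw -A PREROUTING -s %s -j CT --notrack\n' "$ip"
}

# Stand-alone usage on a host (harmless: rules are only printed).
conntrack_headroom 2>/dev/null || true
notrack_rules_for_ip 10.0.0.5
```

Watch the headroom figure alongside `nf_conntrack: table full, dropping packet` kernel messages; once a high-session VM's traffic is exempted, the count should stop tracking its connection rate.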