
yahoo-eng-team team mailing list archive

[Bug 1649417] [NEW] RFE: Security group rule using address set


Public bug reported:

Today, if we want to create a rule in a security group to allow access
to/from a set of remote IPs, there are two ways:

1. If the set of remote IPs belongs to a group of Neutron ports, we can
attach those remote Neutron ports to a Neutron security group and use
the "remote group" field in the security group rule.

2. If the set of remote IPs can't be mapped to Neutron ports (they can
be IPs from an external or legacy networking system), we will have to
white-list each individual IP (if they cannot be summarized into CIDRs)
in each rule that references that set of IPs in the remote_ip_prefix
field.

For 2, if the number of remote IPs is huge, it will be inefficient in
the Neutron security group implementation and cause scaling issues. Now
that some back-end SDN systems (e.g. OVN) support the concept of an
"address set", it would be good to have the same model in Neutron
security groups, so that the capability of "address set" can be utilized
directly for external IPs.

It can be a simple extension to Neutron's Security Group extension to
support an "Address Set" object and reference it in Neutron security
group rules.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1649417

Title:
  RFE: Security group rule using address set

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1649417/+subscriptions
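As an added illustration (not code from the bug report, from Neutron or from OVN), the following Python models the two approaches the RFE contrasts: with remote_ip_prefix the rule count grows with the number of CIDRs times the number of rules, whereas an address set keeps one rule per port no matter how many external IPs it holds. The sample IPs are constructed, and the `remote_address_set` field name and the helper names are assumptions; the OVN match string uses OVN's `$set_name` form for referencing an address set.

```python
import ipaddress

# Constructed sample of external IPs that cannot be mapped to Neutron ports.
# Only 198.51.100.10-13 are contiguous; the rest do not summarize.
EXTERNAL_IPS = [
    "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13",
    "203.0.113.7", "203.0.113.9", "192.0.2.200",
]


def summarize(ips):
    """Collapse individual IPs into the fewest CIDRs (best case for approach 2)."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def prefix_rules(ips, ports):
    """Approach 2: one rule per CIDR per TCP port, each carrying remote_ip_prefix."""
    return [
        {"direction": "ingress", "protocol": "tcp", "port_range_min": p,
         "port_range_max": p, "remote_ip_prefix": cidr}
        for p in ports for cidr in summarize(ips)
    ]


def address_set_rules(ips, ports, set_name):
    """Proposed model: one named address set, one rule per port referencing it.

    'remote_address_set' is an assumed field name, not an existing Neutron attribute.
    """
    address_set = {"name": set_name,
                   "addresses": sorted(ips, key=ipaddress.ip_address)}
    rules = [
        {"direction": "ingress", "protocol": "tcp", "port_range_min": p,
         "port_range_max": p, "remote_address_set": set_name}
        for p in ports
    ]
    return address_set, rules


def ovn_match(set_name, port):
    """How an OVN ACL match would reference the same set ($name is OVN's syntax)."""
    return f"ip4.src == ${set_name} && tcp.dst == {port}"


def rule_counts(ips, ports, set_name="ext_allow"):
    """Return (rules needed with remote_ip_prefix, rules needed with an address set)."""
    _, set_rules = address_set_rules(ips, ports, set_name)
    return len(prefix_rules(ips, ports)), len(set_rules)
```

Adding a new external IP under approach 2 means touching every rule that references the set, while under the address-set model only the set's `addresses` list changes.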
