yahoo-eng-team team mailing list archive: Message #87343
[Bug 1946251] [NEW] API: allow to disable anti-spoofing but not SGs
Public bug reported:
Right now, the port security API seems to [1] disable both ACL filtering
(SGs) and anti-spoofing (allowed address pairs logic). An argument may
be made for allowing anti-spoofing to be disabled while still implementing ACL
filtering on a port. (This actually happened in one of the synthetic NFV
test environments in-house.) In this case, the user story would look
as follows:
0. A user creates a SG with TCP blocked.
1. A user creates a port using this SG.
2. A user uses a new API to mark the port to allow MAC spoofing.
3. A user sends TCP traffic using a different MAC through the port and sees it blocked.
4. A user sends UDP traffic using a different MAC through the port and sees it's not blocked.
The allowed-address-pairs API allows specifying masks for IP addresses,
effectively allowing a match against ANY IP address using a /0 mask. But
the MAC address part of the API doesn't support masks or other ways to list
groups of addresses. Perhaps the feature request may be fulfilled by
extending the API to allow a way to list groups of MAC addresses in the
anti-spoofing mechanism (either via a hardcoded special value like "ANY"
or via a mask). This doesn't necessarily mean it's the optimal way to do
it; throwing it here just as an idea to explore.
[1] https://bugs.launchpad.net/neutron/+bug/1946250
** Affects: neutron
Importance: Undecided
Status: New
** Tags: api rfe sg-fw
** Description changed:
Right now, port security API - seems to [1] - disable both ACL filtering
(SGs) and anti-spoofing (allowed address pairs logic). An argument may
be made to allow to disable anti-spoofing but still implement ACL
filtering on a port. (This actually happened in one of synthetic NFV
test environments in-house.) In this case, the user story would look
like as follows:
0. A user creates a SG with TCP blocked.
1. A user creates a port using this SG.
2. A user uses a new API to mark the port to allow MAC spoofing.
- 3. A user sends TCP traffic through the port and sees it blocked.
- 4. A user sends UDP traffic through the port and see it's not blocked.
+ 3. A user sends TCP traffic using a different MAC through the port and sees it blocked.
+ 4. A user sends UDP traffic using a different MAC through the port and see it's not blocked.
Allowed-address-pairs API allows to specify masks for IP addresses,
effectively allowing to match against ANY IP address using /0 mask. But
MAC address part of the API doesn't support masks or other ways to list
groups of addresses. Perhaps the feature request may be fulfilled by
extending the API to allow a way to list groups of MAC addresses in
anti-spoofing mechanism (either via a hardcoded special value like "ANY"
or via a mask). This doesn't necessarily mean it's the optimal way to do
it, throwing it here just as an idea to explore.
[1] https://bugs.launchpad.net/neutron/+bug/1946250
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1946251
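The user story above hinges on the order of the two checks a Neutron port applies to a frame: anti-spoofing (allowed-address-pairs) first, then security-group ACLs, with `port_security_enabled=False` switching off both at once. The following Python model, added here as an illustration and not code from Neutron or from the bug reporter, makes that coupling concrete. It mirrors the described semantics of `port_security_enabled` and `allowed_address_pairs` (IP side may be a CIDR, omitted MAC defaults to the port's own MAC) and adds a hypothetical `allow_mac_spoofing` flag standing in for the new API the report asks for; the `blocked_protocols` set is a stand-in for SG rules, and the MAC and IP values are constructed.

```python
"""Toy model of Neutron port filtering: anti-spoofing, then SG ACLs.

Added illustration, not Neutron code.  `allow_mac_spoofing` is a
HYPOTHETICAL attribute representing the API proposed in the bug report;
the other attributes follow the semantics described in the report.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Port:
    mac: str
    ip: str
    # Existing attribute: False disables BOTH anti-spoofing and SG filtering.
    port_security_enabled: bool = True
    # [(ip_or_cidr, mac_or_None)]; None means "the port's own MAC".
    allowed_address_pairs: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    # Stand-in for security-group rules: protocols the SG blocks.
    blocked_protocols: Set[str] = field(default_factory=set)
    # HYPOTHETICAL: skip anti-spoofing only, keep SG filtering.
    allow_mac_spoofing: bool = False


def anti_spoofing_allows(port: Port, src_mac: str, src_ip: str) -> bool:
    """True if (src_mac, src_ip) is the port's own pair or matches an allowed pair.

    The IP side of a pair may be a CIDR, so 0.0.0.0/0 matches any IPv4 source;
    the MAC side is an exact value, which is the asymmetry the report points out.
    """
    src_mac = src_mac.lower()
    if src_mac == port.mac.lower() and src_ip == port.ip:
        return True
    addr = ipaddress.ip_address(src_ip)
    for cidr, mac in port.allowed_address_pairs:
        pair_mac = (mac or port.mac).lower()
        if pair_mac == src_mac and addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def filter_frame(port: Port, src_mac: str, src_ip: str, proto: str) -> Tuple[str, str]:
    """Return (verdict, stage) for a frame leaving the port."""
    if not port.port_security_enabled:
        return ("accept", "port security disabled: no anti-spoofing, no SG")
    if not port.allow_mac_spoofing and not anti_spoofing_allows(port, src_mac, src_ip):
        return ("drop", "anti-spoofing")
    if proto.lower() in port.blocked_protocols:
        return ("drop", "security-group")
    return ("accept", "security-group")


SPOOFED_MAC = "fa:16:3e:00:00:99"  # constructed: not the port's MAC


def run_user_story(port: Port) -> dict:
    """Steps 3 and 4 of the report: TCP and UDP from a different MAC."""
    return {
        "tcp": filter_frame(port, SPOOFED_MAC, port.ip, "tcp")[0],
        "udp": filter_frame(port, SPOOFED_MAC, port.ip, "udp")[0],
    }


if __name__ == "__main__":
    base = dict(mac="fa:16:3e:aa:bb:cc", ip="10.0.0.5", blocked_protocols={"tcp"})
    print("proposed API :", run_user_story(Port(**base, allow_mac_spoofing=True)))
    print("today, PS off:", run_user_story(Port(**base, port_security_enabled=False)))
    print("today, PS on :", run_user_story(Port(**base)))
```

With the hypothetical flag the story comes out as the report wants (TCP dropped by the SG, UDP accepted); with today's `port_security_enabled=False` the TCP block disappears along with anti-spoofing, and with port security on, both frames are dropped at the anti-spoofing stage before the SG is even consulted.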