Neutron/SecurityGroups

= Neutron Security Group =

== Overview ==

 * Backward compatible with Nova security groups (EC2 and existing Nova deployments)
 * Allows specification of both ingress and egress rules (Nova security groups define ingress rules only)
 * Security groups are applied to Neutron ports (Nova security groups apply to instances)
 * Allows changing the security group at runtime (after launching an instance)

== Proposals ==

 * https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
 * Folsom Summit http://www.slideshare.net/delapsley1/20120417-osdesignsummitsecuritygroupsdlapsleyfinal

== Behavior ==
The basic characteristics of Neutron Security Groups are:

 * For ingress traffic (to an instance)
  * Only traffic matching security group rules is allowed.
  * When no rule is defined, all ingress traffic is dropped.
 * For egress traffic (from an instance)
  * Only traffic matching security group rules is allowed.
  * When no rule is defined, all egress traffic is dropped.
  * When a new security group is created, rules allowing all egress traffic are added automatically.
 * A "default" security group is defined for each tenant.
  * The default security group contains, by default, a rule allowing communication among hosts associated with the default security group.
  * As a result, within the default security group all egress traffic and communication among group members are allowed, while all ingress from outside the group is dropped by default.
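To make the whitelist semantics above concrete, here is a small Python model of how a port's security groups decide whether a packet is allowed. This is an added example, not Neutron's own code: the Rule fields mirror the Neutron API attribute names, but the SecurityGroup/default_group helpers, the evaluate() function and the packet dict format are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str = "IPv4"
    protocol: Optional[str] = None      # None matches any protocol
    port_min: Optional[int] = None      # None matches any port
    port_max: Optional[int] = None      # None means port_min only
    remote_ip_prefix: Optional[str] = None
    remote_group_id: Optional[str] = None

@dataclass
class SecurityGroup:
    id: str
    rules: list = field(default_factory=list)
    def __post_init__(self):
        # Neutron adds allow-all egress rules to every newly created group.
        self.rules += [Rule("egress", "IPv4"), Rule("egress", "IPv6")]

def default_group(tenant: str) -> SecurityGroup:
    """Per-tenant default group: additionally allows ingress between its own members."""
    sg = SecurityGroup(f"default-{tenant}")
    sg.rules += [Rule("ingress", "IPv4", remote_group_id=sg.id),
                 Rule("ingress", "IPv6", remote_group_id=sg.id)]
    return sg

def _matches(r: Rule, pkt: dict) -> bool:
    """pkt is a constructed dict with keys direction, ethertype, protocol, port,
    remote_ip and remote_groups (ids of the groups on the remote Neutron port, if known)."""
    if r.direction != pkt["direction"] or r.ethertype != pkt["ethertype"]:
        return False
    if r.protocol and r.protocol != pkt.get("protocol"):
        return False
    hi = r.port_max if r.port_max is not None else r.port_min
    if r.port_min is not None and not r.port_min <= pkt.get("port", -1) <= hi:
        return False
    if r.remote_ip_prefix and ipaddress.ip_address(pkt["remote_ip"]) not in \
            ipaddress.ip_network(r.remote_ip_prefix, strict=False):
        return False
    if r.remote_group_id and r.remote_group_id not in pkt.get("remote_groups", ()):
        return False
    return True

def evaluate(port_groups: list, pkt: dict) -> str:
    """Whitelist semantics: allow only if some rule of some group on the port matches, else drop."""
    return "allow" if any(_matches(r, pkt) for sg in port_groups for r in sg.rules) else "drop"
```

Running evaluate() on a freshly created group shows ingress dropped and egress allowed until an explicit ingress rule is added, and the default group admitting only traffic from its own members.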

== Workflow scenarios ==
There are several options for using Neutron security groups with Nova. If there are other scenarios, please add them.

 * (A) Using Neutron security groups directly
  * Create a neutron port.
  * Associate a security group with the port.
  * Repeat the above if multiple vNICs are required.
  * Launch a VM, passing the port-id of the neutron port.
  * The VM now runs with the security group rules applied.
 * (B) Using the Nova security group proxy (same as the traditional Nova approach)
  * A user asks Nova to launch an instance, specifying the security groups to associate.
  * Nova creates neutron ports.
  * Nova associates neutron security groups with the ports.
  * Nova launches an instance with the ports created.

 * Comparisons
  * In scenario (B) we need to consider how to specify a security group for each vNIC. One option is to apply a common security group to all vNICs.
  * To use the full neutron security group features, such as overlapping IPs or egress filtering, scenario (A) is required.

== Implementations ==

 * Linux Bridge plugin (with iptables) https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables
 * OVS plugin (with iptables)
 * NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp
 * NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group
 * PLUMgrid Plugin https://blueprints.launchpad.net/neutron/+spec/plumgrid-plugin-security-groups