Difference between revisions of "Neutron/SecurityGroups"
< Neutron
| Line 54: | Line 54: | ||
== Implementations == | == Implementations == | ||
| − | * Linux Bridge (with iptables) https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables | + | * Linux Bridge plugin (with iptables) https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables |
| − | * NVP https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp | + | * OVS plugin (with iptables) |
| + | * NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp | ||
| + | * NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group | ||
== References == | == References == | ||
* Amazon VPC Security Groups : http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html | * Amazon VPC Security Groups : http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html | ||
| + | * Amazon VPC FAQ http://aws.amazon.com/vpc/faqs/#S1 | ||
Revision as of 07:38, 15 February 2013
Quantum Security Group
<<TableOfContents()>>
Overview
- Backward compatible with Nova security groups (EC2 & existing nova deployments)
- Allows specifications of ingress and egress (Nova security groups defines ingress rules only)
- Security groups are applied on quantum ports (Nova security groups are for instances)
- Allows changing security group at runtime (after launching an instance)
Proposals
- https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
- Folsom Summit http://www.slideshare.net/delapsley1/20120417-osdesignsummitsecuritygroupsdlapsleyfinal
Behavior
The basic characteristics of Quantum Security Groups are:
- For ingress traffic
- Only traffic matched with security group rules are allowed.
- When there is no rule defined, all traffic are dropped.
- For egress traffic
- If there is no rules, all traffic are allowed.
- Otherwise only traffic matchecd with security group rules are allowed and traffic not matched are dropped.
- "default security group" is defined for each tenant.
- For the default security group a rule which allows intercommunication among hosts associated with the default security group is defined by default.
- As a result, all egress traffic and intercommunication in the default group are allowed and all ingress from outside of the default group is dropped by default (in the default security group).
Workflow scenarios
There are some options using Quantum security groups with Nova. If there are any other scenarios, please add them.
- (A) Using Quantum secgroup directly
- Create a quantum port
- Associate security group with the port
- Repeat the above if multiple vNICs are required.
- Launch a VM passing port-id of the quantum port
- Now I got the VM where sg rules are applied.
- (B) Using nova secgroup proxy (same as traditional Nova approach)
- A user requests nova to launch an instance specifying security groups associated.
- Nova creates quantum ports.
- Nova associates quantum security groups with the ports
- Nova launches an instance with the ports created.
[Comparisons]
- In scenario (B) we need to consider is how to specify a security group for each vNIC.
One option is that a common security group is applied to all vNICs.
- To use full quantum security group features like IP overlapping or egress filtering,
scenario (A) is required.
Implementations
- Linux Bridge plugin (with iptables) https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables
- OVS plugin (with iptables)
- NVP plugin https://blueprints.launchpad.net/quantum/+spec/security-groups-nvp
- NEC plugin https://blueprints.launchpad.net/quantum/+spec/nec-security-group
References
- Amazon VPC Security Groups : http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
- Amazon VPC FAQ http://aws.amazon.com/vpc/faqs/#S1
