
Neutron/SecurityGroups

Revision as of 21:23, 16 February 2013 by Fungi (talk | contribs) (import cleanup)

Quantum Security Group

Overview

  • Backward compatible with Nova security groups (EC2 & existing nova deployments)
  • Allows specification of both ingress and egress rules (Nova security groups define ingress rules only)
  • Security groups are applied on quantum ports (Nova security groups are for instances)
  • Allows changing security group at runtime (after launching an instance)

Proposals

Behavior

The basic characteristics of Quantum Security Groups are:

  • For ingress traffic
    • Only traffic matching security group rules is allowed.
    • When no rule is defined, all traffic is dropped.
  • For egress traffic
    • If there are no rules, all traffic is allowed.
    • Otherwise only traffic matching security group rules is allowed, and traffic that does not match is dropped.
  • A "default security group" is defined for each tenant.
    • For the default security group, a rule which allows intercommunication among hosts associated with the default security group is defined by default.
    • As a result, in the default security group all egress traffic and intercommunication within the group are allowed, and all ingress from outside the group is dropped by default.
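The evaluation rules above, worked through in code. This is an added example, not Quantum code: groups, rules and ports are constructed in memory, a rule matches on protocol, destination port, remote CIDR or remote group, and "no rules" for the egress allow-all case is assumed to mean no egress rules across every group on the port.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    protocol: Optional[str] = None      # None matches any protocol
    port: Optional[int] = None          # None matches any destination port
    remote_ip: Optional[str] = None     # CIDR the peer address must fall in
    remote_group: Optional[str] = None  # peer must be a member of this group

@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Port:
    ip: str
    groups: List[SecurityGroup]

def default_group() -> SecurityGroup:
    # Per-tenant default group: one ingress rule admitting members of the same group.
    return SecurityGroup("default", [Rule("ingress", remote_group="default")])
def rule_matches(rule: Rule, protocol: str, dport: int, peer: Port) -> bool:
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port is not None and rule.port != dport:
        return False
    if rule.remote_ip is not None and ip_address(peer.ip) not in ip_network(rule.remote_ip):
        return False
    return rule.remote_group is None or any(g.name == rule.remote_group for g in peer.groups)

def allowed(port: Port, direction: str, protocol: str, dport: int, peer: Port) -> bool:
    # Ingress is deny-by-default; egress is allow-all only when the port has no egress
    # rules at all (assumption: "no rules" is counted across every group on the port).
    rules = [r for g in port.groups for r in g.rules if r.direction == direction]
    if not rules:
        return direction == "egress"
    return any(rule_matches(r, protocol, dport, peer) for r in rules)

if __name__ == "__main__":  # constructed sample tenant
    a = Port("10.0.0.2", [default_group()])
    b = Port("10.0.0.3", [default_group(), SecurityGroup("web", [Rule("ingress", "tcp", 80, "0.0.0.0/0")])])
    outsider = Port("203.0.113.7", [])
    print(allowed(a, "ingress", "tcp", 22, b))         # True: both in the default group
    print(allowed(a, "ingress", "tcp", 22, outsider))  # False: ingress from outside is dropped
    print(allowed(b, "ingress", "tcp", 80, outsider))  # True: explicit web rule
    print(allowed(a, "egress", "tcp", 443, outsider))  # True: no egress rules at all
```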

Workflow scenarios

There are several options for using Quantum security groups with Nova. If there are any other scenarios, please add them.

  • (A) Using Quantum secgroup directly
    1. Create a quantum port.
    2. Associate a security group with the port.
    3. Repeat the above if multiple vNICs are required.
    4. Launch a VM, passing the port-id of the quantum port.
    5. The VM now has the security group rules applied.
  • (B) Using the nova secgroup proxy (the same as the traditional Nova approach)
    1. A user requests nova to launch an instance, specifying the security groups to associate.
    2. Nova creates quantum ports.
    3. Nova associates quantum security groups with the ports.
    4. Nova launches an instance with the ports created.

[Comparisons]

  • In scenario (B) we need to consider how to specify a security group for each vNIC. One option is that a common security group is applied to all vNICs.
  • To use the full quantum security group features, such as IP overlapping or egress filtering, scenario (A) is required.

Implementations

References