Difference between revisions of "XenServerOVS"
Line 17: | Line 17: | ||
== User stories == | == User stories == | ||
+ | |||
+ | 1. As a service provider, I want to ensure customer instances are secure. | ||
+ | 2. As a user, I want to make sure my instance is protected. | ||
== Assumptions == | == Assumptions == | ||
− | + | [[NovaSpec]]:xs-inject-networking is present in order for script to get it's input data for the rules. | |
− | |||
− | |||
== Design == | == Design == | ||
− | + | Determine which ACLs need to be implemented to block all of the proper traffic. Need to prevent ARP poisoning, MAC address spoofing, and unauthorized sniffing of traffic for IPv4. Also need to prevent NDP attacks in IPv6. | |
== Implementation == | == Implementation == | ||
− | + | vif_rules.py is pushed down the [[XenServer]] host on provisioning of host nodes. Script to enable or disable rules is ran on VM start, reboot, or shutdown. | |
− | |||
− | |||
− | |||
− | |||
=== Code Changes === | === Code Changes === | ||
− | + | Modifications to vif_rules.py and vif scripts in [[XenServer]] dom0 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Test/Demo Plan == | == Test/Demo Plan == | ||
This need not be added or completed until the specification is nearing beta. | This need not be added or completed until the specification is nearing beta. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
---- | ---- | ||
[[Category:Spec]] | [[Category:Spec]] |
Revision as of 20:29, 31 January 2011
- Launchpad Entry: NovaSpec:xs-ovs
- Created:
- Contributors:
Summary
Adds support for the Open vSwitch in XenServer. This allows for the transition away from the standard Linux Bridge in XenServer and gives us more granular networking protections without having to utilize iptables, arptables, or ebtables for the host. OVS will also provide better IPv6 protections which will enable us to prevent things like NDP attacks which we currently can't properly protect against with the Liunx bridge.
Release Note
OVS is currently bundled into the XenServer platform. ACLs would be fired on instance create and teardown to protect the guest. If a blanket set of security rules are used, then this can run independent of Nova in dom0.
Rationale
Out of the box, XenServer is built for a single Enterprise and is not really built with the concept of being multi-tennant which is typically what Service Providers require. In order to fully secure the guests from each other, certain networking rules need to be applied to the virtual interfaces of each guest from the hypervisor. This ensures better security and an overall better experience for the guests.
User stories
1. As a service provider, I want to ensure customer instances are secure. 2. As a user, I want to make sure my instance is protected.
Assumptions
NovaSpec:xs-inject-networking is present in order for script to get it's input data for the rules.
Design
Determine which ACLs need to be implemented to block all of the proper traffic. Need to prevent ARP poisoning, MAC address spoofing, and unauthorized sniffing of traffic for IPv4. Also need to prevent NDP attacks in IPv6.
Implementation
vif_rules.py is pushed down the XenServer host on provisioning of host nodes. Script to enable or disable rules is ran on VM start, reboot, or shutdown.
Code Changes
Modifications to vif_rules.py and vif scripts in XenServer dom0
Test/Demo Plan
This need not be added or completed until the specification is nearing beta.