Difference between revisions of "XenServerOVS"
m (Text replace - "__NOTOC__" to "") |
|||
| Line 1: | Line 1: | ||
| − | + | ||
* '''Launchpad Entry''': [[NovaSpec]]:xs-ovs | * '''Launchpad Entry''': [[NovaSpec]]:xs-ovs | ||
* '''Created''': | * '''Created''': | ||
Revision as of 23:30, 17 February 2013
- Launchpad Entry: NovaSpec:xs-ovs
- Created:
- Contributors:
Contents
Summary
Adds support for the Open vSwitch in XenServer. This allows for the transition away from the standard Linux Bridge in XenServer and gives us more granular networking protections without having to utilize iptables, arptables, or ebtables for the host. OVS will also provide better IPv6 protections which will enable us to prevent things like NDP attacks which we currently can't properly protect against with the Liunx bridge.
Release Note
OVS is currently bundled into the XenServer platform. ACLs would be fired on instance create and teardown to protect the guest. If a blanket set of security rules are used, then this can run independent of Nova in dom0.
Rationale
Out of the box, XenServer is built for a single Enterprise and is not really built with the concept of being multi-tennant which is typically what Service Providers require. In order to fully secure the guests from each other, certain networking rules need to be applied to the virtual interfaces of each guest from the hypervisor. This ensures better security and an overall better experience for the guests.
User stories
- As a service provider, I want to ensure customer instances are secure.
- As a user, I want to make sure my instance is protected.
Assumptions
NovaSpec:xs-inject-networking is present in order for script to get it's input data for the rules. IPv6 is currently not supported in OVS today but Citrix is working on getting a new version that will be put in future versions of XenServer.
Design
Determine which ACLs need to be implemented to block all of the proper traffic. Need to prevent ARP poisoning, MAC address spoofing, and unauthorized sniffing of traffic for IPv4. Also need to prevent NDP attacks in IPv6. Script will need to receive MAC, VIF #, IPv4 and IPv6 inputs to be able to generate rules.
Implementation
vif_rules.py is pushed down the XenServer host on provisioning of host nodes. Script to enable or disable rules is ran on VM start, reboot, or shutdown.
Code Changes
Modifications to vif_rules.py and vif scripts in XenServer dom0. This will run independent of compute on the host.
Test/Demo Plan
This need not be added or completed until the specification is nearing beta.
