rules referencing security group members expose VMs in overlapping IP scenarios

Relevant mail thread: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066225.html

From the discussion in the thread that Kevin linked.

"Our security group grouping model implies that you are allowing specific neutron ports. That happens to be rendered into iptables rules based on the IP addresses, which violates the API intent whenever ports land in different overlapping subnets."

We attach security groups to an L2 thing but we expect it to apply across L3 routing boundaries. I think this is a fundamental flaw in the design of security groups. Or, at least, it is fundamentally at odds with the ability to create networks that overlap ip addresses. I think it is just a bad idea to try to consider an L2 object beyond the scope of the L2 network to which it is connected. A solution which involves tracing L3 connectivity has already been called "horrific" in the neutron team meeting [1]. +1k to that. I hope that we're not going to seriously consider it. It will be very painful to write, maintain, and scale.

[1] http://eavesdrop.openstack.org/meetings/networking/2015/networking.2015-06-08-21.01.log.html#l-62

I think we should examine the use cases around having networks with overlapping IP addresses and develop some guidelines for how to use it safely with multiple security groups. I just can't see how we can solve this problem in all cases.

>We attach security groups to an L2 thing but we expect it to apply across L3 routing boundaries. I think this is a fundamental flaw in the design of security groups.

I think it's the only feature of security groups that makes it somewhat user-friendly. It's an awesome concept to not have to keep track of the IP addresses of all of your instances. Our implementation just happens to not take overlapping IPs into account. That's not a problem with the API, it's a problem with how we rendered the groups into rules.

why the VMs should be isolated from each other if they are in different SGs, even if the rules is the same.

SG just control the pkg in/out the VM, if the different SGs have the same rules, I think VMs should have the same pkgs control, they could communicate each other if they are in the same network, like the port1 and port3 in this case.

They should be isolated because there is no rule that allows the traffic. The API rules are based on allowing a security group, so only members of that security group should be allowed to communicate with the VM.

got it, thanks Kevin for your detailed explanation.

I attached a visual representation of the issue.

Is this bug going to be solved?

This bug is > 240 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

[Expired for neutron because there has been no activity for 60 days.]