neutron

[RFE] API: allow to disable anti-spoofing but not SGs

Bug #1946251 reported by Ihar Hrachyshka on 2021-10-06

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	New	Wishlist	Unassigned

Bug Description

Right now, port security API - seems to [1] - disable both ACL filtering (SGs) and anti-spoofing (allowed address pairs logic). An argument may be made to allow to disable anti-spoofing but still implement ACL filtering on a port. (This actually happened in one of synthetic NFV test environments in-house.) In this case, the user story would look like as follows:

0. A user creates a SG with TCP blocked.
1. A user creates a port using this SG.
2. A user uses a new API to mark the port to allow MAC spoofing.
3. A user sends TCP traffic using a different MAC through the port and sees it blocked.
4. A user sends UDP traffic using a different MAC through the port and see it's not blocked.

Allowed-address-pairs API allows to specify masks for IP addresses, effectively allowing to match against ANY IP address using /0 mask. But MAC address part of the API doesn't support masks or other ways to list groups of addresses. Perhaps the feature request may be fulfilled by extending the API to allow a way to list groups of MAC addresses in anti-spoofing mechanism (either via a hardcoded special value like "ANY" or via a mask). This doesn't necessarily mean it's the optimal way to do it, throwing it here just as an idea to explore.

[1] https://bugs.launchpad.net/neutron/+bug/1946250

See original description

Tags:

Ihar Hrachyshka (ihar-hrachyshka) on 2021-10-06

description:

updated

Revision history for this message

Lajos Katona (lajos-katona) wrote on 2021-10-07:

#1

Hi Ihar, we will have drivers meeting on Friday 1400UTC (https://meetings.opendev.org/#Neutron_drivers_Meeting) where we will discuss this proposal, you can join the discussion on IRC #openstack-neutron.

Rodolfo Alonso (rodolfo-alonso-hernandez) on 2021-10-08

summary:	- API: allow to disable anti-spoofing but not SGs + [RFE] API: allow to disable anti-spoofing but not SGs
Changed in neutron:
importance:	Undecided → Low
importance:	Low → Wishlist
assignee:	nobody → Ihar Hrachyshka (ihar-hrachyshka)

Revision history for this message

Miguel Lavalle (minsel) wrote on 2021-10-14:

#2

Read the discussion log here: https://meetings.opendev.org/meetings/neutron_drivers/2021/neutron_drivers.2021-10-08-14.14.log.html. I am ok with the idea of disabling anti-spoofing while keeping security groups. Since the agreement was to develop a spec, we can hash out the API details there.

Lajos Katona (lajos-katona) on 2021-10-15

tags:

added: rfe-approved

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-10-29: Related fix proposed to neutron-specs (master)

#3

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-specs/+/815994

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-01-27: Related fix merged to neutron-specs (master)

#4

Reviewed: https://review.opendev.org/c/openstack/neutron-specs/+/815994
Committed: https://opendev.org/openstack/neutron-specs/commit/077328f988915f279e55bea8ac6222f7ec2bd7b0
Submitter: "Zuul (22348)"
Branch: master

commit 077328f988915f279e55bea8ac6222f7ec2bd7b0
Author: Ihar Hrachyshka <email address hidden>
Date: Fri Oct 29 16:09:51 2021 -0400

Allowed Address Pair: support matching ANY MAC address

Related-Bug: #1946251
Change-Id: I553ac57fc1e0325236282a6d218b0726a6693633

Revision history for this message

Ihar Hrachyshka (ihar-hrachyshka) wrote on 2025-01-20:

#5

Spec was merged but never implemented. I won't have time for this any more.

Changed in neutron:
assignee:	Ihar Hrachyshka (ihar-hrachyshka) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.