Activity log for bug #1946251

Date | Who | What changed | Old value | New value | Message
2021-10-06 16:48:56 | Ihar Hrachyshka | bug | | | added bug
2021-10-06 16:53:24 | Ihar Hrachyshka | description | (old value, see below) | (new value, see below) |

Old value of description:

Right now, the port security API seems [1] to disable both ACL filtering (SGs) and anti-spoofing (allowed address pairs logic). An argument may be made for allowing anti-spoofing to be disabled while still implementing ACL filtering on a port. (This actually happened in one of the synthetic NFV test environments in-house.) In this case, the user story would look as follows:

0. A user creates a SG with TCP blocked.
1. A user creates a port using this SG.
2. A user uses a new API to mark the port to allow MAC spoofing.
3. A user sends TCP traffic through the port and sees it blocked.
4. A user sends UDP traffic through the port and sees it's not blocked.

The allowed-address-pairs API allows specifying masks for IP addresses, effectively allowing a match against ANY IP address using a /0 mask. But the MAC address part of the API doesn't support masks or other ways to list groups of addresses. Perhaps the feature request may be fulfilled by extending the API to allow a way to list groups of MAC addresses in the anti-spoofing mechanism (either via a hardcoded special value like "ANY" or via a mask). This doesn't necessarily mean it's the optimal way to do it; throwing it here just as an idea to explore.

[1] https://bugs.launchpad.net/neutron/+bug/1946250

New value of description:

Right now, the port security API seems [1] to disable both ACL filtering (SGs) and anti-spoofing (allowed address pairs logic). An argument may be made for allowing anti-spoofing to be disabled while still implementing ACL filtering on a port. (This actually happened in one of the synthetic NFV test environments in-house.) In this case, the user story would look as follows:

0. A user creates a SG with TCP blocked.
1. A user creates a port using this SG.
2. A user uses a new API to mark the port to allow MAC spoofing.
3. A user sends TCP traffic using a different MAC through the port and sees it blocked.
4. A user sends UDP traffic using a different MAC through the port and sees it's not blocked.

The allowed-address-pairs API allows specifying masks for IP addresses, effectively allowing a match against ANY IP address using a /0 mask. But the MAC address part of the API doesn't support masks or other ways to list groups of addresses. Perhaps the feature request may be fulfilled by extending the API to allow a way to list groups of MAC addresses in the anti-spoofing mechanism (either via a hardcoded special value like "ANY" or via a mask). This doesn't necessarily mean it's the optimal way to do it; throwing it here just as an idea to explore.

[1] https://bugs.launchpad.net/neutron/+bug/1946250

2021-10-08 15:43:39 | Rodolfo Alonso | summary | API: allow to disable anti-spoofing but not SGs | [RFE] API: allow to disable anti-spoofing but not SGs |
2021-10-08 15:43:48 | Rodolfo Alonso | neutron: importance | Undecided | Low |
2021-10-08 15:43:53 | Rodolfo Alonso | neutron: importance | Low | Wishlist |
2021-10-08 15:44:33 | Rodolfo Alonso | neutron: assignee | | Ihar Hrachyshka (ihar-hrachyshka) |
2021-10-15 18:31:18 | Lajos Katona | tags | api rfe sg-fw | api rfe rfe-approved sg-fw |