openstack quantum security groups session
Post on 25-May-2015
Quantum Security Groups Session
Dave Lapsley (@davlaps)
http://slidesha.re/HQvDTk
http://etherpad.openstack.org/quantum-folsom
Session Goals
• Introduction to Nova Security Groups
• Proposal:
  – Move Security Groups from Nova to Quantum
• Discussion:
  – Provider Firewalling
  – Access Control Lists
  – Other
Proposal: move Security Groups from Nova to Quantum
• Security Groups fit naturally within the network API
• Plugins can implement them in a compatible way
Features and Use Cases
Nova Security Groups
• Collection of network access rules that specify what traffic is allowed to ingress a VM
• Associated with a VM at startup
  – If no Security Group is specified, the VM belongs to the default Security Group, which allows traffic from all other members of the group
• A VM can be associated with many Security Groups
• A Security Rule specifies:
  – Source of traffic (IP subnet in CIDR notation, or another security group)
  – Protocol (TCP, UDP, ICMP)
  – Destination port (range) on the VM
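The rule semantics just listed are easy to misread in two places: a rule whose source is another security group means "any current member of that group", so enforcement needs a membership table that changes every time a VM boots or dies, and a VM in several groups gets the union of all their rules with everything else dropped. The following is an added reference model of those semantics written for this page; it is not Nova code. The group names, addresses and the MEMBERSHIP table are constructed for the demonstration, and the ICMP convention (from_port is the ICMP type, -1 means any) is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One security group rule as described on the slides."""
    ip_protocol: str                    # "tcp", "udp" or "icmp"
    from_port: int                      # destination port range on the VM
    to_port: int                        # (icmp: from_port is the type, -1 = any; assumed)
    cidr: Optional[str] = None          # source subnet ...
    source_group: Optional[str] = None  # ... or the name of a source security group


@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)


# Constructed membership table (group name -> addresses of the VMs in it).
# A rule whose source is a group means "traffic from any current member",
# so enforcement depends on this mapping, not just on the rule text.
MEMBERSHIP = {
    "default": {"10.0.0.11", "10.0.0.12"},
    "mygroup": {"10.0.0.11"},
    "web": {"10.0.0.20"},
}


def default_group():
    """Nova's default group: allow traffic from all other members of the group."""
    return SecurityGroup("default", [
        Rule("tcp", 1, 65535, source_group="default"),
        Rule("udp", 1, 65535, source_group="default"),
        Rule("icmp", -1, -1, source_group="default"),
    ])


def rule_matches(rule, src_ip, proto, dport):
    """True if one rule permits a packet from src_ip to the VM's proto/dport."""
    if rule.ip_protocol != proto:
        return False
    if proto == "icmp":
        if rule.from_port != -1 and rule.from_port != dport:   # dport = ICMP type
            return False
    elif not rule.from_port <= dport <= rule.to_port:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr, strict=False)
    if rule.source_group is not None:
        return src_ip in MEMBERSHIP.get(rule.source_group, set())
    return False


def ingress_allowed(groups, src_ip, proto, dport):
    """Security groups are an allow-list: a VM in several groups gets the
    union of their rules, and anything no rule permits is dropped."""
    return any(rule_matches(r, src_ip, proto, dport)
               for g in groups for r in g.rules)


def demo():
    # The group built in the CLI example on the slides.
    mygroup = SecurityGroup("mygroup", [
        Rule("tcp", 22, 22, cidr="192.168.1.0/24"),
        Rule("tcp", 3306, 3306, cidr="192.168.1.0/24"),
    ])
    server1 = [mygroup]           # booted with --security_groups mygroup
    server2 = [default_group()]   # booted with no group: lands in "default"
    return {
        "ssh_from_lan": ingress_allowed(server1, "192.168.1.50", "tcp", 22),
        "ssh_from_elsewhere": ingress_allowed(server1, "10.0.0.5", "tcp", 22),
        "http_from_lan": ingress_allowed(server1, "192.168.1.50", "tcp", 80),
        "ping_from_lan": ingress_allowed(server1, "192.168.1.50", "icmp", 8),
        "default_from_member": ingress_allowed(server2, "10.0.0.12", "tcp", 8080),
        "default_from_outsider": ingress_allowed(server2, "10.0.0.20", "tcp", 8080),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} {'ALLOW' if allowed else 'DROP'}")
```

Two things the run makes visible: "mygroup" silently drops ICMP (no rule for it, so even ping from the trusted subnet fails), and the default group's self-reference lets any VM that later lands in "default" reach server2 on every port, which is why the slides later argue for per-port association and explicit ingress/egress rules.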
Security Group Command Line
EC2
euca-add-group
euca-authorize
euca-delete-group
euca-describe-group
euca-describe-groups
OpenStack Nova
secgroup-add-group-rule
secgroup-add-rule
secgroup-create
secgroup-delete
secgroup-delete-group-rule
secgroup-delete-rule
secgroup-list
secgroup-list-rules
Example
OpenStack

$ nova secgroup-create mygroup description
+---------+-------------+
| Name    | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2

$ euca-add-group -d description mygroup
GROUP       mygroup description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP       mygroup
PERMISSION  mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP       mygroup
PERMISSION  mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-describe-groups
GROUP       550d88112b9048fd931f1c66b2c7a932 default default
GROUP       550d88112b9048fd931f1c66b2c7a932 mygroup description
PERMISSION  550d88112b9048fd931f1c66b2c7a932 mygroup ALLOWS tcp 22 22 FROM CIDR 192.168.1.0/24
PERMISSION  550d88112b9048fd931f1c66b2c7a932 mygroup ALLOWS tcp 3306 3306 FROM CIDR 192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION r-eezz74kc 550d88112b9048fd931f1c66b2c7a932 mygroup
INSTANCE    i-00000001 ami-00000001 server-1 server-1 pending 0 m1.small 2012-04-17T05:51:30.000Z unknown zone aki-00000002 ari-00000003
Current Security Group Model
• Features:
  – Per-Virtual Machine Security Group association
  – Filtering of traffic entering the VM only (the slides call this "network egress", i.e. egress from the network into the VM; traffic the VM sends is not filtered)
  – Matching on Source subnet, Protocol, and Destination Port Range
Use Case: Distributed Firewall (current features)
Security Group API
Verb    URI                                                                Description
GET     v1.1/{tenant_id}/os-security-groups                                List security groups
POST    v1.1/{tenant_id}/os-security-groups                                Create a new security group
GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}            Get specific security group
DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}            Delete security group
POST    v1.1/{tenant_id}/os-security-group-rules                           Create security group rules
DELETE  v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}  Delete security group rule
GET     v1.1/{tenant_id}/servers/{server_id}/os-security-groups            List security groups for a specific server
Proposed Security Group Model
• Features:
  – Per-Port Security Group association
  – Network egress/ingress filtering (both directions)
    • Similar to AWS VPC
  – Matching on Source subnet, Protocol, and Destination Port Range in both directions
  – Stateful egress filtering
  – Default deny, except that a group with no ingress rules accepts all ingress
  – IPv6 Support
Use Case: Distributed Firewall (proposed features)
Proposed Security Group API
Verb    URI                                                                              Description
GET     v1.1/{tenant_id}/os-security-groups                                              List security groups
POST    v1.1/{tenant_id}/os-security-groups                                              Create a new security group*
GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}                          Get specific security group
DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}                          Delete security group
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}                          Update security group*
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port           Associate port with security group
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port          Dissociate port from security group
GET     v1.1/{tenant_id}/os-security-groups/list_for_port                                List security groups for specified port
Architecture
Pre-Essex Architecture
Essex Architecture
Folsom Architecture?
Other Features
Provider Firewalling
• Need security groups that are modifiable by tenants
• Also desirable: security groups that are modifiable only by the service provider
  – E.g. preventing a tenant from sending SMTP traffic
  – Blocking all incoming traffic on a known trojan port
• Not an ideal fit for security groups: a tenant-owned allow-list has no way to express a deny the tenant cannot remove
Access Control Lists
• Current security group model is somewhat limited
• Would be nice to have a more generic ACL capability
• Features:
  – Ingress/Egress filtering
  – Port-based association
  – More sophisticated matching
  – Allow/deny
  – Combination of ACLs
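The provider firewalling use case above and this ACL feature list describe the same missing capability from two sides: ordered allow/deny entries, attached to a port, evaluated in both directions, with a provider-owned list that takes precedence over whatever the tenant writes. The sketch below is an added example for this page, not OpenStack code; the Entry/ACL structure, the "provider ACLs first, first opinion wins, default deny" combination rule, the tenant id, the addresses and the placeholder port 12345 standing in for the "known trojan port" are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str                      # "allow" or "deny"
    direction: str                   # "ingress" (into the VM) or "egress" (out of the VM)
    protocol: Optional[str] = None   # None = any protocol
    port_min: int = 1
    port_max: int = 65535
    remote: str = "0.0.0.0/0"        # remote prefix: source for ingress, destination for egress

    def matches(self, direction, proto, port, remote_ip):
        return (self.direction == direction
                and (self.protocol is None or self.protocol == proto)
                and self.port_min <= port <= self.port_max
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote))


@dataclass
class ACL:
    name: str
    owner: str                       # "provider" or a tenant id
    entries: tuple                   # ordered: first matching entry decides

    def decide(self, direction, proto, port, remote_ip):
        """Return "allow"/"deny" from the first matching entry, or None for no opinion."""
        for e in self.entries:
            if e.matches(direction, proto, port, remote_ip):
                return e.action
        return None


def evaluate(port_acls, direction, proto, port, remote_ip):
    """Combination rule assumed here: provider-owned ACLs are consulted before
    tenant-owned ones, the first ACL with an opinion wins, and nothing matching
    means deny. Attachment order on the port is irrelevant."""
    ordered = sorted(port_acls, key=lambda a: 0 if a.owner == "provider" else 1)
    for acl in ordered:
        verdict = acl.decide(direction, proto, port, remote_ip)
        if verdict is not None:
            return verdict
    return "deny"


# Provider-only list implementing the two examples from the slides. Port 12345 is a
# constructed placeholder for "a known trojan port", not a claim about any malware.
PROVIDER = ACL("provider-baseline", "provider", (
    Entry("deny", "egress", "tcp", 25, 25),          # tenants may not send SMTP
    Entry("deny", "ingress", "tcp", 12345, 12345),   # block inbound on the trojan port
))

# Tenant-owned list: SSH from the office subnet, HTTP from anywhere, high ports from
# the office subnet, and unrestricted egress. The tenant cannot override PROVIDER.
TENANT = ACL("tenant-web", "tenant-a", (
    Entry("allow", "ingress", "tcp", 22, 22, "192.168.1.0/24"),
    Entry("allow", "ingress", "tcp", 80, 80),
    Entry("allow", "ingress", "tcp", 1024, 65535, "192.168.1.0/24"),
    Entry("allow", "egress"),
))


def demo():
    acls = [TENANT, PROVIDER]   # deliberately listed tenant-first
    return {
        "smtp_out": evaluate(acls, "egress", "tcp", 25, "203.0.113.10"),
        "https_out": evaluate(acls, "egress", "tcp", 443, "203.0.113.10"),
        "ssh_in_lan": evaluate(acls, "ingress", "tcp", 22, "192.168.1.9"),
        "ssh_in_other": evaluate(acls, "ingress", "tcp", 22, "198.51.100.7"),
        "trojan_in_lan": evaluate(acls, "ingress", "tcp", 12345, "192.168.1.9"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} {verdict}")
```

The interesting case is trojan_in_lan: the tenant's own list would allow it (high port from the office subnet), but the provider entry is consulted first and wins, which is exactly what a tenant-owned security group allow-list cannot express.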
Comments, Questions, Suggestions?
@davlaps