Quantum Security Groups Session
Dave Lapsley@davlaps
http://slidesha.re/HQvDTk
http://etherpad.openstack.org/quantum-folsom
Session Goals
• Introduction to Nova Security Groups
• Proposal:
– Move Security Groups from Nova to Quantum
• Discussion:
– Provider Firewalling
– Access Control Lists
– Other
Proposal: move Security Groups from Nova to Quantum
• Naturally fit within network API
• Allow plugins to implement them in a compatible way
Features and Use Cases
Nova Security Groups
• Collection of network access rules that specify what traffic is allowed to ingress a VM
• Associated with a VM at startup
– If Security Group not specified, VM belongs to default Security Group which allows traffic from all other members of the group
• A VM can be associated with many Security Groups
• Security Rule specifies:
– Source of traffic (IP subnet in CIDR notation, or another security group)
– Protocol (TCP, UDP, ICMP)
– Destination port on VM
Security Group Command Line
EC2
euca-add-group
euca-authorize
euca-delete-group
euca-describe-group
euca-describe-groups

Openstack Nova
secgroup-add-group-rule
secgroup-add-rule
secgroup-create
secgroup-delete
secgroup-delete-group-rule
secgroup-delete-rule
secgroup-list
secgroup-list-rules
Example
Openstack

$ nova secgroup-create mygroup description
+---------+-------------+
| Name    | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2

$ euca-add-group -d description mygroup
GROUP   mygroup   description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP   mygroup
PERMISSION   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP   mygroup
PERMISSION   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
$ euca-describe-groups
GROUP   550d88112b9048fd931f1c66b2c7a932   default   default
GROUP   550d88112b9048fd931f1c66b2c7a932   mygroup   description
PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION   r-eezz74kc   550d88112b9048fd931f1c66b2c7a932   mygroup
INSTANCE   i-00000001   ami-00000001   server-1   server-1   pending   0   m1.small   2012-04-17T05:51:30.000Z   unknown zone   aki-00000002   ari-00000003
Current Security Group Model
• Features:
– Per-Virtual Machine Security Group association
– Network egress filtering (network to VM)
– Matching on Source subnet, Protocol, and Destination Port Range
Use Case: Distributed Firewall (current features)
Security Group API
Verb    URI                                                                Description
GET     v1.1/{tenant_id}/os-security-groups                                List security groups
POST    v1.1/{tenant_id}/os-security-groups                                Create a new security group
GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}            Get specific security group
DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}            Delete security group
POST    v1.1/{tenant_id}/os-security-group-rules                           Create security group rules
DELETE  v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}  Delete security group rule
GET     v1.1/{tenant_id}/servers/{server_id}/os-security-groups            List security groups for a specific server
Proposed Security Group Model
• Features:
– Per-Port Security Group association
– Network egress/ingress filtering
• Similar to AWS VPC
– Matching on Source subnet, Protocol, and Destination Port Range in both directions
– Stateful egress filtering
– Default deny except when no ingress rules, then accept all on ingress
– IPv6 Support
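The two rule models on this page side by side, as an added example that is not code from the deck or from Nova/Quantum: it evaluates the current Nova ingress semantics from the "Nova Security Groups" slide (source given as CIDR or as another group, default group admitting its own members) and the proposed model above (filtering in both directions, default deny, accept-all on ingress only when a port's groups carry no ingress rules at all). The class and function names, and the sample groups built from the deck's CLI walkthrough, are my own constructions.

```python
# Added example (not project code): evaluator for the current and proposed models.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    protocol: str                       # "tcp", "udp" or "icmp"
    from_port: int                      # port range on the VM (-1/-1 = all ICMP types, as in Nova)
    to_port: int
    cidr: Optional[str] = None          # source as IP subnet in CIDR notation ...
    source_group: Optional[str] = None  # ... or as another security group
    direction: str = "ingress"          # the proposed model adds "egress" rules

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

def rule_matches(rule, proto, port, peer_ip, peer_groups):
    """One rule against one flow: protocol, port range, then the peer (CIDR or group)."""
    if rule.protocol != proto or not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
    return rule.source_group in peer_groups

def nova_allows_ingress(groups, proto, port, src_ip, src_groups=()):
    """Current Nova model: a VM belongs to many groups and traffic gets in when any
    ingress rule of any of them matches; with no matching rule it is dropped."""
    return any(rule_matches(r, proto, port, src_ip, src_groups)
               for g in groups for r in g.rules if r.direction == "ingress")

def proposed_allows(groups, direction, proto, port, peer_ip, peer_groups=()):
    """Proposed model: filtering in both directions, default deny, except that a
    port whose groups carry no ingress rules at all accepts everything on ingress."""
    rules = [r for g in groups for r in g.rules if r.direction == direction]
    if direction == "ingress" and not rules:
        return True
    return any(rule_matches(r, proto, port, peer_ip, peer_groups) for r in rules)

# Constructed sample data mirroring the deck's CLI walkthrough (not real output).
MYGROUP = SecurityGroup("mygroup", [Rule("tcp", 22, 22, cidr="192.168.1.0/24"),
                                    Rule("tcp", 3306, 3306, cidr="192.168.1.0/24")])
# The default group admits traffic from all other members of the default group.
DEFAULT = SecurityGroup("default", [Rule("tcp", 1, 65535, source_group="default"),
                                    Rule("udp", 1, 65535, source_group="default"),
                                    Rule("icmp", -1, -1, source_group="default")])
WEB_EGRESS = SecurityGroup("web-egress",
                           [Rule("tcp", 443, 443, cidr="0.0.0.0/0", direction="egress")])
```

Note the asymmetry the proposed slide calls out: an empty group is wide open on ingress but closed on egress, so an operator auditing ports should treat "no ingress rules" as an allow-all, not as a deny.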
Use Case: Distributed Firewall (proposed features)
Proposed Security Group API
Verb    URI                                                                      Description
GET     v1.1/{tenant_id}/os-security-groups                                      List security groups
POST    v1.1/{tenant_id}/os-security-groups                                      Create a new security group*
GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Get specific security group
DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Delete security group
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Update security group*
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port   Associate port with security group
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port  Dissociate port from security group
GET     v1.1/{tenant_id}/os-security-groups/list_for_port                        List security groups for specified port
Architecture
Pre-Essex Architecture
Essex Architecture
Folsom Architecture?
Other Features
Provider Firewalling
• Need to have security groups that are modifiable by tenants
• Desirable to have security groups that are only modifiable by service providers
– E.g. preventing a tenant from sending SMTP traffic
– Blocking all incoming traffic on a known trojan port
• Not ideal fit for security group
Access Control Lists
• Current security group model is somewhat limited
• Would be nice to have a more generic ACL capability
• Features:
– Ingress/Egress filtering
– Port-based association
– More sophisticated matching
– Allow/deny
– Combination of ACLs
Comments, Questions, Suggestions?
@davlaps