On Tue, Aug 2, 2016 at 12:05 PM, Russell Bryant <russ...@ovn.org> wrote:
> > > On Tue, Aug 2, 2016 at 3:02 PM, Darrell Ball <dlu...@gmail.com> wrote: > >> >> >> On Tue, Aug 2, 2016 at 10:23 AM, Mickey Spiegel <mickeys....@gmail.com> >> wrote: >> >>> On Tue, Aug 2, 2016 at 9:26 AM, Darrell Ball <dlu...@gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Aug 2, 2016 at 4:52 AM, Russell Bryant <russ...@ovn.org> wrote: >>>> >>>>> On Sat, Jul 30, 2016 at 4:19 PM, Mickey Spiegel <mickeys....@gmail.com >>>>> > >>>>> wrote: >>>>> >>>>> > On Fri, Jul 29, 2016 at 10:28 AM, Mickey Spiegel < >>>>> emspi...@us.ibm.com> >>>>> > wrote: >>>>> > > >>>>> > > -----"dev" <dev-boun...@openvswitch.org> wrote: ----- >>>>> > >> To: Mickey Spiegel <mickeys....@gmail.com> >>>>> > >> From: Russell Bryant >>>>> > >> Sent by: "dev" >>>>> > >> Date: 07/29/2016 10:02AM >>>>> > >> Cc: ovs dev <dev@openvswitch.org> >>>>> > >> Subject: Re: [ovs-dev] [PATCH] ovn: Add second ACL stage >>>>> > >> >>>>> > >> On Fri, Jul 29, 2016 at 12:47 AM, Mickey Spiegel < >>>>> mickeys....@gmail.com >>>>> > > >>>>> > >> wrote: >>>>> > >> >>>>> > >>> >>>>> > >>> This patch adds a second logical switch ingress ACL stage, and >>>>> > >>> correspondingly a second logical switch egress ACL stage. This >>>>> > >>> allows for more than one ACL-based feature to be applied in the >>>>> > >>> ingress and egress logical switch pipelines. The features >>>>> > >>> driving the different ACL stages may be configured by different >>>>> > >>> users, for example an application deployer managing security >>>>> > >>> groups and a network or security admin configuring network ACLs >>>>> > >>> or firewall rules. >>>>> > >>> >>>>> > >>> Each ACL stage is self contained. The "action" for the >>>>> > >>> highest-"priority" matching row in an ACL stage determines a >>>>> > >>> packet's treatment. A separate "action" will be determined in >>>>> > >>> each ACL stage, according to the ACL rules configured for that >>>>> > >>> ACL stage. The "priority" values are only relevant within the >>>>> > >>> context of an ACL stage. >>>>> > >>> >>>>> > >>> ACL rules that do not specify an ACL stage are applied to the >>>>> > >>> default "acl" stage. >>>>> > >>> >>>>> > >>> Signed-off-by: Mickey Spiegel <mickeys....@gmail.com> >>>>> > >> >>>>> > >> >>>>> > >> Could you expand on why priorities in a single stage aren't >>>>> enough to >>>>> > >> satisfy the use case? >>>>> > > >>>>> > > If two features are configured independently with a mix of >>>>> > > prioritized allow and drop rules, then with a single stage, a >>>>> > > new set of ACL rules must be produced that achieves the same >>>>> > > behavior. This is sometimes referred to as an "ACL merge" >>>>> > > algorithm, for example: >>>>> > > >>>>> > >>>>> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp39514 >>>>> > > >>>>> > > In the worst case, for example when the features act on different >>>>> > > packet fields (e.g. one on IP address and another on L4 port), >>>>> > > the number of rules required can approach >>>>> > > (# of ACL1 rules) * (# of ACL2 rules). >>>>> > > >>>>> > > While it is possible to code up such an algorithm, it adds >>>>> > > significant complexity and complicates whichever layer >>>>> > > implements the merge algorithm, either OVN or the CMS above. >>>>> > > >>>>> > > By using multiple independent pipeline stages, all of this >>>>> > > software complexity is avoided, achieving the proper result >>>>> > > in a simple and straightforward manner. >>>>> > > >>>>> > > Recent network hardware ASICs tend to have around 8 or 10 ACL >>>>> > > stages, though they tend to evaluate these in parallel given >>>>> > > all the emphasis on low latency these days. >>>>> > >>>>> > Throwing in an example to illustrate the difference between one >>>>> > ACL stage and two ACL stages: >>>>> > >>>>> > If two separate ACL stages: >>>>> > Feature 1 >>>>> > acl from-lport 100 (tcp == 80) allow-related >>>>> > acl from-lport 100 (tcp == 8080) allow-related >>>>> > acl from-lport 100 (udp) allow-related >>>>> > acl from-lport 100 (ip4.src == 10.1.1.0/24 && tcp) allow-related >>>>> > >>>>> > Feature 2 >>>>> > acl2 from-lport 300 (ip4.dst == 172.16.10.0/24) allow-related >>>>> > acl2 from-lport 300 (ip4.dst == 192.168.20.0/24) allow-related >>>>> > acl2 from-lport 200 (ip4.dst == 172.16.0.0/20) drop >>>>> > acl2 from-lport 200 (ip4.dst == 192.168.0.0/16) drop >>>>> > acl2 from-lport 100 (ip4.dst == 172.16.0.0/16) allow-related >>>>> > >>>>> > Combined in one stage, to get the equivalent behavior, this would >>>>> require: >>>>> > from-lport 300 (ip4.dst == 172.16.10.0/24 && tcp == 80) >>>>> allow-related >>>>> > from-lport 300 (ip4.dst == 172.16.10.0/24 && tcp == 8080) >>>>> allow-related >>>>> > from-lport 300 (ip4.dst == 172.16.10.0/24 && udp) allow-related >>>>> > from-lport 300 (ip4.dst == 172.16.10.0/24 && ip4.src == 10.1.1.0/24 >>>>> && >>>>> > tcp) allow-related >>>>> > from-lport 300 (ip4.dst == 192.168.20.0/24 && tcp == 80) >>>>> allow-related >>>>> > from-lport 300 (ip4.dst == 192.168.20.0/24 && tcp == 8080) >>>>> allow-related >>>>> > from-lport 300 (ip4.dst == 192.168.20.0/24 && udp) allow-related >>>>> > from-lport 300 (ip4.dst == 192.168.20.0/24 && ip4.src == >>>>> 10.1.1.0/24 && >>>>> > tcp) allow-related >>>>> > from-lport 200 (ip4.dst == 172.16.0.0/20) drop >>>>> > from-lport 200 (ip4.dst == 192.168.0.0/16) drop >>>>> > from-lport 100 (ip4.dst == 172.16.0.0/16 && tcp == 80) >>>>> allow-related >>>>> > from-lport 100 (ip4.dst == 172.16.0.0/16 && tcp == 8080) >>>>> allow-related >>>>> > from-lport 100 (ip4.dst == 172.16.0.0/16 && udp) allow-related >>>>> > from-lport 100 (ip4.dst == 172.16.0.0/16 && ip4.src == 10.1.1.0/24 >>>>> && >>>>> > tcp) allow-related >>>>> > >>>>> >>>>> Or have an address set, "addrset1", which contains {172.16.10.0/24, >>>>> 192.168.20.0/24, 172.16.0.0/20, 192.168.0.0/16, 172.16.0.0/16}. >>>>> >>>>> acl from-lport 100 (ip4.dst == $addrset1 && tcp && tcp.dst == {80, >>>>> 8080}) >>>>> allow-related >>>>> acl from-lport 100 (ip4.dst == $addrset1 && udp) allow-related >>>>> acl from-lport 100 (ip4.dst == $addrset1 && ip4.src == 10.1.1.0/24 >>>>> && >>>>> tcp) allow-related >>>>> >>>>> >>>>> > >>>>> > If there are more IP addresses in feature 2, then the number >>>>> > of ACL rules will climb geometrically: >>>>> > (4 feature 1 rules * # feature 2 allow-related rules + # feature 2 >>>>> drop >>>>> > rules) >>>>> > >>>>> > With 2 separate ACL stages, the rules just go straight into >>>>> > the corresponding ACL table, no merge required: >>>>> > (# feature 1 rules + # feature 2 rules) >>>>> > >>>>> >>>>> Thanks for elaborating. I'm not opposed. It seems harmless if not >>>>> being >>>>> used. >>>>> >>>> >>>> >>>> There are presently no unit tests for ACLs in the system tests >>>> (system-ovn.at). >>>> The first step should be to add unit tests for single stage ACLs. >>>> and then add a delta of tests if other stages are desired. >>>> >>>> It will be good to test the coordination between multiple stages >>>> coming directly from northbound APIs and check what happens when >>>> multistage ACLs are setup and torn down stage by stage, particularly >>>> when the datapath ends up in a more permissive state for some period of >>>> time. >>>> >>> >> This feature proposal has a problem for both setup and teardown where >> the staging will result in a more permissive state for periods of time. >> >> Here is a simple example based on your example above: >> If one only wants to allow TCP and src IP 20.20.20.20 and the stage with >> TCP is >> added first with the stage with src IP 20.20.20.20 lagging, one will have >> the >> following >> >> 200 TCP permit >> 100 DROP ALL >> >> which permits all TCP - not what we want. >> >> We cannot enforce a transaction across multiple databases (NB, SB, >> ovn-controller) >> > > I don't understand this. Rules for both stages could be added in the same > transaction. It's all in the same table of the northbound database. > > I am assuming that the rules would be entered into the Northbound database in the same transaction. That part is fine. However, there is no enforcement of a transaction across multiple databases in OVN. So there is no requirement that northd and ovn-controller maintain that NB DB transaction across different tables which generating their respective output (i.e. SB DB and openflow rules). > >> >> >>> >>>> >>>> >>>>> >>>>> Can you update the docs to indicate the specific accepted values for >>>>> "stage"? >>>> >>>> >>>> >>>> This would significantly complicate the usage of northbound ACL APIs, >>>> since multi-staging would be exposed at the top (northbound) OVN layer. >>>> >>> >>> The default behavior when "stage" is not specified is to apply the ACL >>> to the >>> existing "acl" stage. If you don't care about the second ACL stage, >>> continue >>> to use ACLs as you do today and it will work. There is no complication. >>> >> >> You need a set of guidelines. >> You just cannot assume the northbound API usage will avoid this feature. >> How does one know this feature should be avoided or when to use it. >> Assuming one decides to use it, how does one know how to use it. >> >> >> >>> >>> >>>> This would need a clear set of guidelines how northbound >>>> multistage ACLs would be used by a CMS, at the user level. >>>> >>> >>> The CMS typically does not expose ACLs directly to the user. For example, >>> with OpenStack, Security Groups use the default "acl" stage. OpenStack >>> FWaaS v2 would use the "acl2" stage. These are two separate OpenStack >>> features with separate OpenStack northbound APIs to the user. >>> >> >> >> First of all, every OVN feature should not be tied to Openstack.] >> > > It was just used as an example of how it would be used ... > > -- > Russell Bryant > _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev