Hello everyone: I would like to test the waters on some new functionality we think is needed to protect OpenStack deployments from some overload situations due to an excessive user or DDOS scenario. We wrote this up in the style of an RFE. Please let us know your thoughts and we can proceed with a formal RFE with more detail if there are no concerns raised.
*What is being requested* This request is to extend the QOS APIs to include the ability to provide connection rate limiting *Why is it being requested* There are many scenarios where a VM may be intentionally malicious or become harmful to the network due to its rate of initializing TCP connections. The reverse direction of a VM being attacked with an excessive amount of TCP connection requests either intentionally or due to overload is also problematic. *Implementation Choices There might be a number of ways to implement this, but one of the easiest would appear to be to extend the APIs being developed under: https://review.openstack.org/#/c/187513/. An additional rule type "connections per-second" could be added. The dataplane implementation itself may be realized with netfilter and conntrack. *Alternatives It would be possible to extend the security groups in a similar fashion, but due to the addition of rate limiting, QoS seems a more nature fit. *Who needs it* Cloud operators have experienced this issue in real deployments in a number of cases. [http://www.cisco.com/web/europe/images/email/signature/logo05.jpg] John Joyce PRINCIPAL ENGINEER.ENGINEERING joy...@cisco.com Phone: +1 978 936 0227 Cisco Systems Limited 1414 Massachusetts Ave. BOXBOROUGH MASSACHUSETTS 01719 US Cisco.com<http://www.cisco.com> [Think before you print.]Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev