[openstack-dev] [Neutron] [QOS] Request for Additional QoS capabilities

[John Joyce (joycej)]

Hello everyone:
      I would like to test the waters on some new functionality we think is 
needed to protect OpenStack deployments from some overload situations due to an 
excessive user or DDOS scenario.   We wrote this up in the style of an RFE.   
Please let us know your thoughts and we can proceed with a formal RFE with more 
detail if there are no concerns raised.


*What is being requested*
This request is to extend the QOS APIs to include the ability to provide 
connection rate limiting
*Why is it being requested*
There are many scenarios where a VM may be intentionally malicious or become 
harmful to the network due to its rate of initializing TCP connections.   The 
reverse direction of a VM being attacked with an excessive amount of TCP 
connection requests either intentionally or due to overload is also problematic.
*Implementation Choices
   There might be a number of ways to implement this,  but one of the easiest 
would appear to be to extend the APIs being developed under:  
https://review.openstack.org/#/c/187513/. An additional rule type "connections 
per-second" could be added.
The dataplane implementation itself may be realized with netfilter and 
conntrack.
*Alternatives
It would be possible to extend the security groups in a similar fashion,  but 
due to the addition of rate limiting, QoS seems a more nature fit.
*Who needs it*
Cloud operators have experienced this issue in real deployments in a number of 
cases.

[http://www.cisco.com/web/europe/images/email/signature/logo05.jpg]

John Joyce
PRINCIPAL ENGINEER.ENGINEERING
joy...@cisco.com
Phone: +1 978 936 0227

Cisco Systems Limited
1414 Massachusetts Ave.
BOXBOROUGH
MASSACHUSETTS
01719
US
Cisco.com<http://www.cisco.com>





[Think before you print.]Think before you print.

This email may contain confidential and privileged material for the sole use of 
the intended recipient. Any review, use, distribution or disclosure by others 
is strictly prohibited. If you are not the intended recipient (or authorized to 
receive for the recipient), please contact the sender by reply email and delete 
all copies of this message.
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html




__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev