Good morning,

In last week's meeting I had an action item[0] to take a look at the Amazon EC2/VPC API and determine what differences there are between Neutron's and theirs.

In some spec reviews, I have been commenting about trying to keep the Neutron security group API from "drifting" too far from the Amazon EC2 API, since the concept of the "security group" came from Amazon and I believe that we should not be bolting on more functionality to an Amazon concept. Rather, I would like to see Neutron create new APIs to further differentiate OpenStack from Amazon AWS, since that gives us elbow room to innovate without having to worry about compatibility, and possibly gives us cover on the legal front since there are a lot of court cases flying around about patents on APIs[1]. In many instances, I believe that much of the new functionality that people are seeking to create should be put into the Firewall-As-A-Service API, but that's a discussion for another e-mail.

Anyway, over a cup of coffee today I went and did some reading about the differences between the Neutron security group API and Amazon's. Here are my preliminary findings.

Amazon's Security Group API comes in two types:

* EC2-Classic
* EC2-VPC

Security groups in the VPC API are documented at:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

There is a useful section on the differences between the EC2-Classic and EC2-VPC.

More in-depth documentation for the AWS Security Group API is located here:

Data Types:

http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SecurityGroup.html
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_IpPermission.html
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_PrefixListId.html
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_UserIdGroupPair.html

API methods:

http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html

I used the following for the Security Group API on the Neutron side:

http://developer.openstack.org/api-ref-networking-v2-ext.html

Overall, the attributes are *named differently* but contain similar concepts. Both Security Group APIs contain:

* IP Prefix/CIDR
* From port
* To port
* Protocol

One difference is that the AWS API distinguishes between Ingress and Egress at the API endpoint, rather than being an attribute.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupEgress
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress

Another difference is that the Neutron Security Group API does have an interesting attribute named remote_group_id that doesn't have any real documentation, but I am making a guess that it possibly matches up to the UserIdGroupPair type in AWS. Perhaps someone could shed some light on that, and then document it (not sure where yet).

The AWS API and Neutron also share an attribute that can list an IP prefix to match - remote_prefix_id in Neutron, and PrefixListIds in EC2. However, it appears that the PrefixListIds type can contain multiple prefixes.

Neutron has an ethertype for selecting IPv4 or IPv6, while Amazon does not, since Amazon does not have IPv6 in EC2 (they do have IPv6 in the elastic load balancer product[2]).

These are at least my preliminary findings. Do feel free to double check my work and see if there is anything that I have overlooked or made a mistake on.

[0]: http://eavesdrop.openstack.org/meetings/networking/2015/networking.2015-06-22-21.00.html
[1]: https://en.wikipedia.org/wiki/Oracle_America,_Inc._v._Google,_Inc.
[2]: https://aws.amazon.com/about-aws/whats-new/2011/05/24/elb-ipv6-zoneapex-securitygroups/

--
Sean M. Collins

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
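As an added illustration of the attribute mapping the message walks through (example code added here, not part of the message nor of either project's code), the function below converts one Neutron security_group_rule into the EC2 action name plus the IpPermission it most closely resembles. Neutron field names (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix, remote_group_id) are taken from the networking v2 API reference linked above and EC2 field names from the IpPermission data type linked above; the EC2 convention of "-1" meaning "all protocols" / "all ICMP types" is assumed from the EC2 reference rather than stated in the message.

```python
# Mapping direction onto the API endpoint: in EC2 the direction is the
# Action, not a rule attribute, which is the first difference noted above.
NEUTRON_DIRECTION_TO_EC2_ACTION = {
    "ingress": "AuthorizeSecurityGroupIngress",
    "egress": "AuthorizeSecurityGroupEgress",
}


def neutron_rule_to_ec2(rule):
    """Return (Action, IpPermission) for a Neutron security_group_rule dict.

    Raises ValueError for rules EC2-Classic/VPC cannot express, such as
    an IPv6 ethertype (EC2 security groups had no IPv6 support).
    """
    if rule.get("ethertype", "IPv4") != "IPv4":
        raise ValueError("EC2 security groups cannot express ethertype %r"
                         % rule.get("ethertype"))
    action = NEUTRON_DIRECTION_TO_EC2_ACTION[rule["direction"]]

    # Neutron: protocol None means any protocol. EC2: IpProtocol "-1".
    proto = rule.get("protocol") or "-1"
    perm = {"IpProtocol": proto}

    if proto in ("tcp", "udp"):
        # Neutron leaves port_range_min/max as None for "all ports";
        # EC2 requires explicit FromPort/ToPort bounds.
        perm["FromPort"] = rule.get("port_range_min") or 0
        perm["ToPort"] = rule.get("port_range_max") or 65535
    elif proto == "icmp":
        # Both APIs reuse the port fields for ICMP type/code; EC2 uses -1
        # for "all types/codes" where Neutron uses None.
        perm["FromPort"] = rule.get("port_range_min") or -1
        perm["ToPort"] = rule.get("port_range_max") or -1

    # Single CIDR in Neutron versus a list of CidrIp ranges in EC2.
    if rule.get("remote_ip_prefix"):
        perm["IpRanges"] = [{"CidrIp": rule["remote_ip_prefix"]}]

    # remote_group_id's closest EC2 analogue is a UserIdGroupPair entry.
    if rule.get("remote_group_id"):
        perm["UserIdGroupPairs"] = [{"GroupId": rule["remote_group_id"]}]

    return action, perm
```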