Hi Aaron,

Sorry for the late feedback.
I have some comments on the spec.

- Who can change the port security?
  If the network physical infrastructure provides an address space isolation among logical networks, a tenant (a regular user) may change port security freely. On the other hand, if the network physical infrastructure requires MAC uniqueness (for example, network_type == flat), only admin should change port security.

- Why can we disable port security when a port is associated with a security group?
  The limitation section in the spec document says "if a port is associated with a security group one cannot remove the port security setting as port security is required for security groups to work."
  A usual case is a case where a VM wants to use another IP address in addition to its IP address assigned, but it is likely a user still wants to use security group (to drop incoming packets to undesired L4 ports).
  The current secgroup implementation honors the original security group implementation in nova and IP/MAC spoofing rules are added automatically as provider rules. We can change the provider rules according to port security state for the port.

I hope my understanding is correct.

Thanks,
Akihiro

2013/1/5 Aaron Rosen <[email protected]>:
> Hi,
>
> I'm starting to work on the following blueprint
> (https://blueprints.launchpad.net/quantum/+spec/port-security-api-base-class)
> and would like to run this spec by the community for feedback.
>
> https://docs.google.com/document/d/18trYtq3wb0eJK2CapktN415FRIVasr7UkTpWn9mLq5M/edit
>
> Thanks,
>
> Aaron

--
Akihiro MOTOKI <[email protected]>

