Re: [openstack-dev] [Neutron] Security groups with OVS instead of iptables?

2013-09-03 Thread Ravi Chunduru
It is possible to enforce security groups on OVS provided you have Openflow
Controller instead of neutron agent managing the OVS switches.




-- 
Ravi
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Neutron] Security groups with OVS instead of iptables?

2013-09-03 Thread Salvatore Orlando
I am not entirely sure that any of the open source plugins available in the
neutron source tree currently provides the ability to ensure security
groups through OVS flow management.
But I might be missing some out-of-tree plugin, of which I have little to
no knowledge.

To answer the initial question - yes, it's technically possible, but it's
also cumbersome.
Nova security group rules can easily generate a situation in which
thousands of rules are generated. If not properly handled by adopting
appropriate strategies, such as masking bits for nw addresses, the number
can easily spiral. This means that it is likely that most packets will miss
the kernel-level flow table and require a context switch to user mode (it
might be even worse if you store the rules on the controller and you ask
your switch to fetch them with openflow) - in this case the performance
would be even worse than the double bridge we traverse now.

Said that, it's not impossible. It's just that so far nobody has seriously
tackled this issue.

Regards,
Salvatore

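As an added illustration of the rule-explosion point above (example code written for this page, not from the thread or from any Neutron firewall driver), the snippet below turns a few constructed security-group rules into OpenFlow match strings, collapsing overlapping remote CIDRs and expressing port ranges as masked tp_dst matches so the flow count stays bounded. The rule tuple format and the match-string layout are assumptions; a real driver would additionally match the VM's in_port/dl_dst.

```python
import ipaddress

# Constructed sample rules: (protocol, port_min, port_max, remote_cidr)
SAMPLE_RULES = [
    ("tcp", 22, 22, "10.0.0.0/24"),
    ("tcp", 22, 22, "10.0.1.0/24"),
    ("tcp", 8000, 8015, "10.0.0.0/23"),
    ("udp", 53, 53, "0.0.0.0/0"),
]

def naive_flow_count(rules):
    """One flow per (rule, single port): what you get without any masking."""
    return sum(hi - lo + 1 for _, lo, hi, _ in rules)

def port_range_to_masks(lo, hi):
    """Split [lo, hi] into (value, mask) pairs over 16-bit ports, greedy by
    alignment, so each pair is one value/mask match instead of many exact ones."""
    out = []
    while lo <= hi:
        size = 1
        while (lo & (size * 2 - 1)) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out

def rules_to_flows(rules, priority=10):
    """Group rules by protocol/port range, collapse their CIDRs, and emit
    ovs-ofctl style flow strings; a default drop closes the table."""
    groups = {}
    for proto, lo, hi, cidr in rules:
        groups.setdefault((proto, lo, hi), []).append(ipaddress.ip_network(cidr))
    flows = []
    for (proto, lo, hi), nets in sorted(groups.items()):
        for net in ipaddress.collapse_addresses(nets):   # merges adjacent /24s
            src = "" if net.prefixlen == 0 else f",nw_src={net}"
            for val, mask in port_range_to_masks(lo, hi):
                port = (f",tp_dst={val}" if mask == 0xFFFF
                        else f",tp_dst={val:#06x}/{mask:#06x}")
                flows.append(f"priority={priority},{proto}{src}{port},actions=NORMAL")
    flows.append("priority=0,actions=drop")
    return flows

if __name__ == "__main__":
    print("naive flows:", naive_flow_count(SAMPLE_RULES))
    for f in rules_to_flows(SAMPLE_RULES):
        print(f)
```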


Re: [openstack-dev] [Neutron] Security groups with OVS instead of iptables?

2013-09-03 Thread Scott Devoid
+1 for an answer to this.

The reference documentation suggests running Neutron OVS with a total of 6
software switches between the VM and public NAT addresses. [1]
What are the performance differences folks see with this configuration vs.
the 2 software switch configuration for linux bridge?

[1]
http://docs.openstack.org/grizzly/openstack-network/admin/content/under_the_hood_openvswitch.html#d6e1178




[openstack-dev] [Neutron] Security groups with OVS instead of iptables?

2013-09-03 Thread Lorin Hochstein
(Also asked at
https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/
)

The only security group implementations in neutron seem to be
iptables-based. Is it technically possible to implement security groups
using openvswitch flow rules, instead of iptables rules?

It seems like this would cut down on the complexity associated with the
current OVSHybridIptablesFirewallDriver implementation, where we need to
create an extra linux bridge and veth pair to work around the
iptables-openvswitch issues. (This also breaks if the user happens to
install the openvswitch brcompat module).

Lorin
-- 
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com