[Expired for neutron because there has been no activity for 60 days.]
** Changed in: neutron
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1432856
Title:
Security groups aren’t network topology aware
Status in neutron:
Expired
Bug description:
Security group rules for a host include all hosts that are members of
the security group even though some can be unaccessible because they
aren’t attached to the same router. This introduces two problems.
First, it will create unneeded iptables rules on nodes and additional
work on neutron-server and agent-side. Second, in the case of
overlapping networks, the rules that result from a host on a
completely separate network may end up allowing traffic from an
untrusted host on the same network.
e.g. Security group SG1 has rules to allow traffic from other members
of the same group. Members of SG1 include 10.0.0.2 and 10.0.0.3, which
are on two separate networks with overlapping IPs. The iptables rules
on 10.0.0.2 will then permit traffic from 10.0.0.3 even though
10.0.0.3 could be an untrusted node on its own network.
Workaround: Use separate security groups per each network. This will
decrease load from calculations significantly on neutron-server and
also will decrease number of iptables rules on nodes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1432856/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
