Thanks for bringing this up,

For security groups, we may need to handle the following things.

As you mentioned,
Anti-spoofing rules need to be updated when a secondary IP is
associated/disassociated with a NIC.

And
A security group rule can be based on a CIDR or on an account/security group;
for example, a security group rule can allow all VMs in another account/security
group to access VMs in this security group.

In this case,

When a secondary IP is associated/disassociated with a NIC, the related security group
rules based on account/security group need to be resent to reflect the IP change
in this security group.



Anthony
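
As an added illustration of the two rule sets discussed above (this is example code written for this thread, not CloudStack's security_group script): the per-VM anti-spoofing jump, which mirrors the quoted iptables rule, is one entry per owned IP, and a group-based rule ("allow from security group G") expands to one entry per IP of every member of G on every target VM, so both must be regenerated when a secondary IP is associated or disassociated. Instance names, vif names, chain names and addresses are constructed to match the thread's example; the `-in` ingress chain name and the FORWARD placement are assumptions.

```python
"""Regenerating per-VM firewall rules when a NIC gains or loses a secondary IP.

Added example for this thread, not CloudStack code. Chain names, vif names and
addresses are constructed to mirror the quoted iptables output; rule text is in
plain iptables-save form.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nic:
    vm: str                          # instance name, e.g. "i-2-3"
    vif: str                         # bridge port of the VM, e.g. "vif7.0"
    egress_chain: str                # per-VM egress chain, e.g. "i-2-3-TEST-eg"
    primary_ip: str                  # DHCP-assigned primary address
    secondary_ips: frozenset = frozenset()

    def all_ips(self):
        """Every address the NIC legitimately owns, primary first."""
        return (self.primary_ip,) + tuple(sorted(self.secondary_ips))


def egress_antispoof_rules(nic):
    """Anti-spoofing: frames bridged in from this vif reach the VM's egress chain
    only when the source is an address the NIC owns. One jump per owned IP, so the
    set must be regenerated on every associate/disassociate of a secondary IP."""
    return {
        f"-A FORWARD -s {ip}/32 -m physdev --physdev-in {nic.vif} --physdev-is-bridged "
        f"-j {nic.egress_chain}"
        for ip in nic.all_ips()
    }


def ingress_rules_from_group(target, source_group, proto, port):
    """A rule 'allow proto/port from security group G' is not a single CIDR: it expands
    to one ACCEPT per IP of every NIC in G, programmed on the target VM's host. The
    target's rule set therefore changes when any member of G gains or loses an IP."""
    chain = f"{target.vm}-in"        # constructed per-VM ingress chain name (assumption)
    return {
        f"-A {chain} -s {ip}/32 -p {proto} --dport {port} -j ACCEPT"
        for member in source_group
        for ip in member.all_ips()
    }


def rule_delta(before, after):
    """Rules to insert and rules to delete to move a host from 'before' to 'after'."""
    return sorted(after - before), sorted(before - after)


def associate_secondary_ip(nic, ip):
    """The NIC as it looks after 'ip' is associated (pure; no host is touched)."""
    return Nic(nic.vm, nic.vif, nic.egress_chain, nic.primary_ip, nic.secondary_ips | {ip})


def demo():
    # Constructed topology: web VM i-2-3 in group "web", db VM i-2-5 in group "db";
    # the db group has a rule allowing tcp/3306 from the web group.
    web = Nic("i-2-3", "vif7.0", "i-2-3-TEST-eg", "10.147.41.239")
    db = Nic("i-2-5", "vif9.0", "i-2-5-TEST-eg", "10.147.41.250")
    web2 = associate_secondary_ip(web, "10.147.41.240")

    # Host of the web VM: a new anti-spoofing jump for the secondary address.
    eg_add, eg_del = rule_delta(egress_antispoof_rules(web), egress_antispoof_rules(web2))
    # Host of the db VM: the group-based rule must be resent with the new source IP.
    in_add, in_del = rule_delta(ingress_rules_from_group(db, [web], "tcp", 3306),
                                ingress_rules_from_group(db, [web2], "tcp", 3306))
    return {"egress_add": eg_add, "egress_del": eg_del,
            "ingress_add": in_add, "ingress_del": in_del}


if __name__ == "__main__":
    for key, rules in demo().items():
        print(key)
        for rule in rules:
            print("  ", rule)
```

Disassociation is the same computation with `before` and `after` swapped, which is why the delta is returned as an add list and a delete list rather than a full rewrite of the chain: the host only inserts or removes the lines that changed.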



> -----Original Message-----
> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
> Sent: Tuesday, January 15, 2013 5:17 AM
> To: cloudstack-dev@incubator.apache.org
> Subject: RE: Functional Specification for the multiple IPs per NIC
> 
> Please find the updated FS at the link below.
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Multiple+IP+address+per+NIC
> 
> I want to discuss the MIPN case for shared networks.
> 
> I observed VM-specific security group iptables rules in the basic zone, in
> which we are allowing egress traffic from the guest VM's primary (DHCP)
> address only.
> If we add another IP to the NIC, we should update the security groups to
> allow the egress traffic from the new IP.
> 
> Example current rule: it allows traffic from the i-2-3 VM's
> 10.147.41.239 IP only.
> 0     0 i-2-3-TEST-eg  all  --  *      *       10.147.41.239        0.0.0.0/0           PHYSDEV match --physdev-in vif7.0 --physdev-is-bridged
> 
> We should update the security group rules each time we associate a secondary
> IP with a NIC.
> 
> Please let me know if you have any comments or suggestions on the
> above.
> 
> Thanks,
> Jayapal
> 
> 
> 
> 
> > -----Original Message-----
> > From: John Kinsella [mailto:j...@stratosec.co]
> > Sent: Wednesday, December 19, 2012 10:59 PM
> > To: cloudstack-dev@incubator.apache.org
> > Subject: Re: Functional Specification for the multiple IPs per NIC
> >
> > 'morning Hari. I can think of at least one use case where allowing the "user"
> > to specify the IP would be required - when migrating an IP from one CAP to
> > ACS or from one VM to another.
> >
> > Anyways - I think the real answer to your question would be to have
> > a granular security model around the API calls. At that point you could specify
> > what users/groups have the ability to assign specific IPs to a specific instance.
> > So I'd vote to implement for now, and attack a granular API security model
> > sooner rather than later.
> >
> > John
> >
> > On Dec 18, 2012, at 4:15 PM, Hari Kannan <hari.kan...@citrix.com> wrote:
> >
> > > Regarding the "User can specify the IP address from the guest subnet; if
> > > not, CS picks the IP from the guest subnet" comment in the FS:
> > >
> > > I don't see a need to do this - because it is a shared network, how
> > > does he know what is used up and what is not? So, he could go through
> > > a sequence of steps only to get an error message back that it is not
> > > possible (and keep doing this until success).
> > >
> > > One possibility is telling him what is available - it may not be a big
> > > deal to reveal the used/unused IPs in an isolated network (although it
> > > would be hard to show from a large CIDR what is used/available), but
> > > we won't even be able to tell him what is used/unused in a shared
> > > network -
> > >
> > > Any thoughts?
> > >
> > > Hari Kannan
> > >
> > > -----Original Message-----
> > > From: John Kinsella [mailto:j...@stratosec.co]
> > > Sent: Tuesday, December 18, 2012 10:36 AM
> > > To: cloudstack-dev@incubator.apache.org
> > > Subject: Re: Functional Specification for the multiple IPs per NIC
> > >
> > > Is there any logic behind 30? At some point, we're going to be asked,
> > > so I'd like to have a decent answer. :)
> > >
> > > On the rest of this, I'd like to get some level of consensus on the design.
> > > What looks best to me:
> > > * Improve UserData/CloudInit support in CloudStack (I'm willing to
> > > work on this, consider it important) - allow expiration of data, wider
> > > variety of data supported
> > > * Create the multi-IPs-per-NIC code to get IPs via CloudInit (Need to
> > > think through Windows equivalent)
> > > * Update the password changing script to use CloudInit
> > >
> > > Thoughts? Or Jayapal have you already started work on the multi-IP feature?
> > >
> > > On Dec 18, 2012, at 2:03 AM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> > >
> > >> Regarding the IP limit, it can be made configurable using global settings, and
> > >> the default value will be 30.
> > >>
> > >>
> > >> Thanks,
> > >> Jayapal
> > >>
> > >>> -----Original Message-----
> > >>> From: Chiradeep Vittal [mailto:chiradeep.vit...@citrix.com]
> > >>> Sent: Monday, December 17, 2012 12:59 PM
> > >>> To: CloudStack DeveloperList
> > >>> Subject: Re: Functional Specification for the multiple IPs per NIC
> > >>>
> > >>> In basic/shared networks the allocation is bounded by what is already
> > >>> "used up". To prevent tenants from hogging all the available IPs,
> > >>> there need to be limits.
> > >>>
> > >>> On 12/15/12 8:38 AM, "John Kinsella" <j...@stratosec.co> wrote:
> > >>>
> > >>>> I'd remove the limitation of having 30 IPs per interface. Modern
> > >>>> OSes can support way more.
> > >>>>
> > >>>> Why no support for basic networking? I can see a small hosting
> > >>>> provider with a basic setup wanting to manage web servers...
> > >>>>
> > >>>> John
> > >>>>
> > >>>> On Dec 14, 2012, at 9:37 AM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
> > >>>>
> > >>>>> Hi All,
> > >>>>>
> > >>>>> Currently a guest VM by default has one NIC and one IP address assigned.
> > >>>>> If the user wants an extra IP for the guest VM, there is no provision
> > >>>>> for that in CS.
> > >>>>>
> > >>>>> Using the multiple IP addresses per NIC feature, CS can associate an IP
> > >>>>> address with the NIC; the user can take that IP and assign it to the VM.
> > >>>>>
> > >>>>> Please find the FS for more details.
> > >>>>>
> > >>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Multiple+IP+address+per+NIC
> > >>>>>
> > >>>>> Please provide your comments on the FS.
> > >>>>>
> > >>>>>
> > >>>>> Thanks,
> > >>>>> jayapal
> > >>>>
> > >>>> Stratosec - Secure Infrastructure as a Service
> > >>>> o: 415.315.9385
> > >>>> @johnlkinsella
> > >>>>
> > >>
> > >>
> > >
