Hi,

The allowed address pair extension was added to the Neutron API to allow protocols like VRRP to work. All it dictates are mac_address/ip_address (cidrs) that are allowed to pass through a Neutron port.

Rest inline.

On Wed, Jul 1, 2015 at 10:47 AM, Ben Pfaff <b...@nicira.com> wrote:
> On Wed, Jul 01, 2015 at 12:25:58PM -0500, Kyle Mestery wrote:
> > On Wed, Jul 1, 2015 at 12:11 PM, Ben Pfaff <b...@nicira.com> wrote:
> > > Where's the spec for allowed address pairs? It's probably pretty easy
> > > to implement in OVN.
> > >
> > The API developer documentation is here [1]. The BP with a link to a google
> > doc (this was implemented in 2013) is here [2].
> >
> > [1] http://specs.openstack.org/openstack/neutron-specs/specs/api/allowed_address_pairs.html
> > [2] https://blueprints.launchpad.net/neutron/+spec/allowed-address-pairs
>
> It's not as explicit about the meaning as I would like. Is the
> following correct?
>
> A packet is allowed if one of the following is true:
>
> 1. Its MAC address is 'mac_address' and, if it is an IP packet, its
> IP address is one of those in 'fixed_ips'.
>
> 2. Its MAC address is in 'allowed_address_pairs' and, if it is an IP
> packet, its IP address is in the same 'allowed_address_pairs'
> pair.
>

Correct. Also, fwiw, the difference between fixed_ips and allowed_address_pairs is that the dhcp-server on the network will hand out the addresses for a port that match its fixed_ips + mac_address (the allowed-address-pairs are just additional addresses that are allowed to pass through).

> How is IPv6 handled? I suppose that 'fixed_ips' and the 'ip_address'
> part of an 'allowed_address_pairs' pair can be an IPv6?
>

Correct, it could be an IPv6 address as well.

> What happens to an IPv6 packet if 'mac_address' matches but 'fixed_ips'
> only lists IPv4 addresses? Conversely, what happens to an IPv4 packet
> if 'mac_address' matches but 'fixed_ips' only lists IPv6 addresses?
>

The packet is dropped in both cases if only the mac_address matches but the IP doesn't match.

> Are ARP packets supposed to have their inner IPv4 and MAC addresses
> filtered by these rules? How about IPv6 ND packets?
>

This is a good question. Today we are only enforcing that the L2/L3 fields match. That said, I think it probably makes sense for us to filter on this too.

> (All of the possibilities above, in either direction, are implementable
> in OVN, but I didn't know what precedent had been set in Neutron or
> whether that precedent was set for good reason or for convenience, so
> I've only implemented L2 port security so far.)
>
> Thanks a lot; this is a discussion I've been meaning to have for a
> while.
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
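The two rules confirmed in the exchange above, written out as a small reference model so the edge cases discussed (MAC matches but no IP does, IPv4 packet against IPv6-only fixed_ips, a pair's address being a CIDR, a non-IP frame such as ARP checked on L2 only) can be exercised. This is an added example and not Neutron's or OVN's own code; the `Port` dataclass, `packet_allowed` and `classify` are constructed names, the sample port and frames are made up, and the one detail taken from the Neutron API rather than from this thread is that a pair whose mac_address is omitted defaults to the port's own MAC.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Port:
    """Constructed model of the Neutron port fields the thread refers to."""
    mac_address: str
    fixed_ips: List[str]                  # host addresses the DHCP server hands out for this MAC
    # (mac_address, ip_address) pairs; ip_address may be a host address or a CIDR.
    # A pair whose mac_address is None defaults to the port's own MAC (Neutron API behaviour).
    allowed_address_pairs: List[Tuple[Optional[str], str]] = field(default_factory=list)


def _same_mac(a: str, b: str) -> bool:
    return a.lower() == b.lower()


def _ip_matches(ip: str, allowed: str) -> bool:
    """True if `ip` equals the host address `allowed` or lies inside it as a CIDR.
    An address-family mismatch (IPv4 packet vs IPv6 entry, or the reverse) never matches."""
    try:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(allowed, strict=False)
    except ValueError:
        return False          # unparsable input is a non-match, i.e. the frame is dropped
    return addr.version == net.version and addr in net


def packet_allowed(port: Port, src_mac: str, src_ip: Optional[str] = None) -> bool:
    """Port-security verdict for one frame leaving `port`, following the two rules in the thread.
    `src_ip` is None for non-IP frames (e.g. ARP), which are checked on the MAC alone, matching
    the L2-only enforcement the thread describes as current."""
    # Rule 1: the port's own MAC and, for IP packets, one of its fixed_ips.
    if _same_mac(src_mac, port.mac_address):
        if src_ip is None:
            return True
        if any(_ip_matches(src_ip, fixed) for fixed in port.fixed_ips):
            return True
        # MAC matched but no fixed_ip did: a pair bound to the port MAC may still allow it.

    # Rule 2: a MAC from allowed_address_pairs and, for IP packets, an address inside that same pair.
    for pair_mac, pair_ip in port.allowed_address_pairs:
        effective_mac = pair_mac if pair_mac is not None else port.mac_address
        if not _same_mac(src_mac, effective_mac):
            continue
        if src_ip is None or _ip_matches(src_ip, pair_ip):
            return True

    # Only the MAC matched, or nothing matched: dropped.
    return False


def classify(port: Port, frames: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], str]]:
    """Label each constructed (src_mac, src_ip) frame ALLOW or DROP for a quick audit of a port."""
    return [(mac, ip, "ALLOW" if packet_allowed(port, mac, ip) else "DROP") for mac, ip in frames]


# Constructed sample port: one IPv4 and one IPv6 fixed address, a VRRP-style virtual
# address owned by a second MAC, and a whole /24 permitted for the port's own MAC.
SAMPLE_PORT = Port(
    mac_address="fa:16:3e:00:00:01",
    fixed_ips=["10.0.0.5", "2001:db8::5"],
    allowed_address_pairs=[
        ("fa:16:3e:00:00:99", "10.0.0.200"),
        (None, "10.0.1.0/24"),
    ],
)

if __name__ == "__main__":
    for mac, ip, verdict in classify(SAMPLE_PORT, [
        ("fa:16:3e:00:00:01", "10.0.0.5"),     # fixed_ip                    -> ALLOW
        ("fa:16:3e:00:00:01", "10.0.0.6"),     # MAC only                    -> DROP
        ("fa:16:3e:00:00:01", "2001:db8::5"),  # IPv6 fixed_ip               -> ALLOW
        ("fa:16:3e:00:00:01", "10.0.1.77"),    # CIDR pair with default MAC  -> ALLOW
        ("fa:16:3e:00:00:99", "10.0.0.200"),   # VRRP pair                   -> ALLOW
        ("fa:16:3e:00:00:99", "10.0.0.5"),     # pair MAC, other pair's IP   -> DROP
        ("fa:16:3e:00:00:01", None),           # ARP from port MAC           -> ALLOW (L2 only)
        ("fa:16:3e:00:00:42", None),           # ARP from unknown MAC        -> DROP
    ]):
        print(f"{mac} {str(ip):>12} {verdict}")
```

The fall-through after Rule 1 matters: a frame from the port's own MAC with an address outside fixed_ips is still allowed if a pair bound to that MAC (here the /24) covers it, which is exactly how a floating VRRP address on the port's own MAC is made to pass. The non-IP branch reflects what the thread says is enforced today; filtering the addresses carried inside ARP or ND payloads, as the reply suggests would make sense, would need the inner fields parsed and run through the same two rules.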