On Thu, Jul 02, 2015 at 12:42:18PM -0700, Ben Pfaff wrote:
> Here's a proposal for an OVN port security specification. I tried to
> specify it as carefully and completely as possible. This is not
> implemented yet, only specified. Comments are welcome!
Here's a new version that incorporates feedback (clarification, really)
from Aaron and Guru,
port_security: set of strings
This column controls the addresses from which the host attached
to the logical port (``the host’’) is allowed to send packets
and to which it is allowed to receive packets. If this column
is empty, all addresses are permitted.
Each element in the set must contain one or more Ethernet
addresses, optionally masked. An element that contains only
Ethernet addresses restricts the host to sending packets from
and receiving packets to those addresses. It also restricts the
inner source MAC addresses that the host may send in ARP and
IPv6 Neighbor Discovery packets. It does not restrict the logi‐
cal port to any particular L3 addresses. The host is always
allowed to receive packets to multicast and broadcast Ethernet
addresses.
Each element in the set may additionally contain one or more
IPv4 or IPv6 addresses (or both), with optional masks. If a
mask is given, it must be a CIDR mask. In addition to the
restrictions described for Ethernet addresses above, such an
element restricts the IPv4 or IPv6 addresses from the host may
send and to which it may receive to packets to the specified
addresses. A masked address, if the host part is zero, indi‐
cates that the host is allowed to use any addresses in the sub‐
net; if the host part is nonzero, the mask simply indicates the
size of the subnet. In addition:
* If any IPv4 address is given, the host is also allowed to
receive packets to the IPv4 local broadcast address
255.255.255.255 and to IPv4 multicast addresses
(224.0.0.0/4). If an IPv4 address with a mask is given,
the host is also allowed to receive packets to the broad‐
cast address in that specified subnet.
If any IPv4 address is given, the host is additionally
restricted to sending ARP packets with the specified
source address. (RARP is not restricted.)
* If any IPv6 address is given, the host is also allowed to
receive packets to IPv6 multicast addresses (ff00::/8).
If any IPv6 address is given, the host is additionally
restricted to sending IPv6 Neighbor Discovery Solicita‐
tion or Advertisement packets with the specified source
address or, for solicitations, the unspecified address.
If an element includes an IPv4 address, but no IPv6 addresses,
then IPv6 traffic is not allowed. If an element includes an
IPv6 address, but no IPv4 address, then IPv4 and ARP traffic is
not allowed.
Multiple elements act as a disjunction. That is, when multiple
elements exist, any packet that would be permitted by any indi‐
vidual element, as described above, is permitted by the overall
policy.
This column uses the same lexical syntax as the match column in
the OVN Southbound database’s Pipeline table. Multiple
addresses within an element may be space or comma separated.
This column is provided as a convenience to cloud management
systems, but all of the features that it implements can be
implemented as ACLs using the ACL table.
Examples:
80:fa:5b:06:72:b7
The host may send traffic from and receive traffic to the
specified MAC address, and to receive traffic to Ethernet
multicast and broadcast addresses, but not otherwise.
The host may not send ARP or IPv6 Neighbor Discovery
packets with inner source Ethernet addresses other than
the one specified.
00:23:20:00:00:00/ff:ff:ff:00:00:00
Similar to the first example, except that any Ethernet
address in the Nicira OUI is allowed.
80:fa:5b:06:72:b7 192.168.1.10/24
This adds further restrictions to the first example. The
host may send IPv4 packets from or receive IPv4 packets
to only 192.168.1.10, except that it may also receive
IPv4 packets to 192.168.1.255 (based on the subnet mask),
255.255.255.255, and any address n 224.0.0.0/4. The host
may not send ARPs with a source Ethernet address other
than 80:fa:5b:06:72:b7 or source IPv4 address other than
192.168.1.10. The host may not send or receive any IPv6
(including IPv6 Neighbor Discovery) traffic.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
