[ovs-dev] [PATCH 03/13] datapath: Account for "vxlan: Group Policy extension"

Pravin Shelar pshelar at nicira.com
Tue Feb 3 18:07:51 UTC 2015


On Fri, Jan 30, 2015 at 6:36 AM, Thomas Graf <tgraf at noironetworks.com> wrote:
> Upstream commit:
>     vxlan: Group Policy extension
>
>     Implements support for the Group Policy VXLAN extension [0] to provide
>     a lightweight and simple security label mechanism across network peers
>     based on VXLAN. The security context and associated metadata are mapped
>     to/from skb->mark. This allows further mapping to a SELinux context
>     using SECMARK, to implement ACLs directly with nftables, iptables, OVS,
>     tc, etc.
>
>     The group membership is defined by the lower 16 bits of skb->mark, the
>     upper 16 bits are used for flags.
>
>     SELinux allows managing labels to secure local resources. However,
>     distributed applications require ACLs to be implemented across hosts.
>     This is typically achieved by matching on L2-L4 fields to identify the
>     original sending host and process on the receiver. On top of that,
>     netlabel and specifically CIPSO [1] allow mapping security contexts to
>     universal labels.  However, netlabel and CIPSO are relatively complex.
>     This patch provides a lightweight alternative for overlay network
>     environments with a trusted underlay. No additional control protocol
>     is required.
>
>                Host 1:                       Host 2:
>
>           Group A        Group B        Group B     Group A
>           +-----+   +-------------+    +-------+   +-----+
>           | lxc |   | SELinux CTX |    | httpd |   | VM  |
>           +--+--+   +--+----------+    +---+---+   +--+--+
>           \---+---/                     \----+---/
>               |                              |
>           +---+---+                      +---+---+
>           | vxlan |                      | vxlan |
>           +---+---+                      +---+---+
>               +------------------------------+
>
>     Backwards compatibility:
>     A VXLAN-GBP socket can receive standard VXLAN frames and will assign
>     the default group 0x0000 to such frames. A Linux VXLAN socket will
>     drop VXLAN-GBP frames. The extension is therefore disabled by default
>     and needs to be specifically enabled:
>
>        ip link add [...] type vxlan [...] gbp
>
>     In a mixed environment with VXLAN and VXLAN-GBP sockets, the GBP socket
>     must run on a separate port number.
>
>     Examples:
>      iptables:
>       host1# iptables -I OUTPUT -m owner --uid-owner 101 -j MARK --set-mark 0x200
>       host2# iptables -I INPUT -m mark --mark 0x200 -j DROP
>
>      OVS:
>       # ovs-ofctl add-flow br0 'in_port=1,actions=load:0x200->NXM_NX_TUN_GBP_ID[],NORMAL'
>       # ovs-ofctl add-flow br0 'in_port=2,tun_gbp_id=0x200,actions=drop'
>
>     [0] https://tools.ietf.org/html/draft-smith-vxlan-group-policy
>     [1] http://lwn.net/Articles/204905/
>
>     Signed-off-by: Thomas Graf <tgraf at suug.ch>
>     Signed-off-by: David S. Miller <davem at davemloft.net>
>
> Upstream: 351149 ("vxlan: Group Policy extension")
> Signed-off-by: Thomas Graf <tgraf at noironetworks.com>

Acked-by: Pravin B Shelar <pshelar at nicira.com>
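The quoted commit message describes the skb->mark layout (group in the low 16 bits, flags in the upper 16) and the backwards-compatibility rules (a GBP socket accepts plain VXLAN frames as group 0x0000; a plain socket drops VXLAN-GBP frames) without showing the header bits. The following is an added example written for this page, not code from the patch, the kernel or OVS. It encodes a mark into the 8-byte VXLAN-GBP header and applies the receive-side rules. The wire positions of the G, I, D and A bits follow draft-smith-vxlan-group-policy [0]; the bits chosen for the two flags inside the upper half of the mark (GBP_MARK_DONT_LEARN, GBP_MARK_POLICY_APPLIED) and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte 0 of the VXLAN header: G marks the Group Policy extension,
 * I marks a valid VNI (layout from draft-smith-vxlan-group-policy [0]). */
#define VXLAN_FLAG_G 0x80u
#define VXLAN_FLAG_I 0x08u
/* Byte 1 carries the two GBP flags: D (Don't Learn) and A (Policy Applied). */
#define VXLAN_GBP_HDR_D 0x40u
#define VXLAN_GBP_HDR_A 0x08u

/* skb->mark layout from the commit message: group id in the low 16 bits,
 * flags in the upper 16 bits. The exact bit used for each flag is an
 * assumption made for this example (the wire bit mirrored into the upper half). */
#define GBP_MARK_ID_MASK        0x0000FFFFu
#define GBP_MARK_DONT_LEARN     (VXLAN_GBP_HDR_D << 16)
#define GBP_MARK_POLICY_APPLIED (VXLAN_GBP_HDR_A << 16)

/* Encode the 8-byte VXLAN header for an outgoing frame. When gbp is set,
 * the mark's group id and flags go on the wire and the G bit is raised;
 * otherwise a standard VXLAN header (I bit + VNI only) is produced. */
void vxlan_build_hdr(uint8_t hdr[8], uint32_t vni, uint32_t mark, int gbp)
{
    memset(hdr, 0, 8);
    hdr[0] = VXLAN_FLAG_I;
    if (gbp) {
        uint16_t id = (uint16_t)(mark & GBP_MARK_ID_MASK);
        hdr[0] |= VXLAN_FLAG_G;
        if (mark & GBP_MARK_DONT_LEARN)
            hdr[1] |= VXLAN_GBP_HDR_D;
        if (mark & GBP_MARK_POLICY_APPLIED)
            hdr[1] |= VXLAN_GBP_HDR_A;
        hdr[2] = (uint8_t)(id >> 8);
        hdr[3] = (uint8_t)id;
    }
    hdr[4] = (uint8_t)(vni >> 16);
    hdr[5] = (uint8_t)(vni >> 8);
    hdr[6] = (uint8_t)vni;
}

/* Receive-side check implementing the backwards-compatibility rules from the
 * commit message. Returns 0 and fills *mark/*vni when the frame is accepted,
 * -1 when this socket must drop it. */
int vxlan_parse_hdr(const uint8_t hdr[8], int gbp_socket,
                    uint32_t *mark, uint32_t *vni)
{
    if (!(hdr[0] & VXLAN_FLAG_I))
        return -1;                      /* no VNI: not a valid VXLAN frame */

    *vni = ((uint32_t)hdr[4] << 16) | ((uint32_t)hdr[5] << 8) | hdr[6];
    *mark = 0;                          /* default group 0x0000 */

    if (!(hdr[0] & VXLAN_FLAG_G))
        return 0;                       /* plain VXLAN: both socket kinds accept */

    if (!gbp_socket)
        return -1;                      /* plain socket drops VXLAN-GBP frames */

    *mark = ((uint32_t)hdr[2] << 8) | hdr[3];
    if (hdr[1] & VXLAN_GBP_HDR_D)
        *mark |= GBP_MARK_DONT_LEARN;
    if (hdr[1] & VXLAN_GBP_HDR_A)
        *mark |= GBP_MARK_POLICY_APPLIED;
    return 0;
}

int main(void)
{
    uint8_t hdr[8];
    uint32_t mark, vni;

    /* Host 1: mark 0x200 (the iptables example), policy already applied. */
    vxlan_build_hdr(hdr, 42, 0x200 | GBP_MARK_POLICY_APPLIED, 1);
    printf("wire: %02x %02x %02x %02x %02x %02x %02x %02x\n",
           hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[5], hdr[6], hdr[7]);

    /* Host 2: a GBP socket recovers the group, a plain socket drops the frame. */
    printf("gbp socket: rc=%d mark=0x%x vni=%u\n",
           vxlan_parse_hdr(hdr, 1, &mark, &vni), mark, vni);
    printf("plain socket: rc=%d\n", vxlan_parse_hdr(hdr, 0, &mark, &vni));
    return 0;
}
```

The drop in the plain-socket branch is what forces the "separate port number" rule in the commit message: a legacy receiver cannot strip the GBP bytes, so mixing both frame kinds on one UDP port would silently lose the labelled traffic.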