[ovs-dev] [v2] proposed OVN port security specification (was: Re: Allowed Address Pairs - OVN)

Ben Pfaff blp at nicira.com
Fri Jul 3 00:39:09 UTC 2015


On Thu, Jul 02, 2015 at 12:42:18PM -0700, Ben Pfaff wrote:
> Here's a proposal for an OVN port security specification.  I tried to
> specify it as carefully and completely as possible.  This is not
> implemented yet, only specified.  Comments are welcome!

Here's a new version that incorporates feedback (clarification, really)
from Aaron and Guru:

       port_security: set of strings
              This  column controls the addresses from which the host attached
              to the logical port (``the host’’) is allowed  to  send  packets
              and  to  which it is allowed to receive packets.  If this column
              is empty, all addresses are permitted.

              Each element in the  set  must  contain  one  or  more  Ethernet
              addresses,  optionally  masked.   An  element that contains only
              Ethernet addresses restricts the host to  sending  packets  from
              and receiving packets to those addresses.  It also restricts the
              inner source MAC addresses that the host may  send  in  ARP  and
              IPv6 Neighbor Discovery packets.  It does not restrict the
              logical port to any particular L3 addresses.  The host is always
              allowed  to  receive packets to multicast and broadcast Ethernet
              addresses.

              Each element in the set may additionally  contain  one  or  more
              IPv4  or  IPv6  addresses  (or both), with optional masks.  If a
              mask is given, it must be a  CIDR  mask.   In  addition  to  the
              restrictions  described  for  Ethernet  addresses above, such an
              element restricts the IPv4 or IPv6 addresses from which the host
              may send and to which it may receive packets to the specified
              addresses.  A masked address, if the host part is zero,
              indicates that the host is allowed to use any addresses in the
              subnet; if the host part is nonzero, the mask simply indicates the
              size of the subnet.  In addition:

              *      If any IPv4 address is given, the host is also allowed to
                     receive packets  to  the  IPv4  local  broadcast  address
                     255.255.255.255   and   to   IPv4   multicast   addresses
                     (224.0.0.0/4).  If an IPv4 address with a mask is  given,
                     the host is also allowed to receive packets to the
                     broadcast address in that specified subnet.

                     If any IPv4 address is given, the  host  is  additionally
                     restricted  to  sending  ARP  packets  with the specified
                     source address.  (RARP is not restricted.)

              *      If any IPv6 address is given, the host is also allowed to
                     receive packets to IPv6 multicast addresses (ff00::/8).

                     If  any  IPv6  address is given, the host is additionally
                     restricted to sending IPv6 Neighbor Discovery
                     Solicitation or Advertisement packets with the specified source
                     address or, for solicitations, the unspecified address.

              If an element includes an IPv4 address, but no  IPv6  addresses,
              then  IPv6  traffic  is  not allowed.  If an element includes an
              IPv6 address, but no IPv4 address, then IPv4 and ARP traffic  is
              not allowed.

              Multiple  elements act as a disjunction.  That is, when multiple
              elements exist, any packet that would be permitted by any
              individual element, as described above, is permitted by the overall
              policy.

              This column uses the same lexical syntax as the match column  in
              the   OVN   Southbound   database’s  Pipeline  table.   Multiple
              addresses within an element may be space or comma separated.

              This column is provided as a  convenience  to  cloud  management
              systems,  but  all  of  the  features  that it implements can be
              implemented as ACLs using the ACL table.

              Examples:

              80:fa:5b:06:72:b7
                     The host may send traffic from and receive traffic to the
                     specified MAC address, and to receive traffic to Ethernet
                     multicast and broadcast  addresses,  but  not  otherwise.
                     The  host  may  not  send  ARP or IPv6 Neighbor Discovery
                     packets with inner source Ethernet addresses  other  than
                     the one specified.

              00:23:20:00:00:00/ff:ff:ff:00:00:00
                     Similar  to  the  first example, except that any Ethernet
                     address in the Nicira OUI is allowed.

              80:fa:5b:06:72:b7 192.168.1.10/24
                     This adds further restrictions to the first example.  The
                     host  may  send IPv4 packets from or receive IPv4 packets
                     to only 192.168.1.10, except that  it  may  also  receive
                     IPv4 packets to 192.168.1.255 (based on the subnet mask),
                     255.255.255.255, and any address in 224.0.0.0/4.  The host
                     may  not  send  ARPs with a source Ethernet address other
                     than 80:fa:5b:06:72:b7 or source IPv4 address other  than
                     192.168.1.10.   The host may not send or receive any IPv6
                     (including IPv6 Neighbor Discovery) traffic.
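As an added illustration of the semantics above (this is example code written here, not OVN's implementation), the following evaluates one packet address pair against a port_security set: the Ethernet check, the L3 check with the subnet-broadcast, multicast and "IPv4-only forbids IPv6" rules, and the disjunction across elements.  It assumes each element is laid out as a MAC (optionally "mac/mask") followed by IPv4/IPv6 addresses with optional CIDR masks, separated by spaces or commas.

```python
import ipaddress
import re
ETH_MCAST_BIT = 0x010000000000          # I/G bit: multicast or broadcast MAC
V4_LOCAL_BCAST = ipaddress.ip_address("255.255.255.255")
V4_MCAST = ipaddress.ip_network("224.0.0.0/4")
V6_MCAST = ipaddress.ip_network("ff00::/8")

def _mac(s):
    return int(s.replace(":", ""), 16)

def parse_element(elem):
    """Split one set element into (mac, mac_mask, [ip_interface, ...]).
    Assumed layout: MAC (optionally 'mac/mask') first, then L3 addresses."""
    toks = re.split(r"[ ,]+", elem.strip())
    mac, _, mask = toks[0].partition("/")
    mac_mask = _mac(mask) if mask else 0xFFFFFFFFFFFF
    return _mac(mac) & mac_mask, mac_mask, [ipaddress.ip_interface(t) for t in toks[1:]]

def _l3_ok(ifaces, addr, receiving):
    """Apply one element's L3 rules to a single source/destination address."""
    if not ifaces:
        return True                         # Ethernet-only element: no L3 restriction
    fam = [i for i in ifaces if i.version == addr.version]
    if not fam:
        return False                        # IPv4-only element forbids IPv6, and vice versa
    if receiving:                           # extra destinations the host may receive
        if addr.version == 4 and (addr == V4_LOCAL_BCAST or addr in V4_MCAST):
            return True
        if addr.version == 6 and addr in V6_MCAST:
            return True
        if addr.version == 4 and any(addr == i.network.broadcast_address for i in fam):
            return True                     # broadcast address of a masked IPv4 subnet
    for i in fam:                           # host part zero: whole subnet; else exact address
        if (addr in i.network) if i.ip == i.network.network_address else (addr == i.ip):
            return True
    return False

def permitted(port_security, mac, ip=None, receiving=False):
    """True if the host may send from (receiving=False) or receive to (receiving=True)
    the given MAC and optional L3 address.  Elements are a disjunction; empty set = allow all."""
    if not port_security:
        return True
    m, addr = _mac(mac), (ipaddress.ip_address(ip) if ip else None)
    for elem in port_security:
        emac, emask, ifaces = parse_element(elem)
        eth_ok = (receiving and bool(m & ETH_MCAST_BIT)) or (m & emask) == emac
        if eth_ok and (addr is None or _l3_ok(ifaces, addr, receiving)):
            return True
    return False
```

Calling permitted() with an ARP sender protocol address as ip and receiving=False checks the ARP source restriction the same way, since the rules for it are the ones applied to IPv4 source addresses.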


