openstack quantum security groups session

Quantum Security Groups Session Dave Lapsley @davlaps http://slidesha.re/HQvDTk http://etherpad.openstack.org/quantum-folsom


DESCRIPTION

Presentation on Quantum Security Groups Proposal given at Folsom Design Summit, San Francisco, CA April 2012.

TRANSCRIPT

Page 1: Openstack Quantum Security Groups Session

Quantum Security Groups Session

Dave Lapsley @davlaps

http://slidesha.re/HQvDTk

http://etherpad.openstack.org/quantum-folsom

Page 2: Openstack Quantum Security Groups Session

Session Goals

• Introduction to Nova Security Groups
• Proposal:
  – Move Security Groups from Nova to Quantum
• Discussion:
  – Provider Firewalling
  – Access Control Lists
  – Other

Page 3: Openstack Quantum Security Groups Session

Proposal: move Security Groups from Nova to Quantum

• Naturally fit within network API
• Allow plugins to implement them in a compatible way

Page 4: Openstack Quantum Security Groups Session

Features and Use Cases

Page 5: Openstack Quantum Security Groups Session

Nova Security Groups

• Collection of network access rules that specify what traffic is allowed to ingress a VM
• Associated with a VM at startup
  – If Security Group not specified, VM belongs to default Security Group, which allows traffic from all other members of the group
• A VM can be associated with many Security Groups
• Security Rule specifies:
  – Source of traffic (IP subnet in CIDR notation, or another security group)
  – Protocol (TCP, UDP, ICMP)
  – Destination port on VM

Page 6: Openstack Quantum Security Groups Session

Security Group Command Line

EC2
euca-add-group
euca-authorize
euca-delete-group
euca-describe-group
euca-describe-groups

OpenStack Nova
secgroup-add-group-rule
secgroup-add-rule
secgroup-create
secgroup-delete
secgroup-delete-group-rule
secgroup-delete-rule
secgroup-list
secgroup-list-rules

Page 7: Openstack Quantum Security Groups Session

Example

OpenStack

$ nova secgroup-create mygroup description
+---------+-------------+
| Name    | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2

$ euca-add-group -d description mygroup
GROUP   mygroup   description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP   mygroup
PERMISSION   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP   mygroup
PERMISSION   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
$ euca-describe-groups
GROUP   550d88112b9048fd931f1c66b2c7a932   default   default
GROUP   550d88112b9048fd931f1c66b2c7a932   mygroup   description
PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION   r-eezz74kc   550d88112b9048fd931f1c66b2c7a932   mygroup
INSTANCE   i-00000001   ami-00000001   server-1   server-1   pending   0   m1.small   2012-04-17T05:51:30.000Z   unknown zone   aki-00000002   ari-00000003

Page 8: Openstack Quantum Security Groups Session

Current Security Group Model

• Features:
  – Per-Virtual Machine Security Group association
  – Network egress filtering (network to VM)
  – Matching on Source subnet, Protocol, and Destination Port Range

Page 9: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (current features)

Page 10: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (current features)

Page 11: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (current features)

Page 12: Openstack Quantum Security Groups Session

Security Group API

Verb    URI                                                                Description
GET     v1.1/{tenant_id}/os-security-groups                                List security groups
POST    v1.1/{tenant_id}/os-security-groups                                Create a new security group
GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}            Get specific security group
DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}            Delete security group
POST    v1.1/{tenant_id}/os-security-group-rules                           Create security group rules
DELETE  v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}  Delete security group rule
GET     v1.1/{tenant_id}/servers/{server_id}/os-security-groups            List security groups for a specific server

Page 13: Openstack Quantum Security Groups Session

Proposed Security Group Model

• Features:
  – Per-Port Security Group association
  – Network egress/ingress filtering
• Similar to AWS VPC
  – Matching on Source subnet, Protocol, and Destination Port Range in both directions
  – Stateful egress filtering
  – Default deny except when no ingress rules, then accept all on ingress
  – IPv6 Support
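As an added example (not code from the session, from Nova or from Quantum), a small Python evaluator for the rule model on this slide and the Nova model on page 5: per-port association, source CIDR or source-group matching, protocol plus destination port range, and the proposed default of deny except that a port with no ingress rules accepts all ingress. All class, function and sample names are assumptions.

```python
# Added example, not code from the session or from Nova/Quantum; all names are assumptions.
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    direction: str            # "ingress" (network to port) or "egress" (port to network)
    protocol: str             # "tcp", "udp" or "icmp"
    port_min: int = 1         # destination port range; ignored for icmp
    port_max: int = 65535
    cidr: str = None          # remote subnet in CIDR notation, or ...
    remote_group: str = None  # ... any member of another security group

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

@dataclass
class Port:
    ip: str                                     # fixed IP on the Quantum port
    groups: list = field(default_factory=list)  # per-port association (proposed model)

def _remote_matches(rule, remote_ip, members):
    # members: {port_ip: {group names}}, used to resolve "source group" rules.
    if rule.cidr is not None:
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr, strict=False)
    return rule.remote_group in members.get(remote_ip, set())

def allowed(port, direction, protocol, dport, remote_ip, members):
    """Decide whether a NEW flow may open on `port`. Replies to an accepted flow are
    passed by the stateful filter without re-evaluation (conntrack is not modelled).
    Default deny, except that a port with no ingress rules at all accepts all ingress."""
    rules = [r for g in port.groups for r in g.rules if r.direction == direction]
    if direction == "ingress" and not rules:
        return True
    return any(r.protocol == protocol
               and (protocol == "icmp" or r.port_min <= dport <= r.port_max)
               and _remote_matches(r, remote_ip, members) for r in rules)

# Constructed sample: the slides' "mygroup" (ssh and mysql from 192.168.1.0/24) plus a
# Nova-style default group that admits traffic from its own members.
DEFAULT = SecurityGroup("default", [Rule("ingress", "tcp", remote_group="default"),
                                    Rule("egress", "tcp", cidr="0.0.0.0/0")])
MYGROUP = SecurityGroup("mygroup", [Rule("ingress", "tcp", 22, 22, cidr="192.168.1.0/24"),
                                    Rule("ingress", "tcp", 3306, 3306, cidr="192.168.1.0/24")])
SERVER1 = Port("10.0.0.11", [MYGROUP])
PEER = Port("10.0.0.12", [DEFAULT])
BARE = Port("10.0.0.13")                        # no groups, hence no ingress rules
MEMBERS = {p.ip: {g.name for g in p.groups} for p in (SERVER1, PEER, BARE)}
```

Note that with these semantics a port whose groups carry no egress rules cannot open outbound flows at all, which is the behaviour the proposed default deny implies and the reason the sample default group carries an explicit egress rule.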

Page 14: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (proposed features)

Page 15: Openstack Quantum Security Groups Session

Proposed Security Group API

Verb    URI                                                                      Description
GET     v1.1/{tenant_id}/os-security-groups                                      List security groups
POST    v1.1/{tenant_id}/os-security-groups                                      Create a new security group*
GET     v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Get specific security group
DELETE  v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Delete security group
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Update security group*
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port   Associate port with security group
PUT     v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port  Dissociate port from security group
GET     v1.1/{tenant_id}/os-security-groups/list_for_port                        List security groups for specified port

Page 16: Openstack Quantum Security Groups Session

Architecture

Page 17: Openstack Quantum Security Groups Session

Pre-Essex Architecture

Page 18: Openstack Quantum Security Groups Session

Essex Architecture

Page 19: Openstack Quantum Security Groups Session

Folsom Architecture?

Page 20: Openstack Quantum Security Groups Session

Other Features

Page 21: Openstack Quantum Security Groups Session

Provider Firewalling

• Need to have security groups that are modifiable by tenants
• Desirable to have security groups that are only modifiable by service providers
  – E.g. preventing a tenant from sending SMTP traffic
  – Blocking all incoming traffic on a known trojan port
• Not ideal fit for security group

Page 22: Openstack Quantum Security Groups Session

Access Control Lists

• Current security group model is somewhat limited

• Would be nice to have a more generic ACL capability

• Features:
  – Ingress/Egress filtering
  – Port-based association
  – More sophisticated matching
  – Allow/deny
  – Combination of ACLs

Page 23: Openstack Quantum Security Groups Session

Comments, Questions, Suggestions?

@davlaps