[NETVIRT-125] Security Groups (all implementations) - port_security extension and default DHCP/ICMP drop rules Created: 08/Sep/16  Updated: 03/May/18  Resolved: 03/Dec/16

Status: Resolved
Project: netvirt
Component/s: General
Affects Version/s: Boron
Fix Version/s: None

Type: Bug
Reporter: Alon Kochba Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 6668

Description

These rules are configured when using transparent security groups - they are inherited from the generic SG implementation, and are automatically configured for all implementations.
The part that is bothering us is the drop flows - why would any drop flows be configured, when the default OpenStack behavior is drop for everything?
It would make sense to only explicitly allow certain traffic (such as DHCP requests in ingress and DHCP responses in egress).

In addition, when extension_drivers = port_security is NOT configured in the neutron ml2_conf.ini, this causes DHCP to NOT WORK.
This is because it is assumed that the qdhcp ports will always have port_security disabled by default. The problem is that this requires the port_security extension driver to actually be configured.
We need to handle the case where it is not configured, and also consider getting rid of default drop rules - the point of transparent SG was that users that don't care about security don't have to deal with it.

cookie=0x6900000, duration=1376.923s, table=40, n_packets=0, n_bytes=0, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=68,tp_dst=67 actions=resubmit(,17)
cookie=0x6900000, duration=1376.921s, table=40, n_packets=0, n_bytes=0, priority=63010,udp6,metadata=0x20000000000/0x1fffff0000000000,tp_src=546,tp_dst=547 actions=resubmit(,17)
cookie=0x6900000, duration=1376.920s, table=40, n_packets=3, n_bytes=1122, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=67,tp_dst=68 actions=drop
cookie=0x6900000, duration=1376.919s, table=40, n_packets=0, n_bytes=0, priority=63010,udp6,metadata=0x20000000000/0x1fffff0000000000,tp_src=547,tp_dst=546 actions=drop
cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63020,icmp6,metadata=0x20000000000/0x1fffff0000000000,icmp_type=134,icmp_code=0 actions=drop
cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63010,icmp6,metadata=0x20000000000/0x1fffff0000000000 actions=resubmit(,17)
cookie=0x6900000, duration=1376.915s, table=40, n_packets=10, n_bytes=420, priority=63010,arp,metadata=0x20000000000/0x1fffff0000000000,arp_sha=fa:16:3e:94:72:e8 actions=resubmit(,17)
cookie=0x6900000, duration=1568.523s, table=40, n_packets=0, n_bytes=0, priority=0 actions=goto_table:41
cookie=0x6900000, duration=1568.524s, table=41, n_packets=3, n_bytes=804, priority=0 actions=resubmit(,17)

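The flow dump above is what a defender actually has to read when DHCP stops working under security groups, so here is an added example (not part of the ticket or of the netvirt code base) that parses `ovs-ofctl dump-flows` lines of this shape, names the traffic class each table 40 rule matches from its match fields alone, and lists the rules in the order the switch evaluates them. The sample input is a constructed subset of the flows quoted in the description; the DHCP port pairs (67/68, 546/547) and ICMPv6 type 134 (router advertisement) are standard protocol constants, and the `describe` labels are this example's own naming. The drop rules match traffic in which a DHCP server or an IPv6 router would be speaking, the classic anti-rogue-DHCP and RA-guard pattern, and the `n_packets` counters show which of them have actually discarded packets on this port, which is the first thing to check when a DHCP port is being treated as a normal VM port.

```python
from dataclasses import dataclass

# Constructed sample input: a subset of the table 40 flows quoted in the ticket,
# one flow per line, in the format ovs-ofctl dump-flows prints.
SAMPLE_DUMP = """\
cookie=0x6900000, duration=1376.923s, table=40, n_packets=0, n_bytes=0, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=68,tp_dst=67 actions=resubmit(,17)
cookie=0x6900000, duration=1376.920s, table=40, n_packets=3, n_bytes=1122, priority=63010,udp,metadata=0x20000000000/0x1fffff0000000000,tp_src=67,tp_dst=68 actions=drop
cookie=0x6900000, duration=1376.917s, table=40, n_packets=0, n_bytes=0, priority=63020,icmp6,metadata=0x20000000000/0x1fffff0000000000,icmp_type=134,icmp_code=0 actions=drop
cookie=0x6900000, duration=1376.915s, table=40, n_packets=10, n_bytes=420, priority=63010,arp,metadata=0x20000000000/0x1fffff0000000000,arp_sha=fa:16:3e:94:72:e8 actions=resubmit(,17)
cookie=0x6900000, duration=1568.523s, table=40, n_packets=0, n_bytes=0, priority=0 actions=goto_table:41
"""

# Keys ovs-ofctl prints as flow attributes; everything else before "actions=" is a match field.
ATTRIBUTE_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes",
                  "priority", "idle_timeout", "hard_timeout", "idle_age", "hard_age"}

@dataclass
class Flow:
    table: int
    priority: int
    n_packets: int
    match: dict      # match fields as strings; the bare protocol keyword is stored under "proto"
    actions: str

def parse_flow(line):
    """Parse one dump-flows line into a Flow."""
    head, sep, actions = line.strip().partition(" actions=")
    if not sep:
        raise ValueError("no actions clause: " + line)
    attrs, match = {}, {}
    for token in head.split(","):
        token = token.strip()
        if not token:
            continue
        key, eq, value = token.partition("=")
        if not eq:
            match["proto"] = key          # bare keyword such as udp, udp6, arp, icmp6
        elif key in ATTRIBUTE_KEYS:
            attrs[key] = value
        else:
            match[key] = value
    # OpenFlow's default priority is 32768 when the field is absent.
    return Flow(table=int(attrs["table"]), priority=int(attrs.get("priority", 32768)),
                n_packets=int(attrs["n_packets"]), match=match, actions=actions)

def parse_dump(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]

# (protocol, source port, destination port) -> who is talking, from the well-known DHCP ports.
DHCP_FLOWS = {
    ("udp", "68", "67"): "DHCPv4 client -> server",
    ("udp", "67", "68"): "DHCPv4 server -> client",
    ("udp6", "546", "547"): "DHCPv6 client -> server",
    ("udp6", "547", "546"): "DHCPv6 server -> client",
}

def describe(flow):
    """Name the traffic class a rule matches, using only its match fields."""
    m = flow.match
    proto = m.get("proto")
    dhcp = DHCP_FLOWS.get((proto, m.get("tp_src"), m.get("tp_dst")))
    if dhcp:
        return dhcp
    if proto == "icmp6" and m.get("icmp_type") == "134":
        return "ICMPv6 router advertisement (type 134)"
    if proto == "icmp6":
        return "other ICMPv6"
    if proto == "arp" and "arp_sha" in m:
        return "ARP from sender MAC " + m["arp_sha"]
    if proto is None:
        return "any other traffic"
    return proto

def verdict(flow):
    return "drop" if flow.actions.strip() == "drop" else "pass"

def audit(flows):
    """Rules in evaluation order (highest priority first) with class, verdict and hit count."""
    ordered = sorted(flows, key=lambda f: -f.priority)
    return [(f.priority, describe(f), verdict(f), f.n_packets) for f in ordered]

def hit_drop_rules(flows):
    """Drop rules whose counters show they have actually discarded packets."""
    return [(describe(f), f.n_packets)
            for f in flows if verdict(f) == "drop" and f.n_packets > 0]

if __name__ == "__main__":
    flows = parse_dump(SAMPLE_DUMP)
    for prio, what, action, pkts in audit(flows):
        print(f"{prio:>6}  {action:<4}  {pkts:>4} pkts  {what}")
    print("drop rules with hits:", hit_drop_rules(flows))
```

Run against the sample, the only drop rule with a non-zero counter is the one matching DHCPv4 server-to-client traffic, which is exactly the symptom the ticket describes: a port that is supposed to serve DHCP having its replies discarded by the default rules. The same script can be pointed at a live `ovs-ofctl -O OpenFlow13 dump-flows br-int table=40` dump by replacing `SAMPLE_DUMP`.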
Comments
Comment by Aswin Suryanarayanan [ 09/Sep/16 ]

The service binding and default flows are removed from transparent SG [1].

So with this, if the portsecurity extension is not configured, SG mode should be transparent in ODL.

[1]https://git.opendaylight.org/gerrit/#/c/45418/

Comment by Alon Kochba [ 03/Nov/16 ]

(In reply to Aswin Suryanarayanan from comment #1)
> The service binding and default flows are removed from transparent SG [1].
>
> So with this if portsecurity extension is not configured , SG mode should be
> transparent in ODL.
>
> [1]https://git.opendaylight.org/gerrit/#/c/45418/

Hi Aswin,

It seems you merged 45418 so I assume this ticket is off your radar.
However I think it's important we fix the case where port_security is disabled for learn/stateful SG use cases as well - do you want to keep this ticket as reminder?

Comment by Aswin Suryanarayanan [ 10/Nov/16 ]

Alon,

> In addition, when extension_drivers = port_security is NOT configured in the
> neutron ml2_conf.ini, this causes DHCP to NOT WORK.

When this is not configured, the is_port security enabled check will return false (I hope that is the default value). If so, I think no rules will be configured; it should be similar to transparent, as we check for is_port security enabled.

Comment by Alon Kochba [ 22/Nov/16 ]

(In reply to Aswin Suryanarayanan from comment #3)
> Alon,
>
> > In addition, when extension_drivers = port_security is NOT configured in the
> > neutron ml2_conf.ini, this causes DHCP to NOT WORK.
>
> When this is not configured the is_port security enabled will return false(I
> hope that is the default value). If so I think no rules will be configured,
> it should be similar as transparent as we check for is_port security enabled

Aswin, missed your reply.
The problem is that when it isn't enabled, there is no port_security field at all (so no default value).

It seems Isaku attempted to fix it for old netvirt, we probably need the same in new netvirt.
https://git.opendaylight.org/gerrit/#/c/48355

Comment by Aswin Suryanarayanan [ 03/Dec/16 ]

This is now addressed. SG will not be inserted for network ports.

https://git.opendaylight.org/gerrit/#/c/48902/

Generated at Wed Feb 07 20:20:46 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.