
Openstack Quantum Security Groups Session

May 25, 2015


David Lapsley

Presentation on Quantum Security Groups Proposal given at Folsom Design Summit, San Francisco, CA April 2012.
Transcript
Page 1: Openstack Quantum Security Groups Session

Quantum Security Groups Session

Dave Lapsley @davlaps

http://slidesha.re/HQvDTk

http://etherpad.openstack.org/quantum-folsom

Page 2: Openstack Quantum Security Groups Session

Session Goals

• Introduction to Nova Security Groups
• Proposal:
  – Move Security Groups from Nova to Quantum
• Discussion:
  – Provider Firewalling
  – Access Control Lists
  – Other

Page 3: Openstack Quantum Security Groups Session

Proposal: move Security Groups from Nova to Quantum

• Naturally fit within network API
• Allow plugins to implement them in a compatible way

Page 4: Openstack Quantum Security Groups Session

Features and Use Cases

Page 5: Openstack Quantum Security Groups Session

Nova Security Groups

• Collection of network access rules that specify what traffic is allowed to ingress a VM
• Associated with a VM at startup
  – If Security Group not specified, VM belongs to default Security Group which allows traffic from all other members of the group
• A VM can be associated with many Security Groups
• Security Rule specifies:
  – Source of traffic (IP subnet in CIDR notation, or another security group)
  – Protocol (TCP, UDP, ICMP)
  – Destination port on VM

Page 6: Openstack Quantum Security Groups Session

Security Group Command Line

EC2
  euca-add-group
  euca-authorize
  euca-delete-group
  euca-describe-group
  euca-describe-groups

OpenStack Nova
  secgroup-add-group-rule
  secgroup-add-rule
  secgroup-create
  secgroup-delete
  secgroup-delete-group-rule
  secgroup-delete-rule
  secgroup-list
  secgroup-list-rules

Page 7: Openstack Quantum Security Groups Session

Example

OpenStack

$ nova secgroup-create mygroup description
+---------+-------------+
| Name    | Description |
+---------+-------------+
| mygroup | description |
+---------+-------------+
$ nova secgroup-add-rule mygroup tcp 22 22 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova secgroup-add-rule mygroup tcp 3306 3306 192.168.1.0/24
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| tcp         | 3306      | 3306    | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
$ nova boot --flavor 1 --image f16f1d2d-71d6-41b7-98a5-319f142d61f5 --security_groups mygroup server1
+------------------------+--------------------------------------+
| OS-DCF:diskConfig      | MANUAL                               |
| OS-EXT-STS:power_state | 0                                    |
| OS-EXT-STS:task_state  | scheduling                           |
| OS-EXT-STS:vm_state    | building                             |
| accessIPv4             |                                      |
| accessIPv6             |                                      |
| adminPass              | 2QCHvG7fJ6Pc                         |
| config_drive           |                                      |
| created                | 2012-04-17T11:11:07Z                 |
| flavor                 | m1.tiny                              |
| hostId                 |                                      |
| id                     | 6d6bb47e-a356-4724-b48e-c248fceb1513 |
| image                  | cirros-0.3.0-x86_64-blank            |
| key_name               |                                      |
| metadata               | {}                                   |
| name                   | server1                              |
| progress               | 0                                    |
| status                 | BUILD                                |
| tenant_id              | 63c4cab49c8b449191d9ea5cfce0f928     |
| updated                | 2012-04-17T11:11:08Z                 |
| user_id                | d4dc81acfd604f72a56a70879fe565ad     |
+------------------------+--------------------------------------+

EC2

$ euca-add-group -d description mygroup
GROUP   mygroup   description
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 22 mygroup
GROUP   mygroup
PERMISSION   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
$ euca-authorize -P tcp -s 192.168.1.0/24 -p 3306 mygroup
GROUP   mygroup
PERMISSION   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
$ euca-describe-groups
GROUP   550d88112b9048fd931f1c66b2c7a932   default   default
GROUP   550d88112b9048fd931f1c66b2c7a932   mygroup   description
PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   22   22   FROM   CIDR   192.168.1.0/24
PERMISSION   550d88112b9048fd931f1c66b2c7a932   mygroup   ALLOWS   tcp   3306   3306   FROM   CIDR   192.168.1.0/24
$ euca-run-instances tty -g mygroup
RESERVATION   r-eezz74kc   550d88112b9048fd931f1c66b2c7a932   mygroup
INSTANCE   i-00000001   ami-00000001   server-1   server-1   pending   0   m1.small   2012-04-17T05:51:30.000Z   unknown zone   aki-00000002   ari-00000003

Page 8: Openstack Quantum Security Groups Session

Current Security Group Model

• Features:
  – Per-Virtual Machine Security Group association
  – Network egress filtering (network to VM)
  – Matching on Source subnet, Protocol, and Destination Port Range

Page 9: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (current features)

Page 10: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (current features)

Page 11: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (current features)

Page 12: Openstack Quantum Security Groups Session

Security Group API

Verb     URI                                                                   Description
GET      v1.1/{tenant_id}/os-security-groups                                   List security groups
POST     v1.1/{tenant_id}/os-security-groups                                   Create a new security group
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}               Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}               Delete security group
POST     v1.1/{tenant_id}/os-security-group-rules                              Create security group rules
DELETE   v1.1/{tenant_id}/os-security-group-rules/{security_group_rule_id}     Delete security group rule
GET      v1.1/{tenant_id}/servers/{server_id}/os-security-groups               List security groups for a specific server

Page 13: Openstack Quantum Security Groups Session

Proposed Security Group Model

• Features:
  – Per-Port Security Group association
  – Network egress/ingress filtering
• Similar to AWS VPC
  – Matching on Source subnet, Protocol, and Destination Port Range in both directions
  – Stateful egress filtering
  – Default deny except when no ingress rules, then accept all on ingress
  – IPv6 Support
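To make the proposed semantics concrete, here is an added Python sketch (not code from the proposal, from Quantum or from Nova) that evaluates a packet on a port against the security groups associated with that port: matching on remote subnet or source group, protocol and destination port range in both directions, default deny, and the exception that a port with no ingress rules accepts all ingress. How a source-group rule is resolved to member addresses is an assumption, and connection tracking for the stateful egress case is left out.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    protocol: str                       # "tcp", "udp" or "icmp"
    port_min: int
    port_max: int
    remote_cidr: Optional[str] = None   # e.g. "192.168.1.0/24" ...
    remote_group: Optional[str] = None  # ... or the name of a peer security group


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    direction: str   # seen from the Quantum port: "ingress" (towards the VM) or "egress"
    protocol: str
    port: int        # destination port on the VM (ingress) or on the remote host (egress)
    remote_ip: str


def _matches(rule: Rule, pkt: Packet, members: Dict[str, Set[str]]) -> bool:
    if rule.direction != pkt.direction or rule.protocol != pkt.protocol:
        return False
    if not rule.port_min <= pkt.port <= rule.port_max:
        return False
    if rule.remote_cidr is not None:
        return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.remote_cidr)
    # Source-group rule: the remote side must be a port currently in that group
    # (assumption: group membership is resolved to the member ports' IP addresses).
    return pkt.remote_ip in members.get(rule.remote_group, set())


def allowed(groups: List[SecurityGroup], pkt: Packet, members: Dict[str, Set[str]]) -> bool:
    """Decide a packet for a port associated with `groups`.

    Default deny in both directions, with the slide's single exception: if the
    port's groups carry no ingress rule at all, everything on ingress is accepted.
    Rules are allow-only, so any one matching rule is enough."""
    rules = [r for g in groups for r in g.rules]
    if pkt.direction == "ingress" and not any(r.direction == "ingress" for r in rules):
        return True
    return any(_matches(r, pkt, members) for r in rules)
```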

Page 14: Openstack Quantum Security Groups Session

Use Case: Distributed Firewall (proposed features)

Page 15: Openstack Quantum Security Groups Session

Proposed Security Group API

Verb     URI                                                                      Description
GET      v1.1/{tenant_id}/os-security-groups                                      List security groups
POST     v1.1/{tenant_id}/os-security-groups                                      Create a new security group*
GET      v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Get specific security group
DELETE   v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Delete security group
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}                  Update security group*
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/associate_port   Associate port with security group
PUT      v1.1/{tenant_id}/os-security-groups/{security_group_id}/dissociate_port  Dissociate port from security group
GET      v1.1/{tenant_id}/os-security-groups/list_for_port                        List security groups for specified port

Page 16: Openstack Quantum Security Groups Session

Architecture

Page 17: Openstack Quantum Security Groups Session

Pre-Essex Architecture

Page 18: Openstack Quantum Security Groups Session

Essex Architecture

Page 19: Openstack Quantum Security Groups Session

Folsom Architecture?

Page 20: Openstack Quantum Security Groups Session

Other Features

Page 21: Openstack Quantum Security Groups Session

Provider Firewalling

• Need to have security groups that are modifiable by tenants
• Desirable to have security groups that are only modifiable by service providers
  – E.g. preventing a tenant from sending SMTP traffic
  – Blocking all incoming traffic on a known trojan port
• Not ideal fit for security group

Page 22: Openstack Quantum Security Groups Session

Access Control Lists

• Current security group model is somewhat limited

• Would be nice to have a more generic ACL capability

• Features:
  – Ingress/Egress filtering
  – Port-based association
  – More sophisticated matching
  – Allow/deny
  – Combination of ACLs
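For the provider firewalling slide and this ACL wish list, an added Python sketch (not code from the proposal or from OpenStack) of ordered allow/deny ACL entries and of how a provider-owned ACL can be combined with tenant ACLs so that a tenant cannot re-enable what the provider blocks; the combination order and the port numbers in the sample policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "allow" or "deny"
    direction: str                  # "ingress" or "egress"
    protocol: Optional[str] = None  # None matches any protocol
    port_min: int = 0
    port_max: int = 65535
    remote_cidr: str = "0.0.0.0/0"  # any remote address by default


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    port: int
    remote_ip: str


def _entry_matches(e: AclEntry, f: Flow) -> bool:
    return (e.direction == f.direction
            and e.protocol in (None, f.protocol)
            and e.port_min <= f.port <= e.port_max
            and ipaddress.ip_address(f.remote_ip) in ipaddress.ip_network(e.remote_cidr))


def evaluate_acl(entries: List[AclEntry], flow: Flow) -> Optional[str]:
    """First matching entry wins; None means this ACL has no opinion on the flow."""
    for e in entries:
        if _entry_matches(e, flow):
            return e.action
    return None


def decide(provider_acl: List[AclEntry], tenant_acls: List[List[AclEntry]], flow: Flow) -> str:
    """Combine ACLs (assumed order): the provider ACL is consulted first and its
    verdict cannot be overridden by a tenant; tenant ACLs follow in order; a flow
    that no ACL explicitly allows is denied."""
    verdict = evaluate_acl(provider_acl, flow)
    if verdict is None:
        for acl in tenant_acls:
            verdict = evaluate_acl(acl, flow)
            if verdict is not None:
                break
    return verdict or "deny"


# Constructed sample policy: the provider blocks outbound SMTP and all inbound traffic
# to a port it treats as a known trojan port (31337 is a sample value, not one from the
# slides); the tenant allows SSH from its management subnet and any egress.
PROVIDER_ACL = [AclEntry("deny", "egress", "tcp", 25, 25),
                AclEntry("deny", "ingress", None, 31337, 31337)]
TENANT_ACL = [AclEntry("allow", "ingress", "tcp", 22, 22, "192.168.1.0/24"),
              AclEntry("allow", "egress")]
```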

Page 23: Openstack Quantum Security Groups Session

Comments, Questions, Suggestions?

@davlaps