Not sure I understand the thread below. Security groups today are provided on the hypervisor level (dom0 / KVM host). There is currently a conundrum:

- On XenServer, Open vSwitch (OVS) is the de facto vswitch. OVS however cannot do stateful packet inspection. This might entail switching to Linux bridge, however this is under discussion with Citrix.
- On vSphere, the vSwitch does not support SPI either and will require a plugin such as vShield or Cisco VSG.

One alternative to what Paul is describing is to provide L2 isolation on a shared VLAN using PVLAN. However, there too there are questions on hardware support (requires VMware dvSwitch and requires hardware switches to understand PVLAN).

On 3/5/13 12:34 AM, "Mills, Joseph" <j...@midokura.jp> wrote:

> Hi Anthony,
>
> Any thoughts? We are looking forward to hearing back from you about this. Just to recap:
>
> (1) Your current changes add Security Group capabilities for the Virtual Router in advance-shared only, is this correct?
>
> (2) Your future plan is to add Security Groups to Virtual Router in advanced-isolated, but will NOT be supportable by other network service providers, is this correct?
>
> (3) Any reason you have decided to implement Security Groups differently than the other network services? Particularly with respect to pluggability?
>
> Thanks,
> Joe
>
> On Fri, Mar 1, 2013 at 12:16 PM, Dave Cahill <dcah...@midokura.com> wrote:
>
>> Hi Anthony,
>>
>> Adding you in CC in case you missed this message.
>>
>> We're trying to understand in more detail your plan for Security Groups support.
>>
>> Thanks,
>> Dave.
>>
>> On Fri, Feb 15, 2013 at 3:19 PM, Mills, Joseph <j...@midokura.jp> wrote:
>>
>>> Hi Anthony,
>>>
>>> Thanks for the quick response. Just to check my understanding:
>>>
>>> CloudStack has 4 networking models:
>>> Basic (Only in Basic Zone)
>>> Isolated (Only in Advanced Zone)
>>> Shared (Only in Advanced Zone)
>>> VPC (Only in Advanced Zone)
>>>
>>> Zones can be Security Group enabled, or Security Group disabled - this is a tickbox in the UI when creating a Zone.
>>>
>>> Network Offerings can have the Security Groups Capability enabled or not - this is a tickbox in the UI when creating a NetworkOffering.
>>>
>>> You have code that is almost ready to commit (CLOUDSTACK-737, currently adding unit tests), and you also plan to make further changes for 4.2 - let's call these "current" and "future" changes.
>>>
>>> (1) Your "current" changes add support for the Security Groups Capability in Advanced Shared networks, however this will only be supported by the Virtual Router Provider, with no option to be supported by other network plugins.
>>>
>>> (2) For 4.2 ("future"), you plan to add support for the Security Groups Capability in Advanced Isolated networks. This will also not have the option of being supported by other network plugins.
>>>
>>> Is this correct?
>>>
>>> Any reason why you have chosen to implement this service differently than the other Services with respect to pluggability?
>>>
>>> Thanks,
>>> Joe
>>>
>>> On Fri, Feb 15, 2013 at 1:11 PM, Anthony Xu <xuefei...@citrix.com> wrote:
>>>
>>>> I have a plan to add isolated and shared networks to SG enabled zone in 4.2; the service providers on these networks will be supported in SG enabled zone, but as for SG enabled shared network, the current plan is to only support Virtual Router as service provider. If you want to add other service providers in SG enabled shared network, please file a feature request for it, and you are welcome to work on that feature.
>>>>
>>>> Anthony
>>>>
>>>>> -----Original Message-----
>>>>> From: Mills, Joseph [mailto:j...@midokura.jp]
>>>>> Sent: Thursday, February 14, 2013 7:02 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Subject: Security Groups in Advanced Zone - Plugin Support
>>>>>
>>>>> I was looking at the FS for Security Group Isolation in Advanced Zone (CLOUDSTACK-737) and I noticed that:
>>>>>
>>>>> "Only one network service provider is supported in advanced SG enabled zone - Virtual Router"
>>>>>
>>>>> Are there currently any plans to add pluggability support for Security Groups in 4.2, and if so, is any timeline estimate available? As far as we know, all other Services are pluggable, and we would like to support Security Group Isolation as well.
>>>>>
>>>>> Thanks,
>>>>> Joe
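The hypervisor-level, stateful enforcement described in the top message, as an added example that is not CloudStack's own security-group code: it builds the per-VM iptables chain a Linux bridge host would use (conntrack supplies the stateful inspection that OVS lacked at the time) plus ebtables anti-spoofing rules that pin the VM port to its MAC/IP, the L2 isolation the thread contrasts with PVLAN. The chain naming, the IngressRule shape and the sample VM values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    """One security-group ingress rule (hypothetical shape, not CloudStack's)."""
    proto: str   # "tcp", "udp" or "icmp"
    start: int   # first port, or ICMP type (-1 = any)
    end: int     # last port, or ICMP code (-1 = any)
    cidr: str    # allowed source network


def vm_chain_rules(vm_name, vif, vm_ip, rules):
    """Return iptables commands enforcing one VM's ingress rules on its bridge port.

    Matching the VM's tap device with the physdev module puts the filter into the
    bridge forwarding path (needs br_netfilter with bridge-nf-call-iptables=1).
    conntrack then tracks flows, so replies to connections the VM opened are
    accepted without being listed: that is the stateful part OVS could not do.
    """
    chain = f"sg-{vm_name}"
    cmds = [
        f"iptables -N {chain}",
        # Divert frames leaving the bridge towards this VM's port into its chain.
        f"iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-out {vif} -j {chain}",
        # Stateful core: packets that belong to an already tracked flow pass here.
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        if r.proto == "icmp":
            # -1/-1 means any ICMP; otherwise restrict to the given type/code.
            match = "-p icmp" if r.start == -1 else f"-p icmp --icmp-type {r.start}/{r.end}"
        else:
            match = f"-p {r.proto} -m {r.proto} --dport {r.start}:{r.end}"
        cmds.append(f"iptables -A {chain} -s {r.cidr} -d {vm_ip} {match} "
                    f"-m conntrack --ctstate NEW -j ACCEPT")
    # Anything not explicitly opened is dropped: default deny per VM.
    cmds.append(f"iptables -A {chain} -j DROP")
    return cmds


def antispoof_rules(vif, vm_ip, vm_mac):
    """ebtables rules that stop a VM on a shared bridge from spoofing another
    tenant's MAC or IP (values are constructed placeholders)."""
    return [
        f"ebtables -A FORWARD -i {vif} -s ! {vm_mac} -j DROP",
        f"ebtables -A FORWARD -i {vif} -p IPv4 --ip-src ! {vm_ip} -j DROP",
        f"ebtables -A FORWARD -i {vif} -p ARP --arp-ip-src ! {vm_ip} -j DROP",
    ]
```

Each list is meant to be applied on the host as root, in order, when the VM's NIC is plugged; removing the FORWARD jump and flushing the chain on unplug undoes it.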