On Wed, Sep 15, 2010 at 7:33 AM, Soren Hansen <[email protected]> wrote:
> I have a spec[1] and a corresponding branch[2] about making basic use of
> libvirt's nwfilter support. It basically just adds a snippet to the
> libvirt templates that enables a number of network filtering techniques.
> Specifically, it prevents MAC spoofing, ARP spoofing, and IP spoofing. I
> didn't bother making this configurable, since it seems like the sort of
> thing everyone will always want. As such, there's no API call to enable
> it, nor is there a setting in the datamodel that enables/disables it.

\o/ +1 for specs and blueprints :)

> While this is a great feature to have, it raises a few questions about
> the non-libvirt hypervisors.
>
> Ideally, of course, we don't want the choice of hypervisors to affect
> the utility of Nova. Lacking decent network filtering IMO limits a cloud
> computing platform's utility significantly.

Agreed.

> So, what to do? Should we more clearly define the contract to which a
> hypervisor driver is meant to adhere and list the above mentioned
> spoofing protections as requirements? We could assign specific people as
> designated maintainers of the different hypervisor drivers, and make it
> their responsibility to make their driver conformant to the contract.

Not sure. I'll wait to hear from the vendors on this one.

-jay

> Other suggestions?
>
> I also have another spec[3] and a corresponding branch[4] that
> implements EC2 style security groups using libvirt's nwfilter. This is a
> bigger chunk of work, but it seems like it should follow the same pattern.
>
> [1]: https://blueprints.launchpad.net/nova/+spec/austin-nwfilter
> [2]: https://code.launchpad.net/~soren/nova/nwfilter
> [3]: https://blueprints.launchpad.net/nova/+spec/austin-ec2-security-groups
> [4]: https://code.launchpad.net/~soren/nova/ec2-security-groups
>
> --
> Soren Hansen
> Ubuntu Developer http://www.ubuntu.com/
> OpenStack Developer http://www.openstack.org/
>
> _______________________________________________
> Mailing list: https://launchpad.net/~nova
> Post to : [email protected]
> Unsubscribe : https://launchpad.net/~nova
> More help : https://help.launchpad.net/ListHelp
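
Added example, not part of this thread or of the Nova branch: a small audit that reads a libvirt domain XML and flags guest interfaces that carry no nwfilter reference, which is the per-interface snippet the first message describes. It assumes the snippet references libvirt's built-in `clean-traffic` filter (the thread does not name the filter); the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML; not taken from the Nova branch.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='02:16:3e:00:00:01'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.0.0.3'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='02:16:3e:00:00:02'/>
    </interface>
    <interface type='bridge'>
      <mac address='02:16:3e:00:00:03'/>
      <filterref filter='clean-traffic'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml, required_filter="clean-traffic"):
    """Return (mac, finding) pairs for interfaces lacking the anti-spoofing filter."""
    findings = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        mac_el = iface.find("mac")
        mac = mac_el.get("address") if mac_el is not None else "<no mac>"
        ref = iface.find("filterref")
        if ref is None:
            findings.append((mac, "no filterref: MAC/ARP/IP spoofing not filtered"))
        elif ref.get("filter") != required_filter:
            # Assumption: anything other than the expected filter needs review.
            findings.append((mac, "unexpected filter: %s" % ref.get("filter")))
        elif not any(p.get("name") == "IP" for p in ref.findall("parameter")):
            # Without an IP parameter libvirt learns the address from guest traffic.
            findings.append((mac, "no IP parameter: address not pinned"))
    return findings

if __name__ == "__main__":
    for mac, finding in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(mac, finding)
```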

