Hello All,

The un-addressed port spec [1] was approved for Liberty. I think this spec has good potential to provide very interesting solutions for NFV use cases but also for multi-site connectivity, and I would really want to see it move forward with the community.

There are some issues we need to discuss regarding L2 population (both for the reference implementation and for any "SDN" solution), but we can iterate on them.

This email relates to a recent revert [2] that was done to prevent a spoofing possibility due to recent work that was merged. If I understand the problem correctly, an un-addressed port can now perform ARP spoofing on an address of a port that already exists in the same network and listen to its traffic (a problem which becomes bigger with a shared network among tenants).

One possible solution we could do to prevent this is to keep flow entries that block the port from pretending to have an IP that is already part of the network (or subnet). So there will be ARP spoofing checks that check the port is not answering for an IP that is already configured.

*Any thoughts/comments on that?*

Unrelated to this, I think that an un-addressed port should work in subnet context when it comes to L2 population and traffic forwarding, so that an un-addressed port only gets traffic for addresses that are not found, but are on the same subnet as the un-addressed port. (I understand this is a bigger challenge and is not working with the way Neutron networks work today, but we can iterate on this as well since it's unrelated to the security subject.)

Thanks
Gal.

[1] https://github.com/openstack/neutron-specs/blob/master/specs/liberty/unaddressed-port.rst
[2] https://review.openstack.org/#/c/218470/
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
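The flow-entry check proposed in the message above, as an added example that is not part of the original mail and not Neutron's own code. It models two policies in an OpenFlow-style table: an addressed port keeps the usual allow-list (it may only send ARP for its own fixed IPs), while an un-addressed port gets the inverse, a deny-list of every IP already configured on the network, optionally scoped to its subnet. The table number 24, the `ovs-ofctl`-like rendering, the table-miss behaviour and the sample network (ofports 5, 6 and 7) are assumptions made for illustration.

```python
"""Added example (not Neutron code): model of the ARP spoofing check proposed above.

An addressed port gets an allow-list: ARP only for its own IPs.
An un-addressed port gets a deny-list: ARP for anything except IPs already
configured on the network, optionally limited to its subnet.
Table 24 and the ovs-ofctl-like strings are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ARP_SPOOF_TABLE = 24  # assumption: dedicated OpenFlow table for the ARP checks


@dataclass(frozen=True)
class Flow:
    priority: int
    in_port: int
    arp_spa: Optional[str]  # exact IP, a CIDR, or None for "any sender IP"
    action: str             # "normal" (forward) or "drop"

    def matches(self, in_port: int, arp_spa: str) -> bool:
        if self.in_port != in_port:
            return False
        if self.arp_spa is None:
            return True
        return ipaddress.ip_address(arp_spa) in ipaddress.ip_network(self.arp_spa, strict=False)

    def ovs_ofctl(self) -> str:
        # rendered the way one would hand it to "ovs-ofctl add-flow br-int"
        match = f"table={ARP_SPOOF_TABLE},priority={self.priority},in_port={self.in_port},arp"
        if self.arp_spa is not None:
            match += f",arp_spa={self.arp_spa}"
        return f"{match} actions={'NORMAL' if self.action == 'normal' else 'drop'}"


def addressed_port_flows(ofport: int, allowed_ips: List[str]) -> List[Flow]:
    """Classic anti-spoofing: a port may only claim its own IPs."""
    flows = [Flow(2, ofport, ip, "normal") for ip in allowed_ips]
    flows.append(Flow(1, ofport, None, "drop"))
    return flows


def unaddressed_port_flows(ofport: int, configured_ips: List[str],
                           subnet: Optional[str] = None) -> List[Flow]:
    """Inverse rule for an un-addressed port: block ARP for every IP that is
    already configured on the network; let everything else (optionally only
    the port's own subnet) through."""
    flows = [Flow(2, ofport, ip, "drop") for ip in configured_ips]
    flows.append(Flow(1, ofport, subnet, "normal"))
    if subnet is not None:
        flows.append(Flow(0, ofport, None, "drop"))  # outside the subnet: drop
    return flows


def network_arp_flows(ports: Dict[int, List[str]], subnet: Optional[str] = None) -> List[Flow]:
    """Rebuild table 24 for a whole network. ports maps ofport -> fixed IPs;
    an empty list marks an un-addressed port. Recompute on every port add or
    remove so the deny-list of the un-addressed ports stays current."""
    configured = sorted({ip for ips in ports.values() for ip in ips})
    flows: List[Flow] = []
    for ofport, ips in ports.items():
        if ips:
            flows += addressed_port_flows(ofport, ips)
        else:
            flows += unaddressed_port_flows(ofport, configured, subnet)
    return flows


def lookup(flows: List[Flow], in_port: int, arp_spa: str) -> str:
    """Highest-priority matching flow wins, like an OpenFlow table.
    Assumption: a port with no flows at all hits a table miss and is dropped."""
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        if flow.matches(in_port, arp_spa):
            return flow.action
    return "drop"


# Constructed sample network: two addressed ports, one un-addressed port (ofport 7).
PORTS = {5: ["10.0.0.2"], 6: ["10.0.0.3"], 7: []}


def demo() -> Dict[str, str]:
    flows = network_arp_flows(PORTS, subnet="10.0.0.0/24")
    return {
        "addr_own":       lookup(flows, 5, "10.0.0.2"),    # normal: its own IP
        "addr_spoof":     lookup(flows, 5, "10.0.0.3"),    # drop: someone else's IP
        "unaddr_spoof":   lookup(flows, 7, "10.0.0.2"),    # drop: already on the network
        "unaddr_unknown": lookup(flows, 7, "10.0.0.50"),   # normal: no port owns it
        "unaddr_offnet":  lookup(flows, 7, "192.168.1.9"), # drop: outside its subnet
    }


if __name__ == "__main__":
    for f in network_arp_flows(PORTS, subnet="10.0.0.0/24"):
        print(f.ovs_ofctl())
    print(demo())
```

The practical caveat is in `network_arp_flows`: the deny-list of an un-addressed port is only as good as the last time it was regenerated, so whatever installs these flows has to re-run on every port create, update and delete in the network (and, for a shared network, across all tenants), otherwise a newly allocated IP is spoofable until the next sync.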