Hello All,

The un-addressed port spec [1] was approved for Liberty.
I think this spec has good potential to provide very interesting solutions for NFV use cases,
but also for multi-site connectivity, and I would really want to see it move forward with the community.

There are some issues we need to discuss regarding L2 population (both for the reference
implementation and for any "SDN" solution), but we can iterate on them.

This email relates to a recent revert [2] that was done to prevent a spoofing possibility
introduced by recent work that was merged.

If I understand the problem correctly, an un-addressed port can now perform ARP spoofing
on an address of a port that already exists in the same network and listen to its traffic
(a problem which becomes bigger with networks shared among tenants).

One possible solution we could do to prevent this is to keep flow entries that block the port
from pretending to have an IP that is already part of the network (or subnet).
So there will be ARP spoofing checks that verify the port is not answering for an IP that is
already configured.
*Any thoughts/comments on that?*
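To make the proposal concrete, here is an added sketch (not Neutron's code, and not part of the original mail) of the flow entries such a check would install for one un-addressed port: the OpenFlow table number, the port number and the list of already-allocated IPs are constructed assumptions, and the pass-through action stands in for whatever the agent's pipeline does next.

```python
"""ARP anti-spoofing entries for an un-addressed port, as proposed above.

Added example, not Neutron's own agent code. Assumes an OVS integration
bridge where the un-addressed port is OpenFlow port `ofport`, and a
constructed list of IPs that existing ports on the network already own.
"""
import ipaddress

ARP_SPOOF_TABLE = 24  # assumed table number for the ARP checks


def arp_guard_flows(ofport, allocated_ips, table=ARP_SPOOF_TABLE):
    """Return flow entries (ovs-ofctl add-flow syntax) for the port.

    ARP packets whose sender address (arp_spa) is already allocated on the
    network are dropped at a higher priority, which covers replies,
    requests and gratuitous ARP alike. Any other ARP from the port passes,
    since an un-addressed port has no fixed IP to build an allow-list from.
    'NORMAL' is a stand-in for the agent's real next-table action.
    """
    flows = []
    for ip in sorted(allocated_ips, key=ipaddress.ip_address):
        flows.append(
            f"table={table},priority=2,in_port={ofport},arp,"
            f"arp_spa={ip},actions=drop")
    flows.append(f"table={table},priority=1,in_port={ofport},arp,actions=NORMAL")
    return flows


def arp_permitted(arp_spa, allocated_ips):
    """Evaluate the same policy in Python: True if an ARP packet from the
    un-addressed port claiming sender address `arp_spa` would be forwarded.
    """
    taken = {ipaddress.ip_address(a) for a in allocated_ips}
    return ipaddress.ip_address(arp_spa) not in taken


# Constructed sample: three ports already hold addresses on the network.
ALLOCATED = ["10.0.0.5", "10.0.0.1", "10.0.0.2"]

if __name__ == "__main__":
    for flow in arp_guard_flows(7, ALLOCATED):
        print(flow)
    print(arp_permitted("10.0.0.2", ALLOCATED))  # False: already configured
    print(arp_permitted("10.0.0.9", ALLOCATED))  # True: unused on the network
```

The drop entries must be regenerated whenever a port with a fixed IP is added to or removed from the network, otherwise a newly allocated address is unprotected until the next refresh.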

Unrelated to this, I think that an un-addressed port should work in subnet context when it comes
to L2 population and traffic forwarding, so that the un-addressed port only gets traffic for
addresses that are not found, but are on the same subnet as the un-addressed port.
(I understand this is a bigger challenge and does not work with the way Neutron networks
work today, but we can iterate on this as well since it's unrelated to the security subject.)

Thanks
Gal.

[1] https://github.com/openstack/neutron-specs/blob/master/specs/liberty/unaddressed-port.rst
[2] https://review.openstack.org/#/c/218470/
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)