Re: [openstack-dev] [Neutron] Need some clarity on security group protocol numbers vs names

2013-09-11 Thread Arvind Somya (asomya)
>>>>known protocols are allowed, we cannot allow protocols which
>>>>are not listed in the known protocol list.
>>>>For instance, if "tcp", "udp" and "icmp" are registered as known
>>>>protocols (this is the current neutron implementation),
>>>>a tenant cannot allow "sctp" or "gre".
>>>>
>>>>Pros of "known protocols only" are that the infrastructure provider can
>>>>control which protocols are allowed.
>>>>Cons are that users cannot use IP protocols not listed in a known list
>>>>and a provider needs to maintain a known protocol list.
>>>>Pros and cons of "all protocols allowed" are vice versa.
>>>>
>>>>If a list of known protocols is configurable, we can cover both cases,
>>>>e.g., an empty list or a list ["ANY"] means all protocols are allowed.
>>>>The question in this case is what is the best default value.
>>>>
>>>>My preference is to allow all protocols. At least a list of known
>>>>protocols needs to be configurable.
>>>>In principle, a virtual network should be able to convey any type
>>>>of IP protocol. This is the reason for my
>>>>preference.
>>>>
>>>>-
>>>>Regarding (a), if a name and a number refer to the same protocol, they
>>>>should be considered identical.
>>>>For example, IP protocol number 6 is "tcp", so IP protocol number 6
>>>>and protocol name "tcp" should be regarded as the same.
>>>>My preference is to allow both the name and the number of an IP protocol. This
>>>>will be achieved by Arvind's patch under review.
>>>>The "name" representation is easy to understand in general, but
>>>>maintaining all protocol names is tough work.
>>>>This is the reason for my preference.
>>>>
>>>>
>>>>I understand there is a topic of whether a list of known protocols should
>>>>contain names only or accept both names and numbers.
>>>>I don't discuss it here because it is a simple question once we have a
>>>>consensus on the above two topics.
>>>>
>>>>Thanks,
>>>>Akihiro
>>>>
>>>>On Wed, Sep 11, 2013 at 11:15 PM, Arvind Somya (asomya) wrote:
>>>>> Hello all
>>>>>
>>>>> I have a patch in review where Akihiro made some comments about only
>>>>> restricting protocols by names and allowing all protocol numbers when
>>>>> creating security group rules. I personally disagree with this approach
>>>>> as names and numbers are just a textual/integer representation of a
>>>>> common protocol. The end result is going to be the same in both cases.
>>>>>
>>>>> https://review.openstack.org/#/c/43725/
>>>>>
>>>>> Akihiro suggested a community discussion around this issue before the
>>>>> patch is accepted upstream. I hope this e-mail gets the ball rolling on
>>>>> that. I would like to hear the community's opinion on this issue and any
>>>>> pros/cons/pitfalls of either approach.
>>>>>
>>>>> Thanks
>>>>> Arvind
>>>>>
>>>>> ___
>>>>> OpenStack-dev mailing list
>>>>> OpenStack-dev@lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>
>>>>--
>>>>Akihiro MOTOKI 
>>>>
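The two design points in Akihiro's message above, treating a protocol name and its IP protocol number as the same protocol and making the known-protocol list configurable (with an empty list or ["ANY"] meaning all protocols), as an added Python example that is not Neutron's code nor the patch under review. The protocol table, the `InvalidProtocol` exception and both function names are assumptions made here.

```python
# Added example, not Neutron's own code: normalise a security group rule's
# protocol (name or IANA number) and check it against a configurable
# known-protocol list, as discussed in the thread above.
from typing import Optional

# Constructed subset of the IANA protocol number registry; the real table
# is far larger, which is the maintenance burden the thread mentions.
PROTOCOL_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "sctp": 132}


class InvalidProtocol(ValueError):
    """Raised when a protocol value cannot be accepted for a rule."""


def canonical_protocol(value) -> int:
    """Map "tcp", "TCP", 6 or "6" to the IP protocol number 6.
    Comparing canonical numbers is what makes a rule written as "tcp"
    and one written as 6 the same rule instead of two different ones.
    """
    if isinstance(value, bool):  # bool is an int subclass; reject it
        raise InvalidProtocol(f"unsupported protocol value: {value!r}")
    if isinstance(value, int):
        number = value
    else:
        text = str(value).strip().lower()
        if text.isdigit():
            number = int(text)
        elif text in PROTOCOL_NAMES:
            number = PROTOCOL_NAMES[text]
        else:
            raise InvalidProtocol(f"unknown protocol name: {value!r}")
    if not 0 <= number <= 255:
        raise InvalidProtocol(f"protocol number out of range: {number}")
    return number


def validate_protocol(value, known_protocols: Optional[list] = None) -> int:
    """Return the canonical number if the protocol is permitted.
    None, an empty list or a list containing "ANY" allows every IP
    protocol number; otherwise the entries (names or numbers) are the
    only protocols a tenant may use in a rule.
    """
    number = canonical_protocol(value)
    if not known_protocols or any(str(p).upper() == "ANY" for p in known_protocols):
        return number
    allowed = {canonical_protocol(p) for p in known_protocols}
    if number not in allowed:
        raise InvalidProtocol(f"protocol {value!r} is not in the known protocol list")
    return number
```

With the default (no list) every protocol number is accepted, matching Akihiro's stated preference; a deployment that wants the "known protocols only" behaviour passes its list, in either names or numbers.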


[openstack-dev] [Neutron] Need some clarity on security group protocol numbers vs names

2013-09-11 Thread Arvind Somya (asomya)
Hello all

I have a patch in review where Akihiro made some comments about only
restricting protocols by names and allowing all protocol numbers when creating
security group rules. I personally disagree with this approach as names and
numbers are just a textual/integer representation of a common protocol. The end
result is going to be the same in both cases.

https://review.openstack.org/#/c/43725/

Akihiro suggested a community discussion around this issue before the patch is 
accepted upstream. I hope this e-mail gets the ball rolling on that. I would 
like to hear the community's opinion on this issue and any pros/cons/pitfalls 
of either approach.

Thanks
Arvind