Re: [openstack-dev] [neutron][lbaas] Shared Objects in LBaaS - Use Cases that led us to adopt this.

2014-11-22 Thread Samuel Bercovici
Hi Stephen, 1. The issue is that if we do 1:1 and allow status/state to proliferate throughout all objects we will then get an issue to fix it later, hence even if we do not do sharing, I would still like to have all objects besides LB be treated as logical. 2. The 3rd use case be

Re: [openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

2014-11-22 Thread Jeremy Stanley
On 2014-11-22 16:33:52 -0500 (-0500), Donald Stufft wrote: > I refreshed my memory and I was wrong about the specific attack. > However the point still stands that both the RFC and respected > folks such as Thomas Pornin state that you should look at the > version negotiation as a way to selectively

Re: [openstack-dev] [neutron] L3 agent restructuring notes

2014-11-22 Thread Carl Baldwin
Paul, I worked much of this into my blueprint [1]. Carl [1] https://review.openstack.org/#/c/131535/4/specs/kilo/restructure-l3-agent.rst On Fri, Nov 21, 2014 at 11:48 AM, Paul Michali (pcm) wrote: > Hi, > > I talked to Carl today to discuss the L3 agent restructuring and the change > set I h

Re: [openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

2014-11-22 Thread Jeremy Stanley
On 2014-11-22 19:45:09 +1300 (+1300), Robert Collins wrote: > Given the persistent risks of downgrade attacks, I think this does > actually qualify as a security issue: not that it's breaking, but > that SSLv3 is advertised and accepted anywhere. Which downgrade attacks? Outside of Web browser auth

Re: [openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

2014-11-22 Thread Donald Stufft
I refreshed my memory and I was wrong about the specific attack. However the point still stands that both the RFC and respected folks such as Thomas Pornin state that you should look at the version negotiation as a way to selectively enable new features not as a way to ensure that a connection us

Re: [openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

2014-11-22 Thread Donald Stufft
I'm on my phone but RFC 2246 says that there are many ways in which an attacker can attempt to make an attacker drop down to the least secure option they both support. It's like the second or third paragraph of that section. > On Nov 22, 2014, at 4:00 PM, Jeremy Stanley wrote: > >> On 2014-1

Re: [openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

2014-11-22 Thread Jeremy Stanley
On 2014-11-22 13:37:55 -0500 (-0500), Donald Stufft wrote: > Yes this. SSLv3 isn’t a “Well as long as you have newer things > enabled it’s fine” it’s a “If you have this enabled at all it’s a > problem”. As far as I am aware without TLS_FALLBACK_SCSV a MITM > who is willing to do active attacks can

Re: [openstack-dev] Alembic 0.7.0 - hitting Pypi potentially Sunday night

2014-11-22 Thread Mike Bayer
> On Nov 21, 2014, at 8:07 PM, Mike Bayer wrote: > > >> On Nov 21, 2014, at 7:35 PM, Kevin Benton > > wrote: >> >> This is great! I'm not sure if you have been following some of the >> discussion about the separation of vendor drivers in Neutron, but one of the >> t

Re: [openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

2014-11-22 Thread Donald Stufft
> On Nov 22, 2014, at 1:45 AM, Robert Collins wrote: > > On 22 November 2014 08:11, Jeremy Stanley wrote: >> On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote: >>> Death to SSLv3 IMO. >> >> Sure, we should avoid releasing new versions of things which assume >> SSLv3 support is present

Re: [openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED

2014-11-22 Thread Mike Grima
For whatever reason, this wasn’t linked appropriately to the older post in the list. That post is here: http://lists.openstack.org/pipermail/openstack-dev/2014-August/042981.html

Re: [openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED

2014-11-22 Thread Michael Grima
Sumit, My thesis is now complete! The entire research, including source code and screen recordings, are included in my deliverable here: https://docs.google.com/uc?id=0B7WyzOL96X9QaF9QMHFBSFhpbFE&export=download I am now in the process of drafting up a whitepaper based on my thesis research. P

Re: [openstack-dev] [QA][Tempest] Proposing Ghanshyam Mann for Tempest Core

2014-11-22 Thread Andrea Frittoli
+1 On 21 Nov 2014 18:25, "Ken1 Ohmichi" wrote: > +1 :-) > > Sent from my iPod > > On 2014/11/22, at 7:56, Christopher Yeoh wrote: > > > +1 > > > > Sent from my iPad > > > >> On 22 Nov 2014, at 4:56 am, Matthew Treinish > wrote: > >> > >> > >> Hi Everyone, > >> > >> I'd like to propose we add Gh

Re: [openstack-dev] Status of Neutron IPv6 dual stack

2014-11-22 Thread Xuhan Peng
Harm, We were not able to enable dual stack with l3 routers in Juno release. You may need to wait for Kilo to see if that can be pushed in. Xu Han  — Xu Han Peng (xuhanp) On Sat, Nov 22, 2014 at 3:03 AM, Harm Weites wrote: > Hi, > We're running Juno since a few weeks now, is it now possib