From patchwork Thu Jan 28 08:10:43 2016
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 574572
From: Numan Siddique
To: dev@openvswitch.org
Organization: Red Hat
In-Reply-To: <56A9CC99.4010705@redhat.com>
Message-ID: <56A9CD03.8040403@redhat.com>
Date: Thu, 28 Jan 2016 13:40:43 +0530
Subject: [ovs-dev] [PATCH 1/3] ovn: Add port_security proposal
From: Ben Pfaff
Signed-off-by: Numan Siddique --- ovn/ovn-nb.xml | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 118 insertions(+), 15 deletions(-) diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 4e414ce..e79a42d 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -305,23 +305,126 @@ -

- A set of L2 (Ethernet) addresses from which the logical port is - allowed to send packets and to which it is allowed to receive - packets. If this column is empty, all addresses are permitted. - Logical ports are always allowed to receive packets addressed to - multicast and broadcast addresses. -

+

+ This column controls the addresses from which the host attached to the + logical port (``the host'') is allowed to send packets and to which it + is allowed to receive packets. If this column is empty, all addresses + are permitted. +

-

- Each member of the set is an Ethernet address in the form - xx:xx:xx:xx:xx:xx. -

+

+ Each element in the set must contain one or more Ethernet addresses, + optionally masked. An element that contains only Ethernet addresses + restricts the host to sending packets from and receiving packets to + those addresses. It also restricts the inner source MAC addresses that + the host may send in ARP and IPv6 Neighbor Discovery packets. It does + not restrict the logical port to any particular L3 addresses. The host + is always allowed to receive packets to multicast and broadcast + Ethernet addresses. +

-

- This specification will be extended to support L3 port security. -

-
+

+ Each element in the set may additionally contain one or more IPv4 or + IPv6 addresses (or both), with optional masks. If a mask is given, it + must be a CIDR mask. In addition to the restrictions described for + Ethernet addresses above, such an element restricts the IPv4 or IPv6 + addresses from the host may send and to which it may receive to packets + to the specified addresses. A masked address, if the host part is + zero, indicates that the host is allowed to use any addresses in the + subnet; if the host part is nonzero, the mask simply indicates the size + of the subnet. In addition: +

+ +
    +
  • +

    + If any IPv4 address is given, the host is also allowed to receive + packets to the IPv4 local broadcast address 255.255.255.255 and to + IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a + mask is given, the host is also allowed to receive packets to the + broadcast address in that specified subnet. +

    + +

    + If any IPv4 address is given, the host is additionally restricted + to sending ARP packets with the specified source IPv4 address. + (RARP is not restricted.) +

    +
  • + +
  • +

    + If any IPv6 address is given, the host is also allowed to receive + packets to IPv6 multicast addresses (ff00::/8). +

    + +

    + If any IPv6 address is given, the host is additionally restricted + to sending IPv6 Neighbor Discovery Solicitation or Advertisement + packets with the specified source address or, for solicitations, + the unspecified address. +

    +
  • +
+ +

+ If an element includes an IPv4 address, but no IPv6 addresses, then + IPv6 traffic is not allowed. If an element includes an IPv6 address, + but no IPv4 address, then IPv4 and ARP traffic is not allowed. +

+ +

+ Multiple elements act as a disjunction. That is, when multiple + elements exist, any packet that would be permitted by any individual + element, as described above, is permitted by the overall policy. +

+ +

+ This column uses the same lexical syntax as the column in the OVN Southbound + database's table. Multiple + addresses within an element may be space or comma separated. +

+ +

+ This column is provided as a convenience to cloud management systems, + but all of the features that it implements can be implemented as ACLs + using the table. +

+ +

+ Examples: +

+ +
+
80:fa:5b:06:72:b7
+
+ The host may send traffic from and receive traffic to the specified + MAC address, and to receive traffic to Ethernet multicast and + broadcast addresses, but not otherwise. The host may not send ARP or + IPv6 Neighbor Discovery packets with inner source Ethernet addresses + other than the one specified. +
+ +
00:23:20:00:00:00/ff:ff:ff:00:00:00
+
+ Similar to the first example, except that any Ethernet address in the + Nicira OUI is allowed. +
+ +
80:fa:5b:06:72:b7 192.168.1.10/24
+
+ This adds further restrictions to the first example. The host may + send IPv4 packets from or receive IPv4 packets to only 192.168.1.10, + except that it may also receive IPv4 packets to 192.168.1.255 (based + on the subnet mask), 255.255.255.255, and any address n 224.0.0.0/4. + The host may not send ARPs with a source Ethernet address other than + 80:fa:5b:06:72:b7 or source IPv4 address other than 192.168.1.10. + The host may not send or receive any IPv6 (including IPv6 Neighbor + Discovery) traffic. +
+
+
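Review bot: the ARP and IPv6 Neighbor Discovery bullets in this hunk ("the host is additionally restricted to sending ARP packets with the specified source IPv4 address" and the matching ND sentence) do not say what happens when the element carries a masked address with a zero host part, which the paragraph above defines as permitting any address in the subnet; please state whether ARP/ND source addresses are then accepted for the whole subnet or only for the listed address, since that is the difference between blocking and permitting a host from answering ARP/ND for a neighbor's address in its own subnet. Two wording fixes in the same hunk: "restricts the IPv4 or IPv6 addresses from the host may send" should read "from which the host may send", and "any address n 224.0.0.0/4" in the third example should read "any address in 224.0.0.0/4".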