From patchwork Fri Jan 29 15:58:21 2016
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 575679
From: Numan Siddique
Organization: Red Hat
To: dev@openvswitch.org
Subject: [ovs-dev] [PATCHv1 2/4] ovn: Add port_security proposal
In-Reply-To: <56AB8B92.9010004@redhat.com>
Message-ID: <56AB8C1D.4030101@redhat.com>
Date: Fri, 29 Jan 2016 21:28:21 +0530
Sender: "dev" <dev-bounces@openvswitch.org>
From: Ben Pfaff
Signed-off-by: Numan Siddique --- ovn/ovn-nb.xml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 126 insertions(+), 15 deletions(-) diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index b4768d0..036fbbf 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -333,23 +333,134 @@ -

- A set of L2 (Ethernet) addresses from which the logical port is - allowed to send packets and to which it is allowed to receive - packets. If this column is empty, all addresses are permitted. - Logical ports are always allowed to receive packets addressed to - multicast and broadcast addresses. -

+

+ This column controls the addresses from which the host attached to the + logical port (``the host'') is allowed to send packets and to which it + is allowed to receive packets. If this column is empty, all addresses + are permitted. +

-

- Each member of the set is an Ethernet address in the form - xx:xx:xx:xx:xx:xx. -

+

+ Each element in the set must contain one Ethernet address optionally + masked followed by zero or more IPv4 or IPv6 addresses (or both). + It would restrict the host to sending packets from and receiving + packets to the ethernet addresses defined in the logical port's + column. It also restricts the inner + source MAC addresses that the host may send in ARP and IPv6 + Neighbor Discovery packets. The host is always allowed to receive packets + to multicast and broadcast Ethernet addresses. +

-

- This specification will be extended to support L3 port security. -

-
+

+ Each element in the set may additionally contain one or more IPv4 or + IPv6 addresses (or both), with optional masks. If a mask is given, it + must be a CIDR mask. In addition to the restrictions described for + Ethernet addresses above, such an element restricts the IPv4 or IPv6 + addresses from the host may send and to which it may receive to packets + to the specified addresses. A masked address, if the host part is + zero, indicates that the host is allowed to use any addresses in the + subnet; if the host part is nonzero, the mask simply indicates the size + of the subnet. In addition: +

+ +
    +
  • +

    + If any IPv4 address is given, the host is also allowed to receive + packets to the IPv4 local broadcast address 255.255.255.255 and to + IPv4 multicast addresses (224.0.0.0/4). If an IPv4 address with a + mask is given, the host is also allowed to receive packets to the + broadcast address in that specified subnet. +

    + +

    + If any IPv4 address is given, the host is additionally restricted + to sending ARP packets with the specified source IPv4 address. + (RARP is not restricted.) +

    +
  • + +
  • +

    + If any IPv6 address is given, the host is also allowed to receive + packets to IPv6 multicast addresses (ff00::/8). +

    + +

    + If any IPv6 address is given, the host is additionally restricted + to sending IPv6 Neighbor Discovery Solicitation or Advertisement + packets with the specified source address or, for solicitations, + the unspecified address. +

    +
  • +
+ +

+ If an element includes an IPv4 address, but no IPv6 addresses, then + IPv6 traffic is not allowed. If an element includes an IPv6 address, + but no IPv4 address, then IPv4 and ARP traffic is not allowed. +

+ +

+ This column uses the same lexical syntax as the column in the OVN Southbound + database's table. Multiple + addresses within an element may be space or comma separated. +

+ +

+ This column is provided as a convenience to cloud management systems, + but all of the features that it implements can be implemented as ACLs + using the table. +

+ +

+ Examples: +

+ +
+
80:fa:5b:06:72:b7
+
+ The host may send traffic from and receive traffic to the specified + MAC address, and to receive traffic to Ethernet multicast and + broadcast addresses, but not otherwise. The host may not send ARP or + IPv6 Neighbor Discovery packets with inner source Ethernet addresses + other than the one specified. +
+ +
00:23:20:00:00:00/ff:ff:ff:00:00:00
+
+ Similar to the first example, except that any Ethernet address in the + Nicira OUI is allowed. +
+ +
80:fa:5b:06:72:b7 192.168.1.10/24
+
+ This adds further restrictions to the first example. The host may + send IPv4 packets from or receive IPv4 packets to only 192.168.1.10, + except that it may also receive IPv4 packets to 192.168.1.255 (based + on the subnet mask), 255.255.255.255, and any address n 224.0.0.0/4. + The host may not send ARPs with a source Ethernet address other than + 80:fa:5b:06:72:b7 or source IPv4 address other than 192.168.1.10. + The host may not send or receive any IPv6 (including IPv6 Neighbor + Discovery) traffic. +
+ +
"80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
+
+ In this case, the host may send traffic from and receive traffic to the + specified MAC addresses - "80:fa:5b:12:42:ba" and "80:fa:5b:06:72:b7", and + to receive traffic to Ethernet multicast and broadcast addresses, + but not otherwise. With mac "80:fa:5b:12:42:ba", host may + send traffic from and receive traffic to any l3 address. + With mac "80:fa:5b:06:72:b7" the host may send IPv4 packets from or + receive IPv4 packets to only 192.168.1.10, except that it may also + receive IPv4 packets to 192.168.1.255 (based on the subnet mask), + 255.255.255.255, and any address n 224.0.0.0/4 and the host may not + send or receive any IPv6 (including IPv6 Neighbor Discovery) traffic. +
+
+
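Review bot: the sentence in the IPv4/IPv6 paragraph, "such an element restricts the IPv4 or IPv6 addresses from the host may send and to which it may receive to packets to the specified addresses", has dropped "which" and picked up a stray "to"; it should read "restricts the IPv4 or IPv6 addresses from which the host may send and to which it may receive packets to the specified addresses". In the same hunk, "any address n 224.0.0.0/4" in the third and fourth examples should be "any address in 224.0.0.0/4", and "It would restrict the host to sending packets from" in the Ethernet paragraph should be the plain present "It restricts", matching the rest of the column description. The Ethernet paragraph already states that each element "must contain one Ethernet address optionally masked followed by zero or more IPv4 or IPv6 addresses", so the following paragraph's "Each element in the set may additionally contain one or more IPv4 or IPv6 addresses" restates it; keep the second, which carries the mask rules, and trim the first to the Ethernet address alone. The ARP and Neighbor Discovery bullets say "the specified source IPv4 address" and "the specified source address" although an element may list several addresses; "one of the specified addresses" would define the behaviour with more than one. Since the Neighbor Discovery rule restricts the source to the listed addresses (or the unspecified address for solicitations), the text should also say explicitly that a host's IPv6 link-local address must itself be listed in the element for the host to send Neighbor Discovery from it, as the last paragraph before the examples already makes clear that an element with only an IPv4 address blocks all IPv6 traffic including Neighbor Discovery.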