What is Port Security?

By default Neutron enforces the following port security, i.e. security applied on a per-port basis.

Security Groups - All incoming and outgoing traffic is blocked for ports connected to virtual machine instances (unless a ‘Security Group’ has been applied).[1]

Anti-Spoofing - As part of Neutron's security group implementation, anti-spoofing rules are included, preventing a VM from sending or receiving traffic with a MAC or IP address which does not belong to its Neutron port.[2] However, this presents issues for NFV-based instances where packets are passed through the VM, meaning the packets are not addressed to or from it.

Allowed Address Pairs

In order to allow additional (MAC/IP) address pairs through a port the allowed-address-pairs extension can be used (Figure 1).

Figure 1 - Additional allowed address pairs upon a Neutron Port.[3]

Example

Let’s look at how we can add additional address pairs to a port.

First, if we look at the port we can see that no 'allowed_address_pairs' are assigned. This means that only the MAC and IP assigned against the port are permitted.

root@infra1:~# openstack port show db02263e-b433-411b-bd83-d396e5f3f607
+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                          |
| allowed_address_pairs |                                                                             |
| binding_host_id       |                                                                             |
| binding_profile       |                                                                             |
| binding_vif_details   |                                                                             |
| binding_vif_type      | unbound                                                                     |
| binding_vnic_type     | normal                                                                      |
| created_at            | 2017-09-04T13:31:45Z                                                        |
| description           |                                                                             |
| device_id             |                                                                             |
| device_owner          |                                                                             |
| dns_assignment        | None                                                                        |
| dns_name              | None                                                                        |
| extra_dhcp_opts       |                                                                             |
| fixed_ips             | ip_address='172.31.88.10', subnet_id='7c26e59b-0ed4-4407-be42-079133cd66b3' |
| id                    | db02263e-b433-411b-bd83-d396e5f3f607                                        |
| ip_address            | None                                                                        |
| mac_address           | fa:16:3e:fd:00:7a                                                           |
| name                  | vnf-port                                                                    |
| network_id            | 33ad9c28-5884-41e1-97c0-05886740b5c1                                        |
| option_name           | None                                                                        |
| option_value          | None                                                                        |
| port_security_enabled | True                                                                        |
| project_id            | f1eb80264e9c4c688c7603bbb5541396                                            |
| qos_policy_id         | None                                                                        |
| revision_number       | 5                                                                           |
| security_groups       | 5cb2594e-8fcf-4603-99b8-d5005982b150                                        |
| status                | ACTIVE                                                                      |
| subnet_id             | None                                                                        |
| updated_at            | 2017-09-04T13:31:45Z                                                        |
+-----------------------+-----------------------------------------------------------------------------+

Next, we permit another address pair through the port.

openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --allowed-address ip-address=172.31.88.11,mac-address=00:00:00:11:12:22

Finally we confirm the changes have been made to the port. Here we can see the new value against allowed_address_pairs.

root@infra1:~# openstack port show db02263e-b433-411b-bd83-d396e5f3f607
+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                          |
| allowed_address_pairs | ip_address='172.31.88.11', mac_address='00:00:00:11:12:22'                  |
| binding_host_id       |                                                                             |
| binding_profile       |                                                                             |
| binding_vif_details   |                                                                             |
| binding_vif_type      | unbound                                                                     |
| binding_vnic_type     | normal                                                                      |
| created_at            | 2017-09-04T13:31:45Z                                                        |
| description           |                                                                             |
| device_id             |                                                                             |
| device_owner          |                                                                             |
| dns_assignment        | None                                                                        |
| dns_name              | None                                                                        |
| extra_dhcp_opts       |                                                                             |
| fixed_ips             | ip_address='172.31.88.10', subnet_id='7c26e59b-0ed4-4407-be42-079133cd66b3' |
| id                    | db02263e-b433-411b-bd83-d396e5f3f607                                        |
| ip_address            | None                                                                        |
| mac_address           | fa:16:3e:fd:00:7a                                                           |
| name                  | vnf-port                                                                    |
| network_id            | 33ad9c28-5884-41e1-97c0-05886740b5c1                                        |
| option_name           | None                                                                        |
| option_value          | None                                                                        |
| port_security_enabled | True                                                                        |
| project_id            | f1eb80264e9c4c688c7603bbb5541396                                            |
| qos_policy_id         | None                                                                        |
| revision_number       | 6                                                                           |
| security_groups       | 5cb2594e-8fcf-4603-99b8-d5005982b150                                        |
| status                | ACTIVE                                                                      |
| subnet_id             | None                                                                        |
| updated_at            | 2017-09-04T13:33:51Z                                                        |
+-----------------------+-----------------------------------------------------------------------------+
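To make the anti-spoofing rule concrete, here is a small model of the decision Neutron makes for a port, written for this page as an added example (it is not Neutron's own code). It builds the set of (MAC, IP) sources a port may use from the same fields shown in the output above (mac_address, fixed_ips, allowed_address_pairs); the two port records are constructed to match the vnf-port before and after the --allowed-address change.

```python
"""Model of Neutron's per-port anti-spoofing decision.

Added example for this page, not Neutron's own code: it reproduces, in
plain Python, the rule the text describes (a port may only send traffic
from its own MAC and fixed IPs, plus any allowed address pairs), using
port records constructed to match the `openstack port show` output above.
"""
import ipaddress

# Constructed from the first `openstack port show` output on this page:
# no allowed address pairs yet.
PORT_BEFORE = {
    "mac_address": "fa:16:3e:fd:00:7a",
    "fixed_ips": [{"ip_address": "172.31.88.10"}],
    "allowed_address_pairs": [],
    "port_security_enabled": True,
}

# Constructed to match the second output, after `openstack port set --allowed-address`.
PORT_AFTER = {
    **PORT_BEFORE,
    "allowed_address_pairs": [
        {"ip_address": "172.31.88.11", "mac_address": "00:00:00:11:12:22"},
    ],
}


def permitted_sources(port):
    """Return the (mac, network) pairs this port may use as a source.

    Every fixed IP is bound to the port's own MAC.  An allowed address pair
    may omit mac_address, in which case Neutron uses the port's MAC, and its
    ip_address may be a single host or a CIDR, so both are normalised to an
    ip_network here.
    """
    own_mac = port["mac_address"].lower()
    sources = [
        (own_mac, ipaddress.ip_network(fixed["ip_address"]))
        for fixed in port["fixed_ips"]
    ]
    for pair in port["allowed_address_pairs"]:
        mac = pair.get("mac_address", own_mac).lower()
        sources.append((mac, ipaddress.ip_network(pair["ip_address"], strict=False)))
    return sources


def source_allowed(port, src_mac, src_ip):
    """True if a frame with this source MAC/IP passes the port's anti-spoofing rules.

    With port security disabled the filter does not apply at all, which is
    why the page treats disabling it as a last resort.
    """
    if not port["port_security_enabled"]:
        return True
    ip = ipaddress.ip_address(src_ip)
    mac = src_mac.lower()
    return any(mac == pair_mac and ip in net for pair_mac, net in permitted_sources(port))


if __name__ == "__main__":
    for label, port in (("before", PORT_BEFORE), ("after", PORT_AFTER)):
        print(label, "own address:", source_allowed(port, "fa:16:3e:fd:00:7a", "172.31.88.10"))
        print(label, "extra pair :", source_allowed(port, "00:00:00:11:12:22", "172.31.88.11"))
```

Note that the added pair is matched as a pair: after the change, 00:00:00:11:12:22 with 172.31.88.11 is accepted, but the port's own MAC with 172.31.88.11, or the new MAC with 172.31.88.10, still is not.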

Disable Port Security

In certain circumstances, such as deploying NFV VMs and/or when additional functionality is required that cannot be addressed by the allowed-address-pairs extension, you may need to disable port security (i.e. packet filtering) upon a port.

When doing so it is important to remember that port security cannot be disabled while a security group or allowed address pairs are still assigned to the port.

Example

As previously mentioned, we must first ensure that no allowed address pairs are configured, and likewise no security groups.

root@infra1:~# openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --no-allowed-address
root@infra1:~# openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --no-security-group

Now, port security can be disabled against the port, like so:

root@infra1:~# openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --disable-port-security

We then finally check the port to confirm the change has been made:

root@infra1:~# openstack port show db02263e-b433-411b-bd83-d396e5f3f607
+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                          |
| allowed_address_pairs |                                                                             |
| binding_host_id       |                                                                             |
| binding_profile       |                                                                             |
| binding_vif_details   |                                                                             |
| binding_vif_type      | unbound                                                                     |
| binding_vnic_type     | normal                                                                      |
| created_at            | 2017-09-04T13:31:45Z                                                        |
| description           |                                                                             |
| device_id             |                                                                             |
| device_owner          |                                                                             |
| dns_assignment        | None                                                                        |
| dns_name              | None                                                                        |
| extra_dhcp_opts       |                                                                             |
| fixed_ips             | ip_address='172.31.88.10', subnet_id='7c26e59b-0ed4-4407-be42-079133cd66b3' |
| id                    | db02263e-b433-411b-bd83-d396e5f3f607                                        |
| ip_address            | None                                                                        |
| mac_address           | fa:16:3e:fd:00:7a                                                           |
| name                  | vnf-port                                                                    |
| network_id            | 33ad9c28-5884-41e1-97c0-05886740b5c1                                        |
| option_name           | None                                                                        |
| option_value          | None                                                                        |
| port_security_enabled | False                                                                       |
| project_id            | f1eb80264e9c4c688c7603bbb5541396                                            |
| qos_policy_id         | None                                                                        |
| revision_number       | 9                                                                           |
| security_groups       |                                                                             |
| status                | ACTIVE                                                                      |
| subnet_id             | None                                                                        |
| updated_at            | 2017-09-04T13:55:38Z                                                        |
+-----------------------+-----------------------------------------------------------------------------+
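The two rules in this section lend themselves to checks an operator can run over port data. The following is an added example written for this page, not OpenStack's own code: blockers_for_disabling() reports the preconditions Neutron enforces before --disable-port-security is accepted, and audit_ports() looks for ports left unfiltered without being on an approved list, and for allowed address pairs whose CIDR covers a very large range (something the page does not discuss but which follows directly from pairs accepting CIDRs). The port records are constructed to mirror openstack port show fields; the vnf-port ID and security group ID are the page's, every other ID is a placeholder, and the 256-address threshold is this example's choice.

```python
"""Checks around disabling Neutron port security.

Added example for this page, not OpenStack's own code.  Two things the
text states are turned into checks: the preconditions Neutron enforces
before `--disable-port-security` is accepted, and an audit that finds
ports left unfiltered (or granted very broad allowed address pairs)
without being on an approved list.  Port records are constructed to
mirror `openstack port show` fields; IDs other than the page's vnf-port
are placeholders.
"""
import ipaddress

VNF_PORT_ID = "db02263e-b433-411b-bd83-d396e5f3f607"  # the page's vnf-port


def blockers_for_disabling(port):
    """Return the reasons Neutron would refuse to disable port security.

    Mirrors the rule stated above: security groups and allowed address
    pairs must be removed first (--no-security-group, --no-allowed-address).
    """
    reasons = []
    if port.get("security_groups"):
        reasons.append("security groups still attached: " + ", ".join(port["security_groups"]))
    if port.get("allowed_address_pairs"):
        reasons.append("allowed address pairs still configured")
    return reasons


def audit_ports(ports, approved_unfiltered=frozenset(), max_pair_addresses=256):
    """Return (port_id, finding) tuples for ports worth a second look.

    A port with port security off is flagged unless its ID is on the
    approved list (the NFV pass-through case on this page).  An allowed
    address pair whose CIDR covers more than max_pair_addresses hosts is
    flagged too, because a pair such as 0.0.0.0/0 lets the port source
    traffic from any address, which defeats the anti-spoofing rules.
    (The size threshold is this example's choice, not a Neutron setting.)
    """
    findings = []
    for port in ports:
        pid = port["id"]
        if not port["port_security_enabled"] and pid not in approved_unfiltered:
            findings.append((pid, "port security disabled but port is not on the approved list"))
        for pair in port.get("allowed_address_pairs", []):
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if net.num_addresses > max_pair_addresses:
                findings.append((pid, "allowed address pair %s covers %d addresses" % (net, net.num_addresses)))
    return findings


# Constructed sample inventory.
SAMPLE_PORTS = [
    {   # the page's vnf-port after the procedure above: unfiltered, but approved
        "id": VNF_PORT_ID, "name": "vnf-port",
        "port_security_enabled": False, "security_groups": [], "allowed_address_pairs": [],
    },
    {   # placeholder: a port someone left unfiltered without approval
        "id": "PLACEHOLDER-PORT-B", "name": "web01-eth0",
        "port_security_enabled": False, "security_groups": [], "allowed_address_pairs": [],
    },
    {   # placeholder: filtered, but with a pair that covers the whole IPv4 space
        "id": "PLACEHOLDER-PORT-C", "name": "router-vm",
        "port_security_enabled": True,
        "security_groups": ["5cb2594e-8fcf-4603-99b8-d5005982b150"],
        "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}],
    },
]


if __name__ == "__main__":
    for pid, finding in audit_ports(SAMPLE_PORTS, approved_unfiltered={VNF_PORT_ID}):
        print(pid, finding)
    print(blockers_for_disabling(SAMPLE_PORTS[2]))
```

In a real deployment the input would come from `openstack port list --long -f json` (or the openstacksdk); the functions only depend on the field names shown in the port output above, so the sample list can be swapped for that output directly.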

References

  1. "Managing port level security in OpenStack - OpenStack Superuser." 21 Apr. 2017, http://superuser.openstack.org/articles/managing-port-level-security-openstack/. Accessed 4 Sep. 2017.

  2. "What's Coming in OpenStack Networking for the Kilo Release – Red ...." 11 May 2015, http://redhatstackblog.redhat.com/2015/05/11/whats-coming-in-openstack-networking-for-the-kilo-release/. Accessed 4 Sep. 2017.

  3. "Managing port level security in OpenStack - OpenStack Superuser." 21 Apr. 2017, http://superuser.openstack.org/articles/managing-port-level-security-openstack/. Accessed 4 Sep. 2017.