fir3net

OpenStack Neutron - What is Port Security?


What is Port Security?

By default, Neutron enforces the following port security restrictions:

  • Security Groups - With port security enabled, a port attached to a virtual machine instance drops all incoming and outgoing traffic unless a 'Security Group' has been applied; the rules of the applied security groups then decide what is permitted.[1]
  • Anti-Spoofing - As part of Neutron's security group implementation, anti-spoofing rules are installed that drop traffic carrying a MAC or IP address which does not belong to the Neutron port (i.e. the port's mac_address and its fixed_ips).[2] This presents a problem for NFV-based instances that forward packets through the VM, because those packets are addressed neither to nor from the port's own addresses and are therefore dropped.

Allowed Address Pairs

In order to allow additional (MAC/IP) address pairs through a port, the allowed-address-pairs extension can be used (Figure 1).


Figure 1 - Additional allowed address pairs upon a Neutron Port.[3]

Example

Let's look at how we can add additional address pairs to a port.

First, if we look at the port we can see that no allowed_address_pairs are assigned. This means that only the MAC and IP assigned to the port are permitted.

root@infra1:~# openstack port show db02263e-b433-411b-bd83-d396e5f3f607
+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                          |
| allowed_address_pairs |                                                                             |
| binding_host_id       |                                                                             |
| binding_profile       |                                                                             |
| binding_vif_details   |                                                                             |
| binding_vif_type      | unbound                                                                     |
| binding_vnic_type     | normal                                                                      |
| created_at            | 2017-09-04T13:31:45Z                                                        |
| description           |                                                                             |
| device_id             |                                                                             |
| device_owner          |                                                                             |
| dns_assignment        | None                                                                        |
| dns_name              | None                                                                        |
| extra_dhcp_opts       |                                                                             |
| fixed_ips             | ip_address='172.31.88.10', subnet_id='7c26e59b-0ed4-4407-be42-079133cd66b3' |
| id                    | db02263e-b433-411b-bd83-d396e5f3f607                                        |
| ip_address            | None                                                                        |
| mac_address           | fa:16:3e:fd:00:7a                                                           |
| name                  | vnf-port                                                                    |
| network_id            | 33ad9c28-5884-41e1-97c0-05886740b5c1                                        |
| option_name           | None                                                                        |
| option_value          | None                                                                        |
| port_security_enabled | True                                                                        |
| project_id            | f1eb80264e9c4c688c7603bbb5541396                                            |
| qos_policy_id         | None                                                                        |
| revision_number       | 5                                                                           |
| security_groups       | 5cb2594e-8fcf-4603-99b8-d5005982b150                                        |
| status                | ACTIVE                                                                      |
| subnet_id             | None                                                                        |
| updated_at            | 2017-09-04T13:31:45Z                                                        |
+-----------------------+-----------------------------------------------------------------------------+

Next, we permit an additional IP/MAC pair through the port:

openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --allowed-address ip-address=172.31.88.11,mac-address=00:00:00:11:12:22

Finally we confirm the changes have been made to the port. Here we can see the new value against allowed_address_pairs.

root@infra1:~# openstack port show db02263e-b433-411b-bd83-d396e5f3f607
+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                          |
| allowed_address_pairs | ip_address='172.31.88.11', mac_address='00:00:00:11:12:22'                  |
| binding_host_id       |                                                                             |
| binding_profile       |                                                                             |
| binding_vif_details   |                                                                             |
| binding_vif_type      | unbound                                                                     |
| binding_vnic_type     | normal                                                                      |
| created_at            | 2017-09-04T13:31:45Z                                                        |
| description           |                                                                             |
| device_id             |                                                                             |
| device_owner          |                                                                             |
| dns_assignment        | None                                                                        |
| dns_name              | None                                                                        |
| extra_dhcp_opts       |                                                                             |
| fixed_ips             | ip_address='172.31.88.10', subnet_id='7c26e59b-0ed4-4407-be42-079133cd66b3' |
| id                    | db02263e-b433-411b-bd83-d396e5f3f607                                        |
| ip_address            | None                                                                        |
| mac_address           | fa:16:3e:fd:00:7a                                                           |
| name                  | vnf-port                                                                    |
| network_id            | 33ad9c28-5884-41e1-97c0-05886740b5c1                                        |
| option_name           | None                                                                        |
| option_value          | None                                                                        |
| port_security_enabled | True                                                                        |
| project_id            | f1eb80264e9c4c688c7603bbb5541396                                            |
| qos_policy_id         | None                                                                        |
| revision_number       | 6                                                                           |
| security_groups       | 5cb2594e-8fcf-4603-99b8-d5005982b150                                        |
| status                | ACTIVE                                                                      |
| subnet_id             | None                                                                        |
| updated_at            | 2017-09-04T13:33:51Z                                                        |
+-----------------------+-----------------------------------------------------------------------------+

Disable Port Security

In certain circumstances, such as deploying NFV-based VMs, or when functionality is required that cannot be addressed by the allowed-address-pairs extension, you may need to disable port security (i.e. packet filtering) on a port. Note that this removes both the security group filtering and the anti-spoofing rules for that port, so anything the VM sends or receives on it is unfiltered by Neutron.

When doing so it is important to remember that Neutron will refuse to disable port security while a security group or any allowed address pairs are still assigned to the port; these must be removed first.

Example

As previously mentioned, we first ensure that no allowed address pairs or security groups are configured on the port:

openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --no-allowed-address
openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --no-security-group 

Port security can then be disabled on the port:

openstack port set db02263e-b433-411b-bd83-d396e5f3f607 --disable-port-security

Finally, we check the port to confirm the change has been made. port_security_enabled now reads False and security_groups is empty.

openstack port show db02263e-b433-411b-bd83-d396e5f3f607
+-----------------------+-----------------------------------------------------------------------------+
| Field                 | Value                                                                       |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up        | UP                                                                          |
| allowed_address_pairs |                                                                             |
| binding_host_id       |                                                                             |
| binding_profile       |                                                                             |
| binding_vif_details   |                                                                             |
| binding_vif_type      | unbound                                                                     |
| binding_vnic_type     | normal                                                                      |
| created_at            | 2017-09-04T13:31:45Z                                                        |
| description           |                                                                             |
| device_id             |                                                                             |
| device_owner          |                                                                             |
| dns_assignment        | None                                                                        |
| dns_name              | None                                                                        |
| extra_dhcp_opts       |                                                                             |
| fixed_ips             | ip_address='172.31.88.10', subnet_id='7c26e59b-0ed4-4407-be42-079133cd66b3' |
| id                    | db02263e-b433-411b-bd83-d396e5f3f607                                        |
| ip_address            | None                                                                        |
| mac_address           | fa:16:3e:fd:00:7a                                                           |
| name                  | vnf-port                                                                    |
| network_id            | 33ad9c28-5884-41e1-97c0-05886740b5c1                                        |
| option_name           | None                                                                        |
| option_value          | None                                                                        |
| port_security_enabled | False                                                                       |
| project_id            | f1eb80264e9c4c688c7603bbb5541396                                            |
| qos_policy_id         | None                                                                        |
| revision_number       | 9                                                                           |
| security_groups       |                                                                             |
| status                | ACTIVE                                                                      |
| subnet_id             | None                                                                        |
| updated_at            | 2017-09-04T13:55:38Z                                                        |
+-----------------------+-----------------------------------------------------------------------------+
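Because a port with port security disabled, or with an overly wide allowed address pair, has no MAC/IP anti-spoofing at all, it is worth auditing ports for both conditions rather than relying on memory of which VNF ports were relaxed. The script below is an added example (not code from the fir3net article or from the OpenStack project). It assumes each port has been dumped with `openstack port show <id> -f json`; the two port records embedded in it are constructed samples modelled on the fields shown in the tables above (the second port ID, its addresses and the 0.0.0.0/0 pair are made up), and the /24 and /64 prefix thresholds are a policy choice, not a Neutron setting. It also reproduces the precondition from the previous section: port security can only be disabled once security groups and allowed address pairs have been cleared.

```python
"""Audit Neutron port security posture from `openstack port show -f json` output.

Added example (not from the fir3net article or the OpenStack project).
Assumes each port was dumped with `openstack port show <id> -f json`.
"""
import ipaddress
import json

# Constructed sample data (not captured from a real cloud): the first record
# mirrors the article's vnf-port with an extra, deliberately wide 0.0.0.0/0
# pair added; the second is a made-up port with port security disabled.
SAMPLE_PORTS_JSON = """
[
  {
    "id": "db02263e-b433-411b-bd83-d396e5f3f607",
    "name": "vnf-port",
    "mac_address": "fa:16:3e:fd:00:7a",
    "fixed_ips": [{"ip_address": "172.31.88.10",
                   "subnet_id": "7c26e59b-0ed4-4407-be42-079133cd66b3"}],
    "allowed_address_pairs": [
      {"ip_address": "172.31.88.11", "mac_address": "00:00:00:11:12:22"},
      {"ip_address": "0.0.0.0/0", "mac_address": "fa:16:3e:fd:00:7a"}
    ],
    "port_security_enabled": true,
    "security_groups": ["5cb2594e-8fcf-4603-99b8-d5005982b150"]
  },
  {
    "id": "1b2c3d4e-0000-4000-8000-000000000002",
    "name": "vnf-port-nosec",
    "mac_address": "fa:16:3e:aa:bb:cc",
    "fixed_ips": [{"ip_address": "172.31.88.12",
                   "subnet_id": "7c26e59b-0ed4-4407-be42-079133cd66b3"}],
    "allowed_address_pairs": [],
    "port_security_enabled": false,
    "security_groups": []
  }
]
"""

# Policy choice (assumption, not a Neutron default): an allowed address pair
# wider than this prefix is treated as switching IP anti-spoofing off.
MAX_PAIR_PREFIX_SPAN = {4: 24, 6: 64}


def load_ports(ports_json):
    """Parse a JSON array of `openstack port show -f json` records."""
    return json.loads(ports_json)


def can_disable_port_security(port):
    """Neutron refuses --disable-port-security while the port still carries
    security groups or allowed address pairs; mirror that precondition."""
    return not port.get("security_groups") and not port.get("allowed_address_pairs")


def audit_port(port):
    """Return a list of (severity, message) findings for one port record."""
    findings = []
    if not port.get("port_security_enabled", True):
        findings.append(("HIGH", "port security disabled: no security groups "
                                 "and no MAC/IP anti-spoofing on this port"))
        return findings  # nothing else to evaluate; Neutron filters nothing
    if not port.get("security_groups"):
        findings.append(("INFO", "port security enabled but no security group: "
                                 "all traffic to/from this port is dropped"))
    for pair in port.get("allowed_address_pairs") or []:
        # A bare host address parses as a /32 (or /128); a CIDR keeps its prefix.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        limit = MAX_PAIR_PREFIX_SPAN[net.version]
        if net.prefixlen < limit:
            findings.append(("HIGH", f"allowed address pair {net} is wider than "
                                     f"/{limit}: IP anti-spoofing effectively off"))
        mac = (pair.get("mac_address") or "").lower()
        if mac and mac != port["mac_address"].lower():
            findings.append(("MEDIUM", f"allowed address pair {pair['ip_address']} "
                                       f"permits foreign MAC {mac}"))
    return findings


def audit_ports(ports_json):
    """Map port ID -> findings for every record in the dump."""
    return {p["id"]: audit_port(p) for p in load_ports(ports_json)}


if __name__ == "__main__":
    for port_id, findings in audit_ports(SAMPLE_PORTS_JSON).items():
        for severity, message in findings:
            print(f"{severity:6} {port_id} {message}")
```

In practice you would feed the script the concatenated output of `openstack port show <id> -f json` for every port in the project (or the dump from your inventory tooling) instead of the constructed sample. Ports flagged HIGH are the ones to review against the NFV justification; an allowed address pair of 0.0.0.0/0 is functionally close to disabling port security for IP while still leaving the port attached to security groups, which is easy to overlook when only port_security_enabled is checked.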

References

[1] "Managing port level security in OpenStack - OpenStack Superuser." 21 Apr. 2017, http://superuser.openstack.org/articles/managing-port-level-security-openstack/. Accessed 4 Sep. 2017.
[2] "What's Coming in OpenStack Networking for the Kilo Release – Red ...." 11 May. 2015, http://redhatstackblog.redhat.com/2015/05/11/whats-coming-in-openstack-networking-for-the-kilo-release/. Accessed 4 Sep. 2017.
[3] "Managing port level security in OpenStack - OpenStack Superuser." 21 Apr. 2017, http://superuser.openstack.org/articles/managing-port-level-security-openstack/. Accessed 4 Sep. 2017.

Tags: OpenStack, ML2, Neutron

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001