*** yamamoto has quit IRC | 00:03 | |
*** hongbin has quit IRC | 00:22 | |
*** yamamoto has joined #openstack-fwaas | 02:59 | |
*** irclogbot_1 has quit IRC | 04:35 | |
*** velizarx has joined #openstack-fwaas | 08:12 | |
*** yamamoto has quit IRC | 08:42 | |
*** yamamoto has joined #openstack-fwaas | 08:54 | |
*** njohnston_ has joined #openstack-fwaas | 12:03 | |
*** njohnston_ has quit IRC | 12:05 | |
*** velizarx has quit IRC | 12:56 | |
*** yamamoto has quit IRC | 13:09 | |
*** velizarx has joined #openstack-fwaas | 13:09 | |
*** yamamoto has joined #openstack-fwaas | 13:40 | |
*** yamamoto has quit IRC | 14:11 | |
*** yamamoto has joined #openstack-fwaas | 14:13 | |
*** yamamoto has quit IRC | 14:13 | |
*** yamamoto has joined #openstack-fwaas | 14:15 | |
*** yamamoto has quit IRC | 14:20 | |
*** hongbin has joined #openstack-fwaas | 14:58 | |
*** velizarx has quit IRC | 15:00 | |
*** velizarx has joined #openstack-fwaas | 16:08 | |
openstackgerrit | Merged openstack/neutron-fwaas master: Define types for C calls in netlink_lib https://review.openstack.org/630451 | 16:53 |
*** velizarx has quit IRC | 17:09 | |
*** yamamoto has joined #openstack-fwaas | 17:13 | |
openstackgerrit | Merged openstack/neutron-fwaas master: Change netns tests with oslo.privsep to check netns links https://review.openstack.org/631654 | 17:14 |
*** yamamoto has quit IRC | 17:18 | |
*** hongbin has quit IRC | 19:20 | |
*** hongbin has joined #openstack-fwaas | 19:22 | |
*** hongbin has quit IRC | 19:22 | |
*** hongbin has joined #openstack-fwaas | 19:25 | |
*** mlavalle has joined #openstack-fwaas | 19:58 | |
*** yamamoto has joined #openstack-fwaas | 20:00 | |
mlavalle | hongbin: hey | 20:00 |
hongbin | mlavalle: pong | 20:00 |
hongbin | it looks like sridar is not here yet | 20:00 |
mlavalle | let's give him a few minutes. if he doesn't show up, I'll ping him in whatsapp | 20:02 |
hongbin | ok | 20:02 |
mlavalle | hongbin: you know what whatsapp is, right? | 20:06 |
hongbin | mlavalle: i know | 20:06 |
hongbin | although my account is not used for a while | 20:07 |
mlavalle | hongbin: US WeChat | 20:07 |
hongbin | yes | 20:07 |
mlavalle | without the payments functionality | 20:07 |
hongbin | without redpack | 20:07 |
mlavalle | yeap | 20:08 |
mlavalle | Facebook paid $20 billion for it, though | 20:08 |
hongbin | yes, i heard the news before | 20:09 |
mlavalle | and then got in a fight with the founders and they left | 20:09 |
mlavalle | one of them was so pissed off that he left several billion on the table | 20:10 |
mlavalle | of course, he can afford it | 20:10 |
hongbin | lol | 20:10 |
* mlavalle pinging Sridar | 20:11 | |
mlavalle | he is not responding in whatsapp either. When he does, I'll ping you here | 20:17 |
hongbin | ok, thanks | 20:18 |
*** SridarK has joined #openstack-fwaas | 20:24 | |
SridarK | mlavalle: hongbin hi | 20:24 |
SridarK | sorry got delayed in a conversation | 20:25 |
hongbin | SridarK: hi sridar | 20:25 |
mlavalle | SridarK: hey, nice to see you | 20:25 |
hongbin | np | 20:25 |
mlavalle | so we have one point of discussion about one of the specs, right? | 20:25 |
hongbin | yes | 20:26 |
hongbin | #link https://review.openstack.org/#/c/600870/ | 20:26 |
SridarK | yes let me bring that up | 20:26 |
SridarK | Was there a reason that we need multiple FWG ? | 20:27 |
SridarK | We can achieve pretty much the samething with multiple policies | 20:27 |
hongbin | i can explain the reasons | 20:27 |
hongbin | the first use case is the anti-virus detection | 20:27 |
SridarK | pls - again this is only a recommendation | 20:27 |
hongbin | sure | 20:28 |
hongbin | so, there is a use case where the cloud provider runs anti-virus software to detect that some VMs are compromised | 20:28 |
SridarK | ok | 20:28 |
hongbin | then, the cloud provider wants to "block" those compromised VMs | 20:28 |
hongbin | to achieve that, the cloud provider creates a FWG, and attaches the FWG to the VMs | 20:29 |
hongbin | this is the case that can be resolved by multiple FWGs | 20:30 |
SridarK | agreed | 20:30 |
SridarK | the alternate model: | 20:30 |
hongbin | so, the VMs are created with their own FWG(s), once the VM is detected, the cloud provider adds another FWG to the VMs | 20:30 |
SridarK | sorry go ahead | 20:30 |
hongbin | i basically finished :) | 20:31 |
SridarK | :-) | 20:31 |
SridarK | U want to sort of bind a FWG to a VM or set of VMs | 20:31 |
hongbin | yes, that is one thing i want | 20:32 |
SridarK | I felt we can achieve the same thing with a policy (set of rules) - so when this VM or a VM from a particular group is plugged into a port - we can add a policy block that has this set of rules | 20:33 |
SridarK | to the FWG | 20:33 |
SridarK | it may be easier to set a priority for the evaluation of policies | 20:34 |
SridarK | irrespective of FWG or policy - we want to filter thru a set of rules | 20:34 |
hongbin | yes, that is correct | 20:35 |
SridarK | and the order in which we go thru the rules is important | 20:35 |
SridarK | or at least deterministic and predictable | 20:36 |
hongbin | that is right | 20:36 |
hongbin | so it sounds like both models (multiple FWG or multiple policies) can achieve the goal | 20:37 |
SridarK | yes | 20:37 |
hongbin | then, the point is which model is easier to use and more maintainable | 20:37 |
SridarK | I think we had some validation to ensure that a port can only belong to one FWG | 20:38 |
SridarK | for the reasons above | 20:38 |
SridarK | The FWG is really a collection of Rules (in a policy) and a set of Ports | 20:38 |
hongbin | yes, agree | 20:39 |
SridarK | It is policy that actually defines a collection of Rules that we want to filter on | 20:39 |
hongbin | yes | 20:39 |
SridarK | Also if we can support multiple policies - we can achieve another goal | 20:39 |
hongbin | which goal? | 20:39 |
SridarK | In a workflow where: | 20:40 |
SridarK | 1) the user defines some rules | 20:40 |
SridarK | 2) the admin wants to enforce some set of rules | 20:40 |
SridarK | perhaps like Infosec or PCI compliance | 20:40 |
SridarK | we can have a policy block that can be applied | 20:41 |
SridarK | rather easily | 20:41 |
SridarK | so some of the std stuff can be picked up easily and reused | 20:41 |
hongbin | i assume it can also be achieved in the multiple FWG model? | 20:41 |
SridarK | So the multiple policy requirement has been in some thought for some time | 20:41 |
SridarK | yes we can | 20:42 |
hongbin | is there any cons if using the multiple FWGs model in your use case? | 20:42 |
SridarK | Typically in deployment - we may not have a Firewall installed every time we need a set of rules to be effected | 20:43 |
SridarK | Also it may be good to keep the prioritization across policies within the context of a FWG | 20:44 |
SridarK | rather than across FWG | 20:44 |
hongbin | the reason is? | 20:44 |
SridarK | IMO, that will be more modular | 20:44 |
hongbin | ok | 20:45 |
SridarK | u only want to enforce a priority within related blocks of rules | 20:45 |
SridarK | so it is encapsulated within a FWG | 20:45 |
hongbin | yes, it might be true | 20:45 |
SridarK | if we were to do this across FWG - we will need to track the prioritization which would be meaningless if they are on different ports | 20:46 |
SridarK | In some sense we will introduce another grouping of FWG | 20:46 |
hongbin | ok | 20:47 |
SridarK | Is there a reason that having multiple policies will not work for u ? | 20:47 |
hongbin | i am trying to think whether multiple policies will work for me or not | 20:48 |
hongbin | i don't have an answer yet, but just brainstorming several cases | 20:48 |
SridarK | Again i dont fully understand if there are some intricacies in ur scenario that need that | 20:49 |
SridarK | Perhaps u can give this some thought | 20:49 |
hongbin | in particular, in our use cases, one of the reasons we want to adopt the FWaaS API is to make things more manageable | 20:49 |
hongbin | for example, in a cloud, there are lots of VMs, lots of policies, lots of ports, and FWGs | 20:49 |
hongbin | i am trying to think which model is more manageable in such cases | 20:50 |
SridarK | ok | 20:50 |
hongbin | then, go back to the anti-virus cases | 20:50 |
hongbin | if a VM is compromised, we block this VM | 20:51 |
SridarK | Sometimes i have felt even the notion of FWG is a bit redundant - but it kind of provides a grouping | 20:51 |
hongbin | the first model is to add a policy to the existing FWG of the VM | 20:51 |
hongbin | the second model is to add another FWG to the VM | 20:51 |
SridarK | it in itself is only a collection of policy and ports | 20:52 |
hongbin | yes, i agree with that point | 20:52 |
SridarK | if the ports are all distinct - u can always have separate FWG | 20:52 |
SridarK | the problem is when u have multiple FWG on a port | 20:52 |
SridarK | even if it is distinct, look at this workflow: | 20:53 |
SridarK | 1) u have a VM with a FWG (with some set of rules in a policy) | 20:53 |
SridarK | 2) when u add a VM (which is from the same group as (1)) with similar filtering requirements: | 20:54 |
SridarK | a) u plug the VM | 20:54 |
SridarK | b) u add the port u are plugging the VM into to the existing FWG | 20:54 |
SridarK | pls take that with a caveat w.r.t default FWG | 20:55 |
SridarK | but that basic idea | 20:55 |
SridarK | so u will have a smaller number of FWGs to manage | 20:55 |
SridarK | as long as u have the right set of ports in the FWG | 20:55 |
SridarK | just a thought | 20:56 |
SridarK | again this is an oversimplification possibly | 20:56 |
* hongbin is digesting the context | 20:57 | |
SridarK | :-) | 20:57 |
hongbin | could you give an example? | 20:58 |
hongbin | (so that i can follow it better) | 20:58 |
SridarK | If u have VM1 on Port 1 with some set of Rules in a policy P1 | 20:59 |
hongbin | right | 20:59 |
SridarK | then the FWG would be: FWG1: P1, Port 1 | 20:59 |
hongbin | yes | 20:59 |
SridarK | Now if u add another VM VM2 on Port2 with the same set of Rules: | 21:00 |
SridarK | Then u can just update FWG1 to be: | 21:00 |
SridarK | FWG1: P1, (Port1, Port2) | 21:00 |
SridarK | so u only have one FWG | 21:01 |
SridarK | for both VMs | 21:01 |
hongbin | that is right | 21:01 |
hongbin | that is the simple scenario | 21:01 |
SridarK | Now if the admin wants some infosec rules | 21:02 |
SridarK | to be on all ports | 21:02 |
SridarK | which is perhaps admin owned | 21:02 |
hongbin | ok | 21:02 |
SridarK | then we can have: | 21:02 |
SridarK | FWG1: PolicyINFOSEC, P1, (Port1, Port2) | 21:03 |
SridarK | and we can force the ordering across the policies | 21:03 |
SridarK | PolicyINFOSEC before P1 | 21:03 |
SridarK | or can be controlled by configuration | 21:03 |
hongbin | ok | 21:03 |
SridarK | Now the ordering is within the context of FWG1 | 21:04 |
hongbin | yes | 21:04 |
SridarK | Lets say u bring up some other VM | 21:04 |
SridarK | not related to VM1 and VM2 with different filtering requirements | 21:04 |
SridarK | VM 3 brought up on Port3 | 21:05 |
hongbin | right | 21:05 |
SridarK | FWG2: PolicyINFOSEC, P2, (Port3) | 21:05 |
SridarK | FWG1 is on Port1 and Port2 | 21:06 |
hongbin | right | 21:06 |
SridarK | FWG2 is on Port3 | 21:06 |
hongbin | so, let's say later, we have another VM | 21:06 |
hongbin | VM4 that has P4 | 21:07 |
SridarK | hongbin: sorry i will need to run out in abt 5 mins - just quick timecheck | 21:07 |
SridarK | ok | 21:07 |
SridarK | If VM4 has policy P4 and is obviously on a different port | 21:08 |
hongbin | VM4 needs to have P2 and PolicyINFOSEC | 21:08 |
SridarK | ah ok | 21:08 |
SridarK | then if u have it on Port 4 | 21:08 |
hongbin | then, we need to create another FWG? | 21:08 |
SridarK | then u can add Port 4 to FWG2 | 21:08 |
SridarK | no need for another FWG | 21:09 |
hongbin | ok | 21:09 |
hongbin | then, let's say VM4 needs to have P1, P2, and PolicyINFOSEC | 21:09 |
hongbin | then you need another FWG | 21:09 |
SridarK | for all VM's with a common set of rules (contained in Policy) we can use the same FWG | 21:10 |
SridarK | yes if VM4 needs a different set of rules | 21:10 |
hongbin | so, we create P3, which is P1 + P2? | 21:10 |
hongbin | then VM4 will be | 21:11 |
hongbin | FWG3: PolicyINFOSEC, P3, (Port4) | 21:11 |
hongbin | correct? | 21:11 |
SridarK | yes or u can also just have it as: | 21:11 |
SridarK | FWG3: PolicyINFOSEC, P1, P2, (Port 4) | 21:12 |
hongbin | right | 21:12 |
SridarK | if we can reuse policies | 21:12 |
SridarK | less resources on OpenStack | 21:12 |
hongbin | then, if there are lots of VMs | 21:12 |
hongbin | we will end up creating lots of FWGs | 21:13 |
hongbin | each FWG will have different permutation of policies | 21:13 |
SridarK | Not if the VMs are using the same set of rules | 21:13 |
hongbin | yes | 21:13 |
SridarK | u will just need a port association | 21:13 |
hongbin | however, VMs rules are changing at runtime , right? | 21:14 |
hongbin | (for example, a VM is compromised) | 21:14 |
SridarK | and managing the ordering across Rule blocks | 21:14 |
SridarK | well if u change a rule in a policy | 21:14 |
hongbin | that is not ideal, i can explain why | 21:14 |
hongbin | if i change rule in policy, all VMs are affected | 21:15 |
SridarK | I really have to run to an appt | 21:15 |
hongbin | if there are lots of VMs using the same rule, changing a rule is not manageable | 21:15 |
SridarK | but lets wrap this | 21:15 |
hongbin | sure | 21:15 |
hongbin | could we continue the discussion using email? | 21:15 |
SridarK | yes we can | 21:16 |
hongbin | or want to schedule another meeting? | 21:16 |
SridarK | what timezone are u in ? | 21:16 |
hongbin | toronto | 21:16 |
mlavalle | he is west coast + 3 | 21:16 |
SridarK | so it's 4:15pm? | 21:16 |
mlavalle | I'm west coast + 2 | 21:16 |
hongbin | right | 21:16 |
mlavalle | yes | 21:16 |
SridarK | shall we continue tomorrow ? | 21:16 |
hongbin | sure | 21:16 |
mlavalle | fine with me | 21:16 |
SridarK | or email is fine too | 21:16 |
mlavalle | let's give it a try tomorrow | 21:17 |
SridarK | or i can set up a webex too | 21:17 |
mlavalle | that works | 21:17 |
mlavalle | what time are you available tomorrow? | 21:17 |
SridarK | i am fairly open - let me email | 21:17 |
SridarK | i have to run out | 21:17 |
SridarK | very late | 21:17 |
hongbin | i am not sure about webex, not sure if it will be allowed by my company firewall | 21:17 |
SridarK | sorry abt that | 21:17 |
SridarK | oh ok | 21:18 |
SridarK | will send an email on time for tomorrow | 21:18 |
SridarK | running out talk later | 21:18 |
SridarK | thx hongbin mlavalle | 21:18 |
hongbin | ok, see you later | 21:18 |
mlavalle | SridarK: thank you | 21:18 |
hongbin | SridarK: thanks for your time | 21:18 |
SridarK | np bye all | 21:18 |
hongbin | bye | 21:20 |
mlavalle | good discussion hongbin. Thanks | 21:20 |
hongbin | mlavalle: i will try to summarize what we discussed today, then next time we can start from there | 21:21 |
hongbin | mlavalle: thanks for making this meeting happen | 21:21 |
mlavalle | that's a good idea | 21:21 |
hongbin | :) | 21:21 |
*** mlavalle has left #openstack-fwaas | 21:42 | |
*** hongbin has quit IRC | 22:54 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!