From 14c908acb7043a67f902cb38ba2e1a1c18169ea7 Mon Sep 17 00:00:00 2001 From: lavado Date: Thu, 15 Oct 2020 16:09:49 +0200 Subject: [PATCH] Simple strategy to allow address pairs for virtual IP Change-Id: I732d8700f7ca66cabc289d683c277b6c9b22616b --- Release9/strategy_allow_address_pairs.md | 37 ++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 Release9/strategy_allow_address_pairs.md diff --git a/Release9/strategy_allow_address_pairs.md b/Release9/strategy_allow_address_pairs.md new file mode 100644 index 0000000..448ec09 --- /dev/null +++ b/Release9/strategy_allow_address_pairs.md @@ -0,0 +1,37 @@ +# Simple strategy to allow address pairs for virtual IP + +## Proposers + +- Gianpietro Lavado (Whitestack) +- Gerardo García de Blas (Telefonica) + +## Type + +Feature + +## Target MDG/TF + +IM, RO + +## Description + +Openstack VIMs allow to ways to access virtual IPs inside VMs: +1. Per-IP/MAC or prefix, with allow-address-pairs. +2. Full access, by disabling port-security + +Today, OSM only supports the second one, which is not supported in some VIMs. +As a different strategy to allow full access in these VIMs that do not support disabling port +security, the proposal is to leverage allowed-address-pairs with a command like this one: + +openstack port set --allowed-address ip-address=0.0.0.0/0 PORT_ID + +This would not allow full access to the port, but would cover most cases where VIPs need +to be reached. + +At the VNFD level, a new entry would need to be added, to support this different strategy of +disabling port security. + +## Demo or definition of done + +- The VNFD supports a method of disabling port-security, through the use of allowed-address-pairs. +- The ports are implemented with an allowed-address-pair rule that allows 0.0.0.0/0 \ No newline at end of file -- 2.25.1