Managing Port Security

How to manage and utilize allowed address pairs in OpenStack Flex

In Rackspace OpenStack Flex, every virtual network interface is represented by a logical port that defines the IP address and MAC address of the interface. By default, OpenStack drops traffic from a virtual machine instance whose source MAC and IP address do not match those listed on its port.

Given the port list shown below, the following is true:

+--------------------------------------+---------+-------------------+-----------------------------------------+--------+
| ID                                   | Name    | MAC Address       | Fixed IP Addresses                      | Status |
+--------------------------------------+---------+-------------------+-----------------------------------------+--------+
| 0c1383d0-c894-4796-9408-601251626e8d |         | fa:16:3e:cd:9b:6b | ip_address='192.168.1.2', subnet_id='6a | DOWN   |
|                                      |         |                   | 9d31e7-0b2e-43a2-8042-e33f944c2c38'     |        |
| c8614ddb-6822-42ae-adcd-c9ff76bb82d7 | server1 | fa:16:3e:3e:e3:14 | ip_address='192.168.1.138', subnet_id=' | DOWN   |
|                                      |         |                   | 6a9d31e7-0b2e-43a2-8042-e33f944c2c38'   |        |
| c93c93ae-e1d3-4d21-bdda-0b2877e9fbd4 | server2 | fa:16:3e:7b:e9:03 | ip_address='192.168.1.136', subnet_id=' | DOWN   |
|                                      |         |                   | 6a9d31e7-0b2e-43a2-8042-e33f944c2c38'   |        |
+--------------------------------------+---------+-------------------+-----------------------------------------+--------+
  • server1 can send traffic as 192.168.1.138 with a source MAC address of fa:16:3e:3e:e3:14
  • server2 can send traffic as 192.168.1.136 with a source MAC address of fa:16:3e:7b:e9:03
  • any attempt to send traffic as a different IP or MAC address will be silently dropped

Likewise, the infrastructure's software defined networking (SDN) stack uses the same port information to forward inbound traffic destined for a VM to the correct Cloud hypervisor, based on the IP and MAC address recorded on the port.

Allowed Address Pairs are a component of port security in OpenStack that allow a VM to send traffic as something other than its assigned fixed IP or MAC address. Common use cases for this functionality include using a virtual IP (VIP) with keepalived/vrrp or routing traffic using VM-based routers. Allowed addresses can be /32 host addresses or larger subnets (e.g. /24).

To add an allowed address, use the openstack port set command for each port needing to share the same address.

Example - HAProxy with Keepalived

Two VMs, server1 and server2, are configured to load balance traffic using haproxy with keepalived in active/passive mode. A VIP, 192.168.1.10, will float between the VMs depending on which is active. Each port should be updated to include the VIP address as an allowed address as shown below:

~> openstack port set server1 --allowed-address ip-address=192.168.1.10
~> openstack port set server2 --allowed-address ip-address=192.168.1.10

The ports will reflect the change:

~> openstack port show server1 -c allowed_address_pairs
+-----------------------+------------------------------------------------------------+
| Field                 | Value                                                      |
+-----------------------+------------------------------------------------------------+
| allowed_address_pairs | ip_address='192.168.1.10', mac_address='fa:16:3e:3e:e3:14' |
+-----------------------+------------------------------------------------------------+

~> openstack port show server2 -c allowed_address_pairs
+-----------------------+------------------------------------------------------------+
| Field                 | Value                                                      |
+-----------------------+------------------------------------------------------------+
| allowed_address_pairs | ip_address='192.168.1.10', mac_address='fa:16:3e:7b:e9:03' |
+-----------------------+------------------------------------------------------------+

NOTE - If left undefined, the MAC address of the allowed address matches that of the VM's port. Should a different MAC address be needed, use --allowed-address ip-address=<ip address>,mac-address=<mac address> instead.

Once implemented, both ports will be allowed to send and receive traffic as 192.168.1.10, so the VIP continues to work after a failover.
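The anti-spoofing rule described above, modelled in Python as an added example (not code from the original page or from OpenStack): the Port class, add_allowed_address and is_permitted are constructed here to mirror the fixed-IP/MAC check, the allowed-address-pair check including /24-style prefixes, and the default-MAC behaviour from the NOTE, using the server1/server2 ports and VIP from the HAProxy example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Port:
    """Subset of a Neutron port relevant to port security (hypothetical model)."""
    name: str
    mac: str
    fixed_ips: list                                     # addresses assigned to the port
    allowed_pairs: list = field(default_factory=list)   # (ip_or_cidr, mac) tuples


def add_allowed_address(port, ip_address, mac_address=None):
    """Mirror of `openstack port set --allowed-address ip-address=...[,mac-address=...]`.
    When no MAC is given the pair inherits the port's own MAC, as the NOTE above states."""
    port.allowed_pairs.append((ip_address, (mac_address or port.mac).lower()))


def is_permitted(port, src_ip, src_mac):
    """Return True if a frame with this source IP/MAC would pass port security on `port`."""
    src_mac = src_mac.lower()
    addr = ipaddress.ip_address(src_ip)
    # Rule 1: one of the port's fixed IPs, sent with the port's own MAC.
    if src_mac == port.mac.lower() and any(addr == ipaddress.ip_address(f) for f in port.fixed_ips):
        return True
    # Rule 2: an allowed address pair; the IP side may be a /32 host or a larger prefix.
    for cidr, mac in port.allowed_pairs:
        if src_mac == mac and addr in ipaddress.ip_network(cidr, strict=False):
            return True
    return False   # anything else is silently dropped


def haproxy_example():
    """The server1/server2 ports from the table above, after adding the 192.168.1.10 VIP."""
    server1 = Port("server1", "fa:16:3e:3e:e3:14", ["192.168.1.138"])
    server2 = Port("server2", "fa:16:3e:7b:e9:03", ["192.168.1.136"])
    for port in (server1, server2):
        add_allowed_address(port, "192.168.1.10")   # same as `openstack port set --allowed-address`
    return server1, server2


if __name__ == "__main__":
    s1, s2 = haproxy_example()
    print("server1 as VIP:", is_permitted(s1, "192.168.1.10", s1.mac))            # True
    print("server1 as server2's IP:", is_permitted(s1, "192.168.1.136", s1.mac))  # False
```

The last assertion-style checks show why each VM needs its own pair entry: server1 cannot use the VIP with server2's MAC, and a VM-based router only needs one /24 entry rather than one per host.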