aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBartek Grzybowski <b.grzybowski@partner.samsung.com>2019-09-12 09:51:34 +0200
committerDaniel Rose <dr695h@att.com>2019-09-12 13:08:24 +0000
commitf1d0a8be232f7b6a4076acbe32dab8e15856c41e (patch)
tree496757646c1d382a9700a54b5a4ea8338d54bea6
parent73b02ed6a0c8c8942f2740034d6a2546a6551932 (diff)
Add remarks related to Openstack's port security on vCPE
Extended anti-spoofing related notes with some hints on dealing with Neutron's Port Security Extension Driver which in some cases may prevent VNFs to function properly. Change-Id: Icf4f44b8cbcaa70621bf21d5b72ff552be80d4e2 Issue-ID: DOC-549 Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
-rw-r--r--docs/docs_vCPE.rst3
1 files changed, 2 insertions, 1 deletions
diff --git a/docs/docs_vCPE.rst b/docs/docs_vCPE.rst
index 6a4b1b2db..c6534b821 100644
--- a/docs/docs_vCPE.rst
+++ b/docs/docs_vCPE.rst
@@ -195,5 +195,6 @@ Known Issues and Workaround
3) In some Openstack environments (e.g. Ocata version), there is an issue with DHCP anti-spoofing rules preventing BRG to receive DHCP reply (Option 82) from DHCP. By default Openstack neutron is using *IptablesFirewallDriver*, which is actively inserting *Prevent DHCP Spoofing by VM* rules into linuxbridge firewall rules. This feature should prevent mailicious traffic from rogue VM inside Openstack, however it's affecting also vCPE usecase. Manual tweaking of fw rules is not persistent and those rules are automatically regenerated, but one can disable this logic by switching to *neutron.agent.firewall.NoopFirewallDriver*. More details can be found on https://codesomniac.com/2017/07/how-to-run-a-dhcp-server-as-openstack-instance/
- **NOTE:** To propagate change in firewall_driver one need to restart neutron-linuxbridge-agent and also openstack-nova-compute services.
+ **NOTE:** To propagate change in firewall_driver one needs to restart neutron-linuxbridge-agent and also openstack-nova-compute services.
+ Additionally Neutron's Port Security Extension Driver is by default preventing any routing functions of an instance (be it a router or VNF). Hence for smoothest vCPE experience it's advised to either disable the packet filtering by setting port_security_enabled flag for a network/port to "False" or alternatively add allowed_address_pairs to relevant VNFs ports with appropriate network prefixes. Port security driver can be also disabled globally, for more insight into Port Security Extension Driver please visit https://wiki.openstack.org/wiki/Neutron/ML2PortSecurityExtensionDriver