ec72c07f87
Allow user to control setting of MAC spoof checking for the SR-IOV ports. Blueprint: sriov-spoofchk Change-Id: I1be979641fe114b8a069bcc192936761a6bb2238
4.1 KiB
Enable spoofchk control for SR-IOV ports
https://blueprints.launchpad.net/neutron/+spec/sriov-spoofchk
Allow user to control setting of MAC spoof checking for the SR-IOV ports.
Problem Description
Support for SR-IOV ports appeared in Neutron Juno and allows allows VMs to access virtual network via SR-IOV VFs. SR-IOV ports in Linux allow specification of whether source MAC spoof checking should be enabled or disabled for them. This can be done, for example, using the ip-link(8) tool:
ip link set eth0 vf 2 spoofchk off
This command disables spoof checking for Virtual Function 2 on Physical Device 'eth0'.
This feature is useful for bonding configurations inside guests. For example, MAC spoof checking should be disabled for 802.3ad (Dynamic link aggregation) bonds. Please see the 'Configuring QoS Features with Intel Flexible Port Partitioning' whitepaper for more details, link is available in the 'References' section.
Proposed Change
The proposal is to leverage the port security extension. Specifically, for 'direct' types of ports port_security_enabled = False would mean that spoof checking should be disabled.
Actual setting for the VF will be done by the sriovnicagent using the ip-link(8) tool.
Default value for the spoof checking will be enabled, so the change will not affect a default behavior.
Data Model Impact
None
REST API Impact
None
Security Impact
That could have a security impact if user disables spoof checking for a specific port, however it is expected and user can manually decide if that's applicable for his configuration.
As spoof checking is enabled by default, there would be no security impact with the default setting.
Notifications Impact
None
Other End User Impact
And user will have a facility to control spoof checking settings on specific Neutron ports.
- python-neutronclient does not need to be modified
Performance Impact
It'll have a slight impact on the sriovagent as it'll have to run one more external command (ip-link(8)).
IPv6 Impact
None
Other Deployer Impact
None
Developer Impact
None
Community Impact
This changes has not been discussed so far.
Alternatives
Another possible way of providing control to user is to introduce a dedicated attribute for spoof checking instead of 'port_security_enabled' from the portsecurity extension. It could be named 'spoofchk' and be placed either into portsecurity extension or into portbindings extension.
Implementation
Assignee(s)
- Primary assignee:
-
novel
Work Items
- Modify sriovagent to be able to enable or disable spoof checking based on user setting
- Verify on API level and in binding handling routines that sriovagent is not disabled as it being turned off would not allow to meet user's expectation.
Dependencies
None
Testing
Tempest tests are not planned currently as SR-IOV hardware is not always available. 3rd party CI testing could be considered, though probably the feature is relatively minor for that.
Tempest Tests
None
Functional Tests
None
API Tests
API tests would be added to cover specifics of port_security for 'direct' type of ports.
Documentation Impact
User Documentation
User documentation will be updated with information about spoof checking control for 'direct' ports and its security considerations.
Developer Documentation
None