
The Neutron allowed address pair feature

Category: Cloud/OpenStack, 2021-07-05 10:26

By default, Neutron applies security on a per-port basis.

Because this prevents a VM from sending or receiving traffic with a MAC or IP address that does not belong to its Neutron port, you must either create the OpenStack network with --disable-port-security or use the allowed address pair feature.

 

This is an issue you mostly run into when a VIP is configured inside the VMs.

 

The test below starts from a port with port security disabled.

 

1. Port information and other details

A VIP is in use across three VMs. With port security disabled, ping to the VIP works.

## VM1
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:50:c3:cc brd ff:ff:ff:ff:ff:ff
    inet 100.100.100.12/24 brd 100.100.100.255 scope global noprefixroute eth0
    
    
## VM2
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:5f:fb:d8 brd ff:ff:ff:ff:ff:ff
    inet 100.100.100.11/24 brd 100.100.100.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 100.100.100.10/24 scope global secondary eth0
    
    
## ping 
[root@hk-k8s-master2 ~]# ping 100.100.100.10
PING 100.100.100.10 (100.100.100.10) 56(84) bytes of data.
64 bytes from 100.100.100.10: icmp_seq=1 ttl=64 time=0.096 ms
64 bytes from 100.100.100.10: icmp_seq=2 ttl=64 time=0.060 ms

[root@hk-k8s-master1 ~]# tcpdump -enpi eth0 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:10:49.651580 fa:16:3e:50:c3:cc > fa:16:3e:5f:fb:d8, ethertype IPv4 (0x0800), length 98: 100.100.100.12 > 100.100.100.10: ICMP echo request, id 48032, seq 1, length 64
01:10:49.651619 fa:16:3e:5f:fb:d8 > fa:16:3e:50:c3:cc, ethertype IPv4 (0x0800), length 98: 100.100.100.10 > 100.100.100.12: ICMP echo reply, id 48032, seq 1, length 64
01:10:50.665095 fa:16:3e:50:c3:cc > fa:16:3e:5f:fb:d8, ethertype IPv4 (0x0800), length 98: 100.100.100.12 > 100.100.100.10: ICMP echo request, id 48032, seq 2, length 64
01:10:50.665111 fa:16:3e:5f:fb:d8 > fa:16:3e:50:c3:cc, ethertype IPv4 (0x0800), length 98: 100.100.100.10 > 100.100.100.12: ICMP echo reply, id 48032, seq 2, length 64


## openstack port show result

(overcloud) [stack@rhosp-tb0-test ~]$openstack port show 56ecd373-49fd-4193-b70b-659973dd3f01 | grep port_se
| port_security_enabled | False


2. Enable port security and verify

(overcloud) [stack@rhosp-tb0-test ~]$openstack port set --enable-port-security 56ecd373-49fd-4193-b70b-659973dd3f01

(overcloud) [stack@rhosp-tb0-test ~]$openstack port show 56ecd373-49fd-4193-b70b-659973dd3f01 | grep port_se
| port_security_enabled | True

 

3. Check ping

Ping still succeeds. Reboot the VM whose port security setting was changed.

[root@hk-k8s-master2 ~]# ping 100.100.100.10
PING 100.100.100.10 (100.100.100.10) 56(84) bytes of data.
64 bytes from 100.100.100.10: icmp_seq=1 ttl=64 time=0.093 ms

01:16:45.220091 fa:16:3e:50:c3:cc > fa:16:3e:5f:fb:d8, ethertype IPv4 (0x0800), length 98: 100.100.100.12 > 100.100.100.10: ICMP echo request, id 50150, seq 1, length 64
01:16:45.220126 fa:16:3e:5f:fb:d8 > fa:16:3e:50:c3:cc, ethertype IPv4 (0x0800), length 98: 100.100.100.10 > 100.100.100.12: ICMP echo reply, id 50150, seq 1, length 64


[root@hk-k8s-master1 ~]# reboot

 

4. Check ping

You can confirm that no ICMP packets are captured any more.

[root@hk-k8s-master2 ~]# ping 100.100.100.10
PING 100.100.100.10 (100.100.100.10) 56(84) bytes of data.
From 100.100.100.12 icmp_seq=1 Destination Host Unreachable
From 100.100.100.12 icmp_seq=2 Destination Host Unreachable

[root@hk-k8s-master1 ~]# tcpdump -enpi eth0 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

 

5. Apply the allowed address pair feature

(overcloud) [stack@rhosp-tb0-test ~]$openstack port show 56ecd373-49fd-4193-b70b-659973dd3f01 | grep allow
| allowed_address_pairs |

(overcloud) [stack@rhosp-tb0-test ~]$openstack port set --allowed-address ip-address=100.100.100.10 56ecd373-49fd-4193-b70b-659973dd3f01

| allowed_address_pairs | ip_address='100.100.100.10', mac_address='fa:16:3e:5f:fb:d8' |


# Check ping
[root@hk-k8s-master2 ~]# ping 100.100.100.10
PING 100.100.100.10 (100.100.100.10) 56(84) bytes of data.
64 bytes from 100.100.100.10: icmp_seq=1 ttl=64 time=0.083 ms

[root@hk-k8s-master1 ~]# tcpdump -enpi eth0 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:21:26.175796 fa:16:3e:50:c3:cc > fa:16:3e:5f:fb:d8, ethertype IPv4 (0x0800), length 98: 100.100.100.12 > 100.100.100.10: ICMP echo request, id 51362, seq 1, length 64
01:21:26.175819 fa:16:3e:5f:fb:d8 > fa:16:3e:50:c3:cc, ethertype IPv4 (0x0800), length 98: 100.100.100.10 > 100.100.100.12: ICMP echo reply, id 51362, seq 1, length 64

 

5.1 Removing the allowed address pair

(overcloud) [stack@rhosp-tb0-test ~]$openstack port set --no-allowed-address 56ecd373-49fd-4193-b70b-659973dd3f01

(overcloud) [stack@rhosp-tb0-test ~]$openstack port show 56ecd373-49fd-4193-b70b-659973dd3f01 | grep allow
| allowed_address_pairs |
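As an added example (not code from the original post or from Neutron), the following Python models the anti-spoofing check that port security applies to a port, using the post's VM2 port values as constructed sample data: traffic from the VIP 100.100.100.10 is rejected until the VIP is registered as an allowed address pair, and a CIDR pair (which Neutron also accepts, though the post does not use one) is shown as well. The function names and the dict layout are assumptions.

```python
import ipaddress

# Constructed sample mirroring `openstack port show -f json` for the VM2 port in the post,
# reduced to the fields port security looks at. The VIP 100.100.100.10 is only a secondary
# address inside the guest; Neutron knows nothing about it until it is added as a pair.
VM2_PORT = {
    "mac_address": "fa:16:3e:5f:fb:d8",
    "fixed_ips": [{"ip_address": "100.100.100.11"}],
    "port_security_enabled": True,
    "allowed_address_pairs": [],
}


def allowed_sources(port):
    """Return the (mac, network) pairs a port may send from.

    Model of the anti-spoofing rules: the port's own MAC with each fixed IP, plus
    every allowed address pair (ip_address may be a single address or a CIDR, and
    mac_address defaults to the port's own MAC when it is omitted).
    """
    mac = port["mac_address"].lower()
    pairs = [(mac, ipaddress.ip_network(f["ip_address"])) for f in port["fixed_ips"]]
    for pair in port.get("allowed_address_pairs", []):
        pair_mac = pair.get("mac_address", mac).lower()
        pairs.append((pair_mac, ipaddress.ip_network(pair["ip_address"], strict=False)))
    return pairs


def is_permitted(port, src_mac, src_ip):
    """True if a frame from (src_mac, src_ip) passes the port's anti-spoofing filter."""
    if not port.get("port_security_enabled", True):
        return True  # --disable-port-security: nothing is filtered at all
    ip = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac and ip in net for mac, net in allowed_sources(port))


def add_allowed_address(port, ip_address, mac_address=None):
    """Model `openstack port set --allowed-address ip-address=...`; returns the pair recorded."""
    pair = {"ip_address": ip_address, "mac_address": mac_address or port["mac_address"]}
    port["allowed_address_pairs"].append(pair)
    return pair


if __name__ == "__main__":
    vip, mac = "100.100.100.10", VM2_PORT["mac_address"]
    print("before:", is_permitted(VM2_PORT, mac, vip))  # False: replies from the VIP are dropped
    add_allowed_address(VM2_PORT, vip)
    print("after: ", is_permitted(VM2_PORT, mac, vip))  # True: the VIP is now an allowed pair
```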

 

## Other useful sites

For background on port-level security:

http://superuser.openstack.org/articles/managing-port-level-security-openstack/

For the configuration procedure:

http://ibm-blue-box-help.github.io/help-documentation/neutron/configure-ha-ip/
