18:00:43 <SumitNaiksatam> #startmeeting networking_policy
18:00:43 <openstack> Meeting started Thu Aug 13 18:00:43 2015 UTC and is due to finish in 60 minutes.  The chair is SumitNaiksatam. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:44 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:46 <openstack> The meeting name has been set to 'networking_policy'
18:01:09 <SumitNaiksatam> #info agenda https://wiki.openstack.org/wiki/Meetings/GroupBasedPolicy#Aug_13th.2C_6th.2C_2015
18:01:18 <yapeng> hi
18:01:18 <rkukura> hi
18:01:23 <SumitNaiksatam> let's mostly focus on the release
18:01:42 <SumitNaiksatam> i think we are on track for tomorrow
18:02:28 <SumitNaiksatam> we will discuss the bugs and the high priority issues, but at a high level does anyone have any concerns with going forward with the release in the next couple of days?
18:02:54 <SumitNaiksatam> rkukura: Yi: hi
18:03:23 <SumitNaiksatam> okay, so seems like we are fairly comfortable
18:03:32 <SumitNaiksatam> #topic Bugs
18:03:54 <Yi> hi
18:04:24 <SumitNaiksatam> i would mostly like to discuss the bug fixes that I believe will be good to have merged before the release is cut
18:04:58 <SumitNaiksatam> #link https://bugs.launchpad.net/group-based-policy/+bug/1479169
18:04:58 <openstack> Launchpad bug 1479169 in Group Based Policy "GBP default security group allows outbound access to the Internet" [High,In progress] - Assigned to Ivar Lazzaro (mmaleckk)
18:05:12 <SumitNaiksatam> the patch is here: #link https://review.openstack.org/#/c/207250/
18:05:49 <SumitNaiksatam> ivar-lazzaro: could you quickly summarize the change (will help the reviewers)
18:07:04 <ivar-lazzaro> sure
18:07:24 <ivar-lazzaro> basically the issue is in how we do outgoing security today in GBP
18:07:35 <SumitNaiksatam> ivar-lazzaro: right
18:07:55 <ivar-lazzaro> so far, we have been allowing all the outgoing traffic for any new classifier (e.g. port 80 ALLOW 0.0.0.0/0 direction OUT)
18:08:21 <ivar-lazzaro> the reason why we did this is that we could always filter incoming traffic
18:08:32 <SumitNaiksatam> ivar-lazzaro: true
18:08:45 <ivar-lazzaro> This assumption doesn't hold true with External Policies
18:09:20 <ivar-lazzaro> where we have no control over the Internet, and therefore we can't filter traffic on the other side of the fence
18:09:41 <SumitNaiksatam> ivar-lazzaro: right
18:09:54 <ivar-lazzaro> So this change makes sure that we do a granular outgoing filtering depending on who is consuming/providing a given contract
18:10:26 <ivar-lazzaro> instead of 0.0.0.0/0 for outgoing, we will allow traffic only for providing/consuming EPG-Subnets
18:10:45 <SumitNaiksatam> ivar-lazzaro: so how do you deal with external connectivity?
18:10:59 <ivar-lazzaro> That's based on the routes
18:11:05 <ivar-lazzaro> in the external_segment
18:11:29 <ivar-lazzaro> further ahead, this could be done based on the subnet specified in the EP itself
18:11:36 <rkukura> ivar-lazzaro: Does your patch always do the egress filtering, or only when the other side is external?
18:11:36 <ivar-lazzaro> but we don't have that kind of support yet
18:11:45 <ivar-lazzaro> rkukura: always
18:12:12 <ivar-lazzaro> rkukura: the advantage is that we can block traffic before it reaches the destination, saving some bandwidth
18:12:33 <rkukura> makes sense, and its twice as secure ;)
18:13:00 <SumitNaiksatam> ivar-lazzaro: i am not clear about the “based on the routes” part
18:13:17 <ivar-lazzaro> SumitNaiksatam: each External Segment has a set of routes that it serves
18:13:48 <ivar-lazzaro> the outgoing filter is calculated as the IPSet difference between the internal L3P pool and that set of routes
18:14:02 <ivar-lazzaro> for example, if you have a L3P with 192.168.0.0/16 as a pool
18:14:16 <ivar-lazzaro> and an external segment that serves 0.0.0.0/0 (most common case)
18:14:36 <ivar-lazzaro> the rule is filtered by IPSet(external) - IPSet(internal)
18:14:54 <ivar-lazzaro> that is all the CIDRs that are contained in the external segment but not in the L3P
18:15:17 <ivar-lazzaro> (Otherwise we would lose the advantage of filtering outgoing EAST-WEST traffic as well)
18:15:35 <SumitNaiksatam> ivar-lazzaro: okay, but i believe we were already doing that before, right?
18:15:49 <ivar-lazzaro> needless to say, this patch made me think that the FWaaS API seems way more suitable for this kind of N-S filtering :)
18:15:58 <ivar-lazzaro> SumitNaiksatam: only for ingress
18:16:05 <ivar-lazzaro> SumitNaiksatam: now it's done for egress as well
18:16:15 <SumitNaiksatam> ivar-lazzaro: okay
18:16:44 <SumitNaiksatam> ivar-lazzaro: thanks for the explanation
18:17:32 <SumitNaiksatam> this is an important fix we need to get in, otherwise we allow external connectivity even when there is no external policy providing it
18:17:58 <rkukura> SumitNaiksatam: I can review it today
18:18:03 <SumitNaiksatam> rkukura: great, thanks
18:18:39 <SumitNaiksatam> #link https://bugs.launchpad.net/group-based-policy/+bug/1481973
18:18:39 <openstack> Launchpad bug 1481973 in Group Based Policy "wrong IP allocation for multiple PTGs in same L2P" [Undecided,New]
18:18:57 <SumitNaiksatam> fix is #link https://review.openstack.org/#/c/209700/
18:19:26 <ivar-lazzaro> yeee, it's me again! :)
18:19:31 <SumitNaiksatam> i think this is pretty straightforward
18:19:50 <SumitNaiksatam> ivar-lazzaro: i just had the comment to add another existing bug to the commit
18:19:59 <SumitNaiksatam> since i believe it fixes that issue as well
18:20:18 <ivar-lazzaro> ok I'll give a look
18:20:18 <rkukura> SumitNaiksatam: I’ll review that one too.
18:20:32 <SumitNaiksatam> ivar-lazzaro: rkukura: thanks
18:21:19 <SumitNaiksatam> #link https://review.openstack.org/197973
18:21:28 <SumitNaiksatam> #link https://bugs.launchpad.net/group-based-policy/+bug/1470815
18:21:28 <openstack> Launchpad bug 1470815 in Group Based Policy "NCP Plugin does not handle Service chain Instance update and Spec update correctly" [High,In progress] - Assigned to Magesh GV (magesh-gv)
18:21:45 <SumitNaiksatam> i think we discussed this and the other patch briefly last week
18:22:14 <SumitNaiksatam> mageshgv: this particular one is good to go?
18:22:36 <SumitNaiksatam> mageshgv: i think it might help to rebase and let the gate run on it one more time
18:22:41 <mageshgv> SumitNaiksatam: Yes, this is ready for review
18:22:49 <mageshgv> SumitNaiksatam: will do it now
18:23:07 <SumitNaiksatam> mageshgv: thanks
18:23:42 <SumitNaiksatam> and the associated bug: #link https://bugs.launchpad.net/group-based-policy/+bug/1446587
18:23:42 <openstack> Launchpad bug 1446587 in Group Based Policy "Service chain related parameter updates are too disruptive" [High,In progress] - Assigned to Magesh GV (magesh-gv)
18:23:50 <SumitNaiksatam> and patch: #link https://review.openstack.org/#/c/198639/
18:23:58 <SumitNaiksatam> mageshgv: you will be updating the patch
18:24:03 <SumitNaiksatam> per ivar-lazzaro’s comment?
18:24:26 <mageshgv> right, this patch needs an update. I was unable to find a way to add the first patch as a dependency
18:24:47 <mageshgv> so waiting for the other one to be reviewed and merged
18:24:51 <SumitNaiksatam> mageshgv: oh
18:25:13 <ivar-lazzaro> mageshgv: I typically cherry pick them one on top of the other
18:25:22 <ivar-lazzaro> mageshgv: and then push the whole thing
18:25:35 <ivar-lazzaro> *review*
18:25:41 <mageshgv> ivar-lazzaro: thanks, will give that a try
18:26:05 <rkukura> mageshgv: Another way is to pull in the patch, make it a branch, and rebase your branch on that branch.
18:26:20 <mageshgv> rkukura: okay
18:26:54 <SumitNaiksatam> rkukura: in the past i recall having used that approach, thanks
18:28:00 <SumitNaiksatam> seems like the quota one just merged #link https://review.openstack.org/#/c/208200/
18:28:08 <SumitNaiksatam> rkukura: mageshgv: thanks for taking a look
18:28:52 <SumitNaiksatam> the other one i had on my list was this: #link https://bugs.launchpad.net/group-based-policy/+bug/1460831
18:28:52 <openstack> Launchpad bug 1460831 in Group Based Policy "API for group update is not clear" [High,Confirmed] - Assigned to Sumit Naiksatam (snaiksat)
18:29:02 <SumitNaiksatam> patch: #link https://review.openstack.org/#/c/209409/
18:29:18 <SumitNaiksatam> i still need to post a follow up patch set
18:29:22 <SumitNaiksatam> rkukura: thanks for the review
18:29:47 <SumitNaiksatam> i thought the above will be good to get in now, that way we can deprecate the older option over the course of liberty
18:30:46 <SumitNaiksatam> okay, so that’s a list of currently posted patches that i thought have significant impact and can be handled in a day or two of reviews
18:31:42 <SumitNaiksatam> we will always have the option of posting further bug fixes and backporting
18:32:05 <SumitNaiksatam> mageshgv: ivar-lazzaro rkukura: anything critical that we missed?
18:32:56 <SumitNaiksatam> #topic Open Discussion
18:33:22 <SumitNaiksatam> if not i would like to open it up, so that we can wrap up early today and focus on the identified patches and reviews
18:33:37 <SumitNaiksatam> anything else we need to discuss?
18:34:27 <SumitNaiksatam> alright, thanks everyone, back to the reviews! ;-)
18:34:37 <ivar-lazzaro> Thanks! bye
18:34:40 <SumitNaiksatam> bye!
18:34:41 <mageshgv> bye
18:34:43 <SumitNaiksatam> #endmeeting