Whether you want to build the software, run it, grow the community or just learn more about it, there will be content, workshops and design sessions for you to attend at the OpenStack Summit, Oct 15-18 in San Diego. Stick around Friday for the first OpenStack service day, a 1/2 day beach cleanup.
There is a need to detect, log, and possibly rate-limit an instance's outbound network traffic based on its type and rate. This can help us detect and prevent things like SMTP abuse (spam), SSH brute force, and DDoS attacks, as well as mitigate port-scanning attempts.
Ideally, we would want to be able to dynamically create rules on a per-instance, per-tenant, and global basis, so that trusted parties could increase these limits as required. This could be done via a new Nova API, for example, 'nova app-rate-limit set ...'
HP has an initial implementation in Nova using iptables to both log and rate-limit certain types of network traffic.
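As an added illustration of the iptables approach described above (example code written for this page; it is not HP's implementation and not Nova code), the script below builds a per-instance chain that logs and rate-limits a guest's outbound SMTP and SSH connection attempts and hooks it into the compute node's FORWARD chain. The chain names, the nova-rl log prefixes, the ports and the rates are assumptions chosen for the example; a per-tenant or global chain would be inserted in front of the per-instance one in the same way. Set IPT=echo to dry-run and inspect the generated rules instead of loading them.

```shell
#!/bin/sh
# Added example, not HP's implementation or Nova code: generate per-instance
# iptables rules that log and rate-limit a guest's outbound SMTP and SSH
# connection attempts. Chain names, log prefixes and rates are assumptions.
# IPT=echo sh ratelimit.sh demo 10.0.0.5   -> dry-run, prints the rules
# sh ratelimit.sh demo 10.0.0.5            -> as root, loads them
IPT="${IPT:-iptables}"

# Shared chain: everything sent here is logged with a fixed prefix, then
# dropped. Using one LOG+DROP chain (instead of two hashlimit rules) means the
# rate counter is charged once per packet, not once per rule.
setup_drop_chain() {
    "$IPT" -N nova-rl-drop
    "$IPT" -A nova-rl-drop -j LOG --log-prefix "nova-rl over-limit: " --log-level 4
    "$IPT" -A nova-rl-drop -j DROP
}

# add_outbound_limit <chain> <dport> <label> <rate> <burst>
# Counts NEW outbound TCP connections to <dport> per source IP; once the
# per-source rate exceeds <rate> (after <burst> free connections) the packet
# is sent to nova-rl-drop. Under the limit the rule does not match and the
# packet falls through to the next rule.
add_outbound_limit() {
    "$IPT" -A "$1" -p tcp --dport "$2" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name "$3" --hashlimit-mode srcip \
        --hashlimit-above "$4" --hashlimit-burst "$5" \
        -j nova-rl-drop
}

# add_log_only <chain> <dport> <label>
# Visibility without enforcement, so a new traffic pattern can be measured
# before a limit is chosen. The LOG rule itself is limited to keep syslog sane.
add_log_only() {
    "$IPT" -A "$1" -p tcp --dport "$2" -m conntrack --ctstate NEW \
        -m limit --limit 5/min \
        -j LOG --log-prefix "nova-rl ${3} seen: " --log-level 4
}

# instance_rules <instance-id> <instance-ip>
# Creates a chain for one instance and hooks it into FORWARD for traffic
# originating from that instance's fixed IP (guest traffic is forwarded by
# the compute node, so FORWARD, not OUTPUT, is the right hook).
instance_rules() {
    inst_id="$1"; inst_ip="$2"; chain="nova-rl-$inst_id"
    "$IPT" -N "$chain"
    # SMTP: assumed policy, few legitimate guests open >10 new SMTP
    # connections per minute; spam runs open hundreds.
    add_outbound_limit "$chain" 25 "smtp-$inst_id" 10/min 10
    # SSH: brute-force tools open many short-lived connections.
    add_outbound_limit "$chain" 22 "ssh-$inst_id" 30/min 30
    # A pattern being measured before any limit is set (assumed).
    add_log_only "$chain" 3389 "rdp-$inst_id"
    "$IPT" -A "$chain" -j RETURN
    "$IPT" -I FORWARD -s "$inst_ip" -j "$chain"
}

# count_rules <instance-id> <instance-ip>
# Dry-run helper: how many iptables invocations instance_rules generates.
count_rules() {
    ( IPT=echo; instance_rules "$1" "$2" ) | wc -l | tr -d ' '
}

if [ $# -eq 2 ]; then
    setup_drop_chain
    instance_rules "$1" "$2"
fi
```

The hashlimit match is keyed on srcip here because an instance has a single fixed IP, so the table effectively holds one counter per instance; raising a trusted tenant's limit (the 'nova app-rate-limit set' idea above) would amount to regenerating that instance's chain with a different rate. The over-limit LOG lines carry the nova-rl prefix so they can be picked out of the compute node's kernel log for alerting.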
Areas for discussion:
- Does this belong in Quantum or Nova?
- Should it be configured via quotas or a separate mechanism of its own?
- What traffic patterns does such a system need to be able to detect? (we have some examples)
- What implementations other than iptables are people interested in (and can the solution be generalized enough to cover them)?
Thursday October 18, 2012 11:50am - 12:30pm