@Kevin: Thanks for your backportable patch. I still need to rebase and propose my patch (some UTs need to be coded).
@Xu Han Peng: Thanks for creating that patch to prevent RA and FHS IPv6 directly to the egress traffic port.
When I was writing my patch, I thought it could be better to separate first hop security port (spoofing, ARP, DHCP, RA, ND...) from the security group. I think they are two different things. For example, actually, to protect against DHCP spoofing, we add a provider security group to the security group of a port. But that security group is not visible to the user.
To separate FHS from SG, we need to implement specific RPC calls between API servers and agents. It's a huge amount of work.
Any thoughts?