Network Address Translation (Implemented by Neutron L3 agent rather than Nova)

Registered by vaibhav

Security groups are the primary mechanism tenants use to control network traffic to and from virtual machines or network interfaces. A security group is defined by a set of rules. A rule consists of conditions (mainly the direction, type, source and destination of the traffic) and the action (e.g. drop, reject or accept) to be taken when the conditions are satisfied.
For example, a rule could allow all outgoing traffic, or allow incoming traffic on one port from a given address range; a rule may even reference a security group as the traffic source, in which case it matches traffic from any member of that group. Anti-spoofing of MAC and IP addresses is enforced alongside the rules rather than expressed as a rule. Overall, traffic is allowed only if some rule permits it; anything not explicitly permitted is dropped. Security groups are tenant-specific. Virtual machines (or network interfaces) are assigned security groups when they are created.

Security groups may be provided by nova-network or by Neutron, selected via configuration. Either way, the underlying implementation is based on Linux iptables. By default, security groups are provided by nova-network, but Neutron is the recommended provider because of its advanced features and its flexibility to use external plug-ins, and it is what should be used here.

In Neutron (in contrast to Nova), security groups are applied to virtual network interfaces (via Neutron ports). In Nova, security groups are applied to virtual machines, so all network interfaces on a virtual machine have the same security groups. A Neutron port may be associated with one or more security groups upon creation. If it is not explicitly assigned a security group, the tenant's default security group applies. By default, the default security group allows all egress traffic (subject to anti-spoofing of MAC/IP addresses and DHCP messages) but limits ingress traffic to that from members of the same security group plus essential services (e.g. ICMPv6 router advertisements). The default security group, like any other security group, is customizable on a per-tenant basis.

Neutron security groups, through their anti-spoofing rules, prevent traffic from passing through an intermediate virtual machine, because a port may only send traffic sourced from its own MAC/IP addresses. To support virtual network functions such as routers and firewalls, the port construct has been extended with the attribute port_security_enabled. The attribute is a flag and is enabled by default, in which case security-group operations work as before. If the flag is disabled, the port cannot be assigned a security group or an allowed address pair, and neither security-group nor anti-spoofing rules apply to it. The flag is set in the port-creation request, and only a user with a privileged role (such as the cloud administrator or the owner) can issue such a request. Because security-group and anti-spoofing rules no longer apply, the resulting ports need to be monitored by a separate mechanism that detects anomalies such as address spoofing.

Nova-network supports anti-spoofing of MAC addresses, IP addresses, ARP messages and DHCP messages through the libvirt network filter (nwfilter) feature. Neutron is expected to provide equivalent support over time, although to date it cannot counter spoofing of ARP messages; anti-spoofing of ARP messages in Neutron should be implemented with ebtables.
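The following is an added example, not Neutron's own code: a small Python model of the semantics described above (default-deny security-group evaluation, rules that reference a remote group, the tenant default group, anti-spoofing of the source MAC/IP relaxed by allowed address pairs, DHCP client traffic permitted while a rogue DHCP server is blocked, and port_security_enabled=False switching all filtering off). All port names, MAC addresses and IP addresses are constructed for the demonstration; the real implementation is iptables/OVS rule generation and is stateful (return traffic is matched by connection tracking), which this model does not attempt, and, as the text notes, ARP is not covered by it either.

```python
# Added example: a model of Neutron security-group and port-security semantics.
# Not Neutron's code; names and addresses below are constructed for the demonstration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                         # "ingress" or "egress"
    ethertype: str = "IPv4"
    protocol: Optional[str] = None         # None matches any protocol
    port_min: Optional[int] = None         # destination port range; None matches any
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None
    remote_group: Optional[str] = None     # a security group used as the remote side

@dataclass
class Port:
    id: str
    mac: str
    fixed_ips: list                                             # addresses assigned by Neutron
    security_groups: list = field(default_factory=list)
    allowed_address_pairs: list = field(default_factory=list)   # (ip_prefix, mac or None)
    port_security_enabled: bool = True

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str                          # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def default_rules(name="default"):
    """Tenant default group as described: all egress, ingress only from members of the group."""
    return [Rule("egress", "IPv4"), Rule("egress", "IPv6"),
            Rule("ingress", "IPv4", remote_group=name), Rule("ingress", "IPv6", remote_group=name)]

def source_is_legitimate(port, pkt):
    """Anti-spoofing: the source must be a fixed IP with the port's MAC, or match an allowed address pair."""
    if pkt.src_ip in port.fixed_ips and pkt.src_mac == port.mac:
        return True
    return any(pkt.src_mac == (pair_mac or port.mac)
               and ip_address(pkt.src_ip) in ip_network(prefix, strict=False)
               for prefix, pair_mac in port.allowed_address_pairs)

def rule_matches(rule, pkt, direction, remote_ip, ports):
    if rule.direction != direction or rule.ethertype != ("IPv6" if ":" in remote_ip else "IPv4"):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None and (pkt.dst_port is None or not rule.port_min <= pkt.dst_port <= rule.port_max):
        return False
    if rule.remote_ip_prefix and ip_address(remote_ip) not in ip_network(rule.remote_ip_prefix, strict=False):
        return False
    if rule.remote_group:   # the remote side must be a fixed IP of a port that is a member of that group
        return any(remote_ip in p.fixed_ips and rule.remote_group in p.security_groups for p in ports.values())
    return True

def decide(port, pkt, direction, groups, ports):
    """Return "allow" or a drop reason for a packet seen in `direction` on `port`."""
    if not port.port_security_enabled:
        return "allow"                                   # neither rules nor anti-spoofing apply
    if direction == "egress":
        if pkt.protocol == "udp" and (pkt.src_port, pkt.dst_port) == (68, 67):
            return "allow"                               # DHCP client traffic before the VM has an address
        if pkt.protocol == "udp" and pkt.src_port == 67:
            return "drop: dhcp-server"                   # a VM must not answer DHCP for the subnet
        if not source_is_legitimate(port, pkt):
            return "drop: spoofed-source"
        remote_ip = pkt.dst_ip
    else:
        remote_ip = pkt.src_ip
    if any(rule_matches(r, pkt, direction, remote_ip, ports)
           for sg in port.security_groups for r in groups[sg]):
        return "allow"
    return "drop: no-matching-rule"                      # default deny

# Constructed tenant: two VMs, a load balancer owning a VIP via an allowed address pair,
# and a firewall appliance port with port security disabled.
GROUPS = {"default": default_rules(),
          "web": [Rule("ingress", "IPv4", "tcp", 443, 443, "0.0.0.0/0")]}
PORTS = {"web1": Port("web1", "fa:16:3e:00:00:01", ["10.0.0.11"], ["default", "web"]),
         "db1": Port("db1", "fa:16:3e:00:00:02", ["10.0.0.12"], ["default"]),
         "lb1": Port("lb1", "fa:16:3e:00:00:03", ["10.0.0.13"], ["default"],
                     allowed_address_pairs=[("10.0.0.100/32", None)]),
         "fw1": Port("fw1", "fa:16:3e:00:00:04", ["10.0.0.14"], port_security_enabled=False)}
MAC = {k: p.mac for k, p in PORTS.items()}

def scenario():
    d = lambda port, pkt, direction: decide(PORTS[port], pkt, direction, GROUPS, PORTS)
    return {
        "internet->web1:443":  d("web1", Packet("fa:16:3e:ff:ff:ff", "203.0.113.9", "10.0.0.11", "tcp", 40000, 443), "ingress"),
        "internet->db1:3306":  d("db1", Packet("fa:16:3e:ff:ff:ff", "203.0.113.9", "10.0.0.12", "tcp", 40000, 3306), "ingress"),
        "web1->db1:3306":      d("db1", Packet(MAC["web1"], "10.0.0.11", "10.0.0.12", "tcp", 40000, 3306), "ingress"),
        "web1 spoofed egress": d("web1", Packet(MAC["web1"], "10.0.0.99", "10.0.0.12", "tcp", 40000, 3306), "egress"),
        "lb1 vip egress":      d("lb1", Packet(MAC["lb1"], "10.0.0.100", "203.0.113.9", "tcp", 443, 40000), "egress"),
        "fw1 spoofed egress":  d("fw1", Packet(MAC["fw1"], "192.0.2.77", "10.0.0.12", "tcp", 1, 2), "egress"),
        "web1 dhcp discover":  d("web1", Packet(MAC["web1"], "0.0.0.0", "255.255.255.255", "udp", 68, 67), "egress"),
        "web1 rogue dhcp":     d("web1", Packet(MAC["web1"], "10.0.0.11", "10.0.0.12", "udp", 67, 68), "egress"),
    }
```

Running `scenario()` shows the points the text makes: db1 accepts MySQL from web1 only because both ports are members of the default group, the load balancer may source the VIP only because of the allowed address pair, web1 cannot source an address it does not own, and fw1 (port security disabled) passes the same spoofed packet unchecked, which is exactly why such ports need separate monitoring.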

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: vaibhav
Direction: Needs approval
Assignee: vaibhav
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Armando Migliaccio
