Feature Request
Resolution: Unresolved
rhos-dfg-networking
Feature Request Overview (mandatory - Complete while in New status)
What user goal or problem do you need to solve?
This feature is based on a customer request in OSPRH-19148 (see the comment there).
The customer would like to replicate (broadcast) all traffic arriving on the physical interface to the whole OVS bridge. The OVS bridge will host some workload VMs as well as the "Suricata VM" link. This VM will then be responsible for monitoring and inspecting traffic on the bridge.
This customer is moving from VMware and apparently that is how it worked with VMware.
Just replicating all traffic from the physical interface and broadcasting it to the whole bridge is not very secure and can cause issues. However, I think we can implement this feature in a more sophisticated and secure way.
This feature would extend the tap-as-a-service service to allow the operator to deploy a "security VM" (like the Suricata VM) per network, which will be responsible for monitoring all the traffic on that network. For example, imagine a Neutron network called "private" which has N VMs. A user would be able to run "openstack network mirror set --mirror-network private --mirror-to-port <port_of_security_vm> mirror_session_foo", where the security VM port is on the same private network. No GRE / ERSPAN encapsulation required.
It would be great to do some market research on whether this is how customers want to use such port mirroring. Maybe also look into how "Suricata VMs" are deployed and used in AWS: https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/
- Things to consider: performance. You are essentially doubling the traffic on the bridge.
- We might also need to support mirror traffic filtering in OVN and Neutron. The OVS switch already supports mirror traffic filtering.
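As an added example that is not part of this ticket or of tap-as-a-service, here is the per-network mirror proposed above approximated on a single compute node with a plain OVS SPAN mirror: both directions of the network's VM ports, narrowed to the network's bridge-local VLAN, are copied to the one Suricata port, and nothing is flooded to the whole bridge. The bridge name, port names and VLAN id are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the ticket): mirror one Neutron network's ports to a
# single IDS port with an OVS mirror instead of flooding the physical
# interface's traffic to the whole bridge. Assumed names: bridge br-int,
# workload VM ports tap-vm1/tap-vm2, Suricata VM port tap-ids, and VLAN 100
# as the bridge-local VLAN OVN/Neutron assigned to the "private" network here.

# Print one ovs-vsctl transaction that mirrors both directions of the given
# ports, filtered to one VLAN, to a single output port.
# "set Bridge ... mirrors=@m" replaces any mirror already on the bridge.
build_mirror_cmd() {
    bridge=$1; out_port=$2; vlan=$3; name=$4; shift 4
    cmd="ovs-vsctl -- set Bridge $bridge mirrors=@m"
    refs=""
    i=0
    for p in "$@"; do
        # The monitoring port must not also be a mirror source: OVS reserves
        # the output port for mirrored frames and drops what it receives there.
        if [ "$p" = "$out_port" ]; then
            echo "refusing: $out_port is the mirror output port" >&2
            return 1
        fi
        i=$((i + 1))
        cmd="$cmd -- --id=@p$i get Port $p"
        refs="$refs${refs:+,}@p$i"
    done
    cmd="$cmd -- --id=@out get Port $out_port"
    cmd="$cmd -- --id=@m create Mirror name=$name"
    cmd="$cmd select_src_port=$refs select_dst_port=$refs"
    cmd="$cmd select_vlan=$vlan output_port=@out"
    printf '%s\n' "$cmd"
}

# Every mirrored frame is a second copy on the bridge, so remove the mirror
# as soon as the IDS no longer needs it.
clear_mirror_cmd() {
    printf 'ovs-vsctl clear Bridge %s mirrors\n' "$1"
}

# Dry run by default; pass --apply on a host that has ovs-vsctl to execute it.
mirror=$(build_mirror_cmd br-int tap-ids 100 private-span tap-vm1 tap-vm2)
if [ "${1:-}" = "--apply" ] && command -v ovs-vsctl >/dev/null 2>&1; then
    eval "$mirror"
else
    printf '%s\n' "$mirror"
fi
```

With the mirror in place, `ovs-vsctl list Mirror` shows the selected ports and `ovs-ofctl dump-ports br-int tap-ids` shows the extra transmit volume the "doubling" note above warns about.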
Business justification (mandatory - Complete while in New status)
How would this feature benefit the customer?
Designed for customers who are looking for "Lawful intercept in IP Networks" on their cloud deployment
Functional requirements (mandatory - Complete while in New status)
Is triggered by: OSPRH-19148 When port security is disabled (RHOSP17.1.4), packets are not passed through the tap of that port (Closed)