yahoo-eng-team team mailing list archive

[Bug 1432856] [NEW] Security groups aren’t network topology aware

Public bug reported:

Security group rules for a host include all hosts that are members of
the security group even though some can be inaccessible because they
aren’t attached to the same router. This introduces two problems. First,
it will create unneeded iptables rules on nodes and additional work on
neutron-server and agent-side. Second, in the case of overlapping
networks, the rules that result from a host on a completely separate
network may end up allowing traffic from an untrusted host on the same
network.

e.g. Security group SG1 has rules to allow traffic from other members of
the same group. Members of SG1 include 10.0.0.2 and 10.0.0.3, which are
on two separate networks with overlapping IPs. The iptables rules on
10.0.0.2 will then permit traffic from 10.0.0.3 even though 10.0.0.3
could be an untrusted node on its own network.

Workaround: Use separate security groups per network. This will
decrease load from calculations significantly on neutron-server and also
will decrease the number of iptables rules on nodes.

** Affects: mos
     Importance: Undecided
         Status: New

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: scale

** Also affects: mos
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1432856

Title:
  Security groups aren’t network topology aware

Status in Mirantis OpenStack:
  New
Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mos/+bug/1432856/+subscriptions
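The overlapping-IP scenario from the report above, as an added model that is not code from the report or from Neutron: a remote-group rule is expanded into per-source allow entries without regard to which network each member sits on, so a same-network host reusing a member's address is matched. The Port type, the network names and the topology_aware flag are assumptions of this model; retag_per_network is the report's per-network-group workaround.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Port:
    """Neutron-style port: network, fixed IP and security groups (assumed model)."""
    name: str
    network: str
    ip: str
    groups: frozenset = field(default_factory=frozenset)


# Constructed sample matching the report: SG1 spans two networks whose address
# ranges overlap, and an unrelated host on net-A reuses 10.0.0.3.
PORTS = [
    Port("vm-a", "net-A", "10.0.0.2", frozenset({"SG1"})),
    Port("vm-b", "net-B", "10.0.0.3", frozenset({"SG1"})),  # SG1 member, other network
    Port("rogue", "net-A", "10.0.0.3", frozenset()),         # untrusted, same network as vm-a
]


def allowed_sources(port, ports, remote_group, topology_aware=False):
    """Source IPs that an 'allow from remote_group' rule on `port` expands to.

    Current behaviour (topology_aware=False): every member IP is listed,
    reachable or not, which is the over-broad expansion the report describes.
    topology_aware=True is an assumed fix that keeps only same-network members.
    """
    members = [p for p in ports if remote_group in p.groups and p is not port]
    if topology_aware:
        members = [p for p in members if p.network == port.network]
    return {p.ip for p in members}


def would_admit(port, source, ports, remote_group, topology_aware=False):
    """iptables matches on the source address only, so any host on the same
    network whose IP appears in the expansion gets through."""
    return (source.network == port.network
            and source.ip in allowed_sources(port, ports, remote_group, topology_aware))


def retag_per_network(ports):
    """The report's workaround: one security group per network (e.g. SG1@net-A)."""
    return [Port(p.name, p.network, p.ip, frozenset(f"{g}@{p.network}" for g in p.groups))
            for p in ports]
```

With the sample above, allowed_sources(vm-a, SG1) lists 10.0.0.3 even though the only reachable 10.0.0.3 is the untrusted host, while the retagged groups produce no such entry.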