
yahoo-eng-team team mailing list archive

[Bug 1447242] [NEW] Use of allowed-address-pairs can allow tenant to cause denial of service in shared networks


Public bug reported:

By assigning the subnet gateway address to a port as an allowed address,
a user can cause ARP conflicts and deny service to other users in the
network. This can be exacerbated by the use of arping to send gratuitous
ARPs and poison the ARP cache of instances in the same network.

Steps to reproduce:

1. Build a VM. In this case, the network was a VLAN type with external=false and shared=true.
2. Assign the subnet gateway address as a secondary address in the VM
3. Use the 'port-update' command to add the gateway address as an allowed address on the VM port
4. Use 'arping' from iputils-arping to send gratuitous ARPs as the gateway IP from the instance
5. Watch as the ARP cache is updated on other instances in the network, effectively taking them offline.

This was tested with LinuxBridge/VLAN as a non-admin user, but may
affect other combinations.

Possible remedies may include removing the ability to use
allowed-address-pairs as a non-admin user, or ensuring that the user
cannot add the gateway_ip of the subnet associated with the port as an
allowed address. Either of those two remedies may negatively impact
certain use cases, so at a minimum it may be a good idea to document
this somewhere.

If you need more information please reach out to me.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: allowed-address-pairs

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1447242

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1447242/+subscriptions
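Added example, not part of the bug report and not Neutron's own code: a validation routine implementing the second remedy the report proposes, refusing any allowed address pair that equals or contains the gateway_ip of a subnet the port holds a fixed IP on. The SUBNETS and PORT dictionaries, the function names and the sample addresses are assumptions standing in for Neutron's port and subnet records; only the standard library ipaddress module is used. It goes beyond the report's exact case by also rejecting a CIDR pair that covers the gateway, since Neutron accepts a prefix in a pair's ip_address.

```python
"""Added example: reject allowed-address-pairs that cover a subnet gateway.

Illustrative code, not Neutron's implementation.  The dicts below are
simplified stand-ins for Neutron port and subnet records (assumption), and
all addresses are constructed sample data from documentation ranges.
"""
import ipaddress


class AllowedAddressPairConflict(ValueError):
    """Raised when an allowed address pair equals or contains a gateway_ip."""


# Constructed sample subnets on one shared network: IPv4, IPv6, and a
# subnet with no gateway (gateway_ip=None is legal in Neutron).
SUBNETS = {
    "subnet-v4": {"cidr": "192.0.2.0/24", "gateway_ip": "192.0.2.1"},
    "subnet-v6": {"cidr": "2001:db8::/64", "gateway_ip": "2001:db8::1"},
    "subnet-nogw": {"cidr": "198.51.100.0/24", "gateway_ip": None},
}

# The port being updated: a tenant VM with fixed IPs on the v4/v6 subnets.
PORT = {
    "id": "port-a",
    "fixed_ips": [
        {"subnet_id": "subnet-v4", "ip_address": "192.0.2.10"},
        {"subnet_id": "subnet-v6", "ip_address": "2001:db8::10"},
    ],
}

# A second port that only sits on the gateway-less subnet.
PORT_NO_GATEWAY = {
    "id": "port-b",
    "fixed_ips": [{"subnet_id": "subnet-nogw", "ip_address": "198.51.100.10"}],
}


def gateway_ips_for_port(port, subnets):
    """Return the set of gateway addresses of every subnet the port has a
    fixed IP on; subnets without a gateway contribute nothing."""
    gateways = set()
    for fixed_ip in port["fixed_ips"]:
        gw = subnets[fixed_ip["subnet_id"]].get("gateway_ip")
        if gw:
            gateways.add(ipaddress.ip_address(gw))
    return gateways


def pair_covers(pair_ip_address, address):
    """True if an allowed-address-pair ip_address (a host or a CIDR prefix;
    Neutron accepts both) covers the given address.  A bare host becomes a
    /32 or /128 network, so equality is the degenerate case of containment."""
    net = ipaddress.ip_network(pair_ip_address, strict=False)
    return address.version == net.version and address in net


def validate_allowed_address_pairs(port, subnets, pairs):
    """Raise AllowedAddressPairConflict if any pair covers a gateway of a
    subnet the port is attached to; otherwise return the pairs unchanged.
    Meant to run before the pairs are stored, i.e. on port-update."""
    gateways = gateway_ips_for_port(port, subnets)
    for pair in pairs:
        for gw in gateways:
            if pair_covers(pair["ip_address"], gw):
                raise AllowedAddressPairConflict(
                    "allowed address pair %s on port %s covers gateway %s"
                    % (pair["ip_address"], port["id"], gw))
    return pairs


def is_allowed(port, subnets, pairs):
    """Boolean form of the validator for callers that prefer not to catch
    the exception."""
    try:
        validate_allowed_address_pairs(port, subnets, pairs)
    except AllowedAddressPairConflict:
        return False
    return True


if __name__ == "__main__":
    # The report's scenario: the tenant adds the v4 gateway as a pair.
    print(is_allowed(PORT, SUBNETS, [{"ip_address": "192.0.2.1"}]))  # False
    # A prefix that contains the gateway is just as dangerous.
    print(is_allowed(PORT, SUBNETS, [{"ip_address": "192.0.2.0/24"}]))  # False
    # A VIP elsewhere in the subnet, the legitimate use case, still passes.
    print(is_allowed(PORT, SUBNETS, [{"ip_address": "192.0.2.50",
                                      "mac_address": "fa:16:3e:00:00:01"}]))  # True
```

Two points for anyone adapting this: the same containment logic rejects a wildcard pair such as 0.0.0.0/0, which some deployments deliberately grant for failover, so an operator has to decide whether to special-case it; and because a port's gateways change when a fixed IP on a new subnet is added, the check belongs on that update path as well as on the allowed-address-pairs update itself.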

