yahoo-eng-team team mailing list archive
Message #32213
[Bug 1447242] [NEW] Use of allowed-address-pairs can allow tenant to cause denial of service in shared networks
Public bug reported:
By assigning the subnet gateway address to a port as an allowed address,
a user can cause ARP conflicts and deny service to other users in the
network. This can be exacerbated by the use of arping to send gratuitous
ARPs and poison the arp cache of instances in the same network.
Steps to reproduce:
1. Build a VM. In this case, the network was a VLAN type with external=false and shared=true.
2. Assign the subnet gateway address as a secondary address in the VM
3. Use the 'port-update' command to add the gateway address as an allowed address on the VM port
4. Use 'arping' from iputils-arping to send gratuitous ARPs as the gateway IP from the instance
5. Watch as the ARP cache is updated on other instances in the network, effectively taking them offline.
This was tested with LinuxBridge/VLAN as a non-admin user, but may
affect other combinations.
Possible remedies may include removing the ability to use allowed-address-pairs as a non-admin user, or ensuring that the user cannot add the gateway_ip of the subnet associated with the port as an allowed address. Either of those two remedies may negatively impact certain use cases, so at a minimum it may be a good idea to document this somewhere.
If you need more information please reach out to me.
** Affects: neutron
Importance: Undecided
Status: New
** Tags: allowed-address-pairs
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1447242
Title:
Use of allowed-address-pairs can allow tenant to cause denial of
service in shared networks
Status in OpenStack Neutron (virtual network service):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1447242/+subscriptions
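The second remedy the report suggests, refusing an allowed-address-pairs entry that claims the gateway_ip of a subnet the port sits on, is small enough to show as a stand-alone validation function. The code below is an added example and is not Neutron's own implementation; the dictionary shapes for the port, the subnets and the pairs are assumptions modelled on the Neutron API (`fixed_ips`, `subnet_id`, `gateway_ip`, `ip_address`), and the sample port and subnets are constructed for the demonstration. It also covers the CIDR form that allowed-address-pairs accept, since a prefix that contains the gateway address would be just as effective as the exact address.

```python
"""Reject allowed-address-pairs entries that would let a port answer for
its subnet gateway.  Added example, not Neutron code; the data layout
below is an assumption modelled on the Neutron API."""
import ipaddress


class InvalidAllowedAddressPair(ValueError):
    """Raised when a requested pair overlaps a gateway address."""


def gateway_conflicts(port, subnets, allowed_address_pairs):
    """Return a list of (pair_ip_address, gateway_ip) conflicts.

    port:   {'fixed_ips': [{'subnet_id': ..., 'ip_address': ...}, ...]}
    subnets: {subnet_id: {'cidr': ..., 'gateway_ip': ip-or-None}, ...}
    allowed_address_pairs: [{'ip_address': '<ip or cidr>', ...}, ...]
    """
    # Collect the gateway of every subnet this port has an address on.
    # A plain list keeps the order deterministic for the caller.
    gateways = []
    for fixed in port.get("fixed_ips", []):
        subnet = subnets.get(fixed["subnet_id"])
        if not subnet or not subnet.get("gateway_ip"):
            continue  # subnet without a gateway: nothing to protect
        gw = ipaddress.ip_address(subnet["gateway_ip"])
        if gw not in gateways:
            gateways.append(gw)

    conflicts = []
    for pair in allowed_address_pairs:
        # Pairs may be a single address or a CIDR; strict=False lets a
        # host address with a prefix (e.g. 10.0.0.1/24) parse as well.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        for gw in gateways:
            if gw.version == net.version and gw in net:
                conflicts.append((pair["ip_address"], str(gw)))
    return conflicts


def validate_allowed_address_pairs(port, subnets, allowed_address_pairs):
    """Raise InvalidAllowedAddressPair on any gateway overlap, else return
    the pairs unchanged so the caller can pass them through."""
    conflicts = gateway_conflicts(port, subnets, allowed_address_pairs)
    if conflicts:
        detail = ", ".join(f"{pair} covers gateway {gw}" for pair, gw in conflicts)
        raise InvalidAllowedAddressPair(
            f"allowed-address-pairs rejected: {detail}")
    return allowed_address_pairs


# Constructed sample data: a dual-stack shared network with one VM port.
SAMPLE_SUBNETS = {
    "subnet-v4": {"cidr": "10.0.0.0/24", "gateway_ip": "10.0.0.1"},
    "subnet-v6": {"cidr": "fd00::/64", "gateway_ip": "fd00::1"},
}
SAMPLE_PORT = {
    "fixed_ips": [
        {"subnet_id": "subnet-v4", "ip_address": "10.0.0.23"},
        {"subnet_id": "subnet-v6", "ip_address": "fd00::23"},
    ]
}


def demo():
    """Exercise the check with a legitimate VRRP-style VIP, the exact
    gateway address, and a CIDR that swallows the gateway."""
    results = {}
    for label, pairs in {
        "vip": [{"ip_address": "10.0.0.100"}],
        "gateway": [{"ip_address": "10.0.0.1"}],
        "cidr": [{"ip_address": "10.0.0.0/24"}],
        "v6gateway": [{"ip_address": "fd00::1"}],
    }.items():
        try:
            validate_allowed_address_pairs(SAMPLE_PORT, SAMPLE_SUBNETS, pairs)
            results[label] = "accepted"
        except InvalidAllowedAddressPair as exc:
            results[label] = f"rejected ({exc})"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

A VIP such as 10.0.0.100 still passes, so the common keepalived/VRRP use of allowed-address-pairs is unaffected; only entries that cover a gateway of one of the port's own subnets are refused. The check is deliberately tied to the port's fixed_ips rather than to every subnet in the network, matching the wording of the remedy in the report.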