
yahoo-eng-team team mailing list archive

[Bug 1456333] [NEW] ovs-agent: prevent arp requests with faked ips

 

Public bug reported:

Patch
https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa7356b729f9672855980429677c969b6bab61a1
sets up rules on br-int to prevent faking the IP address in ARP replies.
But it's also possible to poison a neighbour's ARP cache with a bogus
ARP request, as the victim updates its cache on receipt of it. That is
how arpcachepoison in scapy works.

Here the attacker is 10.0.1.6 and the victim is 10.0.1.7.

victim# ip n
10.0.1.6 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
10.0.1.1 dev tapfccaf7c3-01 lladdr fa:16:3e:10:d3:b2 STALE

attacker#  scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> arpcachepoison("10.0.1.7", "10.0.1.1", interval=1)

victim# ip n
10.0.1.6 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
10.0.1.1 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE

This is at the same level as
https://bugs.launchpad.net/neutron/+bug/1274034, which was deemed not to
be a security vulnerability.

** Affects: neutron
     Importance: Undecided
     Assignee: Darragh O'Reilly (darragh-oreilly)
         Status: In Progress

** Changed in: neutron
     Assignee: (unassigned) => Darragh O'Reilly (darragh-oreilly)

** Changed in: neutron
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1456333

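The report's point is that an ingress ARP check which looks only at replies leaves requests uninspected, while the victim learns the sender MAC from either. The following Python is an added illustration and is not the reporter's code nor Neutron's OVS agent: it builds the ARP frames the report describes from raw bytes (no scapy needed), runs them through a port-level sender-IP check in two modes, and models the victim's neighbour cache as the report observed it. The parser, the `replies_only` mode that stands in for the reply-only br-int rules, and the simplified cache-learning model are assumptions made for the example; the addresses and MACs are the ones quoted in the report.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sha, spa, tha, tpa, dst_mac="ff:ff:ff:ff:ff:ff") -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (constructed test data)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    tpa = ".".join(str(b) for b in frame[38:42])
    return op, sha, spa, tpa


def arp_allowed(frame: bytes, port_ips: set, replies_only: bool) -> bool:
    """Port-ingress ARP check; port_ips are the IPs Neutron assigned to the sending port.

    replies_only=True models the gap the report describes: only ARP replies have
    their sender IP compared against the port's addresses, so a request passes
    unchecked. replies_only=False checks the sender IP regardless of opcode.
    """
    parsed = parse_arp(frame)
    if parsed is None:
        return True  # non-ARP traffic is outside this check's scope
    op, _sha, spa, _tpa = parsed
    if replies_only and op != ARP_REPLY:
        return True
    return spa in port_ips


def learn_neighbour(cache: dict, frame: bytes) -> dict:
    """Simplified model of what the report observed on the victim: an existing
    neighbour entry is overwritten with the sender MAC of any ARP packet
    (request or reply) that reaches the host. Not a full RFC 826 implementation."""
    parsed = parse_arp(frame)
    if parsed is not None:
        _op, sha, spa, _tpa = parsed
        if spa in cache:
            cache[spa] = sha
    return cache


# Addresses from the report: attacker 10.0.1.6, gateway 10.0.1.1, victim 10.0.1.7.
ATTACKER_MAC = "fa:16:3e:33:58:4e"
GATEWAY_MAC = "fa:16:3e:10:d3:b2"
ATTACKER_PORT_IPS = {"10.0.1.6"}
ZERO_MAC = "00:00:00:00:00:00"

# The pattern the report describes: an ARP *request* whose sender IP is the gateway's,
# alongside a request with the port's real IP and a reply with the spoofed IP.
SPOOFED_REQUEST = build_arp(ARP_REQUEST, ATTACKER_MAC, "10.0.1.1", ZERO_MAC, "10.0.1.7")
SPOOFED_REPLY = build_arp(ARP_REPLY, ATTACKER_MAC, "10.0.1.1", ZERO_MAC, "10.0.1.7")
LEGIT_REQUEST = build_arp(ARP_REQUEST, ATTACKER_MAC, "10.0.1.6", ZERO_MAC, "10.0.1.7")


def victim_cache_after(frame: bytes, replies_only: bool) -> dict:
    """Victim's neighbour cache after the bridge either forwards or drops the frame."""
    cache = {"10.0.1.6": ATTACKER_MAC, "10.0.1.1": GATEWAY_MAC}
    if arp_allowed(frame, ATTACKER_PORT_IPS, replies_only):
        learn_neighbour(cache, frame)
    return cache


if __name__ == "__main__":
    for mode in (True, False):
        entry = victim_cache_after(SPOOFED_REQUEST, mode)["10.0.1.1"]
        print("replies_only=%s -> victim's entry for 10.0.1.1 is %s" % (mode, entry))
```

With `replies_only=True` the spoofed request is forwarded and the victim's entry for 10.0.1.1 flips to the attacker's MAC, reproducing the second `ip n` listing in the report; with the opcode condition removed the same frame is dropped and the gateway entry survives, while the legitimate request from 10.0.1.6 still passes. The corresponding change on br-int is to match the sender protocol address for ARP traffic of either opcode rather than for replies only.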
