
yahoo-eng-team team mailing list archive

[Bug 1459856] [NEW] Neutron ipv6_utils.is_enabled() uses /proc/sys/net/ipv6/conf/default/disable_ipv6


Public bug reported:

Neutron uses /proc/sys/net/ipv6/conf/default/disable_ipv6 to determine
if IPv6 should be enabled, but there are legitimate cases where this
sysctl may be set in an IPv6 deployment.

By default Linux assigns a link-local address to all new interfaces if
this sysctl is not enabled, which exposes the host machine to tenant
networks. To harden a deployment an administrator may set this sysctl
and explicitly disable /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 on
each interface which should participate in IPv6 communications. This
brings parity with IPv4, where interfaces are only addressable if the
administrator has explicitly assigned the interface an IPv4 address.

In this case Neutron will detect
/proc/sys/net/ipv6/conf/default/disable_ipv6=1 and
ipv6_utils.is_enabled() will return false, thereby disabling creation of
ip6tables rules enforcing security groups running on hosts with this
hardened IPv6 configuration.

Can we expose ipv6_utils.is_enabled() directly as a configuration option
rather than inferring from /proc/sys/net/ipv6/conf/default/disable_ipv6?

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1459856

Title:
  Neutron ipv6_utils.is_enabled() uses
  /proc/sys/net/ipv6/conf/default/disable_ipv6

Status in OpenStack Neutron (virtual network service):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1459856/+subscriptions
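The failure mode described in the report, as an added example that is not Neutron's own code: a check modelled on the inference ipv6_utils.is_enabled() makes from conf/default/disable_ipv6 is run beside a hypothetical alternative that honours an explicit override or the per-interface values, both against a constructed fake /proc/sys tree laid out like the hardened host in the report (default=1, a tenant-facing port re-enabled). The helper names and the `force` parameter are assumptions for illustration.

```python
import os
import tempfile


def write_sysctl(root, iface, value):
    """Create <root>/net/ipv6/conf/<iface>/disable_ipv6 in the fake tree."""
    d = os.path.join(root, "net", "ipv6", "conf", iface)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "disable_ipv6"), "w") as f:
        f.write(f"{value}\n")


def read_disable_ipv6(root, iface):
    """Return the integer sysctl value, or None if the file is absent/unreadable."""
    path = os.path.join(root, "net", "ipv6", "conf", iface, "disable_ipv6")
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def is_enabled_by_default_sysctl(root):
    """Mirrors the inference the report describes: IPv6 counts as enabled
    only when the *default* sysctl is 0. On a hardened host this is False
    even though selected interfaces carry IPv6."""
    return read_disable_ipv6(root, "default") == 0


def is_enabled_for_ifaces(root, ifaces, force=None):
    """Hypothetical alternative: an explicit configuration value wins;
    otherwise IPv6 is enabled if any named interface has disable_ipv6=0."""
    if force is not None:
        return force
    return any(read_disable_ipv6(root, i) == 0 for i in ifaces)


def build_hardened_tree():
    """Constructed fake /proc/sys layout for the hardened deployment."""
    root = tempfile.mkdtemp()
    write_sysctl(root, "default", 1)  # new interfaces get no link-local address
    write_sysctl(root, "all", 0)
    write_sysctl(root, "tap0", 0)     # tenant-facing port explicitly re-enabled
    write_sysctl(root, "eth1", 1)     # management NIC stays IPv4-only
    return root


if __name__ == "__main__":
    root = build_hardened_tree()
    print("default-sysctl inference:", is_enabled_by_default_sysctl(root))
    print("per-interface check:", is_enabled_for_ifaces(root, ["tap0", "eth1"]))
```

On the hardened tree the default-sysctl inference answers False (so no ip6tables security-group rules would be built), while the per-interface check sees tap0 and answers True.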

