
yahoo-eng-team team mailing list archive

[Bug 1534652] Re: Host machine exposed to tenant networks via IPv6


Reviewed:  https://review.openstack.org/268373
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fc8ebae0351f5b6596951cdfc5cb4259501d84f2
Submitter: Jenkins
Branch:    master

commit fc8ebae0351f5b6596951cdfc5cb4259501d84f2
Author: Dustin Lundquist <dustin@xxxxxxxxxxxx>
Date:   Thu Jan 14 23:04:43 2016 -0800

    Prevent binding IPv6 addresses to Neutron interfaces
    
    Explicitly disable IPv6 on Neutron created interfaces in the default
    namespace before setting link up. Since the default behavior of IPv6 is
    to bind to all interfaces, as opposed to IPv4 where an address must be
    explicitly configured, we disable IPv6 on each interface before enabling
    the interface. This avoids leaving a time window between when the
    interface is enabled and when it is attached to the bridge device during
    which the host could be accessed from a tenant network.
    
    Move disable_ipv6() from BridgeDevice to base IPDevice class so it is
    usable by all interfaces. Then we explicitly disable IPv6 on veth
    interfaces in the default namespaces and VXLAN and VLAN interfaces
    created by the LinuxBridge agent.
    
    In addition, the vlan interface is moved from LinuxBridgeManager to IPWrapper
    so it can return an IPDevice object.
    
    Closes-Bug: #1534652
    Change-Id: Id879075f2d5ee42f8ff153e813e7519a4424447b


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534652

Title:
  Host machine exposed to tenant networks via IPv6

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  When creating a new interface, Neutron creates the interface and brings
  the link up without disabling default IPv6 binding. By default Linux
  brings IPv6 link local addresses up on all interfaces; this is different
  behavior from IPv4, where an administrator must explicitly configure an
  address on the interface.

  This is significantly exposed in LinuxBridgeManager ensure_vlan() and
  ensure_vxlan(), where a new VLAN or VXLAN interface is created and set
  link up before being enslaved in the bridge. In the case of a compute
  node joining an existing network, there is a time window in which the
  VLAN or VXLAN interface is created and has connectivity to the tenant
  network before it has been enslaved in the bridge. Under normal
  circumstances this time window is less than the time needed to perform
  IPv6 duplicate address detection, but under high load this assumption
  may not hold.

  I recommend explicitly disabling IPv6 via sysctl on each interface
  which will be attached to a bridge prior to bringing the interface link
  up. This is already done for the bridge interfaces themselves, but
  should be done for all Neutron configured interfaces in the default
  namespace.

  This issue was referenced in https://bugs.launchpad.net/neutron/+bug/1459856
  Related issue being addressed in Nova: https://review.openstack.org/#/c/198054/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534652/+subscriptions
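The following is an added example, not code from Neutron or from the bug thread above. It shows, from the operator's side, how to audit a host for the condition the bug describes (a Neutron-managed interface in the default namespace that is link up, not yet enslaved to a bridge, and still has IPv6 enabled) and what the corrected bring-up order looks like (disable IPv6 via sysctl, then set link up, then enslave). The `ip -o link show` output and the per-interface `disable_ipv6` values are constructed sample data; the interface-name conventions (`brq...`, `vxlan-...`, `tap...`, `<phys>.<vid>`) are assumed to match the LinuxBridge agent's naming and the helper names are hypothetical. One caveat it makes explicit: sysctl uses `.` as a path separator, so a VLAN interface such as `eth0.200` must be written as `net.ipv6.conf.eth0/200.disable_ipv6`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ip -o link show` from a host's default namespace
# (not captured from a real system).
SAMPLE_IP_LINK = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: brq1234abcd-ef: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
4: vxlan-100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 52:54:00:dd:ee:ff brd ff:ff:ff:ff:ff:ff
5: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brq1234abcd-ef state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# Constructed values of /proc/sys/net/ipv6/conf/<iface>/disable_ipv6.
# The bridge already has IPv6 disabled (as the report says is done today);
# the vxlan and vlan interfaces do not.
SAMPLE_DISABLE_IPV6 = {"lo": 0, "eth0": 0, "brq1234abcd-ef": 1,
                       "vxlan-100": 0, "eth0.200": 0}

# Assumed LinuxBridge agent naming: brq<net-id>, vxlan-<vni>, tap<port-id>,
# and VLAN sub-interfaces named <physical-interface>.<vlan-id>.
NEUTRON_PREFIXES = ("brq", "vxlan-", "tap")
VLAN_NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.\d+")

LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <(?P<flags>[^>]*)>(?P<rest>.*)$")
MASTER_RE = re.compile(r"\bmaster (\S+)")


@dataclass
class Link:
    name: str
    up: bool                 # UP flag present in the <...> flag list
    master: Optional[str]    # bridge the interface is enslaved to, if any


def parse_ip_link(output: str) -> List[Link]:
    """Parse one-line-per-interface `ip -o link show` output."""
    links = []
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split(",")
        master = MASTER_RE.search(m.group("rest"))
        links.append(Link(m.group("name"), "UP" in flags,
                          master.group(1) if master else None))
    return links


def is_neutron_managed(name: str) -> bool:
    return name.startswith(NEUTRON_PREFIXES) or VLAN_NAME_RE.fullmatch(name) is not None


def sysctl_key(iface: str) -> str:
    """sysctl key for disable_ipv6; dots in the interface name become '/'."""
    return "net.ipv6.conf.%s.disable_ipv6" % iface.replace(".", "/")


def audit(ip_link_output: str, disable_ipv6: Dict[str, int]) -> Dict[str, str]:
    """Return Neutron-managed interfaces that still have IPv6 enabled.

    An interface that is up and not yet enslaved is in exactly the window the
    bug report describes; an enslaved one still violates the fix's intent.
    Unknown interfaces default to 0 (IPv6 enabled), matching the kernel default.
    """
    findings = {}
    for link in parse_ip_link(ip_link_output):
        if not is_neutron_managed(link.name):
            continue
        if disable_ipv6.get(link.name, 0) != 0:
            continue  # IPv6 already disabled on this interface
        if link.up and link.master is None:
            findings[link.name] = "ipv6 enabled, link up, not enslaved: host reachable from segment"
        else:
            findings[link.name] = "ipv6 enabled: set %s=1" % sysctl_key(link.name)
    return findings


def bringup_plan(iface: str, bridge: str) -> List[List[str]]:
    """Ordered commands for the corrected sequence: disable IPv6 first,
    then set link up, then enslave to the bridge."""
    return [
        ["sysctl", "-w", sysctl_key(iface) + "=1"],
        ["ip", "link", "set", iface, "up"],
        ["ip", "link", "set", iface, "master", bridge],
    ]


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_IP_LINK, SAMPLE_DISABLE_IPV6).items():
        print("%-16s %s" % (name, reason))
    for cmd in bringup_plan("vxlan-100", "brq1234abcd-ef"):
        print(" ".join(cmd))
```

On a live host the two inputs would come from `ip -o link show` and from reading `/proc/sys/net/ipv6/conf/<iface>/disable_ipv6` for each interface; the audit is read-only, while `bringup_plan` only returns the commands so the order can be reviewed before anything is executed.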