yahoo-eng-team team mailing list archive
Message #47216
[Bug 1534652] Re: Host machine exposed to tenant networks via IPv6
MidonetInterfaceDriver in networking-midonet repo has the same issue.
** Also affects: networking-midonet
Importance: Undecided
Status: New
** Changed in: networking-midonet
Importance: Undecided => High
** Changed in: networking-midonet
Milestone: None => 2.0.0
** Changed in: networking-midonet
Assignee: (unassigned) => YAMAMOTO Takashi (yamamoto)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534652
Title:
Host machine exposed to tenant networks via IPv6
Status in networking-midonet:
New
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
When creating a new interface Neutron creates the interface and brings
the link up without disabling default IPv6 binding. By default Linux
brings IPv6 link-local addresses up on all interfaces; this is different
behavior from IPv4, where an administrator must explicitly configure an
address on the interface.
This is significantly exposed in LinuxBridgeManager ensure_vlan() and
ensure_vxlan(), where a new VLAN or VXLAN interface is created and set
link up before being enslaved in the bridge. In the case of a compute
node joining an existing network, there is a time window in which the
VLAN or VXLAN interface is created and has connectivity to the tenant
network before it has been enslaved in the bridge. Under normal
circumstances this time window is less than the time needed to perform
IPv6 duplicate address detection, but under high load this assumption
may not hold.
I recommend explicitly disabling IPv6 via sysctl on each interface
which will be attached to a bridge prior to bringing the interface link
up. This is already done for the bridge interfaces themselves, but
should be done for all Neutron configured interfaces in the default
namespace.
This issue was referenced in https://bugs.launchpad.net/neutron/+bug/1459856
Related issue being addressed in Nova: https://review.openstack.org/#/c/198054/
To manage notifications about this bug go to:
https://bugs.launchpad.net/networking-midonet/+bug/1534652/+subscriptions
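The interface ordering the report recommends (disable IPv6 via sysctl before the link comes up, then enslave in the bridge), written out as an added shell example; this is not code from Neutron, networking-midonet or the bug reporter. The interface and bridge names, the RUN variable used to dry-run the commands without root, and the PROC_ROOT variable that lets the audit routine be pointed at a fake sysctl tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Neutron or networking-midonet code base.
# RUN (assumed) is empty in production; set RUN=echo to print the
# commands instead of executing them.
# PROC_ROOT (assumed) defaults to the real sysctl tree; the audit can be
# pointed at a constructed directory for testing.

# Weak ordering described in the bug: add -> link up -> enslave, so the
# kernel auto-configures an IPv6 link-local address and the interface
# briefly has tenant-network connectivity in the default namespace.
# Hardened ordering: add -> disable_ipv6 -> link up -> enslave.
ensure_vlan_hardened() {
    phys_if="$1"; vlan_id="$2"; bridge="$3"
    vlan_if="${phys_if}.${vlan_id}"
    ${RUN:-} ip link add link "$phys_if" name "$vlan_if" type vlan id "$vlan_id"
    # Disable IPv6 while the link is still down: no link-local address
    # is assigned and no DAD window exists.
    ${RUN:-} sysctl -w "net.ipv6.conf.${vlan_if}.disable_ipv6=1"
    ${RUN:-} ip link set "$vlan_if" up
    ${RUN:-} ip link set "$vlan_if" master "$bridge"
}

# Same sequence for a VXLAN interface (local/remote details omitted).
ensure_vxlan_hardened() {
    phys_if="$1"; vni="$2"; bridge="$3"
    vx_if="vxlan-${vni}"
    ${RUN:-} ip link add "$vx_if" type vxlan id "$vni" dev "$phys_if" dstport 4789
    ${RUN:-} sysctl -w "net.ipv6.conf.${vx_if}.disable_ipv6=1"
    ${RUN:-} ip link set "$vx_if" up
    ${RUN:-} ip link set "$vx_if" master "$bridge"
}

# Audit helper: returns 0 when disable_ipv6 is set to 1 for the named
# interface, 1 otherwise (including when the interface has no entry).
ipv6_disabled() {
    if_name="$1"
    root="${PROC_ROOT:-/proc/sys/net/ipv6/conf}"
    f="$root/$if_name/disable_ipv6"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Run this file with --demo to print the hardened command sequence.
if [ "${1:-}" = "--demo" ]; then
    RUN=echo
    ensure_vlan_hardened eth0 100 brq-demo
fi
```

Running `sh script.sh --demo` prints the four commands in order, which is the quickest way to review the sequence before giving it to a host. The audit helper reads the same sysctl the recommendation sets, so it can be looped over every bridge member in the default namespace to find interfaces that were brought up by the older ordering.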