yahoo-eng-team team mailing list archive

[Dave Walker <email@xxxxxxxxxx>]

** Also affects: neutron/kilo
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1558658

Title:
  Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP
  requests

Status in neutron:
  Fix Released
Status in neutron kilo series:
  New
Status in OpenStack Security Advisory:
  Triaged

Bug description:
  The IptablesFirewallDriver does not prevent spoofing other instances
  or a routers MAC and/or IP addresses. The rule to permit DHCP
  discovery and request messages:

          ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 '
                                      '-j RETURN', comment=ic.DHCP_CLIENT)]

  is too permissive, it does not enforce the source MAC or IP address.
  This is the IPv4 case of public bug
  https://bugs.launchpad.net/neutron/+bug/1502933, and a solution was
  previously mentioned in June 2013 in
  https://bugs.launchpad.net/neutron/+bug/1427054.

  If L2population is not used, an instance can spoof the Neutron
  router's MAC address and cause the switches to learn a MAC move,
  allowing the instance to intercept other instances traffic potentially
  belonging to other tenants if this is shared network.

  The solution for this is to permit this DHCP traffic only from the
  instance's IP address and the unspecified IPv4 address 0.0.0.0/32
  rather than from an IPv4 source, additionally the source MAC address
  should be restricted to MAC addresses assigned to the instance's
  Neutron port.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1558658/+subscriptions