
yahoo-eng-team team mailing list archive

[Bug 1622753] [NEW] [RFE] Block non-IP traffic in security groups/firewall driver


Public bug reported:

Presently the IPTables firewall driver (the reference security group
implementation) permits all non-IP traffic to ingress and egress an
instance port. This should be altered to block non-IP traffic by
default.

Security groups are a collection of rules which specify which traffic
should be permitted into and out of an instance port. By only including
allow rules, the order in which rules are enforced doesn't matter.
Security groups are deny all by default except for non-IP traffic.
This was largely an oversight, since the original implementation just
used iptables, which doesn't filter non-IP traffic. Later ebtables was
employed to filter ARP messages (which are non-IP frames), but other
Ethertypes besides IPv4, IPv6 and ARP are unfiltered.

Since non-IP traffic is not routed by Neutron, there is no Internet
facing security risk. In the case of a shared network, this is a cross
tenant/project security risk.

Since this would significantly alter the behavior of security groups I
propose making the change in several stages:

1. Introduce a new configuration option to specify the firewall driver behavior for non-IP traffic. This should default to allow initially. Modify the IPTables firewall driver to honor this configuration.
2. Change the default of this new configuration option to deny.
3. Introduce an extension to security groups which permits arbitrary 16-bit values to be specified as Ethertypes, so tenants can use security groups to filter non-IP traffic.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe sg-fw

** Summary changed:

- [RFE] Block non-IP traffic in security groups
+ [RFE] Block non-IP traffic in security groups/firewall driver

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1622753

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1622753/+subscriptions
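The three-stage policy described in the report, worked through as an added example that is not Neutron's own code. It parses the Ethertype out of raw Ethernet frames (unwrapping 802.1Q/802.1ad tags, which is where a naive "look at bytes 12-13" check goes wrong), applies a hypothetical `non_ip_default` option of `allow` (stage 1) or `deny` (stage 2) with an optional set of per-security-group Ethertypes (stage 3), and renders the equivalent ebtables rules. The option name, the chain name and the sample frames are constructed for the example; nothing here is the driver's real configuration surface.

```python
"""Added example: evaluate the proposed non-IP security-group policy.

Not Neutron code. The option name `non_ip_default`, the chain name and the
frames below are constructed for illustration.
"""
import struct

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD
ETH_P_8021Q = 0x8100   # single VLAN tag
ETH_P_8021AD = 0x88A8  # QinQ outer tag
ETH_P_LLDP = 0x88CC    # a typical non-IP Ethertype seen on shared networks

# Ethertypes the existing iptables/ebtables rules already cover.
IP_ETHERTYPES = frozenset({ETH_P_IP, ETH_P_IPV6, ETH_P_ARP})


def parse_ethertype(frame: bytes) -> int:
    """Return the payload Ethertype of a frame, skipping 802.1Q/802.1ad tags.

    Values <= 1500 are an 802.3 length field, not an Ethertype; they are
    returned as-is so the policy treats such frames as non-IP.
    Raises ValueError on a truncated header so a short frame never passes.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        offset += 4  # TPID (already read) + TCI, then the inner Ethertype
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return ethertype


class NonIpPolicy:
    """Decision logic for one port under the proposed option."""

    def __init__(self, non_ip_default: str = "allow", sg_ethertypes=()):
        if non_ip_default not in ("allow", "deny"):
            raise ValueError("non_ip_default must be 'allow' or 'deny'")
        self.non_ip_default = non_ip_default  # stage 1: allow, stage 2: deny
        # Stage 3: 16-bit Ethertypes explicitly allowed by security group rules.
        self.sg_ethertypes = frozenset(e & 0xFFFF for e in sg_ethertypes)

    def decide(self, ethertype: int) -> str:
        # IPv4/IPv6/ARP are deferred to the existing L3 and ARP rules.
        if ethertype in IP_ETHERTYPES:
            return "ip"
        if ethertype in self.sg_ethertypes:
            return "allow"
        return self.non_ip_default

    def decide_frame(self, frame: bytes) -> str:
        return self.decide(parse_ethertype(frame))


def ebtables_rules(chain: str, policy: NonIpPolicy) -> list:
    """Render the policy as ebtables commands for a per-port chain.

    Frames with a known-good Ethertype RETURN to the caller (where the
    iptables/ARP rules run); everything else hits the default.
    """
    rules = []
    for et in sorted(IP_ETHERTYPES | policy.sg_ethertypes):
        rules.append(f"ebtables -A {chain} -p 0x{et:04x} -j RETURN")
    if policy.non_ip_default == "deny":
        rules.append(f"ebtables -A {chain} -j DROP")
    return rules


def make_frame(ethertype: int, vlan=None, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed test frame (MACs are made up)."""
    hdr = bytes.fromhex("fa163e000001") + bytes.fromhex("fa163e000002")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


if __name__ == "__main__":
    frames = [make_frame(ETH_P_IP), make_frame(ETH_P_IPV6, vlan=100),
              make_frame(ETH_P_LLDP), make_frame(0x0042)]
    for stage, pol in ((1, NonIpPolicy("allow")),
                       (2, NonIpPolicy("deny")),
                       (3, NonIpPolicy("deny", {ETH_P_LLDP}))):
        print(f"stage {stage}:", [pol.decide_frame(f) for f in frames])
    print("\n".join(ebtables_rules("neutron-sg-tapexample", NonIpPolicy("deny", {ETH_P_LLDP}))))
```

One caveat the rendered rules expose: ebtables `-p` matches the outer Ethertype, so under a deny default a VLAN-tagged IPv4 frame is classified as 0x8100 and dropped unless the `vlan` match with `--vlan-encap` is added, whereas `parse_ethertype()` above sees the inner 0x0800. Whichever layer enforces the policy, tagged frames need a deliberate decision rather than an accidental one.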