
yahoo-eng-team team mailing list archive

[Bug 1669765] [NEW] RA is not disabled on backup HA routers

 

Public bug reported:

When an HA router is created, RA is enabled on the gateway interface for the 'master' router [0].
However, it is not disabled in the 'else' clause and therefore:

1. If the router was set to 'master' before, it will still have RA enabled on its gateway interface.
2. If the default value for accept_ra in '/proc/sys/net/ipv6/conf/default/accept_ra' is > 0, then it will still have RA enabled on its gateway interface.

Having RA enabled on a backup router leads to the following unwanted
situation:

- It may respond to RA packets coming from an external switch and,
because it has the same MAC address as the master instance, the switch
will learn its MAC address and may send the traffic to it until the
master sends some packets. Therefore, any existing connections will be
interrupted.

The fix would consist in disabling RA on the gateway interface if
conditions are not met to enable it.

[0]
https://github.com/openstack/neutron/blob/master/neutron/agent/l3/ha.py#L136

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1669765


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1669765/+subscriptions
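
The two cases listed in the report and the proposed fix can be replayed in a small model. This is an added example, not Neutron code and not part of the original bug report: the class, the function names, the interface name `qg-example` and the choice of value 2 for the master are assumptions made for illustration.

```python
# Added example: constructed model, not Neutron code. All names are hypothetical.
ACCEPT_RA_OFF = 0              # kernel: ignore Router Advertisements
ACCEPT_RA_WITH_FORWARDING = 2  # kernel: accept RAs even with forwarding on
                               # (assumed here as the value used for the master)


class FakeNamespace:
    """Stands in for the per-interface accept_ra sysctls of a router namespace."""

    def __init__(self, default_accept_ra):
        self.default_accept_ra = default_accept_ra
        self.accept_ra = {}

    def plug(self, iface):
        # A newly created interface inherits conf/default/accept_ra.
        self.accept_ra.setdefault(iface, self.default_accept_ra)


def configure_gateway_as_reported(ns, iface, ha_state):
    """Behaviour described in the report: enable for master, no 'else' branch."""
    ns.plug(iface)
    if ha_state == "master":
        ns.accept_ra[iface] = ACCEPT_RA_WITH_FORWARDING


def configure_gateway_as_proposed(ns, iface, ha_state):
    """Proposed fix: explicitly disable RA when the enable condition is not met."""
    ns.plug(iface)
    if ha_state == "master":
        ns.accept_ra[iface] = ACCEPT_RA_WITH_FORWARDING
    else:
        ns.accept_ra[iface] = ACCEPT_RA_OFF


def backup_accepts_ra(configure, default_accept_ra, history):
    """Replay a sequence of HA states (ending in 'backup'); return True if
    accept_ra is still > 0 on the gateway interface afterwards."""
    ns = FakeNamespace(default_accept_ra)
    for state in history:
        configure(ns, "qg-example", state)
    return ns.accept_ra["qg-example"] > 0


if __name__ == "__main__":
    cases = {"1. was master before": (0, ["master", "backup"]),
             "2. default accept_ra > 0": (1, ["backup"])}
    for label, (default, history) in cases.items():
        for fn in (configure_gateway_as_reported, configure_gateway_as_proposed):
            print(label, fn.__name__, backup_accepts_ra(fn, default, history))
```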

