yahoo-eng-team team mailing list archive

[Bug 1685237] [NEW] port security does not block router advertisements for instances

Public bug reported:

Affected version: mitaka

Issue: If port security is enabled, IPv6 router advertisements may still be
sent by any instance.

Network configuration: vlan, security groups disabled, port security
enabled.

subnet:
{
  "description": "",
  "enable_dhcp": true,
  "network_id": "b71b7cc7-3534-481b-bb67-a473a8e083cc",
  "tenant_id": "4e632076f7004f908c8da67345a7592e",
  "created_at": "2017-04-21T12:39:13",
  "dns_nameservers": "",
  "updated_at": "2017-04-21T12:39:13",
  "ipv6_ra_mode": "",
  "allocation_pools": "{\"start\": \"2a00:xxxx:3:101::2\", \"end\": \"2a00:xxxx:3:101:ffff:ffff:ffff:ffff\"}",
  "gateway_ip": "2a00:xxxx:3:101::1",
  "ipv6_address_mode": "slaac",
  "ip_version": 6,
  "host_routes": "",
  "cidr": "2a00:xxxx:3:101::/64",
  "id": "789d4f41-7867-4b17-9f7b-220c1e689b0b",
  "subnetpool_id": "",
  "name": ""
}

When an instance is configured by a (malicious) user, it starts to send
router advertisements (as if it were a router), and those RAs may disrupt
networking.

tcpdump from physical interface of compute node:
tcpdump -ni eth4 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56

The first line is a valid router RA; the second line (:6644) is sent by the instance
and should be blocked by port security.

On a victim machine (same segment) the routing table looks like this:

ip -6 route

default via fe80::52eb:1aff:fe77:de4f dev ens3  proto ra  metric 1024  expires 1795sec hoplimit 64 pref medium
default via fe80::f816:3eff:fe69:6644 dev ens3  proto ra  metric 1024  expires 1796sec hoplimit 64 pref medium

The last line is the result of network hijacking by the malicious instance, and
shouldn't happen.

I'm not sure if this is a security issue or not.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1685237
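As an added example (not part of the bug report or of Neutron), a small Python check an operator could run over a tcpdump capture and `ip -6 route` output like the ones above: it flags RAs whose source is not a known router, reverses the EUI-64 link-local address to the sending MAC (Neutron's default base MAC prefix is fa:16:3e, so that prefix points at an instance port), and lists every RA-learned default gateway. The sample lines, the trusted-router list and the 2001:db8 prefix are constructed for this example.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the tcpdump and `ip -6 route` output in the report.
SAMPLE_CAPTURE = """\
14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56
14:16:49.100000 IP6 fe80::f816:3eff:fe69:6644 > ff02::1:ff00:1: ICMP6, neighbor solicitation, length 32
"""
SAMPLE_ROUTES = """\
default via fe80::52eb:1aff:fe77:de4f dev ens3  proto ra  metric 1024  expires 1795sec hoplimit 64 pref medium
default via fe80::f816:3eff:fe69:6644 dev ens3  proto ra  metric 1024  expires 1796sec hoplimit 64 pref medium
2001:db8:3:101::/64 dev ens3  proto kernel  metric 256  pref medium
"""

RA_RE = re.compile(r"^\S+ IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): ICMP6, router advertisement")
ROUTE_RE = re.compile(r"^default via (?P<gw>[0-9a-f:]+) dev (?P<dev>\S+)\s+proto ra\b")


def mac_from_link_local(addr):
    """Reverse modified EUI-64: recover the MAC behind an fe80::/64 SLAAC address, else None."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]
    if not ip.is_link_local or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # clear the universal/local bit that EUI-64 flipped
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def find_rogue_ras(capture, trusted_routers):
    """Return (source address, recovered MAC) for every RA not sent by a trusted router."""
    trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
    rogue = []
    for line in capture.splitlines():
        m = RA_RE.match(line)
        if not m:
            continue
        src = ipaddress.IPv6Address(m.group("src"))
        if src not in trusted:
            rogue.append((str(src), mac_from_link_local(m.group("src"))))
    return rogue


def ra_default_gateways(route_output):
    """Next hops of all RA-learned default routes; more than one is worth investigating."""
    return [m.group("gw") for m in map(ROUTE_RE.match, route_output.splitlines()) if m]


if __name__ == "__main__":
    print("rogue RAs:", find_rogue_ras(SAMPLE_CAPTURE, ["fe80::52eb:1aff:fe77:de4f"]))
    print("RA default gateways:", ra_default_gateways(SAMPLE_ROUTES))
```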
