
yahoo-eng-team team mailing list archive

[Bug 1689830] [NEW] advanced policy for allowed address pairs


Public bug reported:

==========================================================
Advanced policy for address pair
==========================================================

The allowed address pair extension extends the port attribute to enable you to
specify arbitrary mac_address/ip_address(cidr) pairs that are allowed to pass
through a port regardless of the subnet associated with the network.

Allowed address pairs are typically used to specify a moving or virtual
IP between an HA server pair.

Problem Description
===================

An end user can only create ports with allowed address pairs on non-owned
networks (shared or provider) with elevated privileges. With elevated
privileges it is possible to use any IP or MAC address. This poses a
significant security risk, because the attacker may abuse this privilege
for DoS or man-in-the-middle attacks.

Proposed Change
===============

Extend the currently existing policy with a rule that allows a user to
create or update a port with allowed address pairs to already allocated
IP / MAC addresses.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1689830
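A model of the proposed rule, added here as an example (it is not Neutron's own code or policy): each requested pair must match an IP/MAC already allocated to a port on the same network, and the example further assumes the rule is scoped to ports of the requesting project; the port records are constructed sample data.

```python
import ipaddress

# Constructed sample of ports already allocated on one network.
# Field names mirror Neutron port attributes; the values are made up.
ALLOCATED_PORTS = [
    {"project_id": "proj-a", "network_id": "net-1",
     "mac_address": "fa:16:3e:00:00:01", "fixed_ips": ["10.0.0.10"]},
    {"project_id": "proj-a", "network_id": "net-1",
     "mac_address": "fa:16:3e:00:00:02", "fixed_ips": ["10.0.0.11"]},
    {"project_id": "proj-b", "network_id": "net-1",
     "mac_address": "fa:16:3e:00:00:03", "fixed_ips": ["10.0.0.20"]},
]


def allocated_addresses(ports, project_id, network_id):
    """Return the set of (ip, mac) pairs allocated to the project on the network."""
    allowed = set()
    for port in ports:
        if port["project_id"] != project_id or port["network_id"] != network_id:
            continue
        mac = port["mac_address"].lower()
        for ip in port["fixed_ips"]:
            allowed.add((ipaddress.ip_address(ip), mac))
    return allowed


def check_allowed_address_pairs(pairs, ports, project_id, network_id):
    """Hypothetical policy check: every requested allowed_address_pair must be an
    address the project already holds on this network (assumption, see lead-in).
    Returns a list of rejection reasons; an empty list means the request passes."""
    allowed = allocated_addresses(ports, project_id, network_id)
    allowed_ips = {ip for ip, _ in allowed}
    reasons = []
    for pair in pairs:
        # ip_address may be given as a CIDR; only a single host can be "allocated".
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.num_addresses != 1:
            reasons.append(f"{pair['ip_address']}: a CIDR range is not an allocated address")
            continue
        ip = net.network_address
        mac = pair.get("mac_address")
        if mac is None:
            # No explicit MAC: the IP alone must belong to the project.
            if ip not in allowed_ips:
                reasons.append(f"{ip}: not allocated to project {project_id}")
        elif (ip, mac.lower()) not in allowed:
            reasons.append(f"{ip}/{mac}: pair not allocated to project {project_id}")
    return reasons
```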
