yahoo-eng-team team mailing list archive
Message #64923
[Bug 1685237] Re: port security does not block router advertisements for instances
Reviewed: https://review.openstack.org/472509
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0cb9b5254f412e9ec0d3f2cb6fd07e038c3a5097
Submitter: Jenkins
Branch: master
commit 0cb9b5254f412e9ec0d3f2cb6fd07e038c3a5097
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date: Thu Jun 8 23:35:17 2017 -0400
Split allowed ICMPv6 types into two constants
There was only a single list of allowed ICMPv6
types, but the defaults allowed for ingress
and egress are different when it comes to
Router Advertisements and Router Solicitations.
Change-Id: I737f07065cf2fb0b574a7f0f49e084488bf23ac0
Closes-bug: #1685237
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1685237
Title:
port security does not block router advertisements for instances
Status in neutron:
Fix Released
Bug description:
Affected version: mitaka
Issue: If port security is enabled, IPv6 router advertisements may be
sent by any instance.
Network configuration: vlan, security groups disabled, port security
enabled.
subnet:
{
"description": "",
"enable_dhcp": true,
"network_id": "b71b7cc7-3534-481b-bb67-a473a8e083cc",
"tenant_id": "4e632076f7004f908c8da67345a7592e",
"created_at": "2017-04-21T12:39:13",
"dns_nameservers": "",
"updated_at": "2017-04-21T12:39:13",
"ipv6_ra_mode": "",
"allocation_pools": "{\"start\": \"2a00:xxxx:3:101::2\", \"end\": \"2a00:xxxx:3:101:ffff:ffff:ffff:ffff\"}",
"gateway_ip": "2a00:xxxx:3:101::1",
"ipv6_address_mode": "slaac",
"ip_version": 6,
"host_routes": "",
"cidr": "2a00:xxxx:3:101::/64",
"id": "789d4f41-7867-4b17-9f7b-220c1e689b0b",
"subnetpool_id": "",
"name": ""
}
When an instance is configured by a (malicious) user, it starts to send
router advertisements (as if it were a router), and those RAs may
interrupt networking.
tcpdump from physical interface of compute node:
tcpdump -ni eth4 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56
The first line is a valid RA from the router; the second line (:6644) is from
the instance, and should be blocked by port security.
On a victim machine (same segment) routing table looks like this:
ip -6 route
default via fe80::52eb:1aff:fe77:de4f dev ens3 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
default via fe80::f816:3eff:fe69:6644 dev ens3 proto ra metric 1024 expires 1796sec hoplimit 64 pref medium
The last line is the result of network hijacking by the malicious instance,
and shouldn't happen.
I'm not sure if this is a security issue or not.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1685237/+subscriptions
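The fix above closes the hole in neutron's port-security filtering; the script below is an added detection example for operators who want to confirm on a compute node's capture that no instance is still emitting RAs. It is not code from the bug report or from neutron. It parses tcpdump's one-line ICMPv6 summaries, recovers the source MAC from the EUI-64 link-local address, and flags any RA whose source is not a known router, calling out specifically those whose MAC carries the fa:16:3e OUI. Two assumptions: that the deployment uses neutron's default base_mac of fa:16:3e:00:00:00 (a custom base_mac needs INSTANCE_OUIS changed), and that KNOWN_ROUTERS lists the legitimate routers' link-local addresses (seeded here with the first RA source from the report). The sample input is constructed from the report's two tcpdump lines plus one added router-solicitation line.

```python
import ipaddress
import re

# Constructed sample input: the two RA lines from the bug report's tcpdump,
# plus one router solicitation line (constructed) to show non-RA traffic
# being ignored.
SAMPLE_TCPDUMP = """\
14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56
14:16:49.100000 IP6 fe80::f816:3eff:fe69:6644 > ff02::2: ICMP6, router solicitation, length 16
"""

# Assumption: neutron's default base_mac is fa:16:3e:00:00:00, so MACs it
# assigns to instance ports start with the fa:16:3e OUI. Adjust for a
# deployment that configures a different base_mac.
INSTANCE_OUIS = {"fa:16:3e"}

# Assumption: the link-local addresses of the legitimate routers on this
# segment. Seeded with the first RA source from the report; fill in your own.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::52eb:1aff:fe77:de4f")}

# Matches tcpdump's one-line summary of an ICMPv6 router advertisement.
RA_LINE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, router advertisement"
)


def eui64_to_mac(addr):
    """Recover the MAC address embedded in an EUI-64 interface identifier.

    Returns None when the low 64 bits are not EUI-64 (no ff:fe marker),
    e.g. for a privacy or manually assigned address.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[0:3] + iid[5:8])
    raw[0] ^= 0x02  # undo the universal/local bit flip done by SLAAC
    return ":".join(f"{b:02x}" for b in raw)


def find_rogue_ras(tcpdump_text):
    """Return (timestamp, source, mac, reason) for every RA whose source
    is not a known router.

    A source whose EUI-64 MAC carries an instance OUI is reported as an
    instance-originated RA, which is what port security is expected to
    block; any other unknown source is reported as an unknown router.
    """
    findings = []
    for line in tcpdump_text.splitlines():
        m = RA_LINE.match(line)
        if not m:
            continue  # not an RA (e.g. a router solicitation): ignore
        src = ipaddress.IPv6Address(m.group("src"))
        if src in KNOWN_ROUTERS:
            continue
        mac = eui64_to_mac(m.group("src"))
        if mac is not None and mac[:8] in INSTANCE_OUIS:
            reason = "RA sent by an instance port (neutron base_mac OUI)"
        else:
            reason = "RA from an unknown router"
        findings.append((m.group("ts"), str(src), mac, reason))
    return findings


if __name__ == "__main__":
    for ts, src, mac, reason in find_rogue_ras(SAMPLE_TCPDUMP):
        print(f"{ts} {src} mac={mac} {reason}")
```

Run it against `tcpdump -lni eth4 icmp6` output piped in, or over a saved capture. On the report's data it flags only fe80::f816:3eff:fe69:6644, whose recovered MAC fa:16:3e:69:66:44 marks it as a neutron-created port. Note that an RA whose source is not EUI-64 (for example a privacy address) still gets reported, just as an unknown router rather than an instance, so the allowlist is the authoritative check and the OUI test is the hint about where the RA came from.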