yahoo-eng-team team mailing list archive

[Bug 1736739] [NEW] Machines attached to isolated network are able to reach VMs attached to other networks


Public bug reported:

Machines attached to isolated network are able to reach VMs attached to other networks.
This behavior was observed using Symnet - the symbolic network analysis engine.

Pre-conditions: devstack latest version (at the time of writing) + all
services latest versions on ubuntu 16.04

Steps to reproduce:
Contents of local.conf:
[[local|localrc]]
ADMIN_PASSWORD=stack
DATABASE_PASSWORD=stack
RABBIT_PASSWORD=stack
RABBIT_HOST=localhost
SERVICE_PASSWORD=$ADMIN_PASSWORD
HOST_IP=192.168.154.23
IP_VERSION=4
LOGFILE=$DEST/logs/stack.sh.log
LOGDAYS=2
MYSQL_PASSWORD=stack
DATABASE_TYPE=mysql

[[post-config|$NEUTRON_CONF]]
[DEFAULT]
service_plugins = router,trunk

[[post-config|/$Q_PLUGIN_CONF_FILE]]
[securitygroup]
firewall_driver = openvswitch

After stack.sh finishes operation (note that devstack creates networks
public and private and a router to connect them).

source openrc admin demo
openstack server create --network private --image cirros-0.3.5-x86_64-disk --flavor m1.nano private
openstack network create isolated
openstack subnet create --network isolated --subnet-range 192.168.134.0/24 isolated
openstack server create --network isolated --image cirros-0.3.5-x86_64-disk --flavor m1.nano isolated

openstack port list --server private
// get MAC and IP of private server

openstack port list --server isolated
// get MAC and IP of isolated server

Log into isolated and create an ARP entry for private machine:
sudo ip route add 10.0.0.0/26 dev eth0 src <isolated_ip>
arp -s <private_ip> <private_mac>
ping <private_ip>

Back to the devstack machine:
sudo tcpdump -e -vv -i tap<private_port_id>
// notice the ICMP traffic originating from isolated towards private

Expected output: No traffic can get from the isolated VM to the private VM.
Actual output: Traffic from the isolated machine reaches the private virtual machine even though they are not connected via any router.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: ovs ovs-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1736739

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1736739/+subscriptions
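The verification step in the report ("tcpdump -e -vv -i tap<private_port_id>" and then looking for ICMP from the isolated VM by eye) can be automated. The script below is an added example and is not part of the bug report or of Neutron/devstack: it parses tcpdump -e -vv style output captured on the private VM's tap interface and flags every frame whose IPv4 source lies outside the subnets that are supposed to be able to reach that port. The allowed list (10.0.0.0/26, the devstack private subnet named in the report) and the two sample capture lines are constructed for the example; in a real check the allowed list would be the port's own subnet plus whatever the router actually connects.

```python
"""Flag cross-network traffic seen on a Neutron tap interface.

Added example for bug 1736739; not the reporter's or Neutron's code.
Reads `tcpdump -e -vv` text and reports frames whose L3 source is not in
the set of subnets that should be reachable from the port's network.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the private port should only see sources from its own subnet
# (10.0.0.0/26 in the report's devstack). Extend with router-connected nets.
PRIVATE_PORT_ALLOWED = ["10.0.0.0/26"]

# Constructed sample resembling `sudo tcpdump -e -vv -i tap<private_port_id>`.
# Frame 1: a normal ping from a neighbour on the private subnet.
# Frame 2: an echo request whose source is on the isolated subnet
#          (192.168.134.0/24), which no router connects to private.
SAMPLE_CAPTURE = """\
12:00:01.000001 fa:16:3e:11:22:33 > fa:16:3e:aa:bb:cc, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 fa:16:3e:44:55:66 > fa:16:3e:aa:bb:cc, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.134.7 > 10.0.0.9: ICMP echo request, id 2, seq 1, length 64
"""

# First line of each frame with -e: "<ts> <src mac> > <dst mac>, ethertype IPv4 (0x0800), ..."
_ETH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\)"
)
# Second line with -vv: "    <src ip>[.port] > <dst ip>[.port]: ..."
_IP_RE = re.compile(
    r"^\s+(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


@dataclass
class Frame:
    ts: str
    src_mac: str
    dst_mac: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address


def parse_capture(text):
    """Pair each Ethernet header line with the IP line that follows it."""
    frames = []
    pending = None
    for line in text.splitlines():
        eth = _ETH_RE.match(line)
        if eth:
            pending = eth
            continue
        ip = _IP_RE.match(line)
        if ip and pending:
            frames.append(Frame(
                pending["ts"], pending["smac"], pending["dmac"],
                ipaddress.ip_address(ip["sip"]), ipaddress.ip_address(ip["dip"]),
            ))
            pending = None
    return frames


def find_leaks(frames, allowed_sources):
    """Return frames whose source IP is outside every allowed subnet."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    return [f for f in frames if not any(f.src_ip in n for n in nets)]


def report(text, allowed_sources=PRIVATE_PORT_ALLOWED):
    """Human-readable summary; returns the number of offending frames."""
    leaks = find_leaks(parse_capture(text), allowed_sources)
    for f in leaks:
        print(f"{f.ts} unexpected source {f.src_ip} ({f.src_mac}) -> {f.dst_ip}")
    print(f"{len(leaks)} frame(s) from outside {allowed_sources}")
    return len(leaks)


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

With a real capture, pipe the tcpdump output into a file and pass its contents to report(); a non-zero result on a port whose network has no router path to the source subnet is exactly the condition the report describes as "Actual output", and zero is the "Expected output".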