yahoo-eng-team team mailing list archive

[Bug 1753757] [NEW] connection on Neutron Bridging

Public bug reported:

Summary (Bug title): connection on Neutron Bridging.

High level description: A bug was revealed in the default setting of
OpenStack mitaka Neutron. It allows bridging of TAP interfaces that do
not have a private Ethernet interface at the backend (those that are used
to connect to the internet). As a result, this connection would create a
serious security risk by disclosing the network traffic of tenants.

Pre-conditions: Created a project - test

Created a network, subnet, router, and VMs; the VMs are attached to the
network.

Step-by-step reproduction steps: CLI commands or API requests are great;

Connection with the bridge interface through which the traffic of all other
VMs passes.

create Mirror name=<mirror_name>
select-src-port=@br-int
set mirror @ br-int
select-src-port=@br-int
select-dst-port=@dummy0


As a result, this command can disclose the privacy of the tenant VMs by redirecting their network traffic to the destination point.

Version:
  OpenStack version stable/mitaka
  Linux Distro: Seen this behavior in Ubuntu. It is independent of distro.
  ** devstack 

Environment: what types of services are you running (core services like DB and AMQP broker, as well as Nova/hypervisor if it matters), and which type of deployment (clustered servers)? Multi-node or single node, etc.
Single node. Independent of Hypervisor.

Perceived severity: is this a blocker for you?
I think this must be fixed in the next release, as it discloses the privacy of tenants.

** Affects: neutron
     Importance: Undecided
     Assignee: new (cloudie)
         Status: In Progress

** Patch added: "By executing this patch on devstack, it blocks all such attachments."
   https://bugs.launchpad.net/bugs/1753757/+attachment/5070735/+files/ovs_vsctl_enhance.py

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1753757
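As an added defender-side example (not the reporter's ovs_vsctl_enhance.py patch and not Neutron code), the following Python script audits the Open vSwitch Mirror table for the kind of mirror this report describes: a mirror on br-int whose output port is not a port the Neutron OVS agent manages. The sample ovs-vsctl output, the UUIDs and the list of Neutron port-name prefixes are constructed assumptions.

```python
import re

# Constructed sample of `ovs-vsctl list Mirror` output (trimmed to the
# relevant columns; UUIDs are made up).
SAMPLE_MIRRORS = """\
_uuid               : 1a2b3c4d-0000-4000-8000-000000000001
name                : "tenant_tap"
output_port         : 9f8e7d6c-0000-4000-8000-000000000010
select_all          : true
select_dst_port     : []
select_src_port     : []
"""

# Constructed sample of `ovs-vsctl --columns=_uuid,name list Port` output.
SAMPLE_PORTS = """\
_uuid               : 9f8e7d6c-0000-4000-8000-000000000010
name                : dummy0

_uuid               : 9f8e7d6c-0000-4000-8000-000000000011
name                : "tapaaaaaaaa-aa"
"""

# Assumed prefixes of port names that the Neutron OVS agent itself creates.
NEUTRON_PREFIXES = ("tap", "qvo", "qvb", "patch-", "int-br-", "phy-br-")

def parse_records(text):
    """Turn blank-line-separated `ovs-vsctl list` output into a list of dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records

def suspicious_mirrors(mirror_text, port_text, allowed=NEUTRON_PREFIXES):
    """Return (mirror name, output port name) for every mirror whose output
    port is not Neutron-managed, i.e. bridge traffic is copied to an unknown tap."""
    port_names = {p["_uuid"]: p["name"] for p in parse_records(port_text)}
    findings = []
    for m in parse_records(mirror_text):
        out = port_names.get(m.get("output_port", ""), m.get("output_port", ""))
        if not out.startswith(allowed):
            findings.append((m["name"], out))
    return findings

if __name__ == "__main__":
    for name, port in suspicious_mirrors(SAMPLE_MIRRORS, SAMPLE_PORTS):
        print(f"ALERT: mirror {name!r} copies br-int traffic to non-Neutron port {port!r}")
```

To audit a live node, feed the real output of `ovs-vsctl list Mirror` and `ovs-vsctl --columns=_uuid,name list Port` into suspicious_mirrors().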