yahoo-eng-team team mailing list archive

[Bug 1813439] Re: an instance can see other instances' unicast packages when security group firewall_driver is openvswitch

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

Is this a misconfiguration in neutron or is it an OVS issue?

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1813439

Title:
  an instance can see other instances' unicast packages when security
  group firewall_driver is openvswitch

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  We found that instances on the same host can see each other's unicast
  packets going out to instances on a different host if these instances are
  on the same subnet when the security group firewall_driver is openvswitch.

  # How to reproduce

  1. create 3 VMs on the same subnet (VLAN or VXLAN, it does not matter),
  call them vm1, vm2, vm3:

  vm1: 192.168.100.3 (compute 1)
  vm2: 192.168.100.12 (compute 1)
  vm3: 192.168.100.17 (compute 2)

  vm1 and vm2 are on the same host, while vm3 is on the other host.

  2. ping vm3 from vm2

  3. tcpdump eth0 on vm1; you will see that ICMP echo request packets from
  vm2 to vm3 are captured

  # tcpdump -enni eth0 icmp
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  09:01:59.361792 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 4, length 64
  09:02:00.361772 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 5, length 64
  09:02:01.361785 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 6, length 64
  09:02:02.361798 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 7, length 64

  4. ping vm2 from vm3

  5. tcpdump eth0 on vm1; you will see that ICMP echo reply packets from
  vm2 to vm3 are captured

  # tcpdump -enni eth0 icmp
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  09:03:39.608748 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 3, length 64
  09:03:40.609475 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 4, length 64
  09:03:41.609444 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 5, length 64

  TCP/UDP packets have the same problem; this causes a performance issue
  and a security problem in production. This does not happen when the
  security group firewall driver is iptables_hybrid or when port security
  is disabled.

  # Versions

  I tested this on the N and R releases; both have the same problem. The
  R release neutron package versions are:

  openstack-neutron-ml2-13.0.2-1.el7.noarch
  openstack-neutron-openvswitch-13.0.2-1.el7.noarch
  python2-neutronclient-6.9.1-1.el7.noarch
  openstack-neutron-common-13.0.2-1.el7.noarch
  openstack-neutron-fwaas-13.0.1-1.el7.noarch
  openstack-neutron-13.0.2-1.el7.noarch
  openstack-neutron-lbaas-13.0.0-1.el7.noarch
  python2-neutron-lib-1.18.0-1.el7.noarch
  python-neutron-lbaas-13.0.0-1.el7.noarch
  python-neutron-13.0.2-1.el7.noarch
  python-neutron-fwaas-13.0.1-1.el7.noarch

  and the operating system and kernel are:

  [root@node-30 ~]# cat /etc/redhat-release
  CentOS Linux release 7.5.1804 (Core)

  [root@node-30 ~]# uname -a
  Linux node-30 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon Jul 16 16:29:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

  and the openvswitch version is:

  openvswitch-2.9.0-3.el7.x86_64

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1813439/+subscriptions