yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #79713
[Bug 1837252] Re: IFLA_BR_AGEING_TIME of 0 causes flooding across bridges
For a while I've been meaning to raise the topic of dropping requirement
#5 from
https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
since it was a high bar to clear and even projects which were previously
under vulnerability management before the tag existed did not
retroactively undergo threat analysis. While I still think it would be
swell to have architectural info on critical OpenStack components, the
volume of vulnerability reports we've received in recent years is low
enough that I think we could cover more projects even without that. I
did bring this up with the other members of the OpenStack VMT and there
was no disagreement, so I'll start a thread about that on the ML.
I'll go ahead and draft an impact description since it looks like the
stable/stein change is passing and likely to merge, and then request a
CVE assignment and prepare to issue an advisory.
** Changed in: ossa
Status: Won't Fix => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1837252
Title:
IFLA_BR_AGEING_TIME of 0 causes flooding across bridges
Status in neutron:
Invalid
Status in OpenStack Compute (nova):
Invalid
Status in os-vif:
Fix Released
Status in os-vif stein series:
In Progress
Status in os-vif trunk series:
Fix Released
Status in OpenStack Security Advisory:
Confirmed
Bug description:
Release: OpenStack Stein
Driver: LinuxBridge
Using Stein w/ the LinuxBridge mech driver/agent, we have found that
traffic is being flooded across bridges. Using tcpdump inside an
instance, you can see unicast traffic for other instances.
We have confirmed the macs table shows the aging timer set to 0 for
permanent entries, and the bridge is NOT learning new MACs:
root@lab-compute01:~# brctl showmacs brqd0084ac0-f7
port no mac addr is local? ageing timer
5 24:be:05:a3:1f:e1 yes 0.00
5 24:be:05:a3:1f:e1 yes 0.00
1 fe:16:3e:02:62:18 yes 0.00
1 fe:16:3e:02:62:18 yes 0.00
7 fe:16:3e:07:65:47 yes 0.00
7 fe:16:3e:07:65:47 yes 0.00
4 fe:16:3e:1d:d6:33 yes 0.00
4 fe:16:3e:1d:d6:33 yes 0.00
9 fe:16:3e:2b:2f:f0 yes 0.00
9 fe:16:3e:2b:2f:f0 yes 0.00
8 fe:16:3e:3c:42:64 yes 0.00
8 fe:16:3e:3c:42:64 yes 0.00
10 fe:16:3e:5c:a6:6c yes 0.00
10 fe:16:3e:5c:a6:6c yes 0.00
2 fe:16:3e:86:9c:dd yes 0.00
2 fe:16:3e:86:9c:dd yes 0.00
6 fe:16:3e:91:9b:45 yes 0.00
6 fe:16:3e:91:9b:45 yes 0.00
11 fe:16:3e:b3:30:00 yes 0.00
11 fe:16:3e:b3:30:00 yes 0.00
3 fe:16:3e:dc:c3:3e yes 0.00
3 fe:16:3e:dc:c3:3e yes 0.00
root@lab-compute01:~# bridge fdb show | grep brqd0084ac0-f7
01:00:5e:00:00:01 dev brqd0084ac0-f7 self permanent
fe:16:3e:02:62:18 dev tap74af38f9-2e master brqd0084ac0-f7 permanent
fe:16:3e:02:62:18 dev tap74af38f9-2e vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:86:9c:dd dev tapb00b3c18-b3 master brqd0084ac0-f7 permanent
fe:16:3e:86:9c:dd dev tapb00b3c18-b3 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:dc:c3:3e dev tap7284d235-2b master brqd0084ac0-f7 permanent
fe:16:3e:dc:c3:3e dev tap7284d235-2b vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:1d:d6:33 dev tapbeb9441a-99 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:1d:d6:33 dev tapbeb9441a-99 master brqd0084ac0-f7 permanent
24:be:05:a3:1f:e1 dev eno1.102 vlan 1 master brqd0084ac0-f7 permanent
24:be:05:a3:1f:e1 dev eno1.102 master brqd0084ac0-f7 permanent
fe:16:3e:91:9b:45 dev tapc8ad2cec-90 master brqd0084ac0-f7 permanent
fe:16:3e:91:9b:45 dev tapc8ad2cec-90 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:07:65:47 dev tap86e2c412-24 master brqd0084ac0-f7 permanent
fe:16:3e:07:65:47 dev tap86e2c412-24 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:3c:42:64 dev tap37bcb70e-9e master brqd0084ac0-f7 permanent
fe:16:3e:3c:42:64 dev tap37bcb70e-9e vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:2b:2f:f0 dev tap40f6be7c-2d vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:2b:2f:f0 dev tap40f6be7c-2d master brqd0084ac0-f7 permanent
fe:16:3e:b3:30:00 dev tap6548bacb-c0 vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:b3:30:00 dev tap6548bacb-c0 master brqd0084ac0-f7 permanent
fe:16:3e:5c:a6:6c dev tap61107236-1e vlan 1 master brqd0084ac0-f7 permanent
fe:16:3e:5c:a6:6c dev tap61107236-1e master brqd0084ac0-f7 permanent
The ageing time for the bridge is set to 0:
root@lab-compute01:~# brctl showstp brqd0084ac0-f7
brqd0084ac0-f7
bridge id 8000.24be05a31fe1
designated root 8000.24be05a31fe1
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
forward delay 0.00 bridge forward delay 0.00
ageing time 0.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 0.00
flags
The default ageing time of 300 is being overridden by the value set
here:
Stein: https://github.com/openstack/os-
vif/blob/stable/stein/os_vif/internal/command/ip/linux/impl_pyroute2.py#L89
Master: https://github.com/openstack/os-
vif/blob/master/os_vif/internal/ip/linux/impl_pyroute2.py#L89
I am not sure of the behavior in OVS environments using the iptables
firewall, but I have confirmed the 'qbr' bridges also have a ageing
time of 0 (formerly 300).
Please let me know if you have any questions.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1837252/+subscriptions
References
