yahoo-eng-team team mailing list archive
Message #81538
[Bug 1666959] Re: ha_vrrp_auth_type defaults to PASS which is insecure
** Changed in: neutron
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1666959
Title:
ha_vrrp_auth_type defaults to PASS which is insecure
Status in neutron:
Won't Fix
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
With l3_ha enabled, ha_vrrp_auth_type defaults to PASS authentication:
https://github.com/openstack/neutron/blob/b90ec94dc3f83f63bdb505ace1e4c272435c494b/neutron/conf/agent/l3/ha.py#L28
which according to
http://louwrentius.com/configuring-attacking-and-securing-vrrp-on-linux.html
is totally insecure because the VRRP password is transmitted in the clear.
I'm not sure if this is currently a serious issue, since if the VRRP
network is untrusted, maybe there are already bigger problems. But I
thought it was worth reporting, at least.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1666959/+subscriptions
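
A configuration check for the condition the bug description reports, as an added example that is not part of the original message or of neutron's code: it merges INI-style config texts and flags an effective `ha_vrrp_auth_type` of PASS when `l3_ha` is enabled, whether PASS was set explicitly or inherited from the default. It assumes both options sit in `[DEFAULT]` and that an unset `l3_ha` means disabled; the function names and sample configs are constructed for illustration.

```python
import configparser

DEFAULT_AUTH_TYPE = "PASS"  # default named in the bug report
TRUE_VALUES = {"true", "1", "yes", "on"}


def effective_vrrp_auth(conf_texts):
    """Merge INI texts in order (later wins).

    Returns (l3_ha_enabled, auth_type, explicitly_set).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    for text in conf_texts:
        parser.read_string(text)
    defaults = parser.defaults()  # options under [DEFAULT]
    # Assumption: an absent l3_ha is treated as disabled.
    l3_ha = defaults.get("l3_ha", "false").strip().lower() in TRUE_VALUES
    explicit = "ha_vrrp_auth_type" in defaults
    auth_type = defaults.get("ha_vrrp_auth_type", DEFAULT_AUTH_TYPE).strip().upper()
    return l3_ha, auth_type, explicit


def audit(conf_texts):
    """Return a list of findings; empty when the reported condition is absent."""
    l3_ha, auth_type, explicit = effective_vrrp_auth(conf_texts)
    if not l3_ha or auth_type != "PASS":
        return []
    source = "set explicitly" if explicit else "inherited from the default"
    return [
        f"l3_ha is enabled and ha_vrrp_auth_type is PASS ({source}): "
        "the VRRP password is transmitted in the clear"
    ]


# Constructed sample configs (not taken from any real deployment).
SAMPLE_SERVER = "[DEFAULT]\nl3_ha = True\n"
SAMPLE_AGENT_UNSET = "[DEFAULT]\n# ha_vrrp_auth_type left unset\n"
SAMPLE_AGENT_AH = "[DEFAULT]\nha_vrrp_auth_type = AH\n"  # the option's other accepted value

if __name__ == "__main__":
    for label, agent in (("unset", SAMPLE_AGENT_UNSET), ("AH", SAMPLE_AGENT_AH)):
        findings = audit([SAMPLE_SERVER, agent])
        print(label, "->", findings or "no finding")
```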