yahoo-eng-team team mailing list archive
Message #83446
[Bug 1889631] [NEW] [OVS][FW] Multicast non-IGMP traffic is allowed by default, not in iptables FW
Public bug reported:
In iptables firewall, the multicast traffic (non-IGMP) from 224.0.0.X
was blocked. For example, VRRP traffic
(https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol) was
blocked until a rule was added to allow it.
In OVS native firewall implementation, this traffic is allowed by default because:
- The OVS FW does not block it.
- OVS follows the recommendations provided in https://tools.ietf.org/html/rfc4541, chapter 2.1.2, section (2):
"Packets with a destination IP (DIP) address in the 224.0.0.X range
which are not IGMP must be forwarded on all ports.
This recommendation is based on the fact that many host systems do
not send Join IP multicast addresses in this range before sending
or listening to IP multicast packets. Furthermore, since the
224.0.0.X address range is defined as link-local (not to be
routed), it seems unnecessary to keep the state for each address
in this range. Additionally, some routers operate in the
224.0.0.X address range without issuing IGMP Joins, and these
applications would break if the switch were to prune them due to
not having seen a Join Group message from the router."
That means this traffic, belonging to a link-local IP address, in the
range 224.0.0.x, should be always forwarded to all ports.
Deployments migrating from iptables FW to OVS FW won't have this traffic blocked by default; this is a behavior change between both.
Should we implicitly block this traffic when using OVS FW?
** Affects: neutron
Importance: Undecided
Status: New
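To make the behaviour difference concrete, below is a small model of the two firewall drivers as the report describes them. This is an added example, not neutron code: the Rule and Packet classes, the function names and the sample traffic are constructed for illustration, and the OVS branch simply encodes the RFC 4541 section 2.1.2 (2) exemption the report quotes (non-IGMP traffic to 224.0.0.X is forwarded regardless of security-group rules).

```python
"""Model of the iptables-FW vs OVS-FW handling of 224.0.0.X multicast.

Added example; not part of neutron. Rule/Packet, the function names and
the sample rules/packets are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IGMP = 2      # IANA protocol number
VRRP = 112    # IANA protocol number
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # the 224.0.0.X range of RFC 4541


@dataclass(frozen=True)
class Rule:
    """Simplified ingress security-group rule: IP protocol (None = any) and remote prefix."""
    protocol: Optional[int]
    remote_cidr: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.remote_cidr)


def allowed_by_sg(rules: List[Rule], pkt: Packet) -> bool:
    """Default deny: a packet passes only if some rule explicitly matches it."""
    return any(_rule_matches(r, pkt) for r in rules)


def iptables_fw_allows(rules: List[Rule], pkt: Packet) -> bool:
    """iptables driver as described in the report: 224.0.0.X gets no special
    treatment, so VRRP and similar traffic is dropped unless a rule allows it."""
    return allowed_by_sg(rules, pkt)


def ovs_fw_allows(rules: List[Rule], pkt: Packet) -> bool:
    """OVS native driver as described in the report (RFC 4541, 2.1.2 (2)):
    non-IGMP traffic to 224.0.0.X is forwarded to all ports before the
    security-group rules are consulted."""
    if ipaddress.ip_address(pkt.dst) in LINK_LOCAL_MCAST and pkt.protocol != IGMP:
        return True
    return allowed_by_sg(rules, pkt)


def newly_allowed_after_migration(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets that were dropped by the iptables FW but pass the OVS FW with the same rules."""
    return [p for p in packets if ovs_fw_allows(rules, p) and not iptables_fw_allows(rules, p)]


# Constructed sample: a security group that only allows TCP from the tenant subnet.
SAMPLE_RULES = [Rule(protocol=6, remote_cidr="10.0.0.0/24")]

VRRP_ADVERT = Packet(src="10.0.0.5", dst="224.0.0.18", protocol=VRRP)
SAMPLE_PACKETS = [
    VRRP_ADVERT,                                              # VRRP to the all-VRRP-routers group
    Packet(src="10.0.0.5", dst="224.0.0.1", protocol=IGMP),   # IGMP: still needs a rule under both
    Packet(src="10.0.0.5", dst="239.1.1.1", protocol=17),     # non-link-local multicast: no exemption
    Packet(src="10.0.0.5", dst="10.0.0.9", protocol=6),       # unicast TCP matched by the rule
    Packet(src="192.168.1.1", dst="10.0.0.9", protocol=6),    # unicast TCP from outside the prefix
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.dst:>12} proto {pkt.protocol:>3}: "
              f"iptables={iptables_fw_allows(SAMPLE_RULES, pkt)!s:5} "
              f"ovs={ovs_fw_allows(SAMPLE_RULES, pkt)}")
    print("newly allowed after iptables -> OVS migration:",
          newly_allowed_after_migration(SAMPLE_RULES, SAMPLE_PACKETS))
```

Running it shows that, with the same security group, only the VRRP advertisement to 224.0.0.18 changes from dropped to allowed; IGMP, non-link-local multicast and unicast are treated identically by both drivers. The practical pre-migration check this suggests is to review which security groups have no explicit rule for protocol 112 (or other 224.0.0.X consumers), since those are the ports whose effective policy silently widens.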
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1889631