yahoo-eng-team team mailing list archive
Message #94118
[Bug 1689830] Re: [RFE] Add attribute to the a port that lists the UUIDs of other ports that the port is allowed to impersonate
Closing as this bug is very old and there was never a spec or patch
proposed for this. Please re-open if anyone wishes to work on it.
Thanks.
** Changed in: neutron
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1689830
Title:
[RFE] Add attribute to the a port that lists the UUIDs of other ports
that the port is allowed to impersonate
Status in neutron:
Won't Fix
Bug description:
==========================================================
Advanced policy for address pair
==========================================================
The allowed address pair extension extends the port attribute to enable you to
specify arbitrary mac_address/ip_address(cidr) pairs that are allowed to pass
through a port regardless of the subnet associated with the network.
Allowed address pairs are typically used to specify a moving or virtual
IP between an HA server pair.
Problem Description
===================
An end user can only create ports with allowed address pairs on non-owned
networks (shared or provider) with elevated privileges. With elevated
privileges it is possible to use any IP or MAC address. This poses a
significant security risk, because the attacker may abuse this privilege
for DoS or man-in-the-middle attacks.
Proposed Change
===============
Extend the currently existing policy with a rule that allows a user to
create or update a port with allowed address pairs to already allocated
IP / MAC addresses.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1689830/+subscriptions
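
The rule in the proposed change, sketched as an added example (not Neutron code and not part of the original bug report): each requested allowed address pair is checked against addresses already allocated to ports on the network. The port dictionaries, the function name check_pairs and the sample addresses are constructed for illustration; rejecting any CIDR wider than one host, and requiring a supplied MAC to match the port that holds the IP, are assumptions.

```python
import ipaddress

# Constructed sample: ports that already exist on one shared network.
NETWORK_PORTS = [
    {"id": "port-vip", "mac_address": "fa:16:3e:00:00:0a", "fixed_ips": ["10.0.0.100"]},
    {"id": "port-gw", "mac_address": "fa:16:3e:00:00:01", "fixed_ips": ["10.0.0.1"]},
]


def _single_host(cidr):
    """Return the address if cidr names exactly one host, else None."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return None
    return net.network_address if net.num_addresses == 1 else None


def check_pairs(requested_pairs, network_ports):
    """Split requested pairs into accepted [(pair, port_id)] and rejected [(pair, reason)]."""
    # Index every allocated fixed IP by the port that holds it.
    by_ip = {}
    for port in network_ports:
        for ip in port["fixed_ips"]:
            by_ip[ipaddress.ip_address(ip)] = port

    accepted, rejected = [], []
    for pair in requested_pairs:
        host = _single_host(pair["ip_address"])
        if host is None:
            # Assumption: a range cannot count as "already allocated".
            rejected.append((pair, "not a single host address"))
            continue
        port = by_ip.get(host)
        if port is None:
            rejected.append((pair, "IP is not allocated on this network"))
            continue
        mac = pair.get("mac_address")
        # Assumption: an omitted MAC means the requesting port's own MAC is used.
        if mac is not None and mac.lower() != port["mac_address"].lower():
            rejected.append((pair, "MAC does not belong to the port holding this IP"))
            continue
        accepted.append((pair, port["id"]))
    return accepted, rejected
```

The port id returned with each accepted pair identifies which existing port the requester would be allowed to impersonate, which is the list the bug title asks to expose.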