
yahoo-eng-team team mailing list archive

[Bug 1689830] Re: [RFE] Add attribute to the a port that lists the UUIDs of other ports that the port is allowed to impersonate

 

Closing as this bug is very old and there was never a spec or patch
proposed for this. Please re-open if anyone wishes to work on it.
Thanks.

** Changed in: neutron
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1689830

Title:
  [RFE] Add attribute to the a port that lists the UUIDs of other ports
  that the port is allowed to impersonate

Status in neutron:
  Won't Fix

Bug description:
  ==========================================================
  Advanced policy for address pair  
  ==========================================================

  The allowed address pair extension extends the port attribute to enable you to
  specify arbitrary mac_address/ip_address(cidr) pairs that are allowed to pass
  through a port regardless of the subnet associated with the network.

  Allowed address pairs are typically used to specify a moving or virtual
  IP between an HA server pair.

  Problem Description
  ===================

  An end user can only create ports with allowed address pairs on non-owned
  networks (shared or provider) with elevated privileges. With elevated
  privileges it is possible to use any IP or MAC address. This poses a
  significant security risk, because the attacker may abuse this privilege
  for DoS or man-in-the-middle attacks.

  Proposed Change
  ===============

  Extend the currently existing policy with a rule that allows a user to
  create or update a port with allowed address pairs to already allocated
  IP / MAC addresses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1689830/+subscriptions
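
The check described under "Proposed Change", sketched as an added example; it is not code from the bug report or from neutron. The Port record, the sample ports and rejected_pairs() are hypothetical, and the reading that "already allocated" means allocated to a port of the requesting project on the same network is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """Hypothetical, simplified stand-in for a port record."""
    id: str
    project_id: str
    network_id: str
    mac_address: str
    fixed_ips: tuple  # IP address strings already allocated to this port


# Constructed sample data: three ports on one shared network.
PORTS = [
    Port("p-vip", "proj-a", "net-shared", "fa:16:3e:00:00:10", ("10.0.0.10",)),
    Port("p-srv1", "proj-a", "net-shared", "fa:16:3e:00:00:11", ("10.0.0.11",)),
    Port("p-other", "proj-b", "net-shared", "fa:16:3e:00:00:20", ("10.0.0.20",)),
]


def rejected_pairs(project_id, network_id, pairs, ports=PORTS):
    """Return the requested address pairs the assumed rule would refuse."""
    # Assumption: only addresses held by the requester's own ports qualify.
    owned = [p for p in ports
             if p.project_id == project_id and p.network_id == network_id]
    owned_ips = {ipaddress.ip_address(ip) for p in owned for ip in p.fixed_ips}
    owned_macs = {p.mac_address.lower() for p in owned}

    rejected = []
    for pair in pairs:
        try:
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
        except (KeyError, ValueError):
            rejected.append(pair)  # missing or malformed ip_address
            continue
        # Assumption: a CIDR wider than one host is never "already allocated".
        ip_ok = net.num_addresses == 1 and net.network_address in owned_ips
        # mac_address is optional in a pair; when given it must be owned too.
        mac = pair.get("mac_address")
        mac_ok = mac is None or mac.lower() in owned_macs
        if not (ip_ok and mac_ok):
            rejected.append(pair)
    return rejected
```
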


