yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94362
[Bug 2075539] Re: port-security iptables rules allows rogue DHCP servers to reach instances
Hi Arun,
While I can't confirm this is still a bug, there are a couple of things
to be aware of.
1) Xena is an unsupported release, at this point only 2023.1 (Antelope)
and later are actively supported by the upstream community.
2) Linux Bridge is unsupported and considered an "experimental" option
for Neutron. While we will consider any patches for it, the code is not
actively maintained because of its low use.
For those reasons I would consider moving to ML2/OVS or OVN if possible.
If this issue could be reproduced in one of those drivers we could
investigate further.
** Changed in: neutron
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2075539
Title:
port-security iptables rules allows rogue DHCP servers to reach
instances
Status in neutron:
Won't Fix
Bug description:
High level description:
The default iptables rules added by neutron port-security allows the
replies from rogue DHCP servers to reach the VM on provider network
steps to reproduce-
- Create provider network with DHCP enabled
- enable port-security
- if there is a rogue DHCP running on the network, or behind the router (when dhcp relay is enabled on router), the DHCP-discover from VMs will reach there and dhcp-offer and dhcp-ack from those Rogue DHCP servers can hit VMs.
- there is 50% probability that VMs get configured with IP from rogue DHCP instead of neutron assigned IP
Below are the two of the default rules added by neutron on the input chain of port.
-A neutron-linuxbri-i13f86148-e -d xx.xx.xx.xx/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-linuxbri-i13f86148-e -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
The second rule in the above chain will allow a DHCP udp packet with destination address as broadcast address.
When does VM receives DHCP replies as broadcast:
Guest VMs, especially windows VM send DHCP discovery with broadcast
FLag set, by explicitly telling DHCP server to generate replies as
broadcast instead of unicast.
Below is a dhcp-udp packet from a rogue dhcp server:
1:09:32.461689 IP (tos 0x0, ttl 255, id 25540, offset 0, flags [none], proto UDP (17), length 337)
_gateway.bootps > 255.255.255.255.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 309, hops 1, xid 0x782eed61, Flags [Broadcast] (0x8000)
Your-IP 10.20.146.108
Gateway-IP _gateway
Client-Ethernet-Address fa:16:3e:8f:8c:0c (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Subnet-Mask Option 1, length 4: 255.255.248.0
Default-Gateway Option 3, length 4: _gateway
Domain-Name-Server Option 6, length 4: 10.20.136.61
Hostname Option 12, length 7: "win22-1"
Domain-Name Option 15, length 15: "xx.xx"
Lease-Time Option 51, length 4: 1800
Server-ID Option 54, length 4: 172.22.0.5
Client-ID Option 61, length 7: ether fa:16:3e:8f:8c:0c
END Option 255, length 0
Expected output:
The port security of neutron not bypassing these broadcast DCHP
replies from Rogue DHCP server
Actual output:
The VM receives these rogue dhcp-replies along with replies from
neutron dhcp-agent and sometimes gets configured with wrong IP.
proposed fix:
When dhcp is enabled for the provider network, the DHCP offer and
DHCP-ACK from the dnsmasq process will have the dhcp-agent's IP as
source IP. But the destination can be either broadcast address or
unicast address (VM's offered IP)
So we need to allow only DHCP replies whose source address is neutron
dhcp-agent's IP, when its broadcasting replies.
something like,
-A neutron-linuxbri-i13f86148-e -s xx.xx.xx.xx -d 255.255.255.255/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
where , xx.xx.xx.xx is neutron dhcp-agent's IP
version:
openstack: xena
Linux distro: centos 8
Environment:
neutron driver: linux bridge
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2075539/+subscriptions
References