yahoo-eng-team team mailing list archive
Message #95760
[Bug 2107634] [NEW] Same Host Traffic Leaks in Neutron DVR When Using BGP
Public bug reported:
Hi everyone,
When Neutron BGP Dynamic Routing and DVR are used, instances in VXLAN
tenant networks located in different routers within different projects
can directly access each other if they are on the same compute host.
(They should ideally communicate via the gateway IP address of the
provider network serving as the router's external gateway).
Although the routers are in different projects, because their external
gateways are the same, the north-south traffic exiting the routers
reaches the fip namespace on the compute node due to the "fast-exit"
feature ([RFE] "Fast exit" for compute node egress flows when using DVR
- https://bugs.launchpad.net/neutron/+bug/1577488).
This situation occurs due to the tenant network routes present in the
fip namespace on the compute node. The purpose of these routes is to
forward traffic arriving at the agent gateway IP address (announced as
the next-hop in BGP) towards the VMs via the qrouter namespace. (These
are the routes in the main table - see attachment).
While using different provider networks as the external gateway for each
router comes to mind as a solution, creating a dedicated external
gateway for each router is excessively costly, almost impossible, and
illogical. This is because, due to the address scope limitations in BGP
usage, it would also necessitate creating a new BGP speaker and
establishing a BGP connection for each tenant.
According to SOX cybersecurity compliance, it must be possible to apply
ACLs on the access between VXLAN tenant networks. We cannot use Security
Groups because we cannot manage ACLs centrally and easily, and as
discussed in a bug report we previously submitted, packet loss during
live migration increases dramatically as the number of rules grows.
Neutron developers informed us that there is no definitive solution for
this, and it operates on a best-effort basis.
(https://bugs.launchpad.net/neutron/+bug/1970606) Therefore, we need to
route the traffic between tenant networks through a physical firewall.
In conclusion, we consider this situation a bug. What is your
assessment?
We think it would be nice to add a new config flag, and based on the
value of this flag, the VXLAN tenant networks could be isolated. Moving
the tenant network routes added to the fip namespace from the main table
to a different table, and adding the agent gateway port as an input
interface (iif) condition to the rule, is sufficient (see attachment).
Thanks.
** Affects: neutron
Importance: Undecided
Status: New
** Attachment added: "fip-netns-ip-route-rule.txt"
https://bugs.launchpad.net/bugs/2107634/+attachment/5872630/+files/fip-netns-ip-route-rule.txt
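The isolation the report proposes (tenant network routes moved out of the fip namespace's main table into their own table, reachable only through a rule keyed on the agent gateway port as iif), as an added model that is not part of the bug report and not Neutron's code: a small policy-routing resolver in Python that mimics the kernel's `ip rule` / `ip route` evaluation and compares the current layout with the isolated one. Interface names (fg-ext, fpr-A, fpr-B), addresses, the table name "tenant" and the rule priorities are constructed for illustration.

```python
"""Model of the policy-routing lookup inside a DVR fip namespace.

Constructed example: interface names, addresses and the table name are
invented for illustration; this is not Neutron code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    dst: str                 # destination prefix, e.g. "10.10.2.0/24"
    dev: str                 # egress interface inside the fip namespace
    via: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    iif: Optional[str] = None  # None: rule matches any ingress interface


class FipNamespace:
    """Mimics `ip rule` / `ip route` evaluation: rules in priority order,
    longest-prefix match per table, fall through on a table miss."""

    def __init__(self, rules: List[Rule], tables: Dict[str, List[Route]]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.tables = tables

    def lookup(self, dst_ip: str, iif: str) -> Optional[Route]:
        dst = ip_address(dst_ip)
        for rule in self.rules:
            if rule.iif is not None and rule.iif != iif:
                continue  # rule does not apply to this ingress interface
            best = None
            for route in self.tables.get(rule.table, []):
                net = ip_network(route.dst)
                if dst in net and (best is None or net.prefixlen > ip_network(best.dst).prefixlen):
                    best = route
            if best is not None:
                return best
            # table miss: the kernel continues with the next rule
        return None

    def iproute2(self) -> List[str]:
        """Render the layout as the ip(8) commands that would create it."""
        cmds = []
        for table, routes in self.tables.items():
            for r in routes:
                via = f" via {r.via}" if r.via else ""
                cmds.append(f"ip route add {r.dst}{via} dev {r.dev} table {table}")
        for rule in self.rules:
            iif = f" iif {rule.iif}" if rule.iif else ""
            cmds.append(f"ip rule add priority {rule.priority}{iif} lookup {rule.table}")
        return cmds


# Constructed topology: fg-ext is the agent gateway port on the provider
# network; fpr-A / fpr-B are the links to the qrouter namespaces of two
# routers owned by different projects, each with one VXLAN tenant network.
TENANT_ROUTES = [
    Route("10.10.1.0/24", dev="fpr-A", via="169.254.106.114"),
    Route("10.10.2.0/24", dev="fpr-B", via="169.254.106.116"),
]
DEFAULT_ROUTE = Route("0.0.0.0/0", dev="fg-ext", via="203.0.113.1")


def current_layout() -> FipNamespace:
    """Today: tenant routes live in the main table, so a packet arriving
    from one router can be delivered straight to the other router."""
    return FipNamespace(
        rules=[Rule(32766, "main")],
        tables={"main": TENANT_ROUTES + [DEFAULT_ROUTE]},
    )


def isolated_layout() -> FipNamespace:
    """Proposal: tenant routes in their own table, consulted only for packets
    entering on the agent gateway port (BGP-attracted north-south traffic)."""
    return FipNamespace(
        rules=[Rule(100, "tenant", iif="fg-ext"), Rule(32766, "main")],
        tables={"tenant": TENANT_ROUTES, "main": [DEFAULT_ROUTE]},
    )


def egress_dev(ns: FipNamespace, dst_ip: str, iif: str) -> Optional[str]:
    route = ns.lookup(dst_ip, iif)
    return route.dev if route else None


if __name__ == "__main__":
    for name, ns in (("current", current_layout()), ("isolated", isolated_layout())):
        print(f"{name}: router A -> 10.10.2.5 leaves via {egress_dev(ns, '10.10.2.5', 'fpr-A')}")
        print(f"{name}: fg-ext   -> 10.10.2.5 leaves via {egress_dev(ns, '10.10.2.5', 'fg-ext')}")
    print("\n".join(isolated_layout().iproute2()))
```

In the current layout a packet from router A to a tenant network behind router B matches the tenant route in the main table and is handed to fpr-B without ever leaving the host. In the isolated layout the same packet skips the iif-restricted rule, misses in the main table except for the default route, and goes out fg-ext to the provider gateway, where a physical firewall can apply the ACLs the report needs; traffic that enters on fg-ext (the BGP next-hop path) still reaches the tenant table and is delivered to the right router. The model covers only the fip namespace's rule and route evaluation, not the qrouter side or connection tracking.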
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2107634
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2107634/+subscriptions