yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2107634] [NEW] Same Host Traffic Leaks in Neutron DVR When Using BGP

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Yusuf Güngör <2107634@xxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Apr 2025 12:41:57 -0000
Reply-to: Bug 2107634 <2107634@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

Hi everyone,

When Neutron BGP Dynamic Routing and DVR are used, instances in VXLAN
tenant networks located in different routers within different projects
can directly access each other if they are on the same compute host.
(They should ideally communicate via the gateway IP address of the
provider network serving as the router's external gateway).

Although the routers are in different projects, because their external
gateways are the same, the north-south traffic exiting the routers
reaches the fip namespace on the compute node due to the "fast-exit"
feature. ([RFE]"Fast exit" for compute node egress flows when using DVR
- https://bugs.launchpad.net/neutron/+bug/1577488)

This situation occurs due to the tenant network routes present in the
fip namespace on the compute node. The purpose of these routes is to
forward traffic arriving at the agent gateway IP address (announced as
the next-hop in BGP) towards the VMs via the qrouter namespace. (These
are the routes in the main table - see attacment).

While using different provider networks as the external gateway for each
router comes to mind as a solution, creating a dedicated external
gateway for each router is excessively costly, almost impossible, and
illogical. This is because, due to the address scope limitations in BGP
usage, it would also necessitate creating a new BGP speaker and
establishing a BGP connection for each tenant.

According to SOX cybersecurity compliance, it must be possible to apply
ACLs on the access between VXLAN tenant networks. We cannot use Security
Groups because we cannot manage ACLs centrally and easily, and as
discussed in a bug report we previously submitted, packet loss during
live migration increases dramatically as the number of rules grows.
Neutron developers informed us that there is no definitive solution for
this, and it operates on a best-effort basis.
(https://bugs.launchpad.net/neutron/+bug/1970606) Therefore, we need to
route the traffic between tenant networks through a physical firewall.

In conclusion, we consider this situation as a bug. What is your
assessment?

We think it will be nice to adding a new config flag and based on the
value of this flag, the VXLAN tenant networks could be isolated. Moving
the tenant network routes added to the fip namespace from the main table
to a different table, and adding the agent gateway port as an input
interface (iif) condition to the rule, is sufficient. (see attachment).

Thanks.

** Affects: neutron
     Importance: Undecided
         Status: New

** Attachment added: "fip-netns-ip-route-rule.txt"
   https://bugs.launchpad.net/bugs/2107634/+attachment/5872630/+files/fip-netns-ip-route-rule.txt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2107634

Title:
  Same Host Traffic Leaks in Neutron DVR When Using BGP

Status in neutron:
  New

Bug description:
  Hi everyone,

  When Neutron BGP Dynamic Routing and DVR are used, instances in VXLAN
  tenant networks located in different routers within different projects
  can directly access each other if they are on the same compute host.
  (They should ideally communicate via the gateway IP address of the
  provider network serving as the router's external gateway).

  Although the routers are in different projects, because their external
  gateways are the same, the north-south traffic exiting the routers
  reaches the fip namespace on the compute node due to the "fast-exit"
  feature. ([RFE]"Fast exit" for compute node egress flows when using
  DVR - https://bugs.launchpad.net/neutron/+bug/1577488)

  This situation occurs due to the tenant network routes present in the
  fip namespace on the compute node. The purpose of these routes is to
  forward traffic arriving at the agent gateway IP address (announced as
  the next-hop in BGP) towards the VMs via the qrouter namespace. (These
  are the routes in the main table - see attacment).

  While using different provider networks as the external gateway for
  each router comes to mind as a solution, creating a dedicated external
  gateway for each router is excessively costly, almost impossible, and
  illogical. This is because, due to the address scope limitations in
  BGP usage, it would also necessitate creating a new BGP speaker and
  establishing a BGP connection for each tenant.

  According to SOX cybersecurity compliance, it must be possible to
  apply ACLs on the access between VXLAN tenant networks. We cannot use
  Security Groups because we cannot manage ACLs centrally and easily,
  and as discussed in a bug report we previously submitted, packet loss
  during live migration increases dramatically as the number of rules
  grows. Neutron developers informed us that there is no definitive
  solution for this, and it operates on a best-effort basis.
  (https://bugs.launchpad.net/neutron/+bug/1970606) Therefore, we need
  to route the traffic between tenant networks through a physical
  firewall.

  In conclusion, we consider this situation as a bug. What is your
  assessment?

  We think it will be nice to adding a new config flag and based on the
  value of this flag, the VXLAN tenant networks could be isolated.
  Moving the tenant network routes added to the fip namespace from the
  main table to a different table, and adding the agent gateway port as
  an input interface (iif) condition to the rule, is sufficient. (see
  attachment).

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2107634/+subscriptions