Neutron ipv6_utils.is_enabled() uses /proc/sys/net/ipv6/conf/default/disable_ipv6

Bug #1459856 reported by Dustin Lundquist
This bug affects 3 people

Affects: neutron
Status: In Progress
Importance: Undecided
Assigned to: Dustin Lundquist

Bug Description

Neutron uses /proc/sys/net/ipv6/conf/default/disable_ipv6 to determine if IPv6 should be enabled, but there are legitimate cases where this sysctl may be set in an IPv6 deployment.

By default Linux assigns a link-local address to every new interface if this sysctl is not enabled, which exposes the host machine to tenant networks. To harden a deployment an administrator may set this sysctl and explicitly disable /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 on each interface which should participate in IPv6 communications. This brings parity with IPv4, where interfaces are only addressable if the administrator has explicitly assigned the interface an IPv4 address.

In this case Neutron will detect /proc/sys/net/ipv6/conf/default/disable_ipv6=1 and ipv6_utils.is_enabled() will return false, thereby disabling creation of the ip6tables rules enforcing security groups on hosts with this hardened IPv6 configuration.

Can we expose ipv6_utils.is_enabled() directly as a configuration option rather than inferring from /proc/sys/net/ipv6/conf/default/disable_ipv6?
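To make the failure mode concrete, the following is an added example (not Neutron's own code) that models the sysctl-based check described above against an in-memory snapshot of /proc, so it runs without root or a live IPv6 stack. The snapshot values, the `override` parameter standing in for the proposed configuration option, and the interface names are all constructed for illustration.

```python
"""Model of a sysctl-driven IPv6 check and the hardened host it misclassifies.

Added example, not Neutron code. The `files` mapping stands in for /proc:
path -> file contents. `snapshot_proc()` fills it from a real system.
"""
import glob
import os

CONF_DIR = "/proc/sys/net/ipv6/conf"
DEFAULT_DISABLE = CONF_DIR + "/default/disable_ipv6"


def snapshot_proc(root="/"):
    """Collect every disable_ipv6 sysctl under /proc/sys/net/ipv6/conf."""
    files = {}
    pattern = os.path.join(root, CONF_DIR.lstrip("/"), "*", "disable_ipv6")
    for path in glob.glob(pattern):
        with open(path) as f:
            files["/" + os.path.relpath(path, root)] = f.read().strip()
    return files


def is_enabled_by_default(files):
    """The heuristic the bug describes: IPv6 counts as enabled only when the
    'default' sysctl reads 0. A missing file (no IPv6 stack) counts as
    disabled; that is an assumption of this model, not Neutron's code."""
    value = files.get(DEFAULT_DISABLE)
    return value is not None and value == "0"


def interfaces_with_ipv6(files):
    """Interfaces whose own disable_ipv6 sysctl is 0, skipping the all/default
    pseudo-entries. Diagnostic only: a hypervisor that merely bridges IPv6
    frames may legitimately have none."""
    enabled = []
    for path, value in files.items():
        name = path.rsplit("/", 2)[-2]
        if name not in ("all", "default") and value == "0":
            enabled.append(name)
    return sorted(enabled)


def is_enabled(files, override=None):
    """Decision with an explicit operator override (hypothetical config option).
    Without an override, fall back to the default-sysctl heuristic."""
    if override is not None:
        return bool(override)
    return is_enabled_by_default(files)


# Constructed snapshots, not captured from a real host.
STOCK_HOST = {
    CONF_DIR + "/all/disable_ipv6": "0",
    CONF_DIR + "/default/disable_ipv6": "0",
    CONF_DIR + "/lo/disable_ipv6": "0",
    CONF_DIR + "/eth0/disable_ipv6": "0",
}

# Hardened as the report describes: default=1, only the management
# interface explicitly re-enabled; tenant-facing eth1 stays L2-only.
HARDENED_HOST = {
    CONF_DIR + "/all/disable_ipv6": "0",
    CONF_DIR + "/default/disable_ipv6": "1",
    CONF_DIR + "/lo/disable_ipv6": "0",
    CONF_DIR + "/eth0/disable_ipv6": "0",
    CONF_DIR + "/eth1/disable_ipv6": "1",
}

if __name__ == "__main__":
    for label, host in (("stock", STOCK_HOST), ("hardened", HARDENED_HOST)):
        print(label, "heuristic:", is_enabled_by_default(host),
              "interfaces with IPv6:", interfaces_with_ipv6(host),
              "with override=True:", is_enabled(host, override=True))
```

On the hardened snapshot the heuristic reports IPv6 as disabled even though eth0 carries IPv6 and tenant traffic on eth1 still needs ip6tables rules; only the override restores the correct answer. Running `snapshot_proc()` on a real host shows which case that host falls into.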

Changed in neutron:
assignee: nobody → Dustin Lundquist (dlundquist)
status: New → In Progress
Revision history for this message
Sean M. Collins (scollins) wrote :

How are guest instances getting IPv6 connectivity, if the hypervisor where guests are running has disabled IPv6 on all the interfaces?

Revision history for this message
Dustin Lundquist (dlundquist) wrote :

The hypervisor only needs to provide L2 connectivity to an IPv6 router. Frames containing IPv6 packets are bridged normally when disable_ipv6 is set.

Revision history for this message
Jarek Kamiński (cmp) wrote :

The bug popped up in our deployment just yesterday. IMO the check should verify whether IPv6 Netfilter support is present (so for instance try modprobe ip6_tables). The override is a great thing (thanks!), but it's just a work-around, not a proper fix.
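As an added example of the alternative suggested in the comment above (not Neutron code and not a proposed patch), the probe below decides whether ip6tables rules can be installed by looking for the loaded ip6_tables module rather than at the sysctl. The `exists` and `loadable` parameters are injection points for testing and are this example's own design.

```python
"""Probe for IPv6 netfilter support instead of reading disable_ipv6.

Added example, not Neutron code. ip6tables is treated as usable when the
ip6_tables module is already initialised (its /proc or /sys marker exists)
or when a dry-run `modprobe -n` reports that it could be loaded.
"""
import os
import shutil
import subprocess

# /proc/net/ip6_tables_names is created when ip6_tables initialises, whether
# built in or loaded; /sys/module/ip6_tables appears for the loaded module.
LOADED_MARKERS = ("/proc/net/ip6_tables_names", "/sys/module/ip6_tables")


def module_loadable(name, run=subprocess.run):
    """Dry-run modprobe (-n: do not load, -q: quiet on unknown module).
    Exit status 0 means the module exists for this kernel and would load."""
    if shutil.which("modprobe") is None:
        return False
    try:
        result = run(["modprobe", "-n", "-q", name],
                     capture_output=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return False
    return result.returncode == 0


def ip6_tables_available(exists=os.path.exists, loadable=module_loadable):
    """True when the host can carry ip6tables rules.

    Checks the cheap marker files first so the common case never shells
    out; only falls back to modprobe when nothing is loaded yet.
    """
    if any(exists(path) for path in LOADED_MARKERS):
        return True
    return loadable("ip6_tables")


def needs_ipv6_security_groups(netfilter_available, override=None):
    """Combine the probe with an explicit operator override (hypothetical
    config option): the override wins, otherwise trust the probe."""
    if override is not None:
        return bool(override)
    return netfilter_available


if __name__ == "__main__":
    available = ip6_tables_available()
    print("ip6_tables available:", available,
          "-> install IPv6 SG rules:", needs_ipv6_security_groups(available))
```

Caveat a practitioner will want: a successful probe says the kernel *can* filter IPv6, not that it *should*; a host that deliberately runs no IPv6 filtering still reports True, so the override remains useful alongside the probe.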

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/196199
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Sean M. Collins (scollins) wrote :

I'm marking this as a duplicate since the newer bug has a better summary of what we are trying to accomplish
