ICMPv6 RAs should only be permitted from known routers
Bug #1262759 reported by Ian Wells
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
neutron | Fix Released | Medium | Xu Han Peng |
Bug Description
ICMPv6 is now allowed in from any host but other hosts can offer bogus routes.
Change security group/port filtering to respect known routers:
- tenant routers attached to subnets and passing v6
- physical routers on provider networks provided on the network (as some sort of admin configurable list for that network).
(Security issue: One VM sharing a neutron network can divert outgoing traffic from other VMs.)
Changed in ossa:
status: New → Incomplete
information type: Private Security → Public
tags: added: security
Changed in neutron:
assignee: nobody → Xu Han Peng (xuhanp)
Changed in neutron:
milestone: none → juno-1
Changed in neutron:
status: Fix Committed → Fix Released
Changed in neutron:
milestone: juno-1 → 2014.2
IETF RFC 6105 could be helpful reading here.
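An added example, not part of the original report or of the neutron fix: a Python sketch of the ingress decision the bug description asks for, accepting Router Advertisements only from an allowlist of known routers per network. The network id, the allowlist contents and the function names are hypothetical, the packets are constructed, and fragmented packets are not reassembled.

```python
import ipaddress
import struct

ICMPV6 = 58                  # IPv6 Next Header value for ICMPv6
RA_TYPE = 134                # ICMPv6 Router Advertisement (RFC 4861)
EXT_HEADERS = {0, 43, 60}    # hop-by-hop, routing, destination options

# Constructed allowlist: network id -> link-local addresses of known routers
# (tenant routers on the subnet, or admin-listed provider routers).
KNOWN_ROUTERS = {"net-a": {ipaddress.IPv6Address("fe80::1")}}


def allow_ingress(network_id, packet):
    """Return True if the raw IPv6 packet may be delivered to a VM port."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False                        # not a complete IPv6 header
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    offset = 40
    # Walk extension headers so an RA cannot hide behind them.
    while next_header in EXT_HEADERS:
        if len(packet) < offset + 2:
            return False
        next_header, offset = packet[offset], offset + 8 * (packet[offset + 1] + 1)
    if next_header != ICMPV6:
        return True                         # left to the other rules in this sketch
    if len(packet) <= offset:
        return False                        # truncated ICMPv6 message
    if packet[offset] != RA_TYPE:
        return True                         # other ICMPv6 types (e.g. NS/NA) pass
    # An RA needs hop limit 255 and a link-local source (RFC 4861),
    # and here additionally a source that is a known router.
    return (hop_limit == 255 and src.is_link_local
            and src in KNOWN_ROUTERS.get(network_id, set()))


def build_icmpv6(src, dst, icmp_type, hop_limit=255):
    """Build a minimal constructed IPv6 + ICMPv6 packet (checksum left zero)."""
    body = bytes([icmp_type, 0, 0, 0]) + bytes(12)
    header = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)
```

A network with no configured routers accepts no RAs at all under this policy, which is the safe default for the shared-network case the report describes.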