Should we allow all networks use allowed address pairs?
Bug #1373868 reported by
Wei Wang
This bug report is a duplicate of:
Bug #1447242: Use of allowed-address-pairs can allow tenant to cause denial of service in shared networks.
Edit
Remove
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Now we can add allowed address pair to every net's port if allowed address pair is enable.
This will cause security problem in a shared network, I think.
So we should add an limit for shared net or add a config entry in neutron.conf, so administrator
can disables some net's ports' allowed address pairs.
| summary: |
- Should we alow all network can use allowed address pairs? + Should we allow all network can use allowed address pairs? |
| summary: |
- Should we allow all network can use allowed address pairs? + Should we allow all networks use allowed address pairs? |
Revision history for this message
| Eugene Nikanorov (enikanorov) wrote | #1 |
| Changed in neutron: | |
| status: | New → Invalid |
To post a comment you must log in.
Neutron already has max_allowed_
The default limit is 10. However it's not related to shared networks and is a limitation per one port.
I think it worth reaching out to openstack-dev mailing list and starting a thread about this and then file a bug based on discussion.
Marking as invalid