Should we allow all networks use allowed address pairs?
Bug #1373868 reported by Wei Wang
This bug report is a duplicate of:
Bug #1447242: Use of allowed-address-pairs can allow tenant to cause denial of service in shared networks.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Undecided | Unassigned |
Bug Description
Now we can add allowed address pairs to every net's port if allowed address pairs are enabled.
I think this will cause a security problem in a shared network.
So we should add a limit for shared nets or add a config entry in neutron.conf, so that an administrator
can disable allowed address pairs on some nets' ports.
summary:
- Should we alow all network can use allowed address pairs?
+ Should we allow all network can use allowed address pairs?
summary:
- Should we allow all network can use allowed address pairs?
+ Should we allow all networks use allowed address pairs?
Neutron already has the max_allowed_address_pair configuration value in neutron conf.
The default limit is 10. However, it's not related to shared networks and is a limitation per one port.
I think it is worth reaching out to the openstack-dev mailing list and starting a thread about this, and then filing a bug based on the discussion.
Marking as invalid
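
An operator-side audit for the concern raised in this report, added here as an example; it is not part of the bug report or of Neutron's code. It lists ports on shared networks whose owner is not the network owner and that set allowed address pairs, and notes which other projects' fixed IPs those pairs cover. Field names follow the Neutron network and port API; the records, IDs and addresses are constructed, and treating `project_id` as the owner is an assumption.

```python
import ipaddress

# Constructed sample data, shaped like Neutron API network and port records.
NETWORKS = [
    {"id": "net-shared", "shared": True, "project_id": "admin"},
    {"id": "net-private", "shared": False, "project_id": "tenant-a"},
]
PORTS = [
    {"id": "p1", "network_id": "net-shared", "project_id": "tenant-a",
     "fixed_ips": [{"ip_address": "10.0.0.5"}], "allowed_address_pairs": []},
    {"id": "p2", "network_id": "net-shared", "project_id": "tenant-b",
     "fixed_ips": [{"ip_address": "10.0.0.6"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.0/24"}]},
    {"id": "p3", "network_id": "net-shared", "project_id": "tenant-b",
     "fixed_ips": [{"ip_address": "10.0.0.7"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.200"}]},
    {"id": "p4", "network_id": "net-private", "project_id": "tenant-a",
     "fixed_ips": [{"ip_address": "192.168.1.4"}],
     "allowed_address_pairs": [{"ip_address": "192.168.1.0/24"}]},
]

def audit_shared_ports(networks, ports):
    """Return findings for non-owner ports on shared networks that set
    allowed address pairs, noting overlaps with other projects' fixed IPs."""
    shared = {n["id"]: n for n in networks if n.get("shared")}
    findings = []
    for port in ports:
        net = shared.get(port["network_id"])
        pairs = port.get("allowed_address_pairs") or []
        if net is None or not pairs or port["project_id"] == net["project_id"]:
            continue
        # A pair may be a single address or a CIDR; strict=False accepts both.
        allowed = [ipaddress.ip_network(p["ip_address"], strict=False) for p in pairs]
        overlaps = sorted(
            (other["id"], ip["ip_address"])
            for other in ports
            if other["network_id"] == port["network_id"]
            and other["project_id"] != port["project_id"]
            for ip in other.get("fixed_ips", [])
            if any(ipaddress.ip_address(ip["ip_address"]) in a for a in allowed)
        )
        findings.append({"port": port["id"], "project": port["project_id"],
                         "pairs": [str(a) for a in allowed], "overlaps": overlaps})
    return findings

if __name__ == "__main__":
    for finding in audit_shared_ports(NETWORKS, PORTS):
        print(finding)
```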