VXLAN Overlay ping issue when Gateway IP is set to one of local NIC's IP address
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Expired | Undecided | Unassigned |
Bug Description
There's an issue when a VXLAN overlay VM tries to ping an overlay IP address that is also the same as one of the host machine's local IP addresses. In my setup, I've tried pinging the overlay VM's router's IP address. Here are the details:
VXLAN Id is 100 (this number is immaterial, what matters is that we use VXLAN for tenant traffic)
Overlay VM:
IP: 10.0.1.3/24
GW: 10.0.1.1
Host Info:
enp21s0f0: 1.1.1.5/24 (This interface is used to contact the controller as well as for encapsulated datapath traffic.)
qbr89a962f7-9b: Linux Bridge to which the Overlay VM connects. No IP address on this one.
brctl show:
qbr89a962f7-9b 8000.56f6fefb9d5c no qvb89a962f7-9b
ifconfig qbr89a962f7-9b
qbr89a962f7-9b: flags=4163<
inet6 fe80::54f6:
ether 56:f6:fe:fb:9d:5c txqueuelen 0 (Ethernet)
RX packets 916 bytes 27072 (26.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 780 (780.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I am using a previously unused NIC named eno1 for this example. When eno1 has no IP address, ping from the overlay VM to the router is successful. ARP on the VM shows the correct MAC resolution. When I set eno1 to 10.0.1.1, ARP on the overlay VM shows qbr89a962f7-9b's MAC address and ping never succeeds.
When things work OK ARP for 10.0.1.1 is fa:16:3e:0c:52:6d
When eno1 is set to 10.0.1.1, ARP resolution is incorrect: 10.0.1.1 resolves to 56:f6:fe:fb:9d:5c and ping never succeeds. I've deleted ARPs to ensure that resolution is triggered. It appears as if the OVS br-int never received the ARP request.
Thanks,
-Uday
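An added check (not part of the bug report or of Neutron) for the condition described above: it flags overlay gateway IPs that are also configured on the compute host, where the kernel's default arp_ignore=0 behaviour answers ARP for any local address on any interface, including the tenant's qbr bridge, and flags guest neighbour entries whose gateway MAC belongs to a host interface rather than the router port. The sample `ip addr`, `ip link` and `ip neigh` outputs are constructed; the IPs and MACs are those from the report.

```python
import re

# Constructed sample of `ip -o -4 addr show` on the compute host; eno1 has
# been given the overlay gateway address, as in the report.
HOST_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: enp21s0f0    inet 1.1.1.5/24 brd 1.1.1.255 scope global enp21s0f0
3: eno1    inet 10.0.1.1/24 brd 10.0.1.255 scope global eno1
"""
# Constructed sample of `ip -o link show` on the host (qbr MAC is from the report).
HOST_LINK = """\
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ... link/ether 00:16:3e:aa:bb:01 brd ff:ff:ff:ff:ff:ff
7: qbr89a962f7-9b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ... link/ether 56:f6:fe:fb:9d:5c brd ff:ff:ff:ff:ff:ff
"""
# Constructed sample of `ip neigh show` inside the overlay VM once the collision occurs.
GUEST_NEIGH = "10.0.1.1 dev eth0 lladdr 56:f6:fe:fb:9d:5c REACHABLE\n"
# Overlay gateway IP -> MAC of the Neutron router port (values from the report).
GATEWAYS = {"10.0.1.1": "fa:16:3e:0c:52:6d"}

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", re.M)
LINK_RE = re.compile(r"^\d+:\s+([^:]+):.*?link/ether\s+([0-9a-f:]{17})", re.M)
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.M)

def host_addresses(addr_output):
    """Return {ipv4: iface} for every address the host kernel owns."""
    return {ip: iface for iface, ip in ADDR_RE.findall(addr_output)}

def host_macs(link_output):
    """Return {mac: iface} for every host interface, bridges included."""
    return {mac.lower(): iface for iface, mac in LINK_RE.findall(link_output)}

def gateway_collisions(gateways, addr_output):
    """Overlay gateways that are also host-local IPs: with arp_ignore=0 (the
    default) the kernel answers ARP for them on any interface, qbr included."""
    local = host_addresses(addr_output)
    return sorted((gw, local[gw]) for gw in gateways if gw in local)

def guest_arp_anomalies(neigh_output, gateways, link_output):
    """Guest neighbour entries whose gateway MAC is not the router port MAC;
    each hit is (ip, seen_mac, owning host iface or 'unknown', expected_mac)."""
    macs, found = host_macs(link_output), []
    for ip, mac in NEIGH_RE.findall(neigh_output):
        expected = gateways.get(ip)
        if expected and mac.lower() != expected.lower():
            found.append((ip, mac.lower(), macs.get(mac.lower(), "unknown"), expected))
    return found

if __name__ == "__main__":
    for gw, iface in gateway_collisions(GATEWAYS, HOST_ADDR):
        print(f"gateway {gw} is also configured on host interface {iface}")
    for ip, mac, iface, expected in guest_arp_anomalies(GUEST_NEIGH, GATEWAYS, HOST_LINK):
        print(f"guest resolves {ip} to {mac} ({iface}), expected {expected}")
```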
Hi, is there a reason why you reported this bug as a security vulnerability?