port security does not block router advertisements for instances
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | Brian Haley | |
| neutron (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Affected version: mitaka
Issue: If port security is enabled, IPv6 router advertisements may still be sent by any instance.
Network configuration: vlan, security groups disabled, port security enabled.
subnet:
{
"description": "",
"enable_dhcp": true,
"network_id": "b71b7cc7-
"tenant_id": "4e632076f7004f
"created_at": "2017-04-
"dns_
"updated_at": "2017-04-
"ipv6_ra_mode": "",
"allocation_
"gateway_ip": "2a00:xxxx:
"ipv6_
"ip_version": 6,
"host_routes": "",
"cidr": "2a00:xxxx:
"id": "789d4f41-
"subnetpool_id": "",
"name": ""
}
When an instance is configured by a (malicious) user, it starts to send router advertisements (as if it were a router), and those RAs may interrupt networking.
tcpdump from physical interface of compute node:
tcpdump -ni eth4 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:16:47.707480 IP6 fe80::52eb:
14:16:48.709429 IP6 fe80::f816:
The first line is a valid router RA; the second line (:6644) is from the instance and should have been blocked by port security.
On a victim machine (same segment) routing table looks like this:
ip -6 route
default via fe80::52eb:
default via fe80::f816:
The last line is the result of network hijacking by the malicious instance and shouldn't happen.
I'm not sure if this is a security issue or not.
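One way to spot the situation the report describes from a compute node's capture, as an added example that is not part of the bug report and not neutron's own code: parse the text output of `tcpdump -ni <iface> ip6`, keep only ICMPv6 router advertisements, and flag every RA whose source is not one of the known gateway link-local addresses. For an EUI-64 link-local source the script also recovers the sender's MAC, and checks it against fa:16:3e, neutron's default `base_mac` prefix, which is why instance link-locals in the report start with fe80::f816:. The capture lines below are constructed for the example (the addresses are made up, not the ones from the report), and the allowlist of legitimate routers is an assumed input the operator would supply.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import List, Optional, Set

# Constructed sample lines in the text format tcdump prints for "ip6" traffic.
# Addresses are invented for this example; they are not from the bug report.
SAMPLE_CAPTURE = """\
14:16:47.707480 IP6 fe80::52eb:1aff:fe02:3344 > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe11:6644 > ff02::1: ICMP6, router advertisement, length 56
14:16:49.001000 IP6 fe80::f816:3eff:fe11:6644 > ff02::2: ICMP6, router solicitation, length 16
14:16:50.120000 IP6 fe80::52eb:1aff:fe02:3344 > ff02::1: ICMP6, router advertisement, length 64
"""

# Default base_mac in neutron is fa:16:3e:00:00:00, so instance ports carry this OUI.
NEUTRON_DEFAULT_OUI = "fa:16:3e"

# Matches one tcpdump line carrying an ICMPv6 router advertisement (type 134).
RA_LINE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, router advertisement"
)


@dataclass
class RogueRA:
    ts: str
    src: str
    mac: Optional[str]          # recovered from EUI-64, None if not derivable
    looks_like_instance: bool   # True if the MAC carries neutron's default OUI


def eui64_to_mac(addr: IPv6Address) -> Optional[str]:
    """Recover the MAC from an EUI-64 interface identifier, or None if the
    low 64 bits do not have the ff:fe marker in the middle."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def find_rogue_ras(capture: str, legitimate_routers: Set[str]) -> List[RogueRA]:
    """Return every RA in the capture whose source is not an allowed router."""
    allowed = {IPv6Address(a) for a in legitimate_routers}
    rogues: List[RogueRA] = []
    for line in capture.splitlines():
        m = RA_LINE.match(line)
        if not m:
            continue  # not a router advertisement (e.g. a solicitation)
        src = IPv6Address(m["src"])
        if src in allowed:
            continue
        mac = eui64_to_mac(src)
        rogues.append(RogueRA(
            ts=m["ts"],
            src=str(src),
            mac=mac,
            looks_like_instance=mac is not None and mac.startswith(NEUTRON_DEFAULT_OUI),
        ))
    return rogues


if __name__ == "__main__":
    # The only legitimate gateway on this (constructed) segment.
    for r in find_rogue_ras(SAMPLE_CAPTURE, {"fe80::52eb:1aff:fe02:3344"}):
        tag = "neutron instance?" if r.looks_like_instance else "unknown sender"
        print(f"{r.ts} rogue RA from {r.src} (mac {r.mac}) - {tag}")
```

This is a detection check only; it tells you which tap port to look at, it does not stop the RA. The actual mitigation belongs at the port level on the compute node, which is what the request for `ip6tables-save` output in the comment below is getting at.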
Can you cut/paste the output of 'ip6tables-save' from the compute node and the router namespace on the network node? Could be there's a single rule missing, I just don't remember seeing a fix for something like this.