an instance can see other instances' unicast packets when security group firewall_driver is openvswitch
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Incomplete | Undecided | Unassigned | |
| neutron | Confirmed | Medium | Unassigned | |
Bug Description
We found that instances on the same host can see each other's unicast packets sent to instances on a different host, if these instances are on the same subnet, when the security group firewall_driver is openvswitch.
# How to reproduce
1. Create 3 VMs on the same subnet (VLAN or VXLAN, it does not matter); call them vm1, vm2, vm3:
vm1: 192.168.100.3 (compute 1)
vm2: 192.168.100.12 (compute 1)
vm3: 192.168.100.17 (compute 2)
vm1 and vm2 are on the same host, while vm3 is on the other host.
2. ping vm3 from vm2
3. tcpdump eth0 on vm1; you will see that the ICMP echo request packets from vm2 to vm3 are captured:
# tcpdump -enni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:01:59.361792 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 4, length 64
09:02:00.361772 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 5, length 64
09:02:01.361785 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 6, length 64
09:02:02.361798 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 7, length 64
4. ping vm2 from vm3
5. tcpdump eth0 on vm1; you will see that the ICMP echo reply packets from vm2 to vm3 are captured:
# tcpdump -enni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:03:39.608748 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 3, length 64
09:03:40.609475 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 4, length 64
09:03:41.609444 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 5, length 64
TCP/UDP packets have the same problem; this causes a performance issue and a security problem in production. This does not happen when the security group firewall driver is iptables_hybrid or when port security is disabled.
# Versions
I am testing this on the N and R releases; both have the same problem. The R release neutron package versions are:
openstack-
openstack-
python2-
openstack-
openstack-
openstack-
openstack-
python2-
python-
python-
python-
and the operating system and kernel are:
[root@node-30 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@node-30 ~]# uname -a
Linux node-30 3.10.0-
and the openvswitch version is :
openvswitch-
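A check a defender can run over the vm1 capture above, added here as an example and not part of the original bug report or of Neutron: it parses `tcpdump -enni` output and flags unicast frames whose destination MAC is not the capturing interface's own, which is exactly the leaked traffic the report describes. The first two capture lines come from the report; vm1's MAC (`VM1_MAC`) and the extra ARP and "addressed to us" lines are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of `tcpdump -enni <iface>`: timestamp, src MAC > dst MAC, ethertype, length, payload.
_FRAME_RE = re.compile(r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
                       r"ethertype .+? \(0x[0-9a-f]+\), length \d+: (?P<payload>.*)$")
# IPv4 payload summary; the optional ".port" suffix covers TCP/UDP lines as well as ICMP.
_IPV4_RE = re.compile(r"^(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$")

@dataclass
class LeakedFrame:
    ts: str
    src_mac: str
    dst_mac: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    summary: str

def is_unicast(mac: str) -> bool:
    """The I/G bit (LSB of the first octet) is clear for unicast, set for multicast/broadcast."""
    return int(mac.split(":")[0], 16) & 0x01 == 0

def find_leaked_unicast(lines, local_mac: str) -> List[LeakedFrame]:
    """Return unicast frames addressed to a MAC other than this interface's own; a correctly
    isolated port never receives such frames, so any hit reproduces the reported leak."""
    local_mac = local_mac.lower()
    leaked: List[LeakedFrame] = []
    for line in lines:
        m = _FRAME_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines or anything we cannot parse
        dst = m["dst_mac"].lower()
        if not is_unicast(dst) or dst == local_mac:
            continue  # broadcast/multicast is expected; frames addressed to us are legitimate
        ip = _IPV4_RE.match(m["payload"])
        leaked.append(LeakedFrame(m["ts"], m["src_mac"], dst,
                                  ip["src_ip"] if ip else None,
                                  ip["dst_ip"] if ip else None,
                                  ip["rest"] if ip else m["payload"]))
    return leaked

VM1_MAC = "fa:16:3e:aa:bb:cc"  # constructed: the report does not give vm1's MAC
SAMPLE_CAPTURE = [  # first two lines from the report; the ARP and "to us" lines are constructed
    "09:01:59.361792 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo request, id 1145, seq 4, length 64",
    "09:03:39.608748 fa:16:3e:8e:49:5c > fa:16:3e:8f:ca:a7, ethertype IPv4 (0x0800), length 98: 192.168.100.12 > 192.168.100.17: ICMP echo reply, id 1144, seq 3, length 64",
    "09:04:00.000000 fa:16:3e:8e:49:5c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.100.3 tell 192.168.100.12, length 28",
    "09:04:01.000000 fa:16:3e:8f:ca:a7 > fa:16:3e:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 192.168.100.17 > 192.168.100.3: ICMP echo request, id 7, seq 1, length 64",
]
```

Running `find_leaked_unicast(SAMPLE_CAPTURE, VM1_MAC)` returns only the two vm2-to-vm3 frames; the ARP broadcast and the frame addressed to vm1 itself are not reported. On a correctly isolated port (iptables_hybrid, or after a fix) the same check over a live capture should return nothing.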
information type: Public → Public Security
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
no longer affects: ossn
summary:
- an instance can see other instances' unicast packages when security
- group firewall_driver is openvswitch
+ an instance can see other instances' unicast packets when security group
+ firewall_driver is openvswitch
description: updated
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
Is this a mis-configuration from neutron or is it an ovs issue?