Race condition while allocating floating IPs

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

At first blush, this sounds like an impractical way to go about a denial of service attack, as it depends on an authenticated user and is likely to be fairly noisy with limited actual impact, but it might be a way for customers to avoid paying for additional quota depending on your billing model. As such I'd probably consider this a class C1 report (impractical but could still warrant a CVE) per our taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

If there's agreement from some Neutron core security reviewers (subscribed), we can probably continue this discussion as a regular public bug.

actually yes, 500 req test ended up with DOS of the Neutrone. And I guess the same test for other time consuming endpoints (eg. creating instance in Nova or creating Share in Manila) would have the same result. So I was wondering if it's some kind of core problem with request queueing in openstack or the problem should be handled by network devices and not by openstack modules. It just doesn't sound right when a single person can disable a core module with 500 requests.

Generally, resource exhaustion due to rapid calls to expensive API methods by authenticated users is treated as a security hardening opportunity. Operators are recommended to place rate-limiting solutions in front of API endpoints to reduce the impact a user can cause (either intentionally or accidentally) by making rapid-fire requests. Since the account used can be readily identified and disabled, it's an expensive attack scenario unless the environment makes it easy for the attacker to obtain control of additional accounts. See the OpenStack Security Guide for relevant recommendations: https://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html#api-endpoint-rate-limiting

Neutron does not enforce quotas in such a way that a quota violation like this could never occur. The extent of the issue will vary greatly by deployment architecture, specifically the number of neutron workers that are deployed. If more workers are deployed, this becomes more probable.

This is part of the nature of Neutron as a distributed system. The solution for an issue like this would be to move quota calculations into the database, which would be an intrusive and far-reaching rearchitecture. Neutron does better when it can detect issues rather than having to deal with database-reported issues and retries, so such an architectural change would have a significant negative effect on the reliability and responsiveness of the service at load. I do not believe that the risk of exceeding quota justifies the return on investment for such a change that would prevent minor quota overages.

The quota and consumption are easily available from existing API endpoints. If a deployer was so motivated, a combination of log watching and occasional API polling by a process that conforms to the deployer's business logic would permit these sorts of things to be flagged and alarmed on. I think that would be a sufficient compensating control for the risk of quota overages.

I agree with the proposed C1 class, and I could go with B2 too, though there is already an OSSN about that issue.

Any decision on this?

It seems like we've got reasonable consensus that this is expected behavior and have public documentation (at least in the Security Guide as linked above, but likely also elsewhere), indicating that OpenStack API servers on the whole do not make any attempt to mitigate excessively rapid calls to expensive methods and so should be protected by a separate filtering or throttling mechanism if they're deployed in an environment where they're at risk of being overloaded.

I'll switch this public, treating as a class C1 report. If you or someone else feels this scenario should be covered by a CVE then feel free to request one from MITRE or another CNA, but please add it in a follow-up comment on this bug if you do so that we won't end up with multiple CVE assignments floating around for the same scenario. Thanks!

C1 seems appropriate as the risk is not inherent to all deployments and there are multiple ways to prevent/mitigate where needed.