Comment 0 for bug 2053113
Revision history for this message
| Frode Nordahl (fnordahl) wrote Potential DoS vulnerability transmitting BFD packets from VIF | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
As part of implementing a overlay network, OVN configures tunnel ports in Open vSwitch (OVS). To monitor health of tunnel and remote hypervisor the OVS Bidirectional Forwarding Detection (BFD) functionality is enabled by setting `enbale` to 'true' in the `bfd` column.
The tunnel BFD status is also used to select the active chassis for distributed gateway ports for traffic going in and out of the deployment (North/South traffic).
The BFD packets are transmitted in-band in the tunnel, along with other traffic, and in its default configuration, OVS will consider any BFD packet received on the tunnel port as being from a privileged peer on the other side of the tunnel.
Traffic from unprivileged users connected to a VIF are also transmitted in these tunnels, and it is non-trivial for a end user of a system using OVS/OVN to transmit BFD packets that will be tunneled through the system.
Fortunately, traffic originating from or destined to a VIF is labeled with a VNI aka. tunnel key.
There exists a OVS BFD option called `check_tnl_key`, which makes OVS only consider BFD packets that have a tunnel key of zero.
Investigations so far suggest that setting the `check_tnl_key` option to 'true' would mitigate the issue, as only the OVS generated BFD packets would have a tunnel key of zero.
The options on the tunnel ports are however managed by OVN, and any attempt of manually setting them will immediately be reverted, consequently this becomes a potential security issue in OVN.
We have initiated conversations with the upstream following their security process on how to handle this issue.