Comment 0 for bug 2053113

Frode Nordahl (fnordahl) wrote: Potential DoS vulnerability transmitting BFD packets from VIF

As part of implementing an overlay network, OVN configures tunnel ports in Open vSwitch (OVS). To monitor the health of the tunnel and the remote hypervisor, the OVS Bidirectional Forwarding Detection (BFD) functionality is enabled by setting `enable` to 'true' in the `bfd` column.

The tunnel BFD status is also used to select the active chassis for distributed gateway ports for traffic going in and out of the deployment (North/South traffic).

The BFD packets are transmitted in-band in the tunnel, along with other traffic, and in its default configuration, OVS will consider any BFD packet received on the tunnel port as being from a privileged peer on the other side of the tunnel.

Traffic from unprivileged users connected to a VIF is also transmitted in these tunnels, and it is non-trivial for an end user of a system using OVS/OVN to transmit BFD packets that will be tunneled through the system.

Fortunately, traffic originating from or destined to a VIF is labeled with a VNI, aka tunnel key.

There exists an OVS BFD option called `check_tnl_key`, which makes OVS only consider BFD packets that have a tunnel key of zero.

Investigations so far suggest that setting the `check_tnl_key` option to 'true' would mitigate the issue, as only the OVS generated BFD packets would have a tunnel key of zero.

The options on the tunnel ports are, however, managed by OVN, and any attempt to set them manually will immediately be reverted; consequently, this becomes a potential security issue in OVN.

We have initiated conversations with the upstream following their security process on how to handle this issue.
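An added audit snippet, not part of the bug report and not OVS or OVN code, that flags tunnel interfaces where BFD is enabled without `check_tnl_key`, which is the configuration the report describes as vulnerable. It parses the output of `ovs-vsctl --columns=name,bfd list Interface`; the sample output embedded below is constructed.

```python
import re

# Constructed sample in the shape of `ovs-vsctl --columns=name,bfd list Interface`
# output (assumed example data, not captured from a real deployment).
SAMPLE_OUTPUT = """\
name                : "ovn-aaaaaa-0"
bfd                 : {enable="true"}

name                : "ovn-bbbbbb-0"
bfd                 : {check_tnl_key="true", enable="true"}

name                : "br-int"
bfd                 : {}
"""

# One key="value" item inside an OVSDB map literal such as {a="1", b="2"}.
_MAP_ITEM = re.compile(r'(\w+)="?([^",}]*)"?')


def parse_interfaces(output):
    """Turn `ovs-vsctl list` output into a list of (name, bfd_options) tuples."""
    interfaces = []
    for record in output.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        name = fields.get("name", "").strip('"')
        bfd = dict(_MAP_ITEM.findall(fields.get("bfd", "{}")))
        interfaces.append((name, bfd))
    return interfaces


def unprotected_bfd_ports(output):
    """Names of interfaces with bfd:enable=true but without bfd:check_tnl_key=true.

    On such ports OVS accepts BFD packets carrying any tunnel key, so in-band
    traffic from a VIF could be mistaken for the peer's BFD session.
    """
    return [
        name
        for name, bfd in parse_interfaces(output)
        if bfd.get("enable") == "true" and bfd.get("check_tnl_key") != "true"
    ]


if __name__ == "__main__":
    # Run against the live OVSDB on a hypervisor (requires ovs-vsctl).
    import subprocess
    live = subprocess.run(["ovs-vsctl", "--columns=name,bfd", "list", "Interface"],
                          check=True, capture_output=True, text=True).stdout
    for name in unprotected_bfd_ports(live):
        print(f"{name}: BFD enabled without check_tnl_key")
```

Because OVN reverts manual changes to the tunnel port options, a non-empty result is a finding to track against the OVN fix rather than something to patch on the chassis by hand.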