Security group mismatch for floating IP

Bug #1740739 reported by Omer Anson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
DragonFlow
New
High
Omer Anson

Bug Description

Scenario:
1. Create two separate private networks, two separate routers, and connect the private networks (separately) to the public network
2. Define two VMs on the separate private networks
3. Assign each VM a floating IP.
4. (optional) Modify security groups to allow ICMP ingress from *ALL* IPs and verify ping succeeds, then remove this rule.
5. Modify security group to allow ICMP ingress from the other VMs security group (if same security group, put the current security group)
6. See that ping fails.

Expected scenario:
Ping succeeds in point 6.

Analysis:
The security rules installed match by the original IP address. However, the
packet arrives with its floating IP as source. Therefore, the match fails.

Additional Tasks:
* Revert https://review.openstack.org/#/c/540841/

Revision history for this message
Omer Anson (omer-anson) wrote :

I think the best plan of attack would be to test against source port IDs (reg6) rather than IP addresses. This raises the problem that reg6 must always be set to the correct value. This is mostly correct, except for a few apps:

* Tunneling

* dNAT

* Provider network

* SFC

For dNAT and provider network, we can infer reg6 from the incoming packet by source IP and network or source IP and MAC.

For SFC, we should have all the information available, we just need to re-set reg6 once the packet finished the SFC flow.

For tunneling, there are two options:

1. Infer all routable addresses to the network, and then infer from source IP and network. (preferred)

2. Do the routing both on the source and destination node. The packet sent through the tunnel will be the original tunnel (before routing), and routing will be done again on the destination node (routing will be done twice!)

3. Encode the reg6 value somewhere on the packet, e.g. source MAC address, and then (optionally) re-encode the correct MAC on the destination node.

Option 1 is preferred, because it is the only option allowing full interoperability (option 3 won't work if the tunnel source is an e.g. DVR compute node).

Action Items:

1-4. Update dNAT app
1-4. Update provider network app
1-4. Update SFC app
1-4. Update tunnelling app
5. Update SecGroup

This solution only works for 'ingress' rules. For 'egress' rules, we may want to move them to a point where we know the destination port (reg7) and then match by port and not by IP as well.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to dragonflow (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/539546

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/540841

Omer Anson (omer-anson)
description: updated
Changed in dragonflow:
assignee: nobody → Omer Anson (omer-anson)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/540855

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to dragonflow (master)

Reviewed: https://review.openstack.org/540841
Committed: https://git.openstack.org/cgit/openstack/dragonflow/commit/?id=66a02d146218a0affca2dbf2d3da8f27f6000e2d
Submitter: Zuul
Branch: master

commit 66a02d146218a0affca2dbf2d3da8f27f6000e2d
Author: Omer Anson <email address hidden>
Date: Mon Feb 5 14:20:37 2018 +0200

    Disable tempest test TestSecurityGroupsBasicOps.test_cross_tenant_traffic

    Test is broken and makes tempest gate fail. To be fixed in bug 1740739.

    Change-Id: I70104d61520ea275a217ccb6fc5adbdaab1e1b23
    Related-Bug: #1740739

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/540855
Committed: https://git.openstack.org/cgit/openstack/dragonflow/commit/?id=45b22a21b15831b1cec8193390e87717f8e161b0
Submitter: Zuul
Branch: master

commit 45b22a21b15831b1cec8193390e87717f8e161b0
Author: Omer Anson <email address hidden>
Date: Mon Feb 5 15:52:16 2018 +0200

    Move _get_ips_in_logical_port from sg to LogicalPort (lport.all_ips)

    The method _get_ips_in_logical_port returned a set with all lport's IPs.
    This method is not security-groups specific, and therefore can sit in
    LogicalPort for other apps and libraries to reuse.

    Change-Id: Id10092eab9c7b9558d12d066ffac73edabd6d894
    Related-Bug: #1740739

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/539546
Committed: https://git.openstack.org/cgit/openstack/dragonflow/commit/?id=e1a15a07e51bf6590591e4010d52dfa1bb8f8e9f
Submitter: Zuul
Branch: master

commit e1a15a07e51bf6590591e4010d52dfa1bb8f8e9f
Author: Omer Anson <email address hidden>
Date: Wed Jan 17 13:53:39 2018 +0200

    Detect source port for DNAT ingress

    Detect the source port when a packet with a floating port source IP
    arrives from br-ex.

    Change-Id: Ia417212a48c68614877d97a749e5dcae8b6e88c8
    Related-Bug: #1740739

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.