IP-Spoofing for unallocated IPs
Bug #1729815 reported by Assen Tarlov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
Trunk | In Progress | High | sangarshan p |
Bug Description
Assigning a secondary IP to any instance in a network (same subnet) will work without adding "allowed address pairs".
e.g.
I have 2 instances in my 10.0.0.1/24 network:
10.0.0.2 & 10.0.0.3
If I add another IP on one of the hosts which has not been allocated as an interface, e.g.:
"ip a a 10.0.0.4/32 dev eth0"
I will be able to ping it from the other host.
The assumption is that it will only work if there is an "allowed address pair" on the neutron port.
The customer is not able to take an IP for an instance which does exist, but this seems unintended behavior.
Contrail version: contrail 3.2.1.0-
Reverse Path Forwarding is set to enabled
information type: Proprietary → Public
Changed in juniperopenstack:
importance: Undecided → Medium
importance: Medium → High
tags: added: vrouter
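As an added example (not part of the original bug report, and not Contrail or Neutron code), the audit below compares source IPs observed on each port against that port's fixed IPs and allowed address pairs, flagging addresses like the 10.0.0.4 case in the description. The port records and observations are constructed sample data; only the `fixed_ips` and `allowed_address_pairs` field names follow Neutron's port schema.

```python
import ipaddress

# Constructed sample data, shaped like Neutron port records.
PORTS = [
    {"id": "port-a", "network_id": "net-1",
     "fixed_ips": [{"ip_address": "10.0.0.2"}],
     "allowed_address_pairs": []},
    {"id": "port-b", "network_id": "net-1",
     "fixed_ips": [{"ip_address": "10.0.0.3"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.128/30"}]},
]

# Constructed observations: (port id, source IP seen on that port), e.g. from a capture.
OBSERVED = [
    ("port-a", "10.0.0.2"),
    ("port-a", "10.0.0.4"),    # secondary IP added inside the guest
    ("port-b", "10.0.0.130"),  # covered by the allowed address pair
    ("port-b", "10.0.0.2"),    # address allocated to another port
]

def permitted_networks(port):
    """Networks a port may source traffic from: fixed IPs plus allowed address pairs."""
    entries = [f["ip_address"] for f in port.get("fixed_ips", [])]
    entries += [p["ip_address"] for p in port.get("allowed_address_pairs", [])]
    # Allowed address pairs may be a single address or a CIDR; treat both as networks.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def audit(ports, observed):
    """Return (port_id, ip, reason) for every source IP the port is not entitled to."""
    by_id = {p["id"]: p for p in ports}
    owners = {f["ip_address"]: p["id"] for p in ports for f in p.get("fixed_ips", [])}
    findings = []
    for port_id, ip in observed:
        port = by_id.get(port_id)
        if port is None:
            findings.append((port_id, ip, "unknown port"))
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in permitted_networks(port)):
            continue
        owner = owners.get(ip)
        reason = f"allocated to {owner}" if owner else "unallocated address"
        findings.append((port_id, ip, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(PORTS, OBSERVED):
        print(*finding)
```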
PCAP
send: this will ping from 10.41.0.24 to 10.41.0.44