Security Groups does not allow RA packets in by default

Bug #1242933 reported by Sean M. Collins on 2013-10-21
18
This bug affects 3 people
Affects Status Importance Assigned to Milestone
neutron
Medium
Sean M. Collins

Bug Description

Provisioning a VM using Neutron, with RA's being broadcast by upstream switches, the VM was not getting the packets.

Changing the rules manually to:

ip6tables -I neutron-openvswi-ie90990dd-0 1 -p ipv6-icmp -j ACCEPT

Allowed RA packets through.

Changed in neutron:
assignee: nobody → Sean M. Collins (scollins)
Changed in neutron:
status: New → In Progress
Miguel Angel Ajo (mangelajo) wrote :

Most probably I'm wrong here, because I'm quite new to neutron.
But, shouldn't this kind of policy be handled in the security policies manually? (The same way you open ICMP to VMs in IPv4).

Sean M. Collins (scollins) wrote :

Hi Miguel,

There are rules that Neutron creates for each port that allows DHCP traffic on the v4 side, so that an instance can configure v4 networking, without requiring a tenant to create a security group rule to pass in DHCP traffic. It "just works" and there should be parity on the v6 side to allow the same thing to happen.

Sean M. Collins (scollins) wrote :

The difference between v4 ICMP and v6 ICMP is that in the v6 side, there are more advanced operations, like RA's, that must be allowed through for an instance to configure SLAAC.

Brian Haley (brian-haley) wrote :

I made this comment in the review, but I'll copy here in case others only look at the bug:

I still don't think this change is correct as it will allow all Icmpv6 traffic through, when only a subset should be allowed. I think the following should be allowed on the input side: RA, NS, and NA, and they should be inserted with a '-j RETURN'.

I'm still trying to track down the issue myself and will post any info I can find about it here.

Fix proposed to branch: master
Review: https://review.openstack.org/58186

Changed in neutron:
assignee: Sean M. Collins (scollins) → Shixiong Shang (sparkofwisdom-cloud)
Changed in neutron:
assignee: Shixiong Shang (sparkofwisdom-cloud) → Sean M. Collins (scollins)
Changed in neutron:
assignee: Sean M. Collins (scollins) → Shixiong Shang (sparkofwisdom-cloud)
Changed in neutron:
assignee: Shixiong Shang (sparkofwisdom-cloud) → Sean M. Collins (scollins)
summary: - _spoofing_rule does not allow RA packets in
+ Security Groups does not allow RA packets in by default

Reviewed: https://review.openstack.org/53028
Committed: http://github.com/openstack/neutron/commit/cecd7591533e2c046aedba3b8e5d14a5b2fa7fe9
Submitter: Jenkins
Branch: master

commit cecd7591533e2c046aedba3b8e5d14a5b2fa7fe9
Author: Sean M. Collins <email address hidden>
Date: Fri Oct 18 14:33:23 2013 -0400

    Pass in certain ICMPv6 types by default

    This allows instances to do SLAAC configuration, without requiring
    explicit security group rules to do so.

    Closes-Bug: #1242933

    Change-Id: I517c66a470296141c0024a64e39b6d40b0c0d581

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-12-04
Changed in neutron:
milestone: none → icehouse-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in neutron:
milestone: icehouse-1 → 2014.1
tags: added: ipv6
Changed in neutron:
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers