Activity log for bug #1274034

Date Who What changed Old value New value Message
2014-01-29 10:15:03 Édouard Thuleau bug added bug
2014-01-29 10:16:57 Édouard Thuleau bug added subscriber Mathieu Rohon
2014-01-29 13:40:59 Jeremy Stanley bug task added ossa
2014-01-29 13:41:32 Jeremy Stanley neutron: status New Incomplete
2014-01-29 13:41:37 Jeremy Stanley neutron: status Incomplete New
2014-01-29 13:41:42 Jeremy Stanley ossa: status New Incomplete
2014-01-29 16:43:31 Édouard Thuleau description
Old value:
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
New value:
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
2014-01-29 16:47:14 Édouard Thuleau description
Old value:
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
New value:
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2]
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
[2] http://paste.openstack.org/show/62112/
2014-02-03 16:26:15 Édouard Thuleau attachment added iptables_firewall_basic_spoofing.patch https://bugs.launchpad.net/ossa/+bug/1274034/+attachment/3967734/+files/iptables_firewall_basic_spoofing.patch
2014-02-03 16:48:14 Thierry Carrez bug added subscriber Mark McClain
2014-02-10 13:25:44 Mathieu Rohon ossa: status Incomplete Confirmed
2014-02-10 13:26:08 Mathieu Rohon ossa: status Confirmed Incomplete
2014-02-10 13:55:28 Mathieu Rohon bug added subscriber Nachi Ueno
2014-02-10 17:29:57 Mark McClain bug added subscriber Aaron Rosen
2014-02-17 19:54:53 Jeremy Stanley information type Private Security Public
2014-02-17 19:55:09 Jeremy Stanley tags sg-fw security sg-fw
2014-02-17 19:57:07 Jeremy Stanley ossa: status Incomplete Invalid
2014-02-21 20:50:35 Mark McClain neutron: status New Triaged
2014-02-21 20:50:49 Mark McClain tags security sg-fw l3-ipam-dhcp security sg-fw
2014-03-09 21:48:46 Cedric Brandily bug added subscriber Cedric Brandily
2014-03-25 21:58:29 Kevin Bringard tags l3-ipam-dhcp security sg-fw havana-backport-potential l3-ipam-dhcp security sg-fw
2014-03-26 18:16:31 Kevin Bringard attachment added iptables_firewall.py.patch https://bugs.launchpad.net/neutron/+bug/1274034/+attachment/4045291/+files/iptables_firewall.py.patch
2014-03-30 18:39:32 Darragh O'Reilly bug added subscriber Darragh O'Reilly
2014-04-08 20:06:50 OpenStack Infra neutron: status Triaged In Progress
2014-04-08 20:06:50 OpenStack Infra neutron: assignee Kevin Bringard (kbringard)
2014-04-11 14:28:08 Akihiro Motoki tags havana-backport-potential l3-ipam-dhcp security sg-fw havana-backport-potential icehouse-backport-potential l3-ipam-dhcp security sg-fw
2014-06-19 20:23:11 Mathieu Gagné bug added subscriber Mathieu Gagné
2014-07-11 16:45:49 Kevin Bringard neutron: assignee Kevin Bringard (kbringard)
2014-08-19 02:40:25 Juergen Brendel neutron: assignee Juergen Brendel (jbrendel)
2014-08-22 09:31:36 Robert Clark bug task added ossn
2014-08-25 14:57:05 Kyle Mestery neutron: importance Undecided High
2014-08-28 07:00:30 Matt Popow bug added subscriber Matt Popow
2014-09-02 14:34:23 Tim Kelsey ossn: assignee Tim Kelsey (tim-kelsey)
2014-09-03 15:47:10 Sharmin Choksey bug added subscriber Sharmin Choksey
2014-09-05 10:22:45 Tim Kelsey ossn: status New In Progress
2014-09-19 10:29:34 Tim Kelsey ossn: status In Progress Fix Committed
2014-09-24 09:15:39 haruka tanizawa bug added subscriber haruka tanizawa
2014-09-26 02:27:40 Nathan Kinder ossn: status Fix Committed Fix Released
2014-10-10 04:45:03 Tomoko Inoue bug added subscriber Tomoko Inoue
2014-11-18 08:27:31 Jian Wen bug added subscriber Jian Wen
2014-12-01 03:25:47 huangyunpeng bug added subscriber huangyunpeng
2014-12-16 01:04:54 Subrahmanyam Ongole bug added subscriber Subrahmanyam Ongole
2015-01-10 00:28:56 George Shuklin bug added subscriber George Shuklin
2015-01-15 21:36:08 Kyle Mestery neutron: milestone kilo-3
2015-01-16 07:16:58 gustavo panizzo bug added subscriber gustavo panizzo
2015-01-22 10:42:31 Viktor Tikkanen bug added subscriber Viktor Tikkanen
2015-03-04 16:14:53 Mike Dorman bug added subscriber Mike Dorman
2015-03-19 14:13:56 Kyle Mestery neutron: milestone kilo-3
2015-03-31 13:59:37 Kyle Mestery neutron: milestone liberty-1
2015-04-06 23:21:14 OpenStack Infra neutron: assignee Juergen Brendel (jbrendel) Kevin Benton (kevinbenton)
2015-04-07 13:58:56 Kyle Mestery neutron: milestone liberty-1 kilo-rc1
2015-04-08 12:06:35 Danny Choi bug added subscriber Danny Choi
2015-04-09 01:29:15 Kyle Mestery neutron: milestone kilo-rc1 liberty-1
2015-04-12 20:59:56 Kevin Benton neutron: assignee Kevin Benton (kevinbenton)
2015-04-12 21:28:04 Juergen Brendel ossa: assignee Juergen Brendel (jbrendel)
2015-05-05 23:12:55 Ahmed Rahal bug added subscriber Ahmed Rahal
2015-05-13 22:40:05 Tomoko Inoue tags havana-backport-potential icehouse-backport-potential l3-ipam-dhcp security sg-fw havana-backport-potential icehouse-backport-potential juno-backport-potential kilo-backport-potential l3-ipam-dhcp security sg-fw
2015-05-14 01:06:51 Cedric Brandily tags havana-backport-potential icehouse-backport-potential juno-backport-potential kilo-backport-potential l3-ipam-dhcp security sg-fw l3-ipam-dhcp security sg-fw
2015-05-15 17:47:16 Michael Still bug added subscriber Rackspace Cloud Builders Australia
2015-05-18 09:04:33 Adam Huffman bug added subscriber Adam Huffman
2015-05-21 00:45:23 Sam Morrison bug added subscriber Sam Morrison
2015-05-27 20:31:33 Dustin Lundquist bug added subscriber Dustin Lundquist
2015-06-04 20:01:21 Juergen Brendel ossa: assignee Juergen Brendel (jbrendel)
2015-06-04 20:04:55 Henry Gessau neutron: assignee Mark McClain (markmcclain)
2015-06-23 15:45:18 Thierry Carrez neutron: milestone liberty-1 liberty-2
2015-06-30 09:00:45 OpenStack Infra neutron: assignee Mark McClain (markmcclain) Kevin Benton (kevinbenton)
2015-07-08 20:40:13 OpenStack Infra neutron: status In Progress Fix Committed
2015-07-09 20:03:00 OpenStack Infra tags l3-ipam-dhcp security sg-fw in-feature-pecan l3-ipam-dhcp security sg-fw
2015-07-29 18:57:53 Doug Hellmann neutron: status Fix Committed Fix Released
2015-08-04 20:19:36 Chet Burgess attachment added juno backport https://bugs.launchpad.net/neutron/+bug/1274034/+attachment/4439215/+files/0001-Add-ARP-spoofing-protection-for-LinuxBridge-agent.patch
2015-09-20 18:28:59 OpenStack Infra tags in-feature-pecan l3-ipam-dhcp security sg-fw in-feature-pecan in-stable-juno l3-ipam-dhcp security sg-fw
2015-09-21 18:46:46 OpenStack Infra tags in-feature-pecan in-stable-juno l3-ipam-dhcp security sg-fw in-feature-pecan in-stable-juno in-stable-kilo l3-ipam-dhcp security sg-fw
2015-10-11 18:30:14 Chuck Short nominated for series neutron/kilo
2015-10-11 18:30:14 Chuck Short bug task added neutron/kilo
2015-10-11 18:30:24 Chuck Short neutron/kilo: status New Fix Committed
2015-10-11 18:30:30 Chuck Short neutron/kilo: milestone 2015.1.2
2015-10-13 19:23:10 Chuck Short neutron/kilo: status Fix Committed Fix Released
2015-10-15 12:25:05 Thierry Carrez neutron: milestone liberty-2 7.0.0
2015-11-14 10:34:03 Alan Pevec nominated for series neutron/juno
2015-11-14 10:34:03 Alan Pevec bug task added neutron/juno
2015-11-14 15:07:02 Alan Pevec neutron/juno: status New Fix Committed
2015-11-14 15:07:02 Alan Pevec neutron/juno: milestone 2014.2.4
2015-11-19 21:45:15 Alan Pevec neutron/juno: status Fix Committed Fix Released
2016-03-01 16:55:05 Nobuto Murata bug added subscriber Nobuto Murata
2023-06-14 13:39:50 Christian Rohmann bug added subscriber Christian Rohmann