Comment 52 for bug 1274034

Darragh O'Reilly, they can not use fake address (I've tested this), but they can announce it rendering any host in the network disabled.

Or they can announce fake IP and listen for any non-stream protocols (f.e. UDP). They still will not be able to retransmit it to original or reply, but can intercept any unidirectional UDP (f.e. pieces of voice conversations in RTP, or even, pieces of TCP (with cookies! yum!)). Legitimate host will ask to retransmit them, but malicious VM will receive one copy of data.

If it will do this sporadically for short time (like once in 10s) it will not disturb work of the legitimate host significantly (sometimes TCP will be really slow or stuck, but recover eventually), but still allows interception of pieces of traffic.

I think this is a clear vulnerability in neutron without any 'but you can try to mitigate this' (HOW?).