Neutron should drop certain outbound ICMPv6 packets

Bug #1372882 reported by Alexey I. Froloff
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Undecided
Sridhar Gaddam

Bug Description

Neutron should drop certain ICMPv6 messages (like 134) on VM -> Network path. Like it allows certain ICMPv6 messages to be accepted on Network -> VM path, as in bug #1242933

Tags: ipv6
Revision history for this message
Eugene Nikanorov (enikanorov) wrote :

Why should it drop RA packets? VM could be a router in some cases.

tags: added: ipv6
Changed in neutron:
status: New → Incomplete
Revision history for this message
Alexey I. Froloff (raorn) wrote :

I think it makes sense for ports, that belong to networks with external router.

Revision history for this message
Alexey I. Froloff (raorn) wrote :

I mean, when network have other "metal" servers besides VM's, VM can send fake RA's. Other VM's are protected by patch that accepts RA's from known gateways, bot not neighbor "metal" servers.

Revision history for this message
Sean M. Collins (scollins) wrote :

Moving this to confirmed - yes we have logic that filters RAs inbound on VM ports to only allow RAs from the subnet's gateway IP, but in the case of provider networks where VMs are attached to a network that also contains bare metal hosts, the bare metal hosts are not protected.

Changed in neutron:
status: Incomplete → Confirmed
Changed in neutron:
assignee: nobody → Sridhar Gaddam (sridhargaddam)
Revision history for this message
Baodong (Robert) Li (baoli) wrote :

Would the bare metal host be under neutron control as well? Would it be possible to configure its RA rule as we did for openstack VM?

If by default, we don't allow the RA from exiting a VM, and I do agree with Eugene that in the case of service VM, we need a way to enable it if the service VM does RA.

Also check this out https://blueprints.launchpad.net/neutron/+spec/security-group-ipv6-ra-guard

Revision history for this message
Alexey I. Froloff (raorn) wrote :

No, bare metal hosts are not under Neutron control. This is "provider" network, with external router. I think such filtering should be done only for ports, that belong to network with external router.

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
Sridhar Gaddam (sridhargaddam) wrote :

I hope we have a consensus here. We will be filtering only for VM ports that belong to a network with an external router (i.e., provider network use-case).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/140046

Revision history for this message
Sean M. Collins (scollins) wrote :

@Sridhar - yes I think we have consensus - Neutron should filter outbound RAs on provider networks from guest VMs. Filtering bare metal nodes not controlled by Neutron is very much out of scope - and in addition we already have logic for allowing RAs from the gateway_ip configured in the Neutron subnet that is associated with the provider network - so Neutron vms attached to a provider network are protected from malicious bare metal nodes.

Revision history for this message
Sridhar Gaddam (sridhargaddam) wrote :

I think we would have to amend the patch slightly to drop RAs from the VM ports.

Reasoning:
1. Irrespective of whether the network is a external network or not, it would be good to drop all RAs from the VMs (similar to not allowing DHCP server inside a VM). It also helps because we are not sure if other devices on the network have any protection for this kind of stuff.

2. Currently even if we allow RAs from the VM ports, because of the Anti-Spoofing rules that are applied, a VM cannot act as a IPv6 router (i.e., it cannot forward IPv6 traffic). So there is no point in allowing Router Advts from VMs assuming that it would be used in Service VM use-cases.
Inorder to properly implement IPv6 router as a Service VM, one needs to use the port_security_extension [1] which allows us to disable security group rules/anti-spoofing filters on the VM ports.

[1] - https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

I can update the patch accordingly and would like to hear the feedback.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/140046
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9274c590a78444e9157afd4d41bff566b26c9323
Submitter: Jenkins
Branch: master

commit 9274c590a78444e9157afd4d41bff566b26c9323
Author: sridhargaddam <email address hidden>
Date: Mon Dec 8 16:11:38 2014 +0000

    Neutron to Drop Router Advts from VM ports

    As part of Spoofing filter chain Neutron drops all the outbound
    traffic where MAC/IP does not match the IP address assigned
    to the VM ports (inc' allowed_address_pairs). Along with this,
    we also drop traffic associated to dhcp[v6] server (i.e., do
    not allow a VM to run dhcp[v6] server). Currently we do not
    have any rules to drop Router Advts from VM ports. This can create
    issues in the network as other devices in the network may not have
    any protection for this kind of stuff.

    Even if we allow RAs from the VM ports, because of the Anti-Spoofing
    rules that are applied, a VM cannot act as a IPv6 router (i.e., it
    cannot forward IPv6 traffic). So there is no point in allowing Router
    Advts from VMs assuming that it would be useful in Service VM use-cases.
    In order to properly implement IPv6 router as a Service VM, one needs
    to use the port_security_extension [1] which allows us to disable
    security group rules/anti-spoofing filters on the VM ports.

    [1]https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

    This patch disables Router Advts from VM ports.

    Closes-Bug: #1372882
    Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab

Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → 7.0.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.