Neutron should drop certain outbound ICMPv6 packets

Why should it drop RA packets? VM could be a router in some cases.

I think it makes sense for ports, that belong to networks with external router.

I mean, when network have other "metal" servers besides VM's, VM can send fake RA's. Other VM's are protected by patch that accepts RA's from known gateways, bot not neighbor "metal" servers.

Moving this to confirmed - yes we have logic that filters RAs inbound on VM ports to only allow RAs from the subnet's gateway IP, but in the case of provider networks where VMs are attached to a network that also contains bare metal hosts, the bare metal hosts are not protected.

Would the bare metal host be under neutron control as well? Would it be possible to configure its RA rule as we did for openstack VM?

If by default, we don't allow the RA from exiting a VM, and I do agree with Eugene that in the case of service VM, we need a way to enable it if the service VM does RA.

Also check this out https://blueprints.launchpad.net/neutron/+spec/security-group-ipv6-ra-guard

No, bare metal hosts are not under Neutron control. This is "provider" network, with external router. I think such filtering should be done only for ports, that belong to network with external router.

I hope we have a consensus here. We will be filtering only for VM ports that belong to a network with an external router (i.e., provider network use-case).

Fix proposed to branch: master
Review: https://review.openstack.org/140046

@Sridhar - yes I think we have consensus - Neutron should filter outbound RAs on provider networks from guest VMs. Filtering bare metal nodes not controlled by Neutron is very much out of scope - and in addition we already have logic for allowing RAs from the gateway_ip configured in the Neutron subnet that is associated with the provider network - so Neutron vms attached to a provider network are protected from malicious bare metal nodes.

I think we would have to amend the patch slightly to drop RAs from the VM ports.

Reasoning:
1. Irrespective of whether the network is a external network or not, it would be good to drop all RAs from the VMs (similar to not allowing DHCP server inside a VM). It also helps because we are not sure if other devices on the network have any protection for this kind of stuff.

2. Currently even if we allow RAs from the VM ports, because of the Anti-Spoofing rules that are applied, a VM cannot act as a IPv6 router (i.e., it cannot forward IPv6 traffic). So there is no point in allowing Router Advts from VMs assuming that it would be used in Service VM use-cases.
Inorder to properly implement IPv6 router as a Service VM, one needs to use the port_security_extension [1] which allows us to disable security group rules/anti-spoofing filters on the VM ports.

[1] - https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

I can update the patch accordingly and would like to hear the feedback.

Reviewed: https://review.openstack.org/140046
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9274c590a78444e9157afd4d41bff566b26c9323
Submitter: Jenkins
Branch: master

commit 9274c590a78444e9157afd4d41bff566b26c9323
Author: sridhargaddam <email address hidden>
Date: Mon Dec 8 16:11:38 2014 +0000

    Neutron to Drop Router Advts from VM ports

    As part of Spoofing filter chain Neutron drops all the outbound
    traffic where MAC/IP does not match the IP address assigned
    to the VM ports (inc' allowed_address_pairs). Along with this,
    we also drop traffic associated to dhcp[v6] server (i.e., do
    not allow a VM to run dhcp[v6] server). Currently we do not
    have any rules to drop Router Advts from VM ports. This can create
    issues in the network as other devices in the network may not have
    any protection for this kind of stuff.

    Even if we allow RAs from the VM ports, because of the Anti-Spoofing
    rules that are applied, a VM cannot act as a IPv6 router (i.e., it
    cannot forward IPv6 traffic). So there is no point in allowing Router
    Advts from VMs assuming that it would be useful in Service VM use-cases.
    In order to properly implement IPv6 router as a Service VM, one needs
    to use the port_security_extension [1] which allows us to disable
    security group rules/anti-spoofing filters on the VM ports.

    [1]https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

    This patch disables Router Advts from VM ports.

    Closes-Bug: #1372882
    Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072