As part of Spoofing filter chain Neutron drops all the outbound
traffic where MAC/IP does not match the IP address assigned
to the VM ports (inc' allowed_address_pairs). Along with this,
we also drop traffic associated to dhcp[v6] server (i.e., do
not allow a VM to run dhcp[v6] server). Currently we do not
have any rules to drop Router Advts from VM ports. This can create
issues in the network as other devices in the network may not have
any protection for this kind of stuff.
Even if we allow RAs from the VM ports, because of the Anti-Spoofing
rules that are applied, a VM cannot act as an IPv6 router (i.e., it
cannot forward IPv6 traffic). So there is no point in allowing Router
Advts from VMs assuming that it would be useful in Service VM use-cases.
In order to properly implement IPv6 router as a Service VM, one needs
to use the port_security_extension [1] which allows us to disable
security group rules/anti-spoofing filters on the VM ports.
Reviewed: https://review.openstack.org/140046
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9274c590a78444e9157afd4d41bff566b26c9323
Submitter: Jenkins
Branch: master
commit 9274c590a78444e9157afd4d41bff566b26c9323
Author: sridhargaddam <email address hidden>
Date: Mon Dec 8 16:11:38 2014 +0000
Neutron to Drop Router Advts from VM ports
As part of Spoofing filter chain Neutron drops all the outbound
traffic where MAC/IP does not match the IP address assigned
to the VM ports (inc' allowed_address_pairs). Along with this,
we also drop traffic associated to dhcp[v6] server (i.e., do
not allow a VM to run dhcp[v6] server). Currently we do not
have any rules to drop Router Advts from VM ports. This can create
issues in the network as other devices in the network may not have
any protection for this kind of stuff.
Even if we allow RAs from the VM ports, because of the Anti-Spoofing
rules that are applied, a VM cannot act as an IPv6 router (i.e., it
cannot forward IPv6 traffic). So there is no point in allowing Router
Advts from VMs assuming that it would be useful in Service VM use-cases.
In order to properly implement IPv6 router as a Service VM, one needs
to use the port_security_extension [1] which allows us to disable
security group rules/anti-spoofing filters on the VM ports.
[1] https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst
This patch disables Router Advts from VM ports.
Closes-Bug: #1372882
Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab
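
An added example, not Neutron's code: a Python classifier for the decision the commit describes, recognising ICMPv6 Router Advertisements (type 134, RFC 4861) in raw IPv6 packets leaving a VM port, including ones placed behind extension headers. The function names, addresses and sample packets are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE = 58, 134       # next-header value for ICMPv6; RA type (RFC 4861)
EXT_HEADERS = {0, 43, 60}       # hop-by-hop, routing, destination options
FRAGMENT = 44                   # fragment header, always 8 bytes


def is_router_advertisement(packet: bytes) -> bool:
    """True if a raw IPv6 packet carries an ICMPv6 Router Advertisement."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False
    next_header, offset = packet[6], 40
    while offset + 2 <= len(packet):
        if next_header == ICMPV6:
            return packet[offset] == RA_TYPE
        if next_header in EXT_HEADERS:
            # length byte counts 8-octet units beyond the first 8 octets
            next_header, offset = packet[offset], offset + (packet[offset + 1] + 1) * 8
        elif next_header == FRAGMENT and offset + 8 <= len(packet):
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return False    # later fragment: no upper-layer header here
            next_header, offset = packet[offset], offset + 8
        else:
            return False        # TCP, UDP, or anything else: not an RA
    return False


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet from fe80::1 to ff02::1 (all-nodes)."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload


# Constructed samples (checksums left at 0; the classifier does not verify them).
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
NS = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address("fe80::2").packed
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])    # next=ICMPv6, one PadN option
SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA),
    "RA after destination options": ipv6(60, DEST_OPTS + RA),
    "neighbor solicitation": ipv6(ICMPV6, NS),
    "UDP datagram": ipv6(17, struct.pack("!HHHH", 546, 547, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'DROP' if is_router_advertisement(pkt) else 'pass'}")
```

Only the two Router Advertisement samples are marked for dropping; neighbor solicitation and other traffic from the port pass through to the remaining anti-spoofing checks.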