@Sridhar - yes I think we have consensus - Neutron should filter outbound RAs on provider networks from guest VMs. Filtering bare metal nodes not controlled by Neutron is very much out of scope - and in addition we already have logic for allowing RAs from the gateway_ip configured in the Neutron subnet that is associated with the provider network - so Neutron vms attached to a provider network are protected from malicious bare metal nodes.
@Sridhar - yes I think we have consensus - Neutron should filter outbound RAs on provider networks from guest VMs. Filtering bare metal nodes not controlled by Neutron is very much out of scope - and in addition we already have logic for allowing RAs from the gateway_ip configured in the Neutron subnet that is associated with the provider network - so Neutron vms attached to a provider network are protected from malicious bare metal nodes.