neutron

  1. Bug #1489111
  2. Comment #36

Comment 36 for bug 1489111

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/221342
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bbca973986fdc99eae9d1b2545e8246c0b2be2e2
Submitter: Jenkins
Branch: master

commit bbca973986fdc99eae9d1b2545e8246c0b2be2e2
Author: Kevin Benton <email address hidden>
Date: Tue Aug 25 22:03:27 2015 -0700

    Stop device_owner from being set to 'network:*'

    This patch adjusts the FieldCheck class in the policy engine to
    allow a regex rule. It then leverages that to prevent users from
    setting the device_owner field to anything that starts with
    'network:' on networks which they do not own.

    This policy adjustment is necessary because any ports with a
    device_owner that starts with 'network:' will not have any security
    group rules applied because it is assumed they are trusted network
    devices (e.g. router ports, DHCP ports, etc). These security rules
    include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
    and IP headers.

    Without this policy adjustment, tenants can abuse this trust when
    connected to a shared network with other tenants by setting their
    VM port's device_owner field to 'network:<anything>' and hijack other
    tenants' traffic via DHCP spoofing or MAC/IP spoofing.

    Closes-Bug: #1489111
    Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9