Comment 17 for bug 1502933
Revision history for this message
| Dustin Lundquist (dlundquist) wrote Re: ICMPv6 anti-spoofing rules are too permissive | #17 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
@Tristan, the antispoofing rules (prior to 299021 which just merged) has permitted a number of types of spoofing attacks:
1. Source MAC spoofing -- this could allow an attacker to cause physical and virtual switches to learn an incorrect destination of MAC addresses allowing an attacker to intercept traffic destine to another instance on the local Neutron network. In the case of a shared multi-tenant network this allowed cross tenant traffic inception.
2. Source IP spoofing in IPv4 DHCP requests -- I'm not aware of an attack which would permit accessing another instances traffic, but could be used to mask the source of a DoS attack.
3. Source IP spoofing of IPv6 DHCP requests -- same as #2.
4. Source IP spoofing of ICMPv6 traffic -- this could allow an attacker to participate in neighbor discovery on the behalf of any other host on the local network, allowing it to receive traffic destine to another instance on the local Neutron network. Same multi tenant concerns as #1.