Host machine exposed to tenant networks via IPv6
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Vinay Potluri |
networking-midonet | Fix Released | High | YAMAMOTO Takashi |
neutron | Fix Released | High | Dustin Lundquist |
Kilo | New | Undecided | Unassigned |
Bug Description
When creating a new interface Neutron creates interface and brings link up without disabling default IPv6 binding. By default Linux brings IPv6 link local addresses to all interfaces, this is different behavior than IPv4 where an administrator must explicitly configure an address on the interface.
This is significantly exposed in LinuxBridgeManager ensure_vlan() and ensure_vxlan(), where a new VLAN or VXLAN interface is created and set link up before being enslaved in the bridge. In the case of a compute node joining an existing network, there is a time window in which the VLAN or VXLAN interface is created and has connectivity to the tenant network before it has been enslaved in the bridge. Under normal circumstances this time window is less than the time needed to perform IPv6 duplicate address detection, but under high load this assumption may not hold.
I recommend explicitly disabling IPv6 via sysctl on each interface which will be attached to a bridge prior to bringing the interface link up. This is already done for the bridge interfaces themselves, but should be done for all Neutron configured interfaces in the default namespace.
This issue was referenced in https:/
Related issue being addressed in Nova: https:/
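The ordering the description recommends, shown as an added shell example (not neutron's own code): the `disable_ipv6` sysctl is written for the new VLAN or VXLAN interface before the link is brought up, and the interface is only enslaved to the bridge after that. The function names, the `RUN` dry-run variable and the `SYSCTL_ROOT` override used by the audit check are assumptions made for this example; with the defaults the script only prints the command sequence, so it can be inspected without root.

```sh
#!/bin/sh
# Added example: safe bring-up order for a bridge-attached interface.
# RUN defaults to "echo" so the sequence is printed instead of executed;
# set RUN="" to run the commands for real (requires root).
RUN="${RUN:-echo}"

# Write the per-interface sysctl first, then bring the link up. Doing it in
# this order means the kernel never assigns a link-local address, so there is
# no window in which the unenslaved interface is reachable from the tenant
# network (constructed helper, not part of neutron).
disable_ipv6_then_up() {
    iface="$1"
    $RUN sysctl -w "net.ipv6.conf.${iface}.disable_ipv6=1"
    $RUN ip link set "$iface" up
}

# Hypothetical analogue of LinuxBridgeManager.ensure_vlan():
# create the VLAN sub-interface, disable IPv6, link up, then enslave.
ensure_vlan() {
    phys="$1"; vid="$2"; bridge="$3"
    iface="${phys}.${vid}"
    $RUN ip link add link "$phys" name "$iface" type vlan id "$vid"
    disable_ipv6_then_up "$iface"
    $RUN ip link set "$iface" master "$bridge"
}

# Hypothetical analogue of LinuxBridgeManager.ensure_vxlan(): same order for
# a VXLAN interface bound to a local VTEP address.
ensure_vxlan() {
    vni="$1"; local_ip="$2"; bridge="$3"
    iface="vxlan-${vni}"
    $RUN ip link add "$iface" type vxlan id "$vni" local "$local_ip" dstport 4789
    disable_ipv6_then_up "$iface"
    $RUN ip link set "$iface" master "$bridge"
}

# Audit check for an existing host: returns success only if IPv6 is disabled
# on the named interface. SYSCTL_ROOT lets the check run against a copy of
# the sysctl tree for testing (assumed variable, defaults to /proc/sys).
check_ipv6_disabled() {
    f="${SYSCTL_ROOT:-/proc/sys}/net/ipv6/conf/$1/disable_ipv6"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Dry-run demonstration of the ordering for one VLAN and one VXLAN interface.
ensure_vlan eth0 100 brq-constructed
ensure_vxlan 1001 192.0.2.10 brq-constructed
```

For a deployed node, looping `check_ipv6_disabled` over every `brq-*` member interface (`ls /sys/class/net/<bridge>/brif/`) gives a quick way to confirm that no Neutron-created interface still carries a link-local address.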
Changed in neutron:
status: Confirmed → In Progress
description: updated
Changed in neutron:
milestone: mitaka-2 → mitaka-3
tags: added: ipv6
Changed in ossn:
assignee: nobody → Luke Hinds (lhinds)
Changed in ossa:
assignee: nobody → Vinay Potluri (vinay-potluri)
Changed in ossn:
status: New → Confirmed
assignee: Luke Hinds (lhinds) → Vinay Potluri (vinay-potluri)
Changed in ossa:
assignee: Vinay Potluri (vinay-potluri) → nobody
Changed in ossn:
status: Confirmed → Fix Released
tags: removed: kilo-backport-potential liberty-backport-potential
I have a fix ready for this.