Comment 53 for bug 1558658

Dustin Lundquist (dlundquist) wrote : Re: Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests

Tristan, change 315828 addresses the OVS Firewall which currently has many of these same problems. Specifically table 71 (BASE_EGRESS_TABLE) permits specific ICMPv6 types, DHCP and DHCPv6 before validating source MAC or IP addresses. This allows IPv6 spoofing: neighbor discovery is permitted without any address validation. In addition the DHCP (IPv4) could be used to mask the source address of a flood attack or release the DHCP lease of another instance (potentially belonging to another tenant on a shared network). In addition all of the above traffic types could be used to cause a physical switch to learn an incorrect port of another instance's or router's MAC address, potentially intercepting another tenant's traffic on a shared provider network.

I finally have a working OVS Firewall test environment and this is my initial analysis of the OpenFlow rules it produces. I think all of the above vulnerabilities are addressed in the existing bug reports. I know the OVS Firewall is a recent addition, so I'm not sure how it falls into the security advisory process.
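As an added illustration (not part of this comment or of the Neutron OVS firewall code), a small audit that reads `ovs-ofctl dump-flows` style lines and flags table-71 rules that pass DHCP, DHCPv6 or neighbor discovery without any source MAC/IP match, which is the ordering problem described above. The flow lines, port numbers and MAC/IP values are constructed, and the field names assume OVS match syntax.

```python
import re

# Constructed sample in the shape of ``ovs-ofctl dump-flows`` output; not real
# output from any deployment. Two table-71 rules pass ND and DHCP without a
# source match, two rules validate dl_src first, and the last one drops.
SAMPLE_FLOWS = """\
 cookie=0x0, duration=10.1s, table=71, n_packets=0, n_bytes=0, priority=95,icmp6,in_port=7,icmp_type=135 actions=NORMAL
 cookie=0x0, duration=10.1s, table=71, n_packets=0, n_bytes=0, priority=80,udp,in_port=7,tp_src=68,tp_dst=67 actions=resubmit(,73)
 cookie=0x0, duration=10.1s, table=71, n_packets=0, n_bytes=0, priority=95,arp,in_port=7,dl_src=fa:16:3e:aa:bb:cc,arp_spa=10.0.0.5 actions=NORMAL
 cookie=0x0, duration=10.1s, table=71, n_packets=0, n_bytes=0, priority=65,ip,in_port=7,dl_src=fa:16:3e:aa:bb:cc,nw_src=10.0.0.5 actions=resubmit(,72)
 cookie=0x0, duration=10.1s, table=71, n_packets=0, n_bytes=0, priority=10,in_port=7 actions=drop
"""

# Traffic classes the comment says table 71 admits before address validation.
UNVALIDATED_CLASSES = {
    "dhcp": lambda f: "udp" in f and f.get("tp_dst") == "67",
    "dhcpv6": lambda f: "udp6" in f and f.get("tp_dst") == "547",
    "nd": lambda f: "icmp6" in f and f.get("icmp_type") in {"135", "136"},
}
# Any of these in the match means the rule pins the frame to a known source.
SOURCE_FIELDS = ("dl_src", "nw_src", "ipv6_src", "arp_spa")


def parse_flow(line):
    """Split one dump-flows line into (match-field dict, actions string)."""
    match_part, _, actions = line.strip().partition(" actions=")
    fields = {}
    for token in re.split(r",\s*", match_part):
        key, _, value = token.partition("=")
        fields[key] = value if value else None  # bare tokens like "udp"
    return fields, actions


def find_unvalidated_flows(flows_text):
    """Return (class, priority, actions) for table-71 rules that forward
    DHCP/DHCPv6/ND traffic without matching on any source address."""
    flagged = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        fields, actions = parse_flow(line)
        if fields.get("table") != "71" or actions == "drop":
            continue
        if any(k in fields for k in SOURCE_FIELDS):
            continue  # source is validated by this rule
        for name, matches in UNVALIDATED_CLASSES.items():
            if matches(fields):
                flagged.append((name, int(fields.get("priority", 0)), actions))
    return flagged


if __name__ == "__main__":
    for cls, prio, act in find_unvalidated_flows(SAMPLE_FLOWS):
        print(f"table 71 passes {cls} at priority {prio} without source check -> {act}")
```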