Security Groups do not prevent MAC spoofing with non-IP traffic

Bug #1558674 reported by Dustin Lundquist
Affects    Status    Importance    Assigned to    Milestone
neutron    New       Undecided     Unassigned

Bug Description

The IptablesFirewallDriver does not prevent spoofing of other instances' or a router's MAC addresses. iptables and ip6tables are used to verify the source MAC of IP traffic, but anti-spoofing measures are not implemented for non-IP traffic. Presently ebtables is used to prevent ARP spoofing, but not used to enforce the source address of all Ethernet frames.

If L2population is not used, an instance can spoof the Neutron router's MAC address and cause the switches to learn a MAC move, allowing the instance to intercept other instances' traffic, potentially belonging to other tenants if this is a shared network.

A solution for this is to use ebtables to restrict the source MAC address of frames accepted from the instance to the MAC addresses assigned to the Neutron port. Using a rule such as this:

     ebtables -A FORWARD -i tap29f34cfc-a7 --among-src ! fa:16:3e:e0:b1:ba -j DROP

Should be sufficient, and allow removing MAC address verification within iptables and ip6tables rules managed by Neutron.
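As an added example (not Neutron's code and not the rule from this report), the following POSIX sh helper prints the ebtables commands for a per-port whitelist chain: frames from the instance's tap whose source MAC is the port MAC or one of its allowed_address_pairs MACs are returned to FORWARD, and every other source MAC is dropped whatever the ethertype (IP, IPv6, ARP or anything else). The tap name, the chain-name prefix and the MAC values are assumed; it prints rather than applies the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not Neutron's own code. Builds an ebtables chain that only lets
# frames with a whitelisted source MAC in from a given tap interface.

# Emit the ebtables commands for one port.
#   $1 = tap interface name (assumed), $2.. = allowed source MACs
#   (the port MAC plus any allowed_address_pairs MACs; values assumed).
mac_protect_rules() {
    iface="$1"; shift
    chain="neutronMAC-$iface"          # assumed prefix; ebtables limits names to 31 chars
    # --among-src takes a comma-separated MAC list; build it from the arguments
    # and reject anything that is not hex digits and colons.
    list=""
    for mac in "$@"; do
        case "$mac" in
            *[!0-9a-fA-F:]*|"") echo "invalid MAC: $mac" >&2; return 1 ;;
        esac
        list="${list:+$list,}$mac"
    done
    [ -n "$list" ] || { echo "no MACs given for $iface" >&2; return 1; }
    echo "ebtables -N $chain"
    # Whitelisted source MACs go back to FORWARD for the remaining rules ...
    echo "ebtables -A $chain --among-src $list -j RETURN"
    # ... and every other source MAC is dropped regardless of ethertype.
    echo "ebtables -A $chain -j DROP"
    # Hook the per-port chain for frames entering the bridge from the tap.
    echo "ebtables -A FORWARD -i $iface -j $chain"
}

# Commands to remove the per-port chain again when the port is unplugged.
mac_protect_cleanup() {
    iface="$1"
    chain="neutronMAC-$iface"
    echo "ebtables -D FORWARD -i $iface -j $chain"
    echo "ebtables -F $chain"
    echo "ebtables -X $chain"
}
```

Pipe the printed commands to sh on the compute node to apply them; the chain is a whitelist, so a port with several allowed MACs needs them all listed.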

Kevin Benton (kevinbenton) wrote:

Marking as duplicate because the other bug is a result of the same non-enforcement of MACs.

information type: Private Security → Public