router add subnet <router> <external network>

Bug #1774022 reported by bjolo
Affects                      Status      Importance  Assigned to     Milestone
OpenStack Security Advisory  Incomplete  Undecided   Unassigned
neutron                      Confirmed   Critical    Miguel Lavalle

Bug Description

hi,

When using the command router add subnet <router> <external subnet>, neutron creates a port with the first IP on the subnet. This causes an IP conflict with the real GW IP for the network, and the result is that the physical network goes down. In our case it brought down the whole physical fabric.

cloud info:
(openstack) network show internet
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | nova |
| created_at | 2017-05-10T14:05:08Z |
| description | |
| dns_domain | |
| id | df26cc5b-b122-4506-b948-a213d2b0a7d8 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 9000 |
| name | internet |
| port_security_enabled | True |
| project_id | 1642f7380213486aa6b8fefeb179ffd7 |
| provider:network_type | flat |
| provider:physical_network | physnet1 |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 7 |
| router:external | External |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | cbd1f84a-d31e-4bb3-b788-bacab21f9b6f |
| tags | |
| updated_at | 2017-11-27T00:37:31Z |
+---------------------------+--------------------------------------+

(openstack) subnet show internet-sub1
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools | xxx.yyy.zzz.20-xxx.yyy.zzz.254 |
| cidr | xxx.yyy.zzz.0/24 |
| created_at | 2017-05-10T14:28:46Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | xxx.yyy.zzz.1 |
| host_routes | |
| id | cbd1f84a-d31e-4bb3-b788-bacab21f9b6f |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | internet-sub1 |
| network_id | df26cc5b-b122-4506-b948-a213d2b0a7d8 |
| project_id | 1642f7380213486aa6b8fefeb179ffd7 |
| revision_number | 3 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2017-05-16T12:02:39Z |
+-------------------+--------------------------------------+

way to reproduce:
1. As normal _member_ user, create a router
  (openstack) router create vpn-client-router
2. add the external subnet to the router.
  (openstack) router add subnet vpn-client-router internet-sub1

Actual result:
The port created gets the IP xxx.yyy.zzz.1, which is the same IP as the physical GW IP.

expected result:
First of all, this command should probably return error since the correct command is router set --external-gateway. If it should work, the IP should be in the allocation_pool for the subnet.

version:
openstack pike
neutron 11.0.2
distribution kolla-ansible

bjolo

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
Miguel Lavalle (minsel) wrote :

Hi bjolo,

Thanks for your report. If I understand correctly, network "internet" is your external network and "internet-sub1" is its IPv4 subnet. I am confused about your report. You know (as you point it out in your report) that to create the external gateway for the router you have to use the "openstack router set --external-gateway" command. Why are you adding the external network's subnet to the router with the "openstack router add subnet" command? This command serves a different purpose, namely to link internal networks' subnets to the router, which in turn uses the external gateway. What are you trying to accomplish? It seems to me this is an erroneous sequence of commands.

Changed in neutron:
assignee: nobody → Miguel Lavalle (minsel)
Revision history for this message
Ian Kumlien (pomac) wrote :

You add a router to a subnet and the router gets an IP that is outside the subnet it is added to?

Btw, we had a major outage due to this, it can't be expected behavior =)

The router should get a free IP in the range of the subnet it's being added to...

Note: I was only part of the cleanup/debug/fix effort

Revision history for this message
bjolo (bjorn-lofdahl) wrote :

Hi Miguel,

Yes, it is the wrong command, but that is beside the point. The situation is that right now any normal user on our cloud can run that command and thus bring down the whole cloud, i.e. this is a huge security risk.

bjolo

Revision history for this message
Miguel Lavalle (minsel) wrote :

Hi Bjorn,

Thanks for your quick response. I can confirm that this issue also takes place with master: http://paste.openstack.org/show/722472/

Changed in neutron:
status: New → Confirmed
importance: Undecided → Critical
Revision history for this message
Miguel Lavalle (minsel) wrote :

Brian Haley and Akihiro Motoki are members of the Neutron Core Security team and they will help in fixing this bug.

Revision history for this message
Miguel Lavalle (minsel) wrote :

It seems to me that the solution should be to return an error when trying to add the external subnet to the router, as suggested by Bjorn in #1. Let's see what other team members think.
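
The failure described in the report (a router interface port on the external subnet taking the physical gateway's address) and the refusal proposed above, as an added example that is not part of this report or of Neutron's code. It works on a constructed inventory shaped like the "network show" / "subnet show" output above; the 203.0.113.0/24 and 10.0.0.0/24 ranges and the tenant-net identifiers are placeholders.

```python
import ipaddress

# Constructed sample inventory; the external entries mirror the report's output,
# with 203.0.113.0/24 standing in for xxx.yyy.zzz.0/24. The tenant entries are made up.
NETWORKS = {
    "df26cc5b-b122-4506-b948-a213d2b0a7d8": {"name": "internet", "external": True},
    "9a1d0c2e-0000-4000-8000-000000000001": {"name": "tenant-net", "external": False},
}
SUBNETS = {
    "cbd1f84a-d31e-4bb3-b788-bacab21f9b6f": {
        "name": "internet-sub1", "network_id": "df26cc5b-b122-4506-b948-a213d2b0a7d8",
        "gateway_ip": "203.0.113.1", "pools": [("203.0.113.20", "203.0.113.254")]},
    "9a1d0c2e-0000-4000-8000-000000000002": {
        "name": "tenant-sub1", "network_id": "9a1d0c2e-0000-4000-8000-000000000001",
        "gateway_ip": "10.0.0.1", "pools": [("10.0.0.2", "10.0.0.254")]},
}

def in_pool(subnet, ip):
    """True if ip lies inside one of the subnet's allocation pools."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in subnet["pools"])

def check_router_add_subnet(subnet_id):
    """Pre-flight for 'router add subnet': None if acceptable, else the reason to refuse."""
    subnet = SUBNETS[subnet_id]
    net = NETWORKS[subnet["network_id"]]
    if net["external"]:
        return ("%s is a subnet of external network %s; use "
                "'router set --external-gateway' instead" % (subnet["name"], net["name"]))
    return None

def audit_ports(ports):
    """Flag ports that collide with the physical gateway of an external subnet.

    Each port is a dict with id, device_owner, subnet_id and ip_address. On an
    internal subnet the router interface legitimately owns gateway_ip, so only
    external subnets are checked: there, any router interface, any use of
    gateway_ip, or any address outside the allocation pools is a finding.
    """
    findings = []
    for p in ports:
        subnet = SUBNETS[p["subnet_id"]]
        if not NETWORKS[subnet["network_id"]]["external"]:
            continue
        if p["device_owner"] == "network:router_interface":
            findings.append((p["id"], "router interface on external subnet %s" % subnet["name"]))
        elif p["ip_address"] == subnet["gateway_ip"]:
            findings.append((p["id"], "port holds physical gateway IP %s" % p["ip_address"]))
        elif not in_pool(subnet, p["ip_address"]):
            findings.append((p["id"], "address %s outside allocation pools" % p["ip_address"]))
    return findings
```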

Revision history for this message
Miguel Lavalle (minsel) wrote :

Bjorn,

Do you use that external network for floating IPs or do you allow tenants to create ports / VMs on that external network?

Revision history for this message
Ian Kumlien (pomac) wrote :

We use it for both

Björn will be offline for a while so I'll be answering your questions during that time =)

Revision history for this message
Jeremy Stanley (fungi) wrote :

It appears this is a duplicate of public bug 1757482, so I'm marking this report as a duplicate and directing further discussion there.

description: updated
information type: Private Security → Public Security
Revision history for this message
Miguel Lavalle (minsel) wrote :

Ian,

Thanks, let's continue the conversation in https://bugs.launchpad.net/neutron/+bug/1757482

This report contains Public Security information  
Everyone can see this security related information.