2019-11-27 06:02:59 |
Yang Li |
description |
1.Create 2 security groups:
test-security1, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
test-security2, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security2)
2.Create a VM(IP: 40.0.0.46) with test-security1, then the open flows showed:
cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
3.Update VM's sg to test-security2, then the open flows showed:
cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)
You can see the old conjunction for test-security1 still exists: conjunction(15,1/2)
This will cause security problem for VM, because it still can be reached by the old sg VMs. |
1.Create 2 security groups:
test-security1, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security1)
test-security2, with rule(ingress, IPv4, 1-65535/tcp, remote_group: test-security2)
2.Create a VM(IP: 40.0.0.46) with test-security1, then the open flows showed:
cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2)
cookie=0x4fff3d22d8b38f46, duration=52.174s, table=82, n_packets=0, n_bytes=0, idle_age=790, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2)
3.Update VM's sg to test-security2, then the open flows showed:
cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+est-rel-rpl,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(14,1/2),conjunction(22,1/2)
cookie=0x12bb9d102f0c8b3b, duration=2.298s, table=82, n_packets=0, n_bytes=0, idle_age=814, priority=73,ct_state=+new-est,ip,reg6=0x8,nw_src=40.0.0.46 actions=conjunction(15,1/2),conjunction(23,1/2)
You can see the old conjunction for test-security1 still exists: conjunction(14,1/2) and conjunction(15,1/2)
This will cause security problem for VM, because it still can be reached by the old sg VMs. |
|