Comment 2 for bug 1862050

Jeremy Stanley (fungi) wrote:

At first blush, this sounds like an impractical way to go about a denial of service attack, as it depends on an authenticated user and is likely to be fairly noisy with limited actual impact, but it might be a way for customers to avoid paying for additional quota depending on your billing model. As such I'd probably consider this a class C1 report (impractical but could still warrant a CVE) per our taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

If there's agreement from some Neutron core security reviewers (subscribed), we can probably continue this discussion as a regular public bug.