An attacker would start creating ports whose device_id value is any uuid (say "XXX") and use them as 'bait', with device_owner set to network:router_interface
The attack will then be successful if eventually a router with uuid "XXX" is created. In that case the l3 agent will process the attacker's port as a valid interface for that router thus potentially giving the attacker connectivity to all the other networks attached to that router.
The chances of this happening are anyway very low, because to be successful the attacker should create a consistent number of ports, and this is very likely to be impossible because of quota limitations. (Now you can argue that actually an attacker can use stolen credit cards to buy enough capacity, and I would agree with you.)
For this reason let's consider a scenario in which, in a rather busy cloud, 10,000 routers per day are created (that is less than 1 every 10 seconds).
Using the birthday paradox to determine the number of days needed to get a 1% probability of guessing a UUID with a single port we get:
0.01 = 1 - e^(-(n^2/2^122))
e^(-(n^2/2^122)) = 0.99
-n^2 = ln(0.99) * 2^122
n = sqrt(-ln(0.99)) * 2^61
n = 2.31163905344368E17
This number is quite large: to achieve a 1% probability over a year one would need to create 633,325,768,066,763 ports
Summarizing, I think we might want a backportable fix, but probably this is not enough of a critical vulnerability to grant an embargo
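The estimate above, carried through in code so the numbers can be re-derived for other probabilities, UUID sizes or router creation rates. This is an added example, not part of the comment: the function names and the 122-bit assumption (a version-4 UUID has 122 random bits) are mine, and the formula is exactly the one the comment uses.

```python
import math

# A version-4 UUID carries 122 random bits, so the comment uses 2^122 as the space size.
UUID4_RANDOM_BITS = 122


def collision_probability(n: float, bits: int = UUID4_RANDOM_BITS) -> float:
    """Birthday-paradox estimate used in the comment: p = 1 - e^(-(n^2 / 2^bits))."""
    return 1.0 - math.exp(-(n * n) / 2.0 ** bits)


def ports_for_probability(p: float, bits: int = UUID4_RANDOM_BITS) -> float:
    """Invert the estimate: n = sqrt(-ln(1 - p)) * 2^(bits / 2).

    For p = 0.01 and 122 bits this reproduces the comment's n = 2.3116e17.
    """
    return math.sqrt(-math.log(1.0 - p)) * 2.0 ** (bits / 2)


def days_to_reach(n: float, routers_per_day: int) -> float:
    """Days until the cloud has minted n router UUIDs at the given creation rate."""
    return n / routers_per_day


def ports_per_day_over_year(n: float) -> float:
    """Spread n bait ports over a 365-day year, as the comment's final figure does."""
    return n / 365.0


def risk_summary(p: float = 0.01, routers_per_day: int = 10_000) -> dict:
    """Assumed scenario from the comment: 1% target, 10,000 routers per day (hypothetical)."""
    n = ports_for_probability(p)
    return {
        "ports_for_target_probability": n,
        "days_at_rate": days_to_reach(n, routers_per_day),
        "ports_per_day_over_year": ports_per_day_over_year(n),
        "probability_check": collision_probability(n),
    }


if __name__ == "__main__":
    for key, value in risk_summary().items():
        print(f"{key}: {value:.6g}")
```

Even under the comment's generous assumptions the bait-port volume needed is far beyond any realistic quota, which is the point the comment makes when arguing against an embargo.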