Use of allowed-address-pairs can allow tenant to cause denial of service in shared networks

Bug #1447242 reported by James Denton
Bug heat: 18
This bug affects 2 people

Affects         Status         Importance   Assigned to    Milestone
neutron         Fix Released   High         Kevin Benton   -
neutron (Kilo)  New            Undecided    Unassigned     -

Bug Description

By assigning the subnet gateway address to a port as an allowed address, a user can cause ARP conflicts and deny service to other users in the network. This can be exacerbated by the use of arping to send gratuitous ARPs and poison the arp cache of instances in the same network.

Steps to reproduce:

1. Build a VM. In this case, the network was a VLAN type with external=false and shared=true.
2. Assign the subnet gateway address as a secondary address in the VM
3. Use the 'port-update' command to add the gateway address as an allowed address on the VM port
4. Use 'arping' from iputils-arping to send gratuitous ARPs as the gateway IP from the instance
5. Watch as the ARP cache is updated on other instances in the network, effectively taking them offline.

This was tested with LinuxBridge/VLAN as a non-admin user, but may affect other combinations.

Possible remedies may include removing the ability to use allowed-address-pairs as a non-admin user, or ensuring that the user cannot add the gateway_ip of the subnet associated with the port as an allowed address. Either of those two remedies may negatively impact certain use cases, so at a minimum it may be a good idea to document this somewhere.

If you need more information please reach out to me.

Revision history for this message
Kevin Benton (kevinbenton) wrote :

I think we should just block users from using allowed address pairs on networks they don't own.

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
Changed in neutron:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/176429

Changed in neutron:
status: New → In Progress
Revision history for this message
James Denton (james-denton) wrote :

Patch appears to work as intended on latest Devstack.

Revision history for this message
Kevin Benton (kevinbenton) wrote :

Hi James,

It looks like this can be accomplished with a simple policy.json change. Can you try out the latest patch and make sure it still blocks as intended?
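
Added example (not Neutron's code and not the change under review): a small model of the two remedies discussed in this thread, the policy.json rule that limits allowed_address_pairs to admins or the network's owner, and the gateway-address check proposed in the report. The rule strings, the minimal policy evaluator and the sample network, subnet and port data are all constructed here and are assumptions; the real check runs through oslo.policy against the operator's policy file.

```python
"""Model of the remedies discussed in bug #1447242: a policy rule restricting
allowed_address_pairs to admins or the network owner, plus a check that no
allowed address covers the subnet gateway. Example code added here; not
Neutron's implementation. Rule names and sample data are constructed."""
import ipaddress

# Constructed policy fragment in the style of Neutron's policy.json. The rule
# strings are an assumption modelling "admin or network owner", not the merged diff.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
}


def check(rule_text, creds, target):
    """Evaluate a small subset of the policy syntax: clauses joined by ' or ',
    each being 'rule:<name>', 'role:<role>' or '<cred key>:%(<target key>)s'."""
    for clause in rule_text.split(" or "):
        kind, _, value = clause.partition(":")
        if kind == "rule":
            if check(POLICY[value], creds, target):
                return True
        elif kind == "role":
            if value in creds.get("roles", ()):
                return True
        elif value.startswith("%(") and value.endswith(")s"):
            # e.g. tenant_id:%(network:tenant_id)s -> caller's tenant must own the network
            if creds.get(kind) is not None and creds.get(kind) == target.get(value[2:-2]):
                return True
    return False


def gateway_conflicts(pairs, subnets):
    """Return the gateway IPs that any allowed address (single IP or CIDR) would cover."""
    hits = []
    gateways = [ipaddress.ip_address(s["gateway_ip"]) for s in subnets if s.get("gateway_ip")]
    for pair in pairs:
        covered = ipaddress.ip_network(pair["ip_address"], strict=False)
        hits.extend(str(gw) for gw in gateways if gw in covered)
    return hits


def enforce_allowed_address_pairs(action, creds, port, network, subnets):
    """Decide whether `creds` may set port['allowed_address_pairs'] on `network`.
    Returns (allowed, reason). `action` is 'create_port' or 'update_port'."""
    target = {"tenant_id": port["tenant_id"], "network:tenant_id": network["tenant_id"]}
    if not check(POLICY[action + ":allowed_address_pairs"], creds, target):
        return False, "policy: allowed_address_pairs requires admin or network owner"
    hits = gateway_conflicts(port.get("allowed_address_pairs", []), subnets)
    if hits:
        return False, "allowed address would cover subnet gateway " + ", ".join(hits)
    return True, "ok"


# Constructed sample data: a shared network owned by tenant "infra", one subnet
# with gateway 192.0.2.1, and a port belonging to tenant "alice" on that network.
NETWORK = {"id": "net-1", "tenant_id": "infra", "shared": True}
SUBNETS = [{"id": "sub-1", "cidr": "192.0.2.0/24", "gateway_ip": "192.0.2.1"}]
ALICE = {"tenant_id": "alice", "roles": ["member"]}   # non-admin, not the network owner
INFRA = {"tenant_id": "infra", "roles": ["member"]}   # non-admin network owner
ADMIN = {"tenant_id": "ops", "roles": ["admin"]}


def port_with(pairs):
    return {"id": "port-1", "tenant_id": "alice", "allowed_address_pairs": pairs}


if __name__ == "__main__":
    cases = [
        ("alice claims gateway on shared net", ALICE, [{"ip_address": "192.0.2.1"}]),
        ("owner claims ordinary address", INFRA, [{"ip_address": "192.0.2.50"}]),
        ("owner claims gateway", INFRA, [{"ip_address": "192.0.2.1"}]),
        ("admin claims whole subnet CIDR", ADMIN, [{"ip_address": "192.0.2.0/24"}]),
    ]
    for name, creds, pairs in cases:
        print(name, "->", enforce_allowed_address_pairs("update_port", creds,
                                                         port_with(pairs), NETWORK, SUBNETS))
```

The first case is the report's scenario: a non-admin tenant on a shared network is stopped by the policy rule alone. The remaining cases show why the gateway check is a separate, complementary control: an owner or admin passes policy but is still refused an allowed address that equals, or as a CIDR covers, the subnet gateway.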

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/176429
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=927399c011409b7d152b7670b896f15eee7d0db3
Submitter: Jenkins
Branch: master

commit 927399c011409b7d152b7670b896f15eee7d0db3
Author: Kevin Benton <email address hidden>
Date: Tue Apr 21 02:01:39 2015 -0700

    Block allowed address pairs on other tenants' net

    Don't allow tenants to use the allowed address pairs extension
    when they are attaching a port to a network that does not belong
    to them.

    This is done because allowed address pairs can allow things like
    ARP spoofing and all tenants attached to a shared network might not
    implicitly trust each other.

    Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
    Closes-Bug: #1447242

Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
James Denton (james-denton) wrote :

Hi Kevin,

Looks like the policy.json changes did the trick. Thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/181158

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/181158
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4c9a4bf337b27a8cc85dd97ab403f348b6efeb88
Submitter: Jenkins
Branch: stable/kilo

commit 4c9a4bf337b27a8cc85dd97ab403f348b6efeb88
Author: Kevin Benton <email address hidden>
Date: Tue Apr 21 02:01:39 2015 -0700

    Block allowed address pairs on other tenants' net

    Don't allow tenants to use the allowed address pairs extension
    when they are attaching a port to a network that does not belong
    to them.

    This is done because allowed address pairs can allow things like
    ARP spoofing and all tenants attached to a shared network might not
    implicitly trust each other.

    Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
    Closes-Bug: #1447242
    (cherry picked from commit 927399c011409b7d152b7670b896f15eee7d0db3)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → 7.0.0