Use of allowed-address-pairs can allow tenant to cause denial of service in shared networks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Kevin Benton |
Kilo | New | Undecided | Unassigned |
Bug Description
By assigning the subnet gateway address to a port as an allowed address, a user can cause ARP conflicts and deny service to other users in the network. This can be exacerbated by the use of arping to send gratuitous ARPs and poison the ARP cache of instances in the same network.
Steps to reproduce:
1. Build a VM. In this case, the network was a VLAN type with external=false and shared=true.
2. Assign the subnet gateway address as a secondary address in the VM
3. Use the 'port-update' command to add the gateway address as an allowed address on the VM port
4. Use 'arping' from iputils-arping to send gratuitous ARPs as the gateway IP from the instance
5. Watch as the ARP cache is updated on other instances in the network, effectively taking them offline.
This was tested with LinuxBridge/VLAN as a non-admin user, but may affect other combinations.
Possible remedies may include removing the ability to use allowed-
If you need more information please reach out to me.
Changed in neutron:
  importance: Undecided → High
Changed in neutron:
  milestone: none → liberty-1
  status: Fix Committed → Fix Released
Changed in neutron:
  milestone: liberty-1 → 7.0.0
I think we should just block users from using allowed address pairs on networks they don't own.
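The following is an added illustration of the two mitigations discussed on this page (the "possible remedies" in the bug description and the proposal in the comment above to block allowed-address-pairs on networks a tenant does not own). It is not Neutron's code: the `NETWORKS`, `SUBNETS` and `PORTS` tables are constructed sample data, and `check_allowed_address_pairs` is a hypothetical, simplified stand-in for the validation a port update would go through. It goes slightly beyond the report by also rejecting a CIDR-form pair that covers the gateway, since a whole-subnet pair would claim the gateway address just as a single-host pair does.

```python
"""Illustrative validator for allowed-address-pairs updates.

Hypothetical, simplified model of the check a Neutron-style port update
could apply (not Neutron's own code). Two policies are enforced:
  1. a non-admin tenant may not set allowed-address-pairs on a network
     it does not own (the fix proposed in the bug comment), and
  2. no pair may claim, or cover via a CIDR, a gateway address of any
     subnet on the port's network (the ARP-conflict vector in the report).
"""
import ipaddress

# Constructed sample data, not taken from a real deployment.
NETWORKS = {
    "net-shared": {"tenant_id": "admin-tenant", "shared": True},
    "net-private": {"tenant_id": "tenant-a", "shared": False},
}
SUBNETS = {
    "subnet-shared": {"network_id": "net-shared",
                      "cidr": "10.0.0.0/24", "gateway_ip": "10.0.0.1"},
    "subnet-private": {"network_id": "net-private",
                       "cidr": "192.168.1.0/24", "gateway_ip": "192.168.1.1"},
}
PORTS = {
    "port-1": {"network_id": "net-shared", "tenant_id": "tenant-b"},
    "port-2": {"network_id": "net-private", "tenant_id": "tenant-a"},
}


def gateway_ips_for_network(network_id):
    """Collect the gateway addresses of every subnet on the given network."""
    return {
        ipaddress.ip_address(s["gateway_ip"])
        for s in SUBNETS.values()
        if s["network_id"] == network_id and s["gateway_ip"]
    }


def check_allowed_address_pairs(port_id, pairs, requester_tenant, is_admin=False):
    """Return a list of policy violations for a proposed update (empty = allowed).

    `pairs` is a list of dicts with an "ip_address" key holding either a
    single address or a CIDR, mirroring the allowed-address-pairs format.
    """
    violations = []
    port = PORTS[port_id]
    network = NETWORKS[port["network_id"]]

    # Policy 1: only the network owner (or an admin) may set pairs on that network.
    if pairs and not is_admin and network["tenant_id"] != requester_tenant:
        violations.append(
            f"tenant {requester_tenant} may not set allowed-address-pairs on "
            f"network {port['network_id']} owned by {network['tenant_id']}"
        )

    # Policy 2: no pair may claim a subnet gateway, directly or via a covering CIDR.
    gateways = gateway_ips_for_network(port["network_id"])
    for pair in pairs:
        candidate = ipaddress.ip_network(pair["ip_address"], strict=False)
        for gw in gateways:
            if gw in candidate:
                violations.append(
                    f"pair {pair['ip_address']} would claim gateway address {gw}"
                )
    return violations


if __name__ == "__main__":
    # A tenant on a shared network it does not own, asking for the gateway address.
    for v in check_allowed_address_pairs(
            "port-1", [{"ip_address": "10.0.0.1"}], "tenant-b"):
        print("rejected:", v)
    # The network owner adding an ordinary secondary address on its own network.
    print("accepted:", check_allowed_address_pairs(
        "port-2", [{"ip_address": "192.168.1.50"}], "tenant-a") == [])
```

Returning the full list of violations rather than raising on the first one lets an API layer report every reason at once, and lets a log line for a rejected update carry enough detail to spot a tenant repeatedly trying to claim gateway addresses.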