Security Guide - Networking services - Incorrect Information

Bug #1455926 reported by N Dillon
This bug affects 1 person
Affects: OpenStack Security Guide Documentation
Status: Fix Released
Importance: Critical
Assigned to: Rahul U Nair
Milestone: (none)

Bug Description

From: https://bugs.launchpad.net/neutron/+bug/1274034

"I believe the assertion is that Neutron's flat networking implementation does not provide layer 2 filtering guarantees between tenants on the same broadcast domain, unlike Nova's"

This section in the security guide is incorrect, and is giving security assurance where there is none.
-----------------------------------
Built: 2015-05-16T15:34:41+00:00
git SHA: c42cf46862483b5e7dc4a83bd8540c05b26dface
URL: http://docs.openstack.org/security-guide/content/networking-services.html

Tags: sec-guide
Joseph Robinson (joseph-r-email) wrote :

So to confirm - Two tenants on the same broadcasting domain, on layer 2, don't have filtering guarantees with the neutron services without the new patch described in bug 1274034 (https://bugs.launchpad.net/neutron/+bug/1274034). There is potential for man-in-the-middle attacks in its current description of security. The docs need the information on setting up filtering and separation in multi-tenant platforms?

Changed in openstack-manuals:
status: New → Confirmed
N Dillon (sicarie) wrote :

Joseph, yes, the gap needs to be documented in the Networking chapter, and then guidance should be given around how to set up that isolation.

Changed in openstack-manuals:
assignee: nobody → deng.zhengyi (deng-zhengyi)
assignee: deng.zhengyi (deng-zhengyi) → nobody
Ammar Raza (ammar-reza)
Changed in openstack-manuals:
assignee: nobody → Ammar Raza (ammar-reza)
Ammar Raza (ammar-reza)
Changed in openstack-manuals:
assignee: Ammar Raza (ammar-reza) → nobody
Changed in openstack-manuals:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in openstack-manuals:
assignee: Ron De Rose (ronald-de-rose) → nobody
Tom Fifield (fifieldt)
information type: Public → Public Security
Changed in openstack-manuals:
assignee: nobody → Manjeet Singh Bhatia (manjeet-s-bhatia)
Changed in openstack-manuals:
assignee: Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody
Ruchika (ruchika)
Changed in openstack-manuals:
assignee: nobody → Ruchika (ruchika)
Ruchika (ruchika)
Changed in openstack-manuals:
assignee: Ruchika (ruchika) → nobody
Edgar Magana (emagana) wrote :

I will do my best to help!

Changed in openstack-manuals:
assignee: nobody → Edgar Magana (emagana)
N Dillon (sicarie) wrote :

Thanks Edgar! Have you been able to take a look at this at all? If we can identify sections that are or are not current I think that would help focus people who might be able to help.

Gaoxiao Zhu (zhugaoxiao)
Changed in openstack-manuals:
assignee: Edgar Magana (emagana) → Gaoxiao Zhu (zhugaoxiao)
assignee: Gaoxiao Zhu (zhugaoxiao) → nobody
Ian Cordasco (icordasc)
affects: openstack-manuals → ossp-security-documentation
Changed in ossp-security-documentation:
assignee: nobody → Rahul U Nair (rahulunair)
Rahul U Nair (rahulunair) wrote :

As the security guide discusses this in https://docs.openstack.org/security-guide/networking/services-security-best-practices.html, I don't think this should be open. If any further details have to be added, a feature request or wish list bug can be opened.

Changed in ossp-security-documentation:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.