TripleO does not correctly disable IPv6 autoconfiguration and RAs

Bug #1632830 reported by Dan Sneddon
Affects         Status        Importance  Assigned to   Milestone
os-net-config   In Progress   High        Dan Sneddon
tripleo         Fix Released  High        Dan Sneddon

Bug Description

TripleO Heat Templates include sysctl settings for IPv6 that are supposed to disable autoconfiguration and accepting route advertisements (RAs). The current sysctl settings only affect the default configuration, but are overridden by the settings in net.ipv6.conf.all.

Current settings:
           net.ipv6.conf.default.accept_ra:
             value: 0
           net.ipv6.conf.default.autoconf:
             value: 0

Due to this issue, autoconf and accept_ra are enabled for every interface, even if IPV6_AUTOCONF=no in the ifcfg file.

In order to make the ifcfg files work with this setting, the following sysctl settings need to be added to puppet/services/kernel.yaml:

New settings:
+           net.ipv6.conf.all.autoconf:
+             value: 0
+           net.ipv6.conf.all.accept_ra:
+             value: 0

Without these settings, the nodes are vulnerable to traffic interception via rogue Route Advertisements.
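An added audit script, not part of the TripleO change or of os-net-config: it walks the IPv6 sysctl tree under a configurable root (SYSCTL_ROOT, a name assumed here), reports every scope where accept_ra or autoconf is still enabled, and calls out the pattern this report describes, default set to 0 while all is still 1. The function names and the emitted sysctl.conf lines are this example's own; the values are the ones the report asks for.

```shell
#!/bin/sh
# Audit helper added for illustration (not the project's code). It reads the
# per-scope knobs under $SYSCTL_ROOT, which defaults to the live kernel tree
# but can point at a constructed directory for offline checks.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv6/conf}"

# read_knob <scope> <knob>: print the knob's value, or "missing" if unreadable.
read_knob() {
    f="$SYSCTL_ROOT/$1/$2"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

# audit_ipv6_ra: check default, all and every interface directory for
# accept_ra and autoconf. Prints one WARN line per finding and returns 1 if
# any scope still has either knob enabled (0 only when everything is 0).
audit_ipv6_ra() {
    rc=0
    for knob in accept_ra autoconf; do
        for scope_dir in "$SYSCTL_ROOT"/*; do
            scope=$(basename "$scope_dir")
            v=$(read_knob "$scope" "$knob")
            if [ "$v" != "0" ]; then
                echo "WARN $scope/$knob=$v"
                rc=1
            fi
        done
        # The situation from this report: default is 0, but all is not, so
        # the default value never takes effect on the real interfaces.
        all_v=$(read_knob all "$knob")
        if [ "$(read_knob default "$knob")" = "0" ] && [ "$all_v" != "0" ]; then
            echo "WARN net.ipv6.conf.default.$knob=0 is overridden by net.ipv6.conf.all.$knob=$all_v"
        fi
    done
    return $rc
}

# remediation: the four settings the fix installs, in sysctl.conf syntax,
# so an operator can drop them into /etc/sysctl.d/ on a node that fails the audit.
remediation() {
    cat <<'EOF'
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
EOF
}

# Run the audit only when executed directly; sourcing just defines the functions.
case "$0" in *ipv6_ra_audit.sh) audit_ipv6_ra ;; esac
```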

Dan Sneddon (dsneddon)
Changed in tripleo:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dan Sneddon (dsneddon)
Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
Dan Sneddon (dsneddon) wrote :

This bug affects os-net-config in that without these sysctl settings, the value for IPV6_AUTOCONF=no in the ifcfg files is ignored.

Changed in os-net-config:
status: New → Triaged
status: Triaged → In Progress
importance: Undecided → High
assignee: nobody → Dan Sneddon (dsneddon)
Dan Sneddon (dsneddon)
Changed in tripleo:
milestone: none → newton-rc3
milestone: newton-rc3 → ocata-1
tags: added: newton-backport-potential tripleo-heat-templates
tags: added: liberty-backport-potential mitaka-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/385603
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4eacf4179d03cd2102cac4abf14e80eae440c2d3
Submitter: Jenkins
Branch: master

commit 4eacf4179d03cd2102cac4abf14e80eae440c2d3
Author: Dan Sneddon <email address hidden>
Date: Wed Oct 12 12:38:21 2016 -0700

    Disable IPv6 RAs & Autoconf For All (Not Just Default)

    The current kernel sysctl settings modify the
    net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf
    to both be '0'. However, this is overridden by the settings in
    net.ipv6.conf.all, so no matter what setting is in the ifcfg file
    for the IPv6 interface, autoconfiguration and accept_ra will be
    enabled. This causes a security vulnerability where rogue RAs
    could be used to intercept traffic from the controllers.

    This change sets both default and all settings to '0' for IPv6
    accept_ra and autoconf.

    Closes-Bug: 1632830
    Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/386201

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/386201
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b5d94be6d1d4e05296ea0d57aaf9a66de5711ab5
Submitter: Jenkins
Branch: stable/newton

commit b5d94be6d1d4e05296ea0d57aaf9a66de5711ab5
Author: Dan Sneddon <email address hidden>
Date: Wed Oct 12 12:38:21 2016 -0700

    Disable IPv6 RAs & Autoconf For All (Not Just Default)

    The current kernel sysctl settings modify the
    net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf
    to both be '0'. However, this is overridden by the settings in
    net.ipv6.conf.all, so no matter what setting is in the ifcfg file
    for the IPv6 interface, autoconfiguration and accept_ra will be
    enabled. This causes a security vulnerability where rogue RAs
    could be used to intercept traffic from the controllers.

    This change sets both default and all settings to '0' for IPv6
    accept_ra and autoconf.

    Closes-Bug: 1632830
    Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb
    (cherry picked from commit 4eacf4179d03cd2102cac4abf14e80eae440c2d3)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.0.0.0rc3

This issue was fixed in the openstack/tripleo-heat-templates 5.0.0.0rc3 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.0.0

This issue was fixed in the openstack/tripleo-heat-templates 5.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/399808

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/mitaka)

Reviewed: https://review.openstack.org/399808
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=dada49ad8160729384ea4ac68bb66c7752c3c732
Submitter: Jenkins
Branch: stable/mitaka

commit dada49ad8160729384ea4ac68bb66c7752c3c732
Author: Dan Sneddon <email address hidden>
Date: Wed Oct 12 12:38:21 2016 -0700

    Disable IPv6 RAs & Autoconf For All (Not Just Default)

    The current kernel sysctl settings modify the
    net.ipv6.conf.default.accept_ra and net.ipv6.conf.default.autoconf
    to both be '0'. However, this is overridden by the settings in
    net.ipv6.conf.all, so no matter what setting is in the ifcfg file
    for the IPv6 interface, autoconfiguration and accept_ra will be
    enabled. This causes a security vulnerability where rogue RAs
    could be used to intercept traffic from the controllers.

    This change sets both default and all settings to '0' for IPv6
    accept_ra and autoconf.

    Closes-Bug: 1632830
    Change-Id: I95b86c5c6feed30dfa5103ffbddb9e85ac567bbb

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 2.2.0

This issue was fixed in the openstack/tripleo-heat-templates 2.2.0 release.
