Routed ICMP v6 traffic goes through with no security group rules with DVR
Bug #1515444 reported by
Ritesh Anand
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
neutron |
Invalid
|
Undecided
|
Unassigned |
Bug Description
V6 traffic flows between two dual stacked instances connected via DVR despite absence of security group rule allowing so. V4 traffic is blocked.
Build: Master Nov. 11/11/15
Setup: One controller/Network node, Two Compute nodes.
Steps:
1. create net1 and net2.
2. create IPv4 and IPv6 subnet(
3. create DVR.
4. Add router interface for each of four subnets to DVR.
5. Boot instance with nic on net1 and other with nic on net2.
6. Delete all security group rules if any exists.
7. Ping6 v6 IP from one instance to the other.
Expected: Traffic does not go through.
Observed: Traffic goes through.
*also observed with dhcpv6-stateful addressing.
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
description: | updated |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.