IP address for a router interface allowed outside the allocation range of subnet
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Invalid | Undecided | Unassigned | |
| neutron | Fix Released | High | Miguel Lavalle | |
Bug Description
Currently running Queens on Ubuntu 16.04 with the linuxbridge ml2 plugin with vxlan overlays. We have a single, large provider network that we have set to 'shared' and 'external', so people who need to do things that don't work well with NAT can connect their instances directly to the provider network. Our 'allocation range' as defined in our provider subnet is dedicated to tenants, so there should be no conflicts.
One of our users connected a neutron router to the provider network (not via the 'external network' option, but rather via the normal 'add interface' option) and neglected to specify an IP address. The neutron router decided that it was now the gateway for the entire provider network and began ARPing.
This seems like it should be disallowed inside of neutron (you shouldn't be able to specify an IP address for a router interface that isn't explicitly part of your allocation range on said subnet). Unless neutron just expects issues like this to be handled by the physical provider infrastructure (spoofing prevention, etc.)?
tags: added: router
tags: added: provider
Changed in neutron:
  assignee: nobody → Miguel Lavalle (minsel)
tags: added: neutron-proactive-backport-potential
Changed in ossa:
  assignee: nobody → Tony Breeds (o-tony)
  status: Incomplete → Triaged
Thanks for reporting the issue. I suspect the issue should not be limited to linuxbridge. One part that's not clear is the sequence of commands you chose to plug the logical router on the network. If that was done through the CLI and using the add-interface command, that takes either a specific port or a subnet. In the latter case the IP ends up being auto-allocated from within the IP allocation pool. In the former case, that can be overridden but then it feels like the harm is somewhat self-inflicted?
Please consider providing more details so that it can help the triage efforts!
Thanks
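The check the reporter asks for, together with the two add-interface paths described in the comment above (subnet only: auto-allocate from the pool; explicit port/IP: accept what was given), as an added Python example. This is not neutron's own code; the `Subnet` model, the function names, and the 10.20.0.0/16 provider subnet with its gateway and pool values are constructed for illustration.

```python
"""Validate that a router interface IP lies inside a subnet's allocation pools.

Added example, not neutron's own code. Models the rule the bug reporter
suggests: a tenant router interface may only take an address from the
tenant allocation pools, never the provider gateway or infrastructure space.
All subnet, gateway and pool values here are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    cidr: str
    gateway_ip: str
    # (start, end) inclusive ranges, shaped like neutron's allocation_pools.
    allocation_pools: list
    allocated: set = field(default_factory=set)

    def network(self):
        return ipaddress.ip_network(self.cidr, strict=True)

    def in_allocation_pools(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(
            ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
            for start, end in self.allocation_pools
        )


def validate_router_port_ip(subnet: Subnet, ip: str):
    """Return (True, '') if ip is acceptable for a tenant router interface,
    otherwise (False, reason). Rejects malformed input, addresses outside the
    subnet, the subnet gateway, anything outside the allocation pools, and
    addresses already handed out."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, f"{ip!r} is not a valid IP address"
    if addr not in subnet.network():
        return False, f"{ip} is not in subnet {subnet.cidr}"
    if addr == ipaddress.ip_address(subnet.gateway_ip):
        return False, f"{ip} is the subnet gateway; a tenant router may not claim it"
    if not subnet.in_allocation_pools(ip):
        return False, f"{ip} is outside the allocation pools of {subnet.cidr}"
    if ip in subnet.allocated:
        return False, f"{ip} is already allocated"
    return True, ""


def allocate_router_port_ip(subnet: Subnet, requested_ip=None) -> str:
    """Subnet-only path: auto-allocate the first free pool address.
    Explicit-IP path: validate the requested address instead of accepting it
    unchecked (the hardened behaviour the reporter asks for)."""
    if requested_ip is None:
        for start, end in subnet.allocation_pools:
            first = int(ipaddress.ip_address(start))
            last = int(ipaddress.ip_address(end))
            for n in range(first, last + 1):
                candidate = str(ipaddress.ip_address(n))
                if candidate not in subnet.allocated:
                    subnet.allocated.add(candidate)
                    return candidate
        raise RuntimeError("allocation pools exhausted")
    ok, reason = validate_router_port_ip(subnet, requested_ip)
    if not ok:
        raise ValueError(reason)
    subnet.allocated.add(requested_ip)
    return requested_ip


def claim_or_reject(subnet: Subnet, requested_ip=None):
    """Convenience wrapper returning ('allocated', ip) or ('rejected', reason)."""
    try:
        return "allocated", allocate_router_port_ip(subnet, requested_ip)
    except ValueError as exc:
        return "rejected", str(exc)


def make_provider_subnet() -> Subnet:
    # Constructed provider subnet: the gateway and other infrastructure sit
    # below .100.0; only .100.1-.199.254 is handed to tenants.
    return Subnet(
        cidr="10.20.0.0/16",
        gateway_ip="10.20.0.1",
        allocation_pools=[("10.20.100.1", "10.20.199.254")],
    )


if __name__ == "__main__":
    provider = make_provider_subnet()
    print(claim_or_reject(provider))              # auto-allocated from the pool
    print(claim_or_reject(provider, "10.20.0.1"))  # gateway: rejected
    print(claim_or_reject(provider, "10.20.5.5"))  # infrastructure space: rejected
    print(claim_or_reject(provider, "10.20.150.7"))  # inside the pool: allocated
```

The gateway check and the pool check are separate on purpose: a subnet whose gateway happens to lie inside a pool would otherwise be protected only by the pool boundary, and an operator reading the rejection reason can see which rule fired.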