RA Leak on tenant network
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
neutron | New | Undecided | Unassigned | |
Bug Description
This morning we saw RA learned prefixes popping up on instances within the Limestone CI cloud nodepool tenant network. This was discovered because the instance hosting the openstack infra mirror at limestone, mirror.
I launched an instance to investigate the loss of connectivity and noticed that it also acted on these bogus RAs:
http://
In addition, my instance learned 5 IPv6 default nexthops from RAs: http://
Among these, only fe80::f816:
I attempted to identify the remaining 4 MAC addresses by searching nova/neutron logs on the controller hosts and the compute hosts. I also searched the openstack mysql databases for hits on these MACs. I wasn't able to find any sign of these MAC addresses anywhere, so I wonder if these MACs might be generated by a neutron instance running within one of the gate jobs on the cloud. fungi noticed several test jobs are configured to use the 2003:: network http://
It is extremely unlikely that these invalid RAs leaked from outside the openstack environment since they are not physical hardware MAC addresses, and also the virtual network where these RAs were observed is not bridged to the physical network whatsoever. Its only access to the outside world is through a neutron L3 HA router hosted on the controller hosts. All traffic between the instances and the controllers is transmitted over a neutron linuxbridge vxlan network.
The cloud is a Rocky openstack cloud deployed by openstack-ansible. The entire configuration for this cloud is located at https:/
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
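The check described in the bug description (tracing RA-learned default next hops back to MAC addresses and comparing them with the ports Neutron knows about) can be scripted on an affected instance. This is an added example, not part of the original report or of neutron's code; the route output, addresses and known-MAC set are constructed, and it assumes next hops use modified-EUI-64 link-local addresses so the MAC can be recovered.

```python
import ipaddress
import re

# Constructed sample of `ip -6 route show default` output on an affected
# instance; every address below is made up for illustration.
SAMPLE_ROUTES = """\
default via fe80::f816:3eff:fe11:2233 dev eth0 proto ra metric 1024 expires 1787sec pref medium
default via fe80::f816:3eff:feaa:bbcc dev eth0 proto ra metric 1024 expires 1650sec pref medium
default via fe80::5054:ff:fe12:3456 dev eth0 proto ra metric 1024 expires 1701sec pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1799sec pref medium
"""

# Constructed: MACs of the router ports Neutron actually owns on this network,
# e.g. collected from `openstack port list --network <net>`.
KNOWN_ROUTER_MACS = {"fa:16:3e:11:22:33"}


def link_local_to_mac(addr):
    """Recover the MAC from a modified-EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any %zone suffix
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]                  # 64-bit interface identifier
    if iid[3:5] != b"\xff\xfe":          # static or privacy IID, no MAC inside
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def ra_default_nexthops(route_output):
    """Return (nexthop, dev) for default routes installed from RAs (proto ra)."""
    pat = re.compile(r"^default via (\S+) dev (\S+).*\bproto ra\b", re.M)
    return pat.findall(route_output)


def unexpected_routers(route_output, known_macs):
    """List (nexthop, dev, mac) for RA routers that are not known Neutron ports."""
    findings = []
    for nexthop, dev in ra_default_nexthops(route_output):
        mac = link_local_to_mac(nexthop)
        if mac is None or mac not in known_macs:
            findings.append((nexthop, dev, mac))
    return findings


if __name__ == "__main__":
    for nexthop, dev, mac in unexpected_routers(SAMPLE_ROUTES, KNOWN_ROUTER_MACS):
        print(f"unexpected RA router {nexthop} on {dev} (MAC: {mac or 'not derivable'})")
```

Next hops whose MAC cannot be derived are reported too, since a router that should exist on the network would normally be identifiable from its Neutron port.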