[openstack-dev] [Neutron]One security issue about floating ip

Carl Baldwin carl at ecbaldwin.net
Thu Jun 26 19:56:21 UTC 2014


There is a bit more to it.  The floating ip was dissociated which means it
should have been removed from the gateway device.

How long did the connection stay up?  Was this a matter of the l3 agent
getting a little behind and not processing the update for a while?  Can you
confirm that the floating ip was removed from the router's gateway device?

This isn't to say that we shouldn't explicitly cut connections in the
connection tracker regardless of the answer to these questions.

Carl
On Jun 26, 2014 11:01 AM, "Miguel Angel Ajo Pelayo" <mangelajo at redhat.com>
wrote:

> Yes, once a connection has passed the nat tables,
> and it's on the kernel connection tracker, it
> will keep working even if you remove the nat rule.
>
> Doing that would require manipulating the kernel
> connection tracking to kill that connection,
> I'm not familiar with that part of the linux network
> stack, not sure if it's possible, but that would be
> the perfect way. (kill nat connection on ext ip=float ip int_ip = internal
> ip)...
>
>
>
>
> ----- Original Message -----
> > Hi folks,
> >
> > After we create an SSH connection to a VM via its floating ip, even
> > though we have removed the floating ip association, we can still access
> > the VM via that connection. Namely, SSH is not disconnected when the
> > floating ip is not valid. Any good solution about this security issue?
> >
> > Thanks
> > Xurong Yang
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
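The two things the thread asks for are (a) confirming whether a flow that was NAT'd through the floating ip is still sitting in the kernel connection tracker after the association is gone, and (b) explicitly cutting it. Below is an added example (editor's code, not Neutron's own l3 agent code and not anything posted in this thread) that parses `conntrack -L` output from a router namespace, picks out the flows that used a given floating ip in either NAT direction, and builds the `conntrack -D` invocations that remove them. The sample `conntrack -L` output is constructed for the example, the namespace name `qrouter-example` is made up, and the use of `--orig-dst`/`--reply-dst` from conntrack(8) to match the DNAT'd inbound and SNAT'd outbound flows is this example's choice, not a description of what the l3 agent does.

```python
"""Find and kill conntrack entries that keep a dissociated floating ip alive.

Assumptions (editor's example, not Neutron code): conntrack-tools is installed
in the router namespace, and the flows of interest were NAT'd through the
floating ip in one of two ways:
  inbound  (DNAT): original dst = floating ip, reply src = fixed ip
  outbound (SNAT): reply dst    = floating ip
Both keep forwarding after the iptables NAT rule is removed, which is the
behaviour the thread describes.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `ip netns exec qrouter-<id> conntrack -L`. Floating ip
# 203.0.113.10 maps to fixed ip 10.0.0.4; 203.0.113.11 maps to 10.0.0.9.
SAMPLE_CONNTRACK_L = """\
tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=203.0.113.10 sport=51234 dport=22 src=10.0.0.4 dst=203.0.113.5 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=198.51.100.7 dst=203.0.113.11 sport=40000 dport=443 src=10.0.0.9 dst=198.51.100.7 sport=443 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.4 dst=8.8.8.8 sport=53331 dport=53 src=8.8.8.8 dst=203.0.113.10 sport=53 dport=53331 mark=0 use=1
"""

_HEAD = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(?:([A-Z_]+)\s+)?")
_ADDR = re.compile(r"\b(src|dst)=(\S+)")
_PORT = re.compile(r"\b(sport|dport)=(\d+)")


def parse_conntrack_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one `conntrack -L` line into its original and reply tuples.

    Returns None for lines that are not flow entries. `state` is None for
    protocols without a tracked state (e.g. UDP).
    """
    head = _HEAD.match(line)
    addrs = _ADDR.findall(line)
    if not head or len(addrs) != 4:
        return None
    entry: Dict[str, object] = {
        "proto": head.group(1),
        "state": head.group(4),
        "orig_src": addrs[0][1], "orig_dst": addrs[1][1],
        "reply_src": addrs[2][1], "reply_dst": addrs[3][1],
        "assured": "[ASSURED]" in line,
    }
    ports = [int(v) for _, v in _PORT.findall(line)]
    if len(ports) == 4:
        entry.update(orig_sport=ports[0], orig_dport=ports[1],
                     reply_sport=ports[2], reply_dport=ports[3])
    return entry


def entries_for_floating_ip(conntrack_output: str, floating_ip: str) -> List[dict]:
    """Return every tracked flow that was NAT'd through `floating_ip`.

    A non-empty result after the association was removed is the check the
    thread asks for: the kernel is still forwarding for that address.
    """
    fip = str(ipaddress.ip_address(floating_ip))  # validates and normalises
    hits = []
    for line in conntrack_output.splitlines():
        entry = parse_conntrack_line(line)
        if entry and fip in (entry["orig_dst"], entry["reply_dst"]):
            hits.append(entry)
    return hits


def delete_commands(floating_ip: str, netns: Optional[str] = None) -> List[List[str]]:
    """Build the conntrack(8) invocations that drop those flows.

    `--orig-dst` matches the DNAT'd inbound flows, `--reply-dst` the SNAT'd
    outbound ones. With `netns` set, the command is wrapped in
    `ip netns exec`, since a Neutron router's tables live in its namespace.
    """
    fip = str(ipaddress.ip_address(floating_ip))
    prefix = ["ip", "netns", "exec", netns] if netns else []
    return [prefix + ["conntrack", "-D", "--orig-dst", fip],
            prefix + ["conntrack", "-D", "--reply-dst", fip]]


def kill_floating_ip_flows(floating_ip: str, netns: Optional[str] = None,
                           dry_run: bool = True) -> List[List[str]]:
    """Run the deletions (needs root); with dry_run just return the commands."""
    cmds = delete_commands(floating_ip, netns)
    if not dry_run:
        for cmd in cmds:
            # conntrack may exit non-zero when nothing matched, so no check=True;
            # re-run `conntrack -L` afterwards to confirm the entries are gone.
            subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cmds


if __name__ == "__main__":
    for e in entries_for_floating_ip(SAMPLE_CONNTRACK_L, "203.0.113.10"):
        print(e["proto"], e["state"], e["orig_src"], "->", e["orig_dst"],
              "reply from", e["reply_src"])
    for cmd in kill_floating_ip_flows("203.0.113.10", netns="qrouter-example"):
        print(" ".join(cmd))
```

The parser is only there so the check can be run offline against captured output; on a live node you would feed it `ip netns exec qrouter-<id> conntrack -L` and, for Carl's other question, look at `ip netns exec qrouter-<id> ip addr show` to see whether the floating ip is still on the gateway device. Flushing conntrack entries does not by itself stop the traffic if the address and DNAT rule are still present, which is why the agent's removal of both, followed by the flush, is the order that makes the existing session die rather than get re-tracked.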
