[openstack-dev] [neutron] dangerous allowed_address_pairs?

James Dempsey jamesd at catalyst.net.nz
Wed Jul 1 01:42:07 UTC 2015


Hi All,

Would someone help me understand some potentially dangerous interactions
between allowed_address_pairs and security groups?  My cloud is Icehouse
at the moment, but the behaviour seems unchanged in master. [1]

Suppose a User wants to build an instance that acts as a router.

User creates an instance named ROUTER with an interface that has an
allowed_address_pair of 0.0.0.0/0. (to bypass the anti-spoofing security
group feature)

By default, ROUTER is in the 'default' security group.

User also creates an instance named WEB.

By default, WEB is in the 'default' security group.

The 'default' security group allows inbound traffic from other hosts(and
associated allowed_address_pairs) in the 'default' security group.

Now, WEB receives all traffic from 0.0.0.0/0 because User didn't realize
that allowed_address_pairs associated with ROUTER would effectively
change all associated security groups to be fully permissive.


Have I missed something?  This seems like exceedingly dangerous
behaviour.  I've already seen two instances of this from my users.

[1]
https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_rpc_base.py#L287

Cheers,
James


-- 
James Dempsey
Senior Cloud Engineer
Catalyst IT Limited
+64 4 803 2264
--



More information about the OpenStack-dev mailing list