<div dir="ltr">Yes, this is expected behavior. Allowed address pairs were mainly intended for a few extra IP addresses that the port owns. Using /0 implies that the Neutron port is responsible for all of those addresses. So if you allow traffic from that Neutron port, it allows traffic from /0.<div><br></div><div>The router use-case should probably be documented to use either a separate security group or to disable the security groups completely on the router port using the port-security-enabled flag. <a href="http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html">http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html</a><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 30, 2015 at 6:42 PM, James Dempsey <span dir="ltr"><<a href="mailto:jamesd@catalyst.net.nz" target="_blank">jamesd@catalyst.net.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi All,<br>
<br>
Would someone help me understand some potentially dangerous interactions<br>
between allowed_address_pairs and security groups?  My cloud is Icehouse<br>
at the moment, but the behaviour seems unchanged in master. [1]<br>
<br>
Suppose a User wants to build an instance that acts as a router.<br>
<br>
User creates an instance named ROUTER with an interface that has an<br>
allowed_address_pair of <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a>. (to bypass the anti-spoofing security<br>
group feature)<br>
<br>
By default, ROUTER is in the 'default' security group.<br>
<br>
User also creates an instance named WEB.<br>
<br>
By default, WEB is in the 'default' security group.<br>
<br>
The 'default' security group allows inbound traffic from other hosts (and<br>
associated allowed_address_pairs) in the 'default' security group.<br>
<br>
Now, WEB receives all traffic from <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> because User didn't realize<br>
that allowed_address_pairs associated with ROUTER would effectively<br>
change all associated security groups to be fully permissive.<br>
<br>
<br>
Have I missed something?  This seems like exceedingly dangerous<br>
behaviour.  I've already seen two instances of this from my users.<br>
<br>
[1]<br>
<a href="https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_rpc_base.py#L287" rel="noreferrer" target="_blank">https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_rpc_base.py#L287</a><br>
<br>
Cheers,<br>
James<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
James Dempsey<br>
Senior Cloud Engineer<br>
Catalyst IT Limited<br>
<a href="tel:%2B64%204%20803%202264" value="+6448032264">+64 4 803 2264</a><br>
--<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div>Kevin Benton</div></div>
</div>
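The interaction described in this thread (a broad allowed_address_pairs entry on one port silently widening every remote_group_id rule that names that port's security group) can be audited from the Neutron API data. The script below is an added example written for this page, not code from the thread or from the Neutron project. It uses constructed port and security-group records that mirror the real API fields (allowed_address_pairs, security_group_ids, port_security_enabled, direction, remote_group_id) and reproduces the ROUTER / WEB scenario plus the two mitigations Kevin mentions; the 256-address threshold and the sg-* identifiers are assumptions chosen for the example.

```python
"""Audit Neutron ports whose allowed_address_pairs cover a wide address range
and report which other ports would accept their traffic through a
remote_group_id rule.  Added example; the records below are constructed to
mirror the ROUTER / WEB scenario in the thread, not pulled from a live cloud."""
import ipaddress

# Constructed sample records shaped like the Neutron API fields
# `allowed_address_pairs`, `security_group_ids` and `port_security_enabled`.
PORTS = [
    {"id": "port-router", "name": "ROUTER", "port_security_enabled": True,
     "security_group_ids": ["sg-default"],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"id": "port-web", "name": "WEB", "port_security_enabled": True,
     "security_group_ids": ["sg-default"],
     "allowed_address_pairs": []},
    {"id": "port-vrrp", "name": "VRRP-A", "port_security_enabled": True,
     "security_group_ids": ["sg-lb"],
     "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]},   # a single VIP: fine
    {"id": "port-router2", "name": "ROUTER2", "port_security_enabled": False,
     "security_group_ids": [],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},   # port security disabled
]

# Constructed security groups; sg-default carries the stock intra-group
# ingress rule (remote_group_id pointing at itself), sg-lb uses a CIDR only.
SECURITY_GROUPS = {
    "sg-default": {"rules": [
        {"direction": "ingress", "remote_group_id": "sg-default", "remote_ip_prefix": None},
        {"direction": "egress", "remote_group_id": None, "remote_ip_prefix": None},
    ]},
    "sg-lb": {"rules": [
        {"direction": "ingress", "remote_group_id": None, "remote_ip_prefix": "10.0.0.0/24"},
    ]},
}


def is_broad(cidr, max_addresses=256):
    """True if one allowed_address_pairs entry spans more than max_addresses
    addresses (0.0.0.0/0 and ::/0 are the extreme cases; a bare host IP is not)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses > max_addresses


def groups_trusting(sg_id, security_groups):
    """Security groups with an ingress rule naming sg_id as remote_group_id.
    Members of these groups accept traffic from every address that sg_id's
    ports own, allowed_address_pairs included."""
    return sorted(
        gid for gid, sg in security_groups.items()
        if any(r["direction"] == "ingress" and r.get("remote_group_id") == sg_id
               for r in sg["rules"])
    )


def audit(ports, security_groups, max_addresses=256):
    """Return one finding per port with a broad pair, listing the ports exposed to it."""
    findings = []
    for port in ports:
        broad = [p["ip_address"] for p in port.get("allowed_address_pairs", [])
                 if is_broad(p["ip_address"], max_addresses)]
        if not broad:
            continue
        exposed = []
        # With port security disabled the port belongs to no group, so no
        # remote_group rule expands to its addresses (the thread's mitigation).
        if port.get("port_security_enabled", True):
            trusting = set()
            for sg_id in port.get("security_group_ids", []):
                trusting.update(groups_trusting(sg_id, security_groups))
            exposed = sorted(
                other["id"] for other in ports
                if other["id"] != port["id"]
                and other.get("port_security_enabled", True)
                and trusting & set(other.get("security_group_ids", []))
            )
        findings.append({
            "port_id": port["id"],
            "name": port.get("name", ""),
            "broad_pairs": broad,
            "port_security_enabled": port.get("port_security_enabled", True),
            "exposed_port_ids": exposed,
        })
    return findings


if __name__ == "__main__":
    for f in audit(PORTS, SECURITY_GROUPS):
        print(f"{f['name']} ({f['port_id']}): pairs {f['broad_pairs']}, "
              f"port_security={f['port_security_enabled']}, exposes {f['exposed_port_ids']}")
```

On the constructed data, ROUTER is reported with WEB as the exposed port, while ROUTER2 (port security disabled) and the single-VIP VRRP port produce no exposure, which is the distinction an operator would want to alert on before a tenant creates the second ROUTER.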