[Openstack-operators] [nova] Metadata service over virtio-vsock

Daniel P. Berrange berrange at redhat.com
Tue Feb 21 10:34:46 UTC 2017


On Mon, Feb 20, 2017 at 08:08:00PM +0000, Jeremy Stanley wrote:
> On 2017-02-20 14:36:15 -0500 (-0500), Clint Byrum wrote:
> > What exactly is the security concern of the metadata service? Perhaps
> > those concerns can be addressed directly?
> [...]
> 
> A few I'm aware of:
> 
> 1. It's something that runs in the control plane but needs to be
> reachable from untrusted server instances (which may themselves even
> want to be on completely non-routed networks).

That is the key problem that virtio-vsock solves: by separating
traffic out from the network stack, there's no way for a guest
to use vsock to access anything except services on the local
compute host listening on vsock.

> 2. If you put a Web proxy between your server instances and the
> metadata service and also make it reachable without going through
> that proxy then instances may be able to spoof one another
> (OSSN-0074).

FYI, with virtio-vsock it is impossible for the guest to spoof
the sending address of another guest. So the process on the host
can use the socket peer address to reliably identify which guest
it is communicating with. With the IP based metadata service
you need to set up firewall rules on the host to drop traffic
with spoofed source mac/ip address.

> 3. Lots of things, for example facter, like to beat on it heavily
> which makes for a fun DDoS and so is a bit of a scaling challenge in
> large deployments.

FYI, with virtio-vsock, you would need to either run the metadata
service on every compute host, or have some kind of vhost<->tcp
proxy on every compute host that forwards requests to the real
metadata service off-host.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
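Worked example added after the mail above (not code from this thread or from Nova): a host-side vsock listener that takes the guest's identity from the peer CID the kernel reports on accept(), illustrating the spoofing point and the per-host proxy option. The port number and the CID-to-instance table are placeholders, and a Linux compute host with vhost_vsock and Python 3.7 or later is assumed.

```python
# Added example, not code from this thread or from Nova: a host-side vsock
# listener that takes the guest's identity from the peer CID that the kernel
# reports on accept().  Assumes a Linux compute host with vhost_vsock loaded
# and Python >= 3.7; the port and the CID->instance table are placeholders.
import socket

# Fall back to the Linux values so the module imports on any platform.
AF_VSOCK = getattr(socket, "AF_VSOCK", 40)
VMADDR_CID_ANY = getattr(socket, "VMADDR_CID_ANY", 0xFFFFFFFF)
VMADDR_CID_HOST = getattr(socket, "VMADDR_CID_HOST", 2)
METADATA_VSOCK_PORT = 1234  # placeholder, any unused vsock port

# Constructed table: the hypervisor assigns each guest its CID when the
# domain is started, so a real deployment would read this from libvirt/Nova
# state.  CIDs 0, 1 and 2 are reserved (hypervisor, local, host).
CID_TO_INSTANCE = {3: "instance-000001", 4: "instance-000002"}


def identify_guest(peer, cid_map=CID_TO_INSTANCE):
    """Map the (cid, port) peer address of an accepted vsock connection to
    an instance id, or None if it must be refused.  The CID is filled in
    by the host kernel, not by the guest, so unlike an IP/MAC source
    address it cannot be spoofed and no anti-spoofing firewall is needed."""
    cid, _port = peer
    if cid <= VMADDR_CID_HOST:      # never trust a reserved CID
        return None
    return cid_map.get(cid)         # unknown guest -> refuse


def serve(handler, port=METADATA_VSOCK_PORT):
    """Accept guest connections on the host's vsock address and call
    handler(instance_id, conn) for each identified guest.  handler is where
    a per-host proxy would forward the request to the real metadata service
    off-host (the second deployment option in the mail above)."""
    srv = socket.socket(AF_VSOCK, socket.SOCK_STREAM)
    srv.bind((VMADDR_CID_ANY, port))
    srv.listen(8)
    while True:
        conn, peer = srv.accept()
        with conn:
            instance = identify_guest(peer)
            if instance is None:
                continue            # drop (and log) unidentifiable peers
            handler(instance, conn)
```

Because the CID comes from the host kernel, identify_guest() needs no anti-spoofing rules; everything the handler does can trust the instance id it is given.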