[Openstack-security] [Bug 1262759] Re: ICMPv6 RAs should only be permitted from known routers

OpenStack Infra 1262759 at bugs.launchpad.net
Fri Apr 4 00:11:48 UTC 2014


Reviewed:  https://review.openstack.org/72252
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b7b0c7dbcd3e6754bc09b2fd75d888c41ae4aadb
Submitter: Jenkins
Branch:    master

commit b7b0c7dbcd3e6754bc09b2fd75d888c41ae4aadb
Author: Xuhan Peng <xuhanp at cn.ibm.com>
Date:   Sun Feb 9 22:02:33 2014 -0500

    Permit ICMPv6 RAs only from known routers
    
    Currently ingress ICMPv6 RAs are permitted from any IPs by
    default to allow VMs to accept ICMPv6 RA from provider network.
    In this way, VM can accept RAs from attacker VM and configure
    a network prefix specified by the attacker VM.
    
    Remove permitting ICMPv6 RAs from any IPs and add security rule
    to only permit ICMPv6 RA from:
    
    1. If the port's subnet is configured with ipv6_ra_mode value
    (i.e. value is slaac, dhcpv6-stateful, or dhcpv6-stateless), RA
    is sent from dnsmasq controlled by OpenStack. In this case,
    allow RA from the link local address of gateway port (if the
    gateway port is created).
    
    2. If the subnet's gateway port is not managed by OpenStack, allow
    the ICMPv6 RA sent from the subnet gateway IP if it's a link local
    address. The administrator needs to configure the gateway IP as
    link local address in this case to make the RA rule work.
    
    Change-Id: I1d5c7aaa8e4cf057204eb746c0faab2c70409a94
    Closes-Bug: 1262759


** Changed in: neutron
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1262759

Title:
  ICMPv6 RAs should only be permitted from known routers

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  ICMPv6 is now allowed in from any host but other hosts can offer bogus
  routes.

  Change security group/port filtering to respect known routers:

  - tenant routers attached to subnets and passing v6
  - physical routers on provider networks provided on the network (as some sort of admin configurable list for that network).

  (Security issue: One VM sharing a neutron network can divert outgoing
  traffic from other VMs.)
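The two cases in the commit message above, modelled as an added example (this is not Neutron's code; the subnet dict keys, the `gateway_port_lla` argument and the sample addresses are constructed for illustration):

```python
"""Model the ingress ICMPv6 Router Advertisement filter described in the fix.

Added example, not Neutron's implementation. Input shape is hypothetical:
a subnet dict with 'ipv6_ra_mode' and 'gateway_ip', plus the link-local
address of the OpenStack-managed gateway port (None if not created yet).
"""
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
RA_MODES = ("slaac", "dhcpv6-stateful", "dhcpv6-stateless")


def allowed_ra_sources(subnet, gateway_port_lla=None):
    """Return the set of source addresses (as strings) RAs may come from."""
    allowed = set()
    if subnet.get("ipv6_ra_mode") in RA_MODES:
        # Case 1: the RA is sent by OpenStack-controlled dnsmasq, so trust only
        # the link-local address of the gateway port, once that port exists.
        if gateway_port_lla is not None:
            allowed.add(str(ipaddress.IPv6Address(gateway_port_lla)))
    else:
        # Case 2: the router is not managed by OpenStack. Trust the subnet's
        # gateway IP only if the administrator configured it as link-local;
        # a global gateway address yields no RA permission at all.
        gw = subnet.get("gateway_ip")
        if gw and ipaddress.IPv6Address(gw) in LINK_LOCAL:
            allowed.add(str(ipaddress.IPv6Address(gw)))
    return allowed


def ra_permitted(src, icmp_type, allowed):
    """Decide whether an ingress ICMPv6 packet passes the RA rule.

    The rule only inspects the source address of type-134 packets; source
    address spoofing has to be blocked by the separate anti-spoofing rules.
    """
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        return False  # other ICMPv6 types are governed by other rules
    return str(ipaddress.IPv6Address(src)) in allowed


if __name__ == "__main__":
    # Constructed sample: a SLAAC subnet whose gateway port has been created.
    subnet = {"ipv6_ra_mode": "slaac", "gateway_ip": "2001:db8::1"}
    allowed = allowed_ra_sources(subnet, "fe80::f816:3eff:fe00:1")
    print("RA from gateway port:", ra_permitted("fe80::f816:3eff:fe00:1", 134, allowed))
    print("RA from other VM:    ", ra_permitted("2001:db8::bad", 134, allowed))
```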
