[Openstack-security] [Bug 1262759] Re: ICMPv6 RAs should only be permitted from known routers
Xu Han Peng
pengxuhan at gmail.com
Wed Jan 22 15:32:25 UTC 2014
As we talked in yesterday's IPv6 sub-team meeting, current we have this
patch allowing all the RA by default so VM can do SLAAC without any
security group configuration:
https://review.openstack.org/#/c/53028
But what we need soon is to only allow RA from the internal and external
routers instead of all the RA.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1262759
Title:
ICMPv6 RAs should only be permitted from known routers
Status in OpenStack Neutron (virtual network service):
New
Status in OpenStack Security Advisories:
Invalid
Bug description:
ICMPv6 is now allowed in from any host but other hosts can offer bogus
routes.
Change security group/port filtering to respect known routers:
- tenant routers attached to subnets and passing v6
- physical routers on provider networks provided on the network (as some sort of admin configurable list for that network).
(Security issue: One VM sharing a neutron network can divert outgoing
traffic from other VMs.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1262759/+subscriptions
More information about the Openstack-security
mailing list