[Openstack-security] [Bug 1274034] Fix merged to neutron (master)

OpenStack Infra 1274034 at bugs.launchpad.net
Thu Apr 9 01:21:58 UTC 2015


Reviewed:  https://review.openstack.org/171003
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa7356b729f9672855980429677c969b6bab61a1
Submitter: Jenkins
Branch:    master

commit aa7356b729f9672855980429677c969b6bab61a1
Author: Kevin Benton <blak111 at gmail.com>
Date:   Sun Mar 29 03:37:25 2015 -0700

    Add simple ARP spoofing protection
    
    Adds an option to set up OVS rules that will prevent
    ports attached to the agent from sending any ARP responses
    that contain an IP address not belonging to the port
    (in fixed IPs or allowed_address_pairs).
    
    It is disabled by default and requires an OVS version that
    can match on ARP fields. If it is too old, traffic will
    still flow but it won't have ARP spoofing protection.
    There is a sanity check to verify that ARP header matching
    is supported.
    
    This prevention is specific to OVS so it will not help with
    other plugins that use the reference iptables filtering. A
    non-OVS-specific general approach will require something like
    the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.
    
    Details:
    A new table is added for ARP spoofing prevention. All ARP traffic
    on the local switching table is sent to this spoofing table.
    The spoofing table will allow all ARP requests because we aren't
    interested in them. It will then install an ARP response allow rule
    for each IP address the port is assigned. All other ARP responses are
    dropped.
    
    DocImpact
    SecurityImpact
    Partial-Bug: #1274034
    
    Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe
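As an added example (not neutron's code and not part of this notification), the following Python module generates ovs-ofctl style flow strings for the per-port ARP spoofing table that the "Details" paragraph above describes, and walks them with a small evaluator so the behaviour can be checked offline. The table numbers, priorities, port data layout and the exact flow syntax are assumptions made for the example; the evaluator only models the tiny match/action subset the example emits.

```python
"""Added example: per-port OVS ARP spoofing rules as described in the commit
message, plus a toy evaluator. Constants and flow syntax are assumptions."""

ARP_REQUEST = 1          # ARP opcode for a request
ARP_REPLY = 2            # ARP opcode for a reply
LOCAL_SWITCHING = 0      # assumed table number for the local switching table
ARP_SPOOF_TABLE = 24     # assumed table number for the ARP spoofing table


def port_addresses(port):
    """All IPs a port may legitimately answer ARP for: fixed IPs plus allowed_address_pairs."""
    addrs = {f["ip_address"] for f in port.get("fixed_ips", [])}
    addrs |= {p["ip_address"] for p in port.get("allowed_address_pairs", [])}
    return addrs


def base_flows():
    """Port-independent rules: table 0 switches normally, the spoofing table
    passes every ARP request and drops any reply that no per-port rule allowed."""
    return [
        "table=%d,priority=0,actions=NORMAL" % LOCAL_SWITCHING,
        "table=%d,priority=1,arp,arp_op=%d,actions=NORMAL" % (ARP_SPOOF_TABLE, ARP_REQUEST),
        "table=%d,priority=1,arp,arp_op=%d,actions=DROP" % (ARP_SPOOF_TABLE, ARP_REPLY),
    ]


def arp_spoof_flows(ofport, port):
    """Flows for one port (an OVS ofport number and a neutron-style port dict),
    in the order they should be installed."""
    flows = []
    # Allow ARP replies whose sender protocol address belongs to the port.
    for ip in sorted(port_addresses(port)):
        flows.append("table=%d,priority=2,arp,arp_op=%d,arp_spa=%s,in_port=%d,actions=NORMAL"
                     % (ARP_SPOOF_TABLE, ARP_REPLY, ip, ofport))
    # Only after the allow rules exist is ARP from this port steered into the
    # spoofing table (assumed ordering, so a port is never briefly cut off).
    flows.append("table=%d,priority=10,arp,in_port=%d,actions=resubmit(,%d)"
                 % (LOCAL_SWITCHING, ofport, ARP_SPOOF_TABLE))
    return flows


def parse_flow(flow):
    """Split one flow string into (table, priority, match fields, action)."""
    match_part, action = flow.split(",actions=", 1)
    fields = {}
    for kv in match_part.split(","):
        key, _, value = kv.partition("=")
        fields[key] = value if value else None
    return int(fields.pop("table")), int(fields.pop("priority")), fields, action


def matches(fields, pkt):
    """True when every match field agrees with the packet dict."""
    for key, value in fields.items():
        if key == "arp":
            if pkt.get("proto") != "arp":
                return False
        elif str(pkt.get(key)) != value:
            return False
    return True


def evaluate(flows, pkt, table=LOCAL_SWITCHING):
    """Highest-priority match in a table wins; resubmit recurses into another
    table. A table miss is reported as 'MISS' rather than guessing what the
    switch would do."""
    parsed = [parse_flow(f) for f in flows]
    candidates = [p for p in parsed if p[0] == table and matches(p[2], pkt)]
    if not candidates:
        return "MISS"
    action = max(candidates, key=lambda p: p[1])[3]
    if action.startswith("resubmit(,"):
        return evaluate(flows, pkt, int(action[len("resubmit(,"):-1]))
    return action


if __name__ == "__main__":
    # Constructed sample port: VM1 from the bug scenario, plus one VRRP-style
    # allowed address pair.
    vm1 = {"fixed_ips": [{"ip_address": "10.0.0.3"}],
           "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]}
    flows = base_flows() + arp_spoof_flows(5, vm1)
    for f in flows:
        print("ovs-ofctl add-flow br-int", repr(f))
    # A reply from VM1 claiming the gateway's IP 10.0.0.1 is dropped.
    print(evaluate(flows, {"in_port": 5, "proto": "arp", "arp_op": ARP_REPLY, "arp_spa": "10.0.0.1"}))
```

Replies for the port's own fixed IP or an allowed address pair reach NORMAL, a reply claiming the gateway's address hits the priority 1 DROP rule, and ARP requests are passed untouched; traffic from ports that received no steering rule never enters the spoofing table, which is what makes the protection opt-in per port.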

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1274034

Title:
  Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in OpenStack Security Advisories:
  Invalid
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  The neutron firewall driver 'iptables_firewall' does not prevent ARP cache poisoning.
  When anti-spoofing rules were handled by Nova, a list of rules was added through the libvirt network filter feature:
  - no-mac-spoofing
  - no-ip-spoofing
  - no-arp-spoofing
  - nova-no-nd-reflection
  - allow-dhcp-server

  Actually, the neutron firewall driver 'iptables_firewall' handles only
  MAC and IP anti-spoofing rules.

  This is a security vulnerability, especially on shared networks.

  Reproduce an ARP cache poisoning and man in the middle:
  - Create a private network/subnet 10.0.0.0/24
  - Start 2 VMs attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
  - Log on VM1 and install ettercap [1]
  - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
  - Log on to VM2 too (with VNC/spice console) and ping google.fr => ping is OK
  - Go back to VM1 and see VM2's ping to google.fr going to VM1 instead of being sent directly to the network gateway, then being forwarded by VM1 to the gw. The ICMP capture looks something like this [2]
  - Go back to VM2 and check the ARP table => the MAC address associated with the GW is the MAC address of VM1

  [1] http://ettercap.github.io/ettercap/
  [2] http://paste.openstack.org/show/62112/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions
