[Openstack-security] [stackforge/networking-ovs-dpdk] SecurityImpact review request change I82426b8d5951d2c96e72e42818bfae90b8301076
gerrit2 at review.openstack.org
Tue Apr 28 16:10:43 UTC 2015
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/178268
Log:
commit 122e7d436d2baf4286f78c0165fcd6601b6e615e
Author: Sean Mooney <sean.k.mooney at intel.com>
Date: Tue Apr 28 15:48:02 2015 +0000
reopening master for liberty
- updated test-requirments.txt to master
- backported neutron agent changes from master.
Squashed commit of the following:
commit 268f1c5a84ba8fe9ddb453f7c3b13ae6a8f50127
Merge: 79e9ffc a46f609
Author: Jenkins <jenkins at review.openstack.org>
Date: Wed Apr 22 20:37:51 2015 +0000
Merge "ovs_neutron_agent: Remove a redundant assignment of ovs_status"
commit 79e9ffc9a423faab05ffdf060d77abaaa44ce19b
Merge: f24d1c8 75c1d6f
Author: Jenkins <jenkins at review.openstack.org>
Date: Wed Apr 15 00:36:38 2015 +0000
Merge "Enable ARP spoofing prevention by default"
commit f24d1c844c4095db9422357453b35251f6125c6a
Merge: 7212258 eabd40a
Author: Jenkins <jenkins at review.openstack.org>
Date: Mon Apr 13 20:09:06 2015 +0000
Merge "Move values for network_type to plugins.common.constants.py"
commit eabd40a8cd20b7189a31c301e5f19703604095d3
Author: Romil Gupta <romilg at hp.com>
Date: Mon Mar 23 08:05:41 2015 -0700
Move values for network_type to plugins.common.constants.py
It is quite confusing to have values for network type in common.constants.py
instead of having in plugins.common.constants.py.
Currently, the plugins/common/constants.py consists of network_type constants
like VLAN, VXLAN, GRE, etc., but values for network type like ranges
are defined in common.constants.py, which is not good; it is better to have
both things in the same place.
This patch set addresses the same.
Moved out a few methods which are predominantly used in plugins
from common.utils.py to plugins.common.utils.py.
Removed constants which were used in neutron-fwaas from
plugins.common.constants.py: https://review.openstack.org/#/c/168709/
Closes-Bug: #1441043
Change-Id: Iecfb15c541ed5d3cce95ba48f072af7fa60ac6f1
commit 7212258a0fdb4e6c41b816dc433e65f49bd37f1d
Merge: 3564b55 088fe8b
Author: Jenkins <jenkins at review.openstack.org>
Date: Thu Apr 9 01:21:53 2015 +0000
Merge "Add simple ARP spoofing protection"
commit a46f609127d64a158a62588b83eb82c1d0f1a5aa
Author: YAMAMOTO Takashi <yamamoto at valinux.co.jp>
Date: Thu Apr 2 13:57:52 2015 +0900
ovs_neutron_agent: Remove a redundant assignment of ovs_status
Change-Id: I8ed572aa48ccc226137f65514c58ca5c3ba77870
commit 75c1d6fa89e0d06c6821ebd998cd66a606fa77d6
Author: Kevin Benton <blak111 at gmail.com>
Date: Sun Apr 12 14:14:38 2015 -0700
Enable ARP spoofing prevention by default
Turn on the ARP spoofing prevention added in
I7c079b779245a0af6bc793564fa8a560e4226afe by
default. It was disabled by default since it
was going into Kilo at the last minute and we
didn't want to risk shipping with a default
that might have broken an edge case that we
didn't consider.
This patch enables it by default since there
shouldn't be any need to have it disabled.
Change-Id: Id17939914ebf8292dce76ccb7d0f6486c91f49e5
commit 088fe8bf381875525ce1c41f482ce74fa989d786
Author: Kevin Benton <blak111 at gmail.com>
Date: Sun Mar 29 03:37:25 2015 -0700
Add simple ARP spoofing protection
Adds an option to set up OVS rules that will prevent
ports attached to the agent from sending any ARP responses
that contain an IP address not belonging to the port
(in fixed IPs or allowed_address_pairs).
It is disabled by default and requires an OVS version that
can match on ARP fields. If it is too old, traffic will
still flow but it won't have ARP spoofing protection.
There is a sanity check to verify that ARP header matching
is supported.
This prevention is specific to OVS so it will not help with
other plugins that use the reference iptables filtering. A
non-OVS-specific general approach will require something like
the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b.
Details:
A new table is added for ARP spoofing prevention. All ARP traffic
on the local switching table is sent to this spoofing table.
The spoofing table will allow all ARP requests because we aren't
interested in them. It will then install an ARP response allow rule
for each IP address the port is assigned. All other ARP responses are
dropped.
DocImpact
SecurityImpact
Partial-Bug: #1274034
Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe
Change-Id: I82426b8d5951d2c96e72e42818bfae90b8301076
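The table layout described in the "Details" of the ARP spoofing protection commit above, as an added illustration that is not code from neutron or from this review: it emits ovs-ofctl style flow specs for one port and simulates the verdict the pipeline would give an ARP packet from that port. The table numbers, priorities and the `arp_spoof_flows`/`arp_verdict` names are assumptions made for this example.

```python
import ipaddress

# Assumed table numbers and priorities (constructed for this example, not
# taken from the commit): table 0 is local switching, table 24 the spoof table.
LOCAL_SWITCHING = 0
ARP_SPOOF_TABLE = 24
ARP_REQUEST, ARP_REPLY = 1, 2


def arp_spoof_flows(ofport, addresses):
    """Flow specs implementing the described design for one port:
    all ARP from the port is sent to the spoof table, ARP requests are
    allowed unconditionally, ARP replies are allowed only when arp_spa is
    one of the port's addresses (fixed IPs plus allowed_address_pairs,
    given as IPs or CIDRs), and any other ARP reply is dropped."""
    flows = [
        f"table={LOCAL_SWITCHING},priority=10,arp,in_port={ofport},"
        f"actions=resubmit(,{ARP_SPOOF_TABLE})",
        f"table={ARP_SPOOF_TABLE},priority=3,arp,arp_op={ARP_REQUEST},"
        f"actions=normal",
    ]
    for addr in addresses:
        net = ipaddress.ip_network(addr, strict=False)
        # A host address is written bare; a prefix keeps its /len so OVS
        # matches the whole range (arp_spa accepts ip/mask).
        spa = (str(net.network_address) if net.prefixlen == net.max_prefixlen
               else str(net))
        flows.append(
            f"table={ARP_SPOOF_TABLE},priority=2,arp,arp_op={ARP_REPLY},"
            f"in_port={ofport},arp_spa={spa},actions=normal")
    flows.append(
        f"table={ARP_SPOOF_TABLE},priority=1,arp,in_port={ofport},actions=drop")
    return flows


def arp_verdict(addresses, arp_op, arp_spa):
    """Simulate the spoof table for one ARP packet arriving from the port
    that owns `addresses`; returns 'normal' or 'drop' per highest-priority match."""
    if arp_op == ARP_REQUEST:
        return "normal"            # priority 3: requests are never filtered
    spa = ipaddress.ip_address(arp_spa)
    for addr in addresses:         # priority 2: one allow rule per owned address
        if spa in ipaddress.ip_network(addr, strict=False):
            return "normal"
    return "drop"                  # priority 1: catch-all drop for this port


if __name__ == "__main__":
    for flow in arp_spoof_flows(5, ["10.0.0.5", "10.0.1.0/24"]):
        print(flow)
```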