[Openstack-security] [openstack/neutron] SecurityImpact review request change I1f8311f1b9ae1be02afde3e9078e49c6da373a88

gerrit2 at review.openstack.org gerrit2 at review.openstack.org
Tue Jul 14 16:21:05 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/201650

Log:
commit 9eaa0c3bca0f0a489f1cced72c4171f60996da5f
Author: sridhargaddam <sridhar.gaddam at enovance.com>
Date:   Tue Jul 14 16:18:06 2015 +0000

    Add IPv6 Address Resolution protection
    
    Similar to IPv4 arp protection support, this patch adds the necessary OVS
    rules to prevent ports attached to agent from sending any icmpv6 neighbor
    advertisement messages that contain an IPv6 address not belonging to the port.
    
    For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
    http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html
    
    I've verified this patch locally and it works. I would like to seek feedback
    about this approach before proceeding with pending items.
    
    Pending items:
    Functional tests.
    Unit tests.
    Sanity check.
    
    DocImpact
    SecurityImpact
    
    Partial-Bug: #1274034
    Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88





More information about the Openstack-security mailing list