[Openstack] Openstack potential security breach via ipv6

Brian Haley brian.haley at hpe.com
Thu Mar 3 13:45:52 UTC 2016


On 3/3/16 4:48 AM, Vincent Godin wrote:
> If you install OpenStack using IPv4 but without disabling IPv6 (like
> almost all distributions), a VM in any tenant is able to connect to every
> daemon listening on IPv6 on the compute (ssh, libvirt and ...). This is
> due to the interfaces in the linux bridge attached to the VM, which have
> IPv6 addresses by default and are therefore listening like all interfaces of
> the host. To do this, you just have to configure an IPv6 address on a VM
> of a tenant.
> To protect yourself, you can just disable IPv6 or configure all daemons on the
> compute to listen only on IPv4 addresses.

You didn't say which version you are running, but we did address this 
issue in Liberty, with additional patches in Mitaka.  Most changes have 
been backported to the stable branches.

https://bugs.launchpad.net/nova/+bug/1470931
https://bugs.launchpad.net/neutron/+bug/1302080
https://bugs.launchpad.net/neutron/+bug/1534652

https://review.openstack.org/#/c/198054/
https://review.openstack.org/#/c/241076
https://review.openstack.org/#/c/268373/
https://review.openstack.org/#/c/275293/

Those reviews should have links to the changes that were cherry-picked 
to stable.

-Brian
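As an added example (not code from either poster or from any OpenStack project), the following POSIX shell helpers audit a compute node for the two things Vincent describes: VM-facing bridge and tap interfaces that carry an IPv6 address, and daemons bound to the IPv6 wildcard, and then emit the per-interface sysctl commands for the first mitigation he proposes (disabling IPv6 on those interfaces). The interface name prefixes (tap, qbr, qvb, qvo, brq) are assumed to match the Nova/Neutron linux-bridge naming on the node being audited, and the `ip`/`ss` output formats assumed are those of iproute2; nothing is applied unless the script is run with `--live` as root.

```shell
#!/bin/sh
# Audit helpers for the IPv6-on-bridge exposure discussed in the thread.
# Added example; assumed interface prefixes and constructed sample data are
# not from the original post or from OpenStack itself.

# From `ip -6 -o addr show` output on stdin, print each VM-facing interface
# (assumed Nova/Neutron prefixes: tap, qbr, qvb, qvo, brq) that has any
# IPv6 address. Field layout assumed: "<idx>: <ifname> inet6 <addr>/<len> ...".
exposed_ifaces() {
    awk '$2 ~ /^(tap|qbr|qvb|qvo|brq)/ && $3 == "inet6" { print $2 }' | sort -u
}

# From `ss -6 -ltn` output on stdin, print the local address:port of every
# listener bound to the IPv6 wildcard ("[::]:", ":::" on older ss, or "*:").
# These are the daemons a tenant VM can reach over the bridge's IPv6 address.
wildcard_v6_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /^(\[::\]:|:::|\*:)/ { print $4 }'
}

# For each interface name on stdin, emit the sysctl command that disables
# IPv6 on it. Output is printed, not executed; review it and run it as root.
disable_ipv6_cmds() {
    while read -r ifn; do
        [ -n "$ifn" ] || continue
        printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$ifn"
    done
}

# Live mode: run against the real node (requires iproute2; sysctl lines are
# only printed, so the audit itself needs no root).
if [ "${1:-}" = "--live" ]; then
    echo "# IPv6 wildcard listeners reachable from tenant VMs:"
    ss -6 -ltn | wildcard_v6_listeners
    echo "# Commands to disable IPv6 on VM-facing interfaces:"
    ip -6 -o addr show | exposed_ifaces | disable_ipv6_cmds
fi
```

Disabling IPv6 on the tap/qbr interfaces removes the host-side address a VM could target; the alternative Vincent mentions, binding each daemon to IPv4 only, is a per-service configuration change and is not automated here. New interfaces created after the sysctl is applied start with IPv6 enabled again unless the corresponding `default` sysctl is also set, which is why the upstream fixes Brian points to are the preferable long-term answer.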
