[openstack-dev] [nova] quota_fixed_ips cfg parameter

Lloyd Dewolf lloydostack at gmail.com
Thu Mar 21 17:30:56 UTC 2013


Hi,

I came across the solution of adding cfg param quota_fixed_ips to resolve
the "DOS by allocating all fixed ips" CVE,
https://bugs.launchpad.net/nova/+bug/1125468

It seems like this adds one more thing that every cloud deployer has to
set, and complicates the default and per-project quota system.

Any value for quota_fixed_ips will feel arbitrary, and 10 feels almost
extreme.

Michael Still (mikalstill) asked at 2013-02-22: "Do people think this quota
should be per project or per instance? If it's per instance isn't it still
pretty easy to DoS people? You just have to start a bunch of instances as
well."

I'm trying to understand why a per-instance fixed IP limit was rejected as a
better approach. (1) This is a feature-specific solution -- it only has an
impact if multinic or similar extensions are in play. (2) The math is easy.
Set the default to 4 (or 2 or 1); multiplied by the number of instances,
multiplied by the number of projects, that is the total number of fixed IPs
that can be exhausted, and only instances x fixed IP limit for any
particular bad actor.

A per-instance fixed IP limit seems like the better general solution, possibly
with the current implementation being a good override for public clouds.

Thank you,
Lloyd
--
@lloyddewolf
http://www.pistoncloud.com/
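The two quota designs compared in the mail, as an added toy model (this is not Nova code and not from the original thread). It assumes one shared fixed-IP pool, a per-project instance quota, and a single greedy tenant that boots every instance it is allowed and attaches fixed IPs until either the quota policy or the pool refuses; the pool size, quota values and class names are constructed for illustration. It returns how many fixed IPs the greedy tenant ends up holding and how many remain for everyone else, so the "instances x fixed ip limit" bound can be checked against a concrete pool size.

```python
"""Toy model of per-project vs per-instance fixed IP quotas.

Constructed example, not Nova code. Assumptions: one shared fixed IP pool
of `size` addresses; the tenant is allowed `quota_instances` instances
(Nova's 'instances' quota); fixed IPs are handed out one at a time and
refused either by the quota policy or by an empty pool.
"""
from dataclasses import dataclass, field


class QuotaExceeded(Exception):
    """The quota policy refused the allocation (the intended outcome)."""


class PoolExhausted(Exception):
    """No fixed IPs left in the shared pool (the DoS outcome)."""


@dataclass
class FixedIpPool:
    """Shared pool of fixed IPs; only the count matters for this model."""
    size: int
    allocated: int = 0

    def allocate(self) -> None:
        if self.allocated >= self.size:
            raise PoolExhausted(f"all {self.size} fixed IPs are allocated")
        self.allocated += 1

    @property
    def free(self) -> int:
        return self.size - self.allocated


@dataclass
class Project:
    name: str
    # One entry per instance: the number of fixed IPs attached to it.
    instances: list = field(default_factory=list)

    @property
    def fixed_ips(self) -> int:
        return sum(self.instances)


class PerProjectFixedIpQuota:
    """The merged fix: a project-wide ceiling (cfg quota_fixed_ips)."""

    def __init__(self, quota_fixed_ips: int):
        self.quota_fixed_ips = quota_fixed_ips

    def allow(self, project: Project, idx: int) -> bool:
        return project.fixed_ips < self.quota_fixed_ips


class PerInstanceFixedIpCap:
    """The alternative from the mail: a ceiling per instance (hypothetical)."""

    def __init__(self, cap: int):
        self.cap = cap

    def allow(self, project: Project, idx: int) -> bool:
        return project.instances[idx] < self.cap


def attach_fixed_ip(pool: FixedIpPool, policy, project: Project, idx: int) -> None:
    """Attach one more fixed IP to instance `idx`, enforcing quota first."""
    if not policy.allow(project, idx):
        raise QuotaExceeded(f"{project.name}: instance {idx} refused by quota")
    pool.allocate()
    project.instances[idx] += 1


def greedy_tenant(pool: FixedIpPool, policy, quota_instances: int,
                  name: str = "greedy") -> Project:
    """Boot every allowed instance and grab fixed IPs until something says no."""
    project = Project(name)
    for idx in range(quota_instances):
        project.instances.append(0)
        while True:
            try:
                attach_fixed_ip(pool, policy, project, idx)
            except (QuotaExceeded, PoolExhausted):
                break
    return project


def exhaustion_bound(pool_size: int, policy, quota_instances: int) -> tuple:
    """Return (fixed IPs held by the greedy tenant, fixed IPs left for others)."""
    pool = FixedIpPool(pool_size)
    tenant = greedy_tenant(pool, policy, quota_instances)
    return tenant.fixed_ips, pool.free


if __name__ == "__main__":
    # Constructed numbers: a /24 worth of fixed IPs, quota_fixed_ips=10,
    # per-instance cap 4, and an instance quota of 10 or 100.
    for instances in (10, 100):
        print("instances quota", instances,
              "per-project:", exhaustion_bound(256, PerProjectFixedIpQuota(10), instances),
              "per-instance:", exhaustion_bound(256, PerInstanceFixedIpCap(4), instances))
```

With these constructed numbers the per-project quota holds the tenant at 10 fixed IPs regardless of its instance quota, while the per-instance cap gives instances x cap (40 for 10 instances); once that product passes the pool size (100 instances x 4 = 400 against a pool of 256) the tenant drains the pool and other projects get nothing. The instance quota is therefore the real bound in the per-instance design, which is the point Michael Still raised.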