[openstack-dev] [Neutron] Un-addressed Port spec and implementation

Kevin Benton blak111 at gmail.com
Wed Sep 2 23:58:37 UTC 2015


That patch was reverted because it relied on a non-obvious corner case to
work. A port would not get any spoofing prevention if it had no IP
addresses.

At first we reasoned that this would be okay since the only way to create a
port without IPs was if the network has no subnets and it doesn't make
sense for Neutron to do L3 protection on a network it doesn't manage L3
for. However, this was an issue once a subnet was subsequently added to the
network. A port would still remain without IP addresses and it
wouldn't have any spoofing prevention. We don't want these kinds of corner
cases in the API so we reverted it.

> One possible solution we could do to prevent this is to keep flow entries
> that block the port from pretending to have an IP that is already part of
> the network (or subnet).

Three issues with this I can see right away:

   - This breaks protection for provider network scenarios where the
   provider has a router that Neutron doesn't know about.
   - It introduces a window of attack where you can send gratuitous ARP for
   all of the IP addresses which aren't in use and collect traffic to new
   ports as they come online before the ARP entries time out.
   - Each L2 agent is now going to require an ARP flow rule for every other
   port's IP/MAC on the same network. This could easily be 10,000+ rules on
   a densely packed node (50 VMs on 200 port networks). Syncing this info will
   need a reliability mechanism to make sure there are no missed messages
   (which result in vulnerabilities).


Why can't you just use the port security API to disable port security for the
port? If the issue is just that you want MAC spoofing prevention but
nothing else, then we need to adjust the port security API to be more
fine-grained.

On Wed, Sep 2, 2015 at 1:37 AM, Gal Sagie <gal.sagie at gmail.com> wrote:

> Hello All,
>
> The un-addressed port spec [1] was approved for Liberty.
> I think this spec has good potential to provide very interesting solutions
> for NFV use cases, but also for multi-site connectivity, and I would really
> want to see it move forward with the community.
>
> There are some issues we need to discuss regarding L2 population (both for
> the reference implementation and for any "SDN" solution), but we can
> iterate on them.
>
> This email relates to a recent revert [2] that was done to prevent a
> spoofing possibility due to recent work that was merged.
>
> If I understand the problem correctly, an un-addressed port can now perform
> ARP spoofing on an address of a port that already exists in the same
> network and listen to its traffic.
> (a problem which becomes bigger with shared networks among tenants)
>
> One possible solution we could do to prevent this is to keep flow entries
> that block the port from pretending to have an IP that is already part of
> the network (or subnet).
> So there will be ARP spoofing checks that check the port is not answering
> for an IP that is already configured.
> *Any thoughts/comments on that?*
>
> Unrelated to this, I think that an un-addressed port should work in subnet
> context when it comes to L2 population and traffic forwarding, so that an
> un-addressed port only gets traffic for addresses that are not found, but
> are on the same subnet as the un-addressed port.
> (I understand this is a bigger challenge and is not working with the way
> Neutron networks work today, but we can iterate on this as well since it's
> unrelated to the security subject)
>
> Thanks
> Gal.
>
> [1]
> https://github.com/openstack/neutron-specs/blob/master/specs/liberty/unaddressed-port.rst
> [2] https://review.openstack.org/#/c/218470/
>



-- 
Kevin Benton
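The thread above compares three ARP-filter policies for a port: the reverted behaviour (no fixed IPs means no spoofing prevention), the behaviour after the revert (a port may only claim its own fixed IPs), and the proposed scheme of blocking only addresses already in use on the network. The following model is an added example, not code from this thread or from Neutron: the Port and Network classes, the policy functions and the constructed topology are assumptions made for the illustration. It walks through the subnet-added-later corner case, the gratuitous ARP window against the blocklist proposal, and the per-node rule count for a densely packed node.

```python
"""Toy model of per-port ARP spoofing filters (example code, not Neutron's).
Classes, policy functions and the sample topology are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Port:
    port_id: str
    mac: str
    fixed_ips: set = field(default_factory=set)
    port_security_enabled: bool = True


@dataclass
class Network:
    net_id: str
    subnets: list = field(default_factory=list)   # CIDR strings
    ports: dict = field(default_factory=dict)      # port_id -> Port

    def add_port(self, port):
        self.ports[port.port_id] = port
        return port

    def ips_held_by_others(self, port_id):
        """Every IP currently assigned to some other port on this network."""
        return {ip for p in self.ports.values()
                if p.port_id != port_id for ip in p.fixed_ips}


def arp_allowed_reverted(port, src_ip):
    """Reverted behaviour: a port with no IPs got no spoofing prevention,
    so it could answer ARP for any address."""
    if not port.port_security_enabled:
        return True
    if not port.fixed_ips:            # the non-obvious corner case
        return True
    return src_ip in port.fixed_ips


def arp_allowed_current(port, src_ip):
    """After the revert: with port security on, a port may only claim its
    own fixed IPs, so a port with none may claim none."""
    if not port.port_security_enabled:
        return True
    return src_ip in port.fixed_ips


def arp_allowed_blocklist(net, port, src_ip):
    """Proposal from the quoted mail: block only addresses already held by
    another port on the same network; anything unassigned passes."""
    if not port.port_security_enabled:
        return True
    return src_ip not in net.ips_held_by_others(port.port_id)


def subnet_added_later():
    """Port created on a subnet-less network, then a subnet and a victim port
    appear. Returns, per policy, whether the still-unaddressed port may answer
    ARP for the victim's IP."""
    net = Network("net-a")
    unaddr = net.add_port(Port("p-unaddr", "fa:16:3e:00:00:01"))
    net.subnets.append("10.0.0.0/24")            # subnet added afterwards
    net.add_port(Port("p-victim", "fa:16:3e:00:00:02", {"10.0.0.5"}))
    return {"reverted": arp_allowed_reverted(unaddr, "10.0.0.5"),
            "current": arp_allowed_current(unaddr, "10.0.0.5")}


def gratuitous_arp_window():
    """Blocklist scheme: an attacker claims an IP nobody holds yet; peers cache
    it; the real owner then comes online. The filter now rejects the attacker,
    but the stale cache entry stays until it times out."""
    net = Network("net-b", subnets=["10.0.0.0/24"])
    attacker = net.add_port(Port("p-att", "fa:16:3e:aa:aa:aa", {"10.0.0.7"}))
    arp_cache = {}                               # ip -> mac, as seen by peers
    claimed = "10.0.0.9"                         # unassigned at this point
    passed = arp_allowed_blocklist(net, attacker, claimed)
    if passed:
        arp_cache[claimed] = attacker.mac
    net.add_port(Port("p-new", "fa:16:3e:bb:bb:bb", {claimed}))
    return {"claim_passed": passed,
            "later_blocked": not arp_allowed_blocklist(net, attacker, claimed),
            "traffic_hijacked": arp_cache.get(claimed) == attacker.mac}


def blocklist_rule_count(networks, local_port_ids):
    """Rules one L2 agent needs under the blocklist scheme: for each local
    port, one per IP held by every other port on its network."""
    return sum(len(net.ips_held_by_others(pid))
               for net in networks.values()
               for pid in local_port_ids if pid in net.ports)


def dense_node_example(local_vms=50, ports_per_net=200, local_per_net=10):
    """Constructed topology: 50 local VMs spread over 200-port networks,
    one IP per port. Returns the rule count the agent would have to sync."""
    networks, local_ids = {}, []
    for n in range(local_vms // local_per_net):
        net = Network(f"net-{n}", subnets=[f"10.{n}.0.0/16"])
        for i in range(ports_per_net):
            pid = f"p-{n}-{i}"
            net.add_port(Port(pid, f"fa:16:3e:{n:02x}:{i >> 8:02x}:{i & 0xff:02x}",
                              {f"10.{n}.{i >> 8}.{i & 0xff}"}))
            if i < local_per_net:
                local_ids.append(pid)
        networks[net.net_id] = net
    return blocklist_rule_count(networks, local_ids)
```

Running `subnet_added_later()` shows the reverted policy letting the unaddressed port claim the victim's address while the post-revert policy denies it; `gratuitous_arp_window()` shows the blocklist accepting a claim on a not-yet-assigned IP and the hijack persisting after the real owner arrives; `dense_node_example()` gives 9,950 rules for the 50-VMs-on-200-port-networks case, the order of magnitude quoted in the reply.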