[neutron][security group][IPv6] IPv6 ICMPv6 port security in security group
Xing Zhang
angeiv.zhang at gmail.com
Fri Oct 11 12:22:55 UTC 2019
Hi all,
When using neutron on CentOS 7 with OVSHybridIptablesFirewallDriver, create
a VM with an IPv4/IPv6 dual-stack port, then remove all security groups: we
can get a response when pinging the DHCP server or router using the IPv6
address in the VM, while IPv4 can't.
IPv6 works differently from IPv4 in some cases, and some useful functions
must work with ICMPv6, like NDP, NS, NA.
Checking the two links below, neutron only drops IPv6 RA from the VM and
allows all other ICMPv6.
ICMPv6 Type 128 Echo Request and Type 129 Echo Reply are allowed by default.
Should we try to restrict some ICMPv6 types, or are there some
considerations and we just follow IETF 4890?
IETF 4890 [section 4.3.2. Traffic That Normally Should Not Be Dropped]
mentions that:
    As discussed in Section 3.2 <https://tools.ietf.org/html/rfc4890#section-3.2>,
    the risks from port scanning in an IPv6 network are much less severe, and
    it is not necessary to filter IPv6 Echo Request messages.
[section 3.2. Probing]
    However, the very large address space of IPv6 makes probing a less
    effective weapon as compared with IPv4 provided that addresses are
    not allocated in an easily guessable fashion.
https://github.com/openstack/neutron/commit/a8a9d225d8496c044db7057552394afd6c950a8e
https://www.ietf.org/rfc/rfc4890.txt
Commands are:
neutron port-update --no-security-groups 0307f016-0cc8-468b-bf3e-36ebe50e13ac
ping6 from VM to DHCP
ip6tables rules in the compute node:
PS: it seems rules for types 131/135/143 are included in the rules
# ip6tables-save | grep 08a0812a
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
Full rules are at Ref #3.
Ref #1
ml2_config.ini
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Ref #2
Chain neutron-openvswi-o08a0812a-9 (2 references)
 pkts bytes target                        prot   opt in  out source  destination
    0     0 RETURN                        icmpv6 *   *   ::      ff02::/16   ipv6-icmptype 131 /* Allow IPv6 ICMP traffic. */
    1    72 RETURN                        icmpv6 *   *   ::      ff02::/16   ipv6-icmptype 135 /* Allow IPv6 ICMP traffic. */
    2   152 RETURN                        icmpv6 *   *   ::      ff02::/16   ipv6-icmptype 143 /* Allow IPv6 ICMP traffic. */
    5   344 neutron-openvswi-s08a0812a-9  all    *   *   ::/0    ::/0
    0     0 DROP                          icmpv6 *   *   ::/0    ::/0        ipv6-icmptype 134 /* Drop IPv6 Router Advts from VM Instance. */
    5   344 RETURN                        icmpv6 *   *   ::/0    ::/0        /* Allow IPv6 ICMP traffic. */
    0     0 RETURN                        udp    *   *   ::/0    ::/0        udp spt:546 dpt:547 /* Allow DHCP client traffic. */
    0     0 DROP                          udp    *   *   ::/0    ::/0        udp spt:547 dpt:546 /* Prevent DHCP Spoofing by VM. */
    0     0 RETURN                        all    *   *   ::/0    ::/0        state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
    0     0 DROP                          all    *   *   ::/0    ::/0        state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
    0     0 neutron-openvswi-sg-fallback  all    *   *   ::/0    ::/0        /* Send unmatched traffic to the fallback chain. */
Ref #3
# ip6tables-save | grep 08a0812a
-A neutron-openvswi-PREROUTING -m physdev --physdev-in qvb08a0812a-9e -m comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
-A neutron-openvswi-PREROUTING -i qvb08a0812a-9e -m comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap08a0812a-9e -m comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
:neutron-openvswi-i08a0812a-9 - [0:0]
:neutron-openvswi-o08a0812a-9 - [0:0]
:neutron-openvswi-s08a0812a-9 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap08a0812a-9e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap08a0812a-9e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap08a0812a-9e --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o08a0812a-9
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-A neutron-openvswi-i08a0812a-9 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
-A neutron-openvswi-i08a0812a-9 -d 20ff::c/128 -p udp -m udp --sport 547 --dport 546 -j RETURN
-A neutron-openvswi-i08a0812a-9 -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j RETURN
-A neutron-openvswi-i08a0812a-9 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -j neutron-openvswi-s08a0812a-9
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 546 --dport 547 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 547 --dport 546 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o08a0812a-9 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-o08a0812a-9 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s08a0812a-9 -s 20ff::c/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s08a0812a-9 -s fe80::f816:3eff:fe7c:d8c0/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s08a0812a-9 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap08a0812a-9e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i08a0812a-9
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap08a0812a-9e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o08a0812a-9
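The post's observation (echo requests leave the VM with no security group attached, because the egress chain drops only RA type 134 and then RETURNs every other ICMPv6 packet) can be checked mechanically from an ip6tables-save dump rather than by reading the chain by hand. The following script is an added example written for this page; it is not part of the post and not Neutron's own code. It replays packets through the per-port chains first-match style and reports the effective verdict per ICMPv6 type. The embedded rule dump is a constructed, trimmed copy of the egress and IP/MAC chains quoted above; the contents of neutron-openvswi-sg-fallback are not in the post's grep output, so a default DROP is assumed there, the address 20ff::1 is a made-up stand-in for the DHCP/router address, and the `-m state` and `-m mac` matches are treated as always matching.

```python
"""Replay packets through Neutron's per-port ip6tables chains to see which
ICMPv6 types the OVSHybridIptablesFirewallDriver egress chain really allows."""
import ipaddress
import shlex

# Constructed sample: trimmed from the ip6tables-save output in the post.
# The sg-fallback rule is an assumption (not shown in the post's grep).
SAMPLE_RULES = """\
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -j neutron-openvswi-s08a0812a-9
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s08a0812a-9 -s 20ff::c/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s08a0812a-9 -s fe80::f816:3eff:fe7c:d8c0/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s08a0812a-9 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-fallback -j DROP
"""

EGRESS_CHAIN = "neutron-openvswi-o08a0812a-9"
ICMPV6_NAMES = {128: "echo-request", 129: "echo-reply", 133: "router-solicitation",
                134: "router-advertisement", 135: "neighbor-solicitation",
                136: "neighbor-advertisement", 143: "mld-v2-report"}


def parse_rules(dump):
    """Return {chain: [rule, ...]} in dump order. Only -s/-d/-p/--icmpv6-type/-j
    are modelled; -m state and -m mac are ignored (assumed to match)."""
    chains = {}
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        argv = shlex.split(line)  # shlex keeps quoted --comment strings whole
        rule = {"src": None, "dst": None, "proto": None, "icmp_type": None, "target": None}
        i = 2
        while i < len(argv):
            opt = argv[i]
            arg = argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--icmpv6-type":
                rule["icmp_type"] = int(arg)
            elif opt == "-j":
                rule["target"] = arg
            else:
                i += 1  # option or value we do not model
                continue
            i += 2
        chains.setdefault(argv[1], []).append(rule)
    return chains


def _walk(chains, chain, pkt):
    """First-match walk of one chain: 'DROP', 'ACCEPT', 'RETURN' or None (end)."""
    for rule in chains.get(chain, []):
        if rule["src"] is not None and pkt["src"] not in rule["src"]:
            continue
        if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
            continue
        if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
            continue
        if rule["icmp_type"] is not None and rule["icmp_type"] != pkt["icmp_type"]:
            continue
        target = rule["target"]
        if target in ("DROP", "ACCEPT", "RETURN"):
            return target
        # Jump to a user chain: DROP/ACCEPT there is final; RETURN or falling
        # off its end resumes with the next rule of this chain.
        sub = _walk(chains, target, pkt)
        if sub in ("DROP", "ACCEPT"):
            return sub
    return None


def verdict(chains, chain, proto, src, dst, icmp_type=None):
    """'allow' when the per-port chain RETURNs (the rest of the table accepts
    it, per the rule comments), 'drop' on DROP, 'fallthrough' otherwise."""
    pkt = {"proto": proto, "src": ipaddress.ip_address(src),
           "dst": ipaddress.ip_address(dst), "icmp_type": icmp_type}
    result = _walk(chains, chain, pkt)
    return {"RETURN": "allow", "ACCEPT": "allow", "DROP": "drop"}.get(result, "fallthrough")


def icmpv6_audit(chains, chain, src, dst, types=ICMPV6_NAMES):
    """Map each ICMPv6 type to the verdict a packet from src to dst gets."""
    return {t: verdict(chains, chain, "ipv6-icmp", src, dst, t) for t in types}


CHAINS = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    # 20ff::c is the port's fixed IP from the post; 20ff::1 is a made-up stand-in.
    for t, v in icmpv6_audit(CHAINS, EGRESS_CHAIN, "20ff::c", "20ff::1").items():
        print(f"type {t:3d} {ICMPV6_NAMES[t]:<24} {v}")
    print("NS from spoofed source 20ff::99:",
          verdict(CHAINS, EGRESS_CHAIN, "ipv6-icmp", "20ff::99", "ff02::1", 135))
    print("TCP from the VM with no SG rules:",
          verdict(CHAINS, EGRESS_CHAIN, "tcp", "20ff::c", "20ff::1"))
```

Run against the constructed dump, the audit shows exactly the asymmetry the post describes: every ICMPv6 type except 134 comes back `allow` for the VM's own address (including 128 echo-request), while a TCP packet with no security group rule ends in the fallback chain and is dropped. It also shows that the anti-spoof chain still drops neighbour solicitations from a source address that is not in the port's IP/MAC pairs, and that DAD-style NS from `::` to a solicited-node multicast address is allowed by the explicit type 131/135/143 rules before the anti-spoof jump. Feeding it the output of a real `ip6tables-save` instead of the sample is a quick way to confirm a driver's ICMPv6 posture before deciding whether to tighten it beyond RFC 4890's recommendations.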