[neutron][security group][IPv6] IPv6 ICMPv6 port security in security group
Brian Haley
haleyb.dev at gmail.com
Fri Oct 11 21:21:09 UTC 2019
On 10/11/19 8:22 AM, Xing Zhang wrote:
> Hi all,
>
> When using neutron on CentOS 7 with OVSHybridIptablesFirewallDriver,
> create a VM with an IPv4/IPv6 dual-stack port, then remove all security
> groups: we can get a response when pinging the DHCP server or router
> using an IPv6 address from the VM, while IPv4 can't.
> IPv6 works differently from IPv4 in some cases, and some useful
> functions must work with ICMPv6, like NDP, NS, NA.
>
> Checking the two links below, neutron only drops IPv6 RA from the VM and
> allows all ICMPv6.
> ICMPv6 Type 128 Echo Request and Type 129 Echo Reply are allowed by default.
> Should we try to restrict some ICMPv6 types, or are there some
> considerations and we just follow IETF 4890?
The iptables rules you listed below are for egress traffic, and by
default the firewall driver only drops things that could allow one
instance to interfere with the operation of another, for example sending
DHCP replies or IPv6 router advertisements. Only privileged neutron
ports (router and dhcp) can do that.

I believe the reason we were so permissive in allowing all ICMPv6 out is
to not interfere with NS/NA/RS packets by accident; looking back, we
probably could have written more specific rules here. The OVS firewall
driver actually does add more specific rules for outbound NS/NA/RS, and
has been the default for neutron for a couple of cycles.

Regarding dropping other outbound IPv6 traffic, I don't think we should
filter anything else by default; it would be a non-backwards-compatible
change that would cause a lot of confusion.

-Brian
> IETF 4890 [section 4.3.2. Traffic That Normally Should Not Be Dropped]
> mentions that:
>
> As discussed in Section 3.2 <https://tools.ietf.org/html/rfc4890#section-3.2>,
> the risks from port scanning in an IPv6 network are much less severe,
> and it is not necessary to filter IPv6 Echo Request messages.
>
> [section 3.2. Probing]
>
> However, the very large address space of IPv6 makes probing a less
> effective weapon as compared with IPv4 provided that addresses are
> not allocated in an easily guessable fashion.
>
> https://github.com/openstack/neutron/commit/a8a9d225d8496c044db7057552394afd6c950a8e
>
> https://www.ietf.org/rfc/rfc4890.txt
>
> Commands are:
> neutron port-update --no-security-groups 0307f016-0cc8-468b-bf3e-36ebe50e13ac
>
> ping6 from the VM to DHCP
>
> ip6tables rules on the compute node:
> PS: it seems the rules for types 131/135/143 are included in the rules
>
> # ip6tables-save | grep 08a0812a
> -A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
> -A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
>
> full rules are at Ref #3
>
> Ref #1
> ml2_config.ini
> [securitygroup]
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> Ref #2
> Chain neutron-openvswi-o08a0812a-9 (2 references)
> pkts bytes target prot opt in out source destination
> 0 0 RETURN icmpv6 * * :: ff02::/16 ipv6-icmptype 131 /* Allow IPv6 ICMP traffic. */
> 1 72 RETURN icmpv6 * * :: ff02::/16 ipv6-icmptype 135 /* Allow IPv6 ICMP traffic. */
> 2 152 RETURN icmpv6 * * :: ff02::/16 ipv6-icmptype 143 /* Allow IPv6 ICMP traffic. */
> 5 344 neutron-openvswi-s08a0812a-9 all * * ::/0 ::/0
> 0 0 DROP icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 /* Drop IPv6 Router Advts from VM Instance. */
> 5 344 RETURN icmpv6 * * ::/0 ::/0 /* Allow IPv6 ICMP traffic. */
> 0 0 RETURN udp * * ::/0 ::/0 udp spt:546 dpt:547 /* Allow DHCP client traffic. */
> 0 0 DROP udp * * ::/0 ::/0 udp spt:547 dpt:546 /* Prevent DHCP Spoofing by VM. */
> 0 0 RETURN all * * ::/0 ::/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
> 0 0 DROP all * * ::/0 ::/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> 0 0 neutron-openvswi-sg-fallback all * * ::/0 ::/0 /* Send unmatched traffic to the fallback chain. */
>
> Ref #3
> # ip6tables-save | grep 08a0812a
> -A neutron-openvswi-PREROUTING -m physdev --physdev-in qvb08a0812a-9e -m comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
> -A neutron-openvswi-PREROUTING -i qvb08a0812a-9e -m comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
> -A neutron-openvswi-PREROUTING -m physdev --physdev-in tap08a0812a-9e -m comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
> :neutron-openvswi-i08a0812a-9 - [0:0]
> :neutron-openvswi-o08a0812a-9 - [0:0]
> :neutron-openvswi-s08a0812a-9 - [0:0]
> -A neutron-openvswi-FORWARD -m physdev --physdev-out tap08a0812a-9e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
> -A neutron-openvswi-FORWARD -m physdev --physdev-in tap08a0812a-9e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
> -A neutron-openvswi-INPUT -m physdev --physdev-in tap08a0812a-9e --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o08a0812a-9
> -A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN
> -A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
> -A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
> -A neutron-openvswi-i08a0812a-9 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
> -A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
> -A neutron-openvswi-i08a0812a-9 -d 20ff::c/128 -p udp -m udp --sport 547 --dport 546 -j RETURN
> -A neutron-openvswi-i08a0812a-9 -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j RETURN
> -A neutron-openvswi-i08a0812a-9 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
> -A neutron-openvswi-i08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -j neutron-openvswi-s08a0812a-9
> -A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
> -A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow IPv6 ICMP traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 546 --dport 547 -m comment --comment "Allow DHCP client traffic." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 547 --dport 546 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
> -A neutron-openvswi-o08a0812a-9 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
> -A neutron-openvswi-o08a0812a-9 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
> -A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-s08a0812a-9 -s 20ff::c/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
> -A neutron-openvswi-s08a0812a-9 -s fe80::f816:3eff:fe7c:d8c0/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
> -A neutron-openvswi-s08a0812a-9 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
> -A neutron-openvswi-sg-chain -m physdev --physdev-out tap08a0812a-9e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i08a0812a-9
> -A neutron-openvswi-sg-chain -m physdev --physdev-in tap08a0812a-9e --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o08a0812a-9
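As an added example (not neutron code, and not from either poster), the Python below replays the quoted o- and s-chains for a few egress packets from this port the way the kernel evaluates them, so the verdicts Xing observed can be checked offline: an echo request (type 128) from the port's own address passes, a router advertisement (134) is dropped, a DAD neighbor solicitation from :: is let through before the IP/MAC check, and anything from an address or MAC not in the port's allowed pairs is dropped by the s-chain. It assumes the addresses and MAC from Ref #3 (20ff::c, fe80::f816:3eff:fe7c:d8c0, FA:16:3E:7C:D8:C0) and handles only the match options those rules use.

```python
import ipaddress
import shlex
# The o- (egress) and s- (IP/MAC anti-spoof) chains, copied from the "ip6tables-save | grep
# 08a0812a" output above minus the --comment text and the conntrack state rules (a fresh
# ICMPv6 or UDP packet matches neither of those, so the walk below is unaffected).
RULES = """
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j RETURN
-A neutron-openvswi-o08a0812a-9 -j neutron-openvswi-s08a0812a-9
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -j RETURN
-A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 546 --dport 547 -j RETURN
-A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 547 --dport 546 -j DROP
-A neutron-openvswi-o08a0812a-9 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s08a0812a-9 -s 20ff::c/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -j RETURN
-A neutron-openvswi-s08a0812a-9 -s fe80::f816:3eff:fe7c:d8c0/128 -m mac --mac-source FA:16:3E:7C:D8:C0 -j RETURN
-A neutron-openvswi-s08a0812a-9 -j DROP
"""
CHECKS = {  # the only match criteria the rules above use; a "-m <ext>" token carries none
    "-s": lambda p, v: p["src"] in ipaddress.ip_network(v),
    "-d": lambda p, v: p["dst"] in ipaddress.ip_network(v),
    "-p": lambda p, v: p["proto"] == v,
    "--icmpv6-type": lambda p, v: p.get("type") == int(v),
    "--sport": lambda p, v: p.get("sport") == int(v),
    "--dport": lambda p, v: p.get("dport") == int(v),
    "--mac-source": lambda p, v: p["mac"].lower() == v.lower(),
}

def parse(text):
    # Group iptables-save "-A <chain> <opt> <val> ..." lines into {chain: [{opt: val}, ...]}
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule = {k: v for k, v in zip(tok[::2], tok[1::2]) if k != "-m"}
        chains.setdefault(rule.pop("-A"), []).append(rule)
    return chains

def walk(chains, chain, pkt):
    """First match wins; a jump to a user chain descends, and its RETURN resumes here."""
    for rule in chains[chain]:
        if all(CHECKS[k](pkt, v) for k, v in rule.items() if k != "-j"):
            target = rule["-j"]
            verdict = walk(chains, target, pkt) if target in chains else target
            if verdict != "RETURN" or target not in chains:
                return verdict
    return "RETURN"  # fell off the end of a user chain: back to the caller

def egress_verdict(src, dst, proto, mac="FA:16:3E:7C:D8:C0", **l4):
    # Verdict of the VM egress chain for one packet; RETURN means it gets through
    pkt = dict(src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst), proto=proto, mac=mac, **l4)
    return walk(parse(RULES), "neutron-openvswi-o08a0812a-9", pkt)
```

A verdict naming the fallback chain means no rule in the port chain decided the packet, which is where security-group rules would normally apply.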