[nova][neutron][deployment-projects] Re secbug #1734320

Slawek Kaplonski skaplons at redhat.com
Wed Aug 4 06:55:47 UTC 2021


On Fri, Jun 18, 2021 at 06:12:35PM +0200, Radosław Piliszek wrote:
> Hello Folks!
> I am writing this because a recent patch proposed to DevStack [1]
> mentioned "when using ml2/ovs vif isolation should always be used to
> prevent cross tenant traffic during a live migration" which is related
> to secbug #1734320 "Eavesdropping private traffic" [2].
> However, I've found that none of the publicly-available deployment
> projects seem to be using ``isolate_vif``. [3] [4]
> Should this be corrected?
> PS: I used the deployment-projects tag as a collective tag to avoid
> mentioning all the projects (as it is too long to write :-) ). I hope
> that relevant people see this if need be or someone passes the
> information to them. For now, I am curious whether this should
> actually be enforced by default with ML2/OVS.

I think that Sean explained in the commit message of
https://review.opendev.org/c/openstack/os-vif/+/612534/ why it defaults to
False. And as it is os-vif's setting we can't make it "conditional", as os-vif
doesn't know which Neutron backend is really used.
So IMO deployment tools should maybe default this setting to True when ML2/OVS
is really used.

> [1] https://review.opendev.org/c/openstack/devstack/+/796826
> [2] https://bugs.launchpad.net/neutron/+bug/1734320
> [3] https://codesearch.opendev.org/?q=%5Cbisolate_vif%5Cb&i=nope&files=&excludeFiles=&repos=
> [4] https://github.com/search?p=1&q=isolate_vif&type=Code
> -yoctozepto

Slawek Kaplonski
Principal Software Engineer
Red Hat
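An added audit check that encodes the point made in this thread (this is example code, not part of the thread and not os-vif's or Neutron's own code): a node is flagged when the Neutron ML2 config lists the openvswitch mechanism driver while nova.conf leaves `[os_vif_ovs] isolate_vif` at its default of False. The `[os_vif_ovs]` group and `isolate_vif` option are the real os-vif names; the sample config texts are constructed, and the file paths and the driver-name matching are assumptions.

```python
import configparser

# Constructed sample configuration texts (not taken from a real deployment).
ML2_CONF_OVS = """
[ml2]
mechanism_drivers = openvswitch,l2population
"""

NOVA_CONF_DEFAULT = """
[os_vif_ovs]
# isolate_vif is left unset, so os-vif uses its default of False
"""

NOVA_CONF_HARDENED = """
[os_vif_ovs]
isolate_vif = True
"""


def uses_ml2_ovs(ml2_conf_text):
    """True if the ML2 mechanism_drivers list contains 'openvswitch' (assumed driver name)."""
    cp = configparser.ConfigParser()
    cp.read_string(ml2_conf_text)
    drivers = cp.get("ml2", "mechanism_drivers", fallback="")
    return "openvswitch" in [d.strip() for d in drivers.split(",")]


def isolate_vif_enabled(nova_conf_text):
    """Read [os_vif_ovs] isolate_vif from nova.conf; absent means the os-vif default, False."""
    cp = configparser.ConfigParser()
    cp.read_string(nova_conf_text)
    return cp.getboolean("os_vif_ovs", "isolate_vif", fallback=False)


def check_live_migration_isolation(ml2_conf_text, nova_conf_text):
    """Return (ok, message) for the ML2/OVS + isolate_vif combination on one compute node."""
    if not uses_ml2_ovs(ml2_conf_text):
        return True, "ML2/OVS not in use; isolate_vif is not relevant here"
    if isolate_vif_enabled(nova_conf_text):
        return True, "ML2/OVS with isolate_vif=True: VIFs isolated during live migration"
    return False, "ML2/OVS in use but [os_vif_ovs] isolate_vif is at its default (False); set it to True"


if __name__ == "__main__":
    # Hypothetical paths; in practice read /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/nova/nova.conf.
    for name, nova_conf in (("default", NOVA_CONF_DEFAULT), ("hardened", NOVA_CONF_HARDENED)):
        ok, msg = check_live_migration_isolation(ML2_CONF_OVS, nova_conf)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
```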