[Openstack-operators] Raising the degree of the scandal
Miguel Ángel Ajo
majopela at redhat.com
Sun May 17 13:33:48 UTC 2015
Probably the solution is not selected to be backported because:
* It’s an intrusive change
* Introduces new dependencies
* Probably it’s going to introduce a performance penalty because eatables is slow.
I’m asking in reviews for this feature to be enabled/disabled via a flag.
In the future I hope OVS with connection tracking to be merged, so then we can
finally have a proper openvswitch_firewall_driver supporting stateful firewalling
without reflective rules or flag matching (one is slow, the other is insecure…)
Miguel Ángel Ajo
On Saturday, 16 de May de 2015 at 23:28, George Shuklin wrote:
> On 05/15/2015 07:48 PM, Jay Pipes wrote:
> > On 05/15/2015 12:38 PM, George Shuklin wrote:
> > > Just to let everyone know: broken antispoofing is not an 'security
> > > issue' and the fix is not planned to be backported to Juno/kilo.
> > >
> > > https://bugs.launchpad.net/bugs/1274034
> > >
> > > What can I say? All hail devstack! Who care about production?
> >
> > George, I can understand you are frustrated with this issue and feel
> > strongly about it. However, I don't think notes like this are all that
> > productive.
> >
> > Would a more productive action be to tell the operator community a bit
> > about the vulnerability and suggest appropriate remedies to take?
> >
>
> Ok, sorry.
>
> Short issue: If few tenants use same network (shared network) one tenant
> may disrupt network activities of other tenant by sending a specially
> crafted ARP packets on behave of the victim. Normally, Openstack
> prohibit usage of unauthorized addresses (this feature is called
> 'antispoofing' and it is essential for multi-tenant clouds). This
> feature were subtly broken (malicious tenant may not use other addresses
> but still may disrupt activities of other tenants).
>
> Finally, that bug has been fixed. But now they says 'oh, it is not that
> important, we will not backport it to current releases, only to
> "Libery"' because of new etables dependency.
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org (mailto:OpenStack-operators at lists.openstack.org)
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150517/d0914c0d/attachment.html>
More information about the OpenStack-operators
mailing list