[Openstack-operators] Raising the degree of the scandal

Kris G. Lindgren klindgren at godaddy.com
Mon May 18 09:28:36 UTC 2015

See inline.
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.

On 5/18/15, 1:40 AM, "Kevin Benton" <blak111 at gmail.com> wrote:

>This whole discussion is basically pointless because the ebtables work
>isn't even done. There is no merged ebtables fix to back-port.

>>Additionally, some of us don¹t want to run OVS
>Well OVS is the reference right now. If you choose to use something
>else, there are going to be feature gaps like this. Did you consider
>this before trying to remove OVS?
>>so an OVS only solution is effectively imho - crap
>You mean for people that choose not to use the gate-tested reference
>Anyone can just as easily argue that an ebtables solution is crap
>because it assumes a filtering bridge so it doesn't work with any
>direct plugging setups. However, we try to discourage attacking
>contributions that didn't happen to fit a narrow use-case. It's
>unproductive and poisonous behavior that discourages people from doing

You mean how security groups was/is currently and has always been
implemented in neutron + ovs.  Creating linux bridge per vm so you can do
filtering via iptables over the bridge?  To be fair, the OVS solution does
solve the problem for some people - so you are right I shouldn't have
called it crap.  I guess it's when that solution is called out as an
acceptable work around that the more complete/robust solution wont be back
ported because it add's new dependancies, I guess that to me is what is
crap.  BTW, to be clear that since we package our own packages - we will
pull this in and being running it as soon as it lands.  But that doesn't
do anyone else any good.
>>you need to run OVS - seems like a stretch if you aren't using GRE/vxlan
>>tunneling for all of your guests.
>Tunneling has little to do with OVS. Linux bridge also supports vxlan
>and GRE. You can just say why you don't like OVS (e.g. hard to debug,
>tooling is different, admins don't know how to use it, etc). This can
>help motivate the movement to restart development on the linux bridge
The references configuration all say or at minimum imply that if you are
doing gre/overlay networks you need to be using OVS.  I don¹t really want
to get into an ovs bashing/discussion here, but in general since neutron
creates a linux bridge to apply security group rules to for vms.  We
effectively make an architecture that uses both OVS and linux bridge for
every vm.  If I also have an architecture that happens to use vlans and
nothing else - what does ovs gain me?  Complexity - yep, additonal
overhead, yep.  Since a packet gets ran through kernel space for ovs +
possibly a trip to user space opensvswitchd + linux bridging code + bridge
mac learning code + iptables + tap code.  Now tell me in that chain whats
the one thing that doesn¹t need to be there?  I hope we both said
Openvswitch.  Last I heard the megaflows that allowed for the huge speed
ups no longer work when you start doing specific L4 matches (IE
ip/port/porto filtering).
>>Since, flat networks are a 100% supported
>Who is supporting Linux bridge used as a backend for shared networks
>and is claiming they are secure? Whoever is doing that should be on
>the receiving end of your complaints.

We are using neutron + ovs + shared networks (on real vlans).  But neutron
+ ml2 + linux bridge mechanism driver is totally a supported thing ;-).
We also aren't using any of the router stuff in neutron either.  Because
neutron is suppose to apply "anti-spoofing rules" to prevent vm's from
doing bad things to other vm's.  So I think the complaints are
appropriately justified, since the original commit that added security
groups to quantum had a method named: "_arp_spoofing_rule" [1] that the
original intent was to have neutron preventing arp spoofing.  It just
never worked for the 3+ years, because as it turns out you can't filter
arp via iptables - since iptables is layer3-7 and arp is layer2.  It was
also further hidden during the addition of allowed address-pairs [2],
which effectively reverse implemented the previous logic [3]

[1] - 
[2] - 
[3] - 

So, to be clear.  I want the bug fix - dare I say security/vunerability
fix - when it lands to be back-ported to the current supported stable
release.  This is to close a 3+ year old security issue in that neutron
tries to provide anti-spoofing rules - but fails to implement them in a
way that actual work.  Yet at a minimum alludes to the fact that it does
stuff like nova to prevent vm's from doing arp spoofing/poisoning.
Additionally, I want done in a way that is as generic as possible, so it
works with the most amount of supported neutron plugins.  (Ala linux
bridge+iptables+ now ebtables).
>Please be clear about what you really want here. It sounds like you
>want ARP filtering support in the Linux bridge driver. Is that
>On Mon, May 18, 2015 at 12:22 AM, Kris G. Lindgren
><klindgren at godaddy.com> wrote:
>> I always thought that ebtables was below the stack in the iptables
>>schema -
>> but still part of netfilter - thus should be reasonably fast (I would
>> faster than a user space lookup to openvswitchd).  Considering the rules
>> being added are small in number and trivial (on this port allow src/dst
>> of blah).  Do you have any performance data showing that its slow?  A
>> google search shows nothing relevant :-).  Additionally, libvirt
>> anti-spoofing rules configured via nova using nwfilter uses ebtables to
>> the anti spoofing rules.  No one seems to complain about the
>>performance of
>> that...
>> Additionally, some of us don¹t want to run OVS, so an OVS only solution
>> effectively imho - crap.  We are actively looking at removing OVS from
>> environment due to a number of reasons.  So saying if you run neutron
>> care to have *REAL* network protection - you need to run OVS - seems
>>like a
>> stretch if you aren't using GRE/vxlan tunneling for all of your guests.
>> I personally agree with George, this stance of "We never said that
>> would provide anti-spoofing on flat networks thus we wont backport this,
>> because it now brings into scope ebtables", seems to be a pretty huge
>>gap in
>> what neutron says it does and the protection it actually provides.  We
>> supply security group rules, but stealing someone else's IP or the
>> that doesn't belong to you - yep that totally cool with us.  It strikes
>> that neutrons goal to deliver networking is basically two fold. 1.)
>> multi-tenant networking 2.) Make sure tenants cant stomp on each other.
>> Without number 2 (anti-spoofing) you kinda fail to provide number 1.
>> flat networks are a 100% supported and viable way of doing tenant
>> I would say that this is a bug and should be backported to kilo/juno.
>> I don¹t personly buy the new dependency reason, new to neutron - maybe
>>- but
>> not new to people running nova/libvirt.  Ebtables is used by libvirt for
>> nwfilter, assuming an pretty standard libvirt install ebtables should be
>> installed by default.  Additionally, this would have already been a
>> dependency in nova-compute due to anti-spoofing support there.
>> ____________________________________________
>> Kris Lindgren
>> Senior Linux Systems Engineer
>> GoDaddy, LLC.
>> From: Miguel Ángel Ajo <majopela at redhat.com>
>> Date: Sunday, May 17, 2015 at 6:33 AM
>> To: George Shuklin <george.shuklin at gmail.com>
>> Cc: "openstack-operators at lists.openstack.org"
>> <openstack-operators at lists.openstack.org>
>> Subject: Re: [Openstack-operators] Raising the degree of the scandal
>> Probably the solution is not selected to be backported because:
>>   * It¹s an intrusive change
>>   * Introduces new dependencies
>>   * Probably it¹s going to introduce a performance penalty because
>> is slow.
>> I¹m asking in reviews for this feature to be enabled/disabled via a
>> In the future I hope OVS with connection tracking to be merged, so then
>> can
>> finally have a proper openvswitch_firewall_driver supporting stateful
>> firewalling
>> without reflective rules or flag matching (one is slow, the other is
>> insecureŠ)
>> Miguel Ángel Ajo
>> On Saturday, 16 de May de 2015 at 23:28, George Shuklin wrote:
>> On 05/15/2015 07:48 PM, Jay Pipes wrote:
>> On 05/15/2015 12:38 PM, George Shuklin wrote:
>> Just to let everyone know: broken antispoofing is not an 'security
>> issue' and the fix is not planned to be backported to Juno/kilo.
>> https://bugs.launchpad.net/bugs/1274034
>> What can I say? All hail devstack! Who care about production?
>> George, I can understand you are frustrated with this issue and feel
>> strongly about it. However, I don't think notes like this are all that
>> productive.
>> Would a more productive action be to tell the operator community a bit
>> about the vulnerability and suggest appropriate remedies to take?
>> Ok, sorry.
>> Short issue: If few tenants use same network (shared network) one tenant
>> may disrupt network activities of other tenant by sending a specially
>> crafted ARP packets on behave of the victim. Normally, Openstack
>> prohibit usage of unauthorized addresses (this feature is called
>> 'antispoofing' and it is essential for multi-tenant clouds). This
>> feature were subtly broken (malicious tenant may not use other addresses
>> but still may disrupt activities of other tenants).
>> Finally, that bug has been fixed. But now they says 'oh, it is not that
>> important, we will not backport it to current releases, only to
>> "Libery"' because of new etables dependency.
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>Kevin Benton

More information about the OpenStack-operators mailing list