[Openstack-operators] [openstack operators][neutron] Neutron Router getting address not inside allocation range on provider network
Chris Apsey
bitskrieg at bitskrieg.net
Sat Mar 17 21:10:50 UTC 2018
All,

Had a strange incident the other day that seems like it shouldn't be
possible inside of neutron...

We are currently running Queens on Ubuntu 16.04 w/ the linuxbridge ml2
plugin with vxlan overlays. We have a single, large provider network
that we have set to 'shared' and 'external', so people who need to do
things that don't work well with NAT can connect their instances
directly to the provider network. Our 'allocation range' as defined in
our provider subnet is dedicated to tenants, so there should be no
conflicts.

The other day, one of our users connected a neutron router to the
provider network (not via the 'external network' option, but rather via
the normal 'add interface' option) and neglected to specify an IP
address. The neutron router decided that it was now the gateway for the
entire provider network and began arp'ing as such (I'm sure you can
imagine the results).

To me, this seems like it should be disallowed inside of neutron (you
shouldn't be able to specify an IP address for a router interface that
isn't explicitly part of your allocation range on said subnet). Does
neutron just expect issues like this to be handled by the physical
provider infrastructure (spoofing prevention, etc.)?
Thanks,
---
v/r
Chris Apsey
bitskrieg at bitskrieg.net
https://www.bitskrieg.net
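The condition described in the post (a router interface on a shared provider subnet holding the subnet's gateway address, or any address outside the tenant allocation pools) can be audited from the Neutron API data an operator already has. The following is an added example, not code from the original post or from the Neutron project: it runs the check over constructed subnet and port records shaped like the Neutron API's `subnet` and `port` objects (field names `cidr`, `gateway_ip`, `allocation_pools`, `device_owner`, `fixed_ips` are the real API fields; the IDs and addresses are made up). Adding a router interface by subnet without naming a port or address gives the router the subnet's `gateway_ip`, which is what the check is looking for.

```python
import ipaddress

# Constructed sample data in the shape of Neutron's subnet and port objects,
# trimmed to the fields the audit needs. IDs and addresses are invented.
SUBNET = {
    "id": "subnet-provider",
    "cidr": "192.0.2.0/24",
    "gateway_ip": "192.0.2.1",
    # Tenant allocation range; everything else is reserved for the provider side.
    "allocation_pools": [{"start": "192.0.2.100", "end": "192.0.2.199"}],
}

PORTS = [
    # A tenant instance port inside the allocation pool: nothing to report.
    {"id": "port-vm", "device_owner": "compute:nova",
     "fixed_ips": [{"subnet_id": "subnet-provider", "ip_address": "192.0.2.150"}]},
    # A router interface that was added by subnet and received the gateway IP:
    # this is the incident the post describes.
    {"id": "port-router-gw", "device_owner": "network:router_interface",
     "fixed_ips": [{"subnet_id": "subnet-provider", "ip_address": "192.0.2.1"}]},
    # A router interface with an explicitly chosen address inside the pool.
    {"id": "port-router-ok", "device_owner": "network:router_interface",
     "fixed_ips": [{"subnet_id": "subnet-provider", "ip_address": "192.0.2.120"}]},
    # A router interface outside the pool (not the gateway): still reportable,
    # since it sits in address space the operator reserved for infrastructure.
    {"id": "port-router-oob", "device_owner": "network:router_interface",
     "fixed_ips": [{"subnet_id": "subnet-provider", "ip_address": "192.0.2.50"}]},
]


def in_allocation_pools(ip, pools):
    """True if ip falls inside any of the subnet's start/end allocation pools."""
    addr = ipaddress.ip_address(ip)
    return any(
        ipaddress.ip_address(p["start"]) <= addr <= ipaddress.ip_address(p["end"])
        for p in pools
    )


def audit_router_interfaces(subnet, ports):
    """Return (port_id, ip, reason) for every router interface on `subnet`
    whose address is the subnet gateway or lies outside the allocation pools.

    device_owner is matched by prefix so that DVR ports
    ("network:router_interface_distributed") are covered as well.
    """
    findings = []
    for port in ports:
        if not port["device_owner"].startswith("network:router_interface"):
            continue
        for fip in port["fixed_ips"]:
            if fip["subnet_id"] != subnet["id"]:
                continue
            ip = fip["ip_address"]
            if ip == subnet["gateway_ip"]:
                findings.append((port["id"], ip, "gateway_ip"))
            elif not in_allocation_pools(ip, subnet["allocation_pools"]):
                findings.append((port["id"], ip, "outside_allocation_pools"))
    return findings


if __name__ == "__main__":
    for port_id, ip, reason in audit_router_interfaces(SUBNET, PORTS):
        print(f"{port_id}: {ip} ({reason})")
```

Against real data, the same two dictionaries can be filled from `openstack subnet show <subnet> -f json` and `openstack port list --network <network> -f json` (the port listing uses `Fixed IP Addresses` and `Device Owner` columns, so the keys need mapping to the API field names used above). A finding with reason `gateway_ip` is the case in the post: a router port that will answer ARP for the provider gateway address.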