[Openstack-security] [Bug 1262759] Re: ICMPv6 RAs should only be permitted from known routers
OpenStack Infra
1262759 at bugs.launchpad.net
Fri Apr 4 00:11:48 UTC 2014
Reviewed: https://review.openstack.org/72252
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b7b0c7dbcd3e6754bc09b2fd75d888c41ae4aadb
Submitter: Jenkins
Branch: master
commit b7b0c7dbcd3e6754bc09b2fd75d888c41ae4aadb
Author: Xuhan Peng <xuhanp at cn.ibm.com>
Date: Sun Feb 9 22:02:33 2014 -0500
Permit ICMPv6 RAs only from known routers
Currently ingress ICMPv6 RAs are permitted from any IPs by
default to allow VMs to accept ICMPv6 RA from provider network.
In this way, VM can accept RAs from attacker VM and configure
a network prefix specified by the attacher VM.
Remove permitting ICMPv6 RAs from any IPs and add security rule
to only permit ICMPv6 RA from:
1. If the port's subnet is configured with ipv6_ra_mode value
(i.e.value is slaac, dhcpv6-stateful, or dhcpv6-stateless), RA
is sending from dnsmasq controlled by OpenStack. In this case,
allow RA from the link local address of gateway port (if the
gateway port is created).
2. If the subnet's gateway port is not managed by OpenStack, allow
the ICMPv6 RA sent from the subnet gateway IP if it's a link local
address. The administrator needs to configure the gateway IP as
link local address in this case to make the RA rule work.
Change-Id: I1d5c7aaa8e4cf057204eb746c0faab2c70409a94
Closes-Bug: 1262759
** Changed in: neutron
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1262759
Title:
ICMPv6 RAs should only be permitted from known routers
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in OpenStack Security Advisories:
Invalid
Bug description:
ICMPv6 is now allowed in from any host but other hosts can offer bogus
routes.
Change security group/port filtering to respect known routers:
- tenant routers attached to subnets and passing v6
- physical routers on provider networks provided on the network (as some sort of admin configurable list for that network).
(Security issue: One VM sharing a neutron network can divert outgoing
traffic from other VMs.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1262759/+subscriptions
More information about the Openstack-security
mailing list