[Openstack-security] [Bug 1262759] Re: ICMPv6 RAs should only be permitted from known routers
Jeremy Stanley
fungi at yuggoth.org
Sat Jan 11 20:25:16 UTC 2014
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1262759
Title:
ICMPv6 RAs should only be permitted from known routers
Status in OpenStack Neutron (virtual network service):
New
Status in OpenStack Security Advisories:
Invalid
Bug description:
ICMPv6 is now allowed in from any host but other hosts can offer bogus
routes.
Change security group/port filtering to respect known routers:
- tenant routers attached to subnets and passing v6
- physical routers on provider networks provided on the network (as some sort of admin configurable list for that network).
(Security issue: One VM sharing a neutron network can divert outgoing
traffic from other VMs.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1262759/+subscriptions
More information about the Openstack-security
mailing list