[Openstack-security] [Bug 1262759] Re: ICMPv6 RAs should only be permitted from known routers

Jeremy Stanley fungi at yuggoth.org
Sat Jan 11 20:25:16 UTC 2014


** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1262759

Title:
  ICMPv6 RAs should only be permitted from known routers

Status in OpenStack Neutron (virtual network service):
  New
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  ICMPv6 is now allowed in from any host but other hosts can offer bogus
  routes.

  Change security group/port filtering to respect known routers:

  - tenant routers attached to subnets and passing v6
  - physical routers on provider networks provided on the network (as some sort of admin configurable list for that network).

  (Security issue: One VM sharing a neutron network can divert outgoing
  traffic from other VMs.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1262759/+subscriptions




More information about the Openstack-security mailing list