[Openstack-security] [openstack/neutron] SecurityImpact review request change I1f8311f1b9ae1be02afde3e9078e49c6da373a88
gerrit2 at review.openstack.org
Tue Jul 14 16:21:05 UTC 2015
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/201650
Log:
commit 9eaa0c3bca0f0a489f1cced72c4171f60996da5f
Author: sridhargaddam <sridhar.gaddam at enovance.com>
Date: Tue Jul 14 16:18:06 2015 +0000

    Add IPv6 Address Resolution protection

    Similar to IPv4 ARP protection support, this patch adds the necessary OVS
    rules to prevent ports attached to the agent from sending any ICMPv6 neighbor
    advertisement messages that contain an IPv6 address not belonging to the port.

    For details please refer to "Figure 3. Attack against IPv6 Address Resolution"
    http://www.cisco.com/web/about/security/intelligence/ipv6_first_hop.html

    I've verified this patch locally and it works. I would like to seek feedback
    about this approach before proceeding with pending items.

    Pending items:
    Functional tests.
    Unit tests.
    Sanity check.

    DocImpact
    SecurityImpact
    Partial-Bug: #1274034
    Change-Id: I1f8311f1b9ae1be02afde3e9078e49c6da373a88
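
The kind of per-port rule set the commit message describes, as an added example that is not part of the original message or of the Neutron patch: it builds `ovs-ofctl` flow strings that forward a neighbor advertisement (ICMPv6 type 136) only when its `nd_target` is one of the port's own addresses. The function names, table numbers and priorities are hypothetical, and the link-local address is allowed on the assumption that the guest derives it from its MAC with EUI-64.

```python
import ipaddress

ICMPV6_NEIGHBOR_ADVERTISEMENT = 136  # ICMPv6 type from RFC 4861


def eui64_link_local(mac):
    """Link-local address a host derives from its MAC with EUI-64."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def nd_protection_flows(ofport, mac, fixed_ips, classify_table=0, nd_table=24):
    """Build ovs-ofctl flow strings limiting the NAs one port may send.

    Table numbers and priorities are assumptions made for this example.
    """
    allowed = {eui64_link_local(mac)}
    for ip in fixed_ips:
        addr = ipaddress.ip_address(ip)  # rejects malformed input
        if addr.version == 6:  # IPv4 addresses are covered by ARP protection
            allowed.add(addr)
    match = "icmp6,icmp_type=%d,in_port=%d" % (
        ICMPV6_NEIGHBOR_ADVERTISEMENT, ofport)
    flows = [
        # Divert every NA arriving from this port to the checking table.
        "table=%d,priority=10,%s,actions=resubmit(,%d)"
        % (classify_table, match, nd_table),
    ]
    # Forward an NA only when its target address belongs to the port.
    for addr in sorted(allowed):
        flows.append("table=%d,priority=2,%s,nd_target=%s,actions=NORMAL"
                     % (nd_table, match, addr))
    # Any other NA that reached the checking table is dropped.
    flows.append("table=%d,priority=0,actions=drop" % nd_table)
    return flows


if __name__ == "__main__":
    # Constructed sample port: OpenFlow port 5 with one fixed IPv6 address.
    for flow in nd_protection_flows(5, "fa:16:3e:aa:bb:cc",
                                    ["2001:db8::10", "192.0.2.10"]):
        print(flow)
```

The printed lines can be loaded with `ovs-ofctl add-flows <bridge> -`, and `ovs-ofctl dump-flows <bridge> table=24` then shows per-rule packet counters, so a rising count on the drop rule indicates a port advertising addresses it does not own.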