** Changed in: neutron
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1666959

Title:
  ha_vrrp_auth_type defaults to PASS which is insecure

Status in neutron:
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  With l3_ha enabled, ha_vrrp_auth_type defaults to PASS authentication:

  https://github.com/openstack/neutron/blob/b90ec94dc3f83f63bdb505ace1e4c272435c494b/neutron/conf/agent/l3/ha.py#L28

  which according to
  http://louwrentius.com/configuring-attacking-and-securing-vrrp-on-linux.html
  is totally insecure because the VRRP password is transmitted in the
  clear.

  I'm not sure if this is currently a serious issue, since if the VRRP
  network is untrusted, maybe there are already bigger problems. But I
  thought it was worth reporting, at least.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1666959/+subscriptions
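
An added example, not part of the bug report or of neutron's code: a small audit that layers agent config files in order and reports when the effective ha_vrrp_auth_type is PASS, including the case the report describes where the option is left unset. The file names and sample contents are constructed, and parsing with Python's configparser instead of oslo.config is an assumption of this sketch.

```python
import configparser

# Default described in the bug report: an unset ha_vrrp_auth_type means PASS.
NEUTRON_DEFAULT_AUTH_TYPE = "PASS"
DEFAULT_SOURCE = "neutron default (option unset)"

# Constructed sample files. They are layered the way oslo.config applies
# several --config-file arguments: a later file overrides an earlier one.
SAMPLE_NEUTRON_CONF = """
[DEFAULT]
l3_ha = True
"""
SAMPLE_L3_AGENT_INI_UNSET = """
[DEFAULT]
# ha_vrrp_auth_type = AH
ha_vrrp_auth_password = example-not-a-real-secret
"""
SAMPLE_L3_AGENT_INI_AH = """
[DEFAULT]
ha_vrrp_auth_type = AH
"""


def effective_auth_type(config_files):
    """Return (auth_type, source) after layering (name, text) pairs in order."""
    value, source = NEUTRON_DEFAULT_AUTH_TYPE, DEFAULT_SOURCE
    for name, text in config_files:
        # interpolation=None keeps '%' in passwords literal; strict=False
        # tolerates repeated keys, which oslo.config files may contain.
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text, source=name)
        defaults = parser.defaults()
        if "ha_vrrp_auth_type" in defaults:
            value, source = defaults["ha_vrrp_auth_type"].strip(), name
    return value, source


def audit(config_files):
    """Return a finding string if VRRP uses PASS authentication, else None."""
    auth_type, source = effective_auth_type(config_files)
    if auth_type == "PASS":
        return (f"ha_vrrp_auth_type is PASS (from {source}): "
                "VRRP password is transmitted in the clear")
    return None
```
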