[Openstack-security] [Bug 1492398] Re: VXLAN Overlay ping issue when Gateway IP is set to one of local NIC's IP address
Jeremy Stanley
fungi at yuggoth.org
Fri Feb 28 00:03:59 UTC 2020
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
There's an issue when a VXLAN overlay VM tries to ping an overlay IP
address that is also the same as one of the host machine's local IP
addresses. In my setup, I've tried pinging the overlay VM's router's IP
address. Here are the details:
VXLAN Id is 100 (this number is immaterial, what matters is that we use
VXLAN for tenant traffic)
Overlay VM:
IP: 10.0.1.3/24
GW: 10.0.1.1
Host Info:
enp21s0f0: 1.1.1.5/24 (This interface is used to contact the controller as well as for encapsulated datapath traffic.)
qbr89a962f7-9b: Linux Bridge to which the Overlay VM connects. No IP
address on this one.
brctl show:
qbr89a962f7-9b 8000.56f6fefb9d5c no qvb89a962f7-9b
tap89a962f7-9b
ifconfig qbr89a962f7-9b
qbr89a962f7-9b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::54f6:feff:fefb:9d5c prefixlen 64 scopeid 0x20<link>
ether 56:f6:fe:fb:9d:5c txqueuelen 0 (Ethernet)
RX packets 916 bytes 27072 (26.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 780 (780.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I am using a previously unused NIC named eno1 for this example. When
eno1 has no IP address, ping from the overlay VM to the router is
successful. ARP on the VM shows the correct MAC resolution. When I set
eno1 to 10.0.1.1, ARP on the overlay VM shows qbr89a962f7-9b's MAC
address and ping never succeeds.
When things work OK ARP for 10.0.1.1 is fa:16:3e:0c:52:6d
When eno1 is set to 10.0.1.1 ARP resolution is incorrect, 10.0.1.1
resolves to 56:f6:fe:fb:9d:5c and ping never succeeds. I've deleted ARPs
to ensure that resolution is triggered. It appears as if the OVS br-int
never received the ARP request.
Thanks,
-Uday
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1492398
Title:
VXLAN Overlay ping issue when Gateway IP is set to one of local NIC's
IP address
Status in neutron:
Expired
Status in OpenStack Security Advisory:
Won't Fix
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1492398/+subscriptions
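A check for the condition the report describes, as an added example that is not part of the bug, of Neutron, or of any VMT analysis (the bug expired without one). It parses the hypervisor's `ip -o -4 addr show`, `ip -o link show` and `sysctl net.ipv4.conf` output together with `ip neigh show` from inside a guest, flags any host interface that carries a tenant gateway address (or an address inside a tenant subnet), and reports when the guest has resolved its gateway to a MAC owned by a hypervisor-side interface. All inputs are constructed: the router port MAC fa:16:3e:0c:52:6d and the qbr bridge MAC 56:f6:fe:fb:9d:5c are the ones quoted in the report; the enp21s0f0 and eno1 MACs, the sysctl values and the TENANT_GATEWAYS table are made up. The arp_ignore finding rests on general kernel behaviour, not on anything the bug established: with the default net.ipv4.conf.*.arp_ignore = 0 the kernel answers an ARP request for any locally configured address regardless of the interface the request arrived on (effective value is the maximum of the "all" and per-interface settings), which is one way a bridge with no IPv4 address could reply with its own MAC.

```python
"""Check a compute host for tenant-gateway / local-address collisions.

Added example, not from the bug report, Neutron or the OpenStack VMT.
Inputs are the text of `ip -o -4 addr show`, `ip -o link show` and
`sysctl net.ipv4.conf` on the hypervisor, plus `ip neigh show` from
inside a guest. All samples below are constructed from the report.
"""
import ipaddress
import re

# ---- constructed sample data (modelled on the bug report) -----------------
HOST_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: enp21s0f0    inet 1.1.1.5/24 brd 1.1.1.255 scope global enp21s0f0\\       valid_lft forever preferred_lft forever
3: eno1    inet 10.0.1.1/24 brd 10.0.1.255 scope global eno1\\       valid_lft forever preferred_lft forever
"""
# MACs for enp21s0f0/eno1 are made up; the qbr MAC is the one in the report.
HOST_LINK_OUTPUT = """\
2: enp21s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
7: qbr89a962f7-9b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\\    link/ether 56:f6:fe:fb:9d:5c brd ff:ff:ff:ff:ff:ff
"""
# Assumed sysctl output; 0 is the kernel default (answer for any local IP).
HOST_SYSCTL_OUTPUT = """\
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.eno1.arp_ignore = 0
net.ipv4.conf.qbr89a962f7-9b.arp_ignore = 0
"""
# Neutron subnet gateways whose tenants have ports on this host (assumed).
TENANT_GATEWAYS = {"10.0.1.1": "10.0.1.0/24"}
# `ip neigh show` inside the guest: the working case and the broken case.
GUEST_NEIGH_OK = "10.0.1.1 dev eth0 lladdr fa:16:3e:0c:52:6d REACHABLE\n"
GUEST_NEIGH_BAD = "10.0.1.1 dev eth0 lladdr 56:f6:fe:fb:9d:5c REACHABLE\n"

_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+):.*?link/ether\s+([0-9a-f:]{17})", re.I)
_NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)
_SYSCTL_RE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.arp_ignore\s*=\s*(\d+)")


def parse_host_addrs(output):
    """{iface: [IPv4Interface, ...]} from `ip -o -4 addr show`."""
    addrs = {}
    for line in output.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return addrs


def parse_host_macs(output):
    """{iface: mac} from `ip -o link show`, MACs lower-cased."""
    return {m.group(1): m.group(2).lower()
            for m in (_LINK_RE.match(line) for line in output.splitlines()) if m}


def parse_arp_ignore(output):
    """{iface: arp_ignore} from `sysctl net.ipv4.conf`."""
    return {m.group(1): int(m.group(2))
            for m in (_SYSCTL_RE.match(line) for line in output.splitlines()) if m}


def find_gateway_collisions(addrs, gateways):
    """Host interfaces (other than lo) that carry a tenant gateway address
    outright, or an address inside a tenant subnet.
    Returns [(iface, address, gateway, kind)], kind 'exact' or 'overlap'."""
    hits = []
    for iface, ifaddrs in addrs.items():
        if iface == "lo":
            continue
        for a in ifaddrs:
            for gw, cidr in gateways.items():
                if a.ip == ipaddress.ip_address(gw):
                    hits.append((iface, str(a.ip), gw, "exact"))
                elif a.network.overlaps(ipaddress.ip_network(cidr)):
                    hits.append((iface, a.with_prefixlen, gw, "overlap"))
    return hits


def check_guest_gateway_mac(neigh_output, gateway, host_macs):
    """(mac, owner): the MAC the guest resolved `gateway` to and, if that MAC
    belongs to a hypervisor-side interface, which one. The healthy result
    is the Neutron router port's MAC with owner None."""
    for line in neigh_output.splitlines():
        m = _NEIGH_RE.match(line)
        if m and m.group(1) == gateway:
            mac = m.group(2).lower()
            owner = next((i for i, h in host_macs.items() if h == mac), None)
            return mac, owner
    return None, None


def report(addr_out, link_out, sysctl_out, neigh_out, gateways):
    """Combine the checks into a list of findings (empty when healthy)."""
    findings = []
    hits = find_gateway_collisions(parse_host_addrs(addr_out), gateways)
    for iface, addr, gw, kind in hits:
        findings.append(f"{iface} has {addr}: {kind} collision with gateway {gw}")
    # arp_ignore is evaluated on the interface the ARP request arrives on;
    # effective value is max(all, interface). Below 1 the kernel answers for
    # any local address, so every other interface can claim the gateway IP.
    arp_ignore = parse_arp_ignore(sysctl_out)
    colliding = {h[0] for h in hits}
    for iface, value in arp_ignore.items():
        if iface in ("all", "default") or iface in colliding or not colliding:
            continue
        effective = max(value, arp_ignore.get("all", 0))
        if effective < 1:
            findings.append(f"{iface}: effective arp_ignore={effective}, "
                            "will answer ARP for the colliding address on this interface")
    macs = parse_host_macs(link_out)
    for gw in gateways:
        mac, owner = check_guest_gateway_mac(neigh_out, gw, macs)
        if owner:
            findings.append(f"guest resolves {gw} to {mac}, which is host interface {owner}")
    return findings


if __name__ == "__main__":
    for finding in report(HOST_ADDR_OUTPUT, HOST_LINK_OUTPUT, HOST_SYSCTL_OUTPUT,
                          GUEST_NEIGH_BAD, TENANT_GATEWAYS):
        print(finding)
```

On a real host, feed the functions the live command output and the gateway list from `openstack subnet list` for the networks that have ports on that hypervisor; an empty result means no host interface holds a tenant gateway address and the guest's neighbour entry points at the router port rather than at a bridge on the hypervisor.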