[Bug 1685237] Fix merged to neutron (stable/ocata)

OpenStack Infra 1685237 at bugs.launchpad.net
Fri Jul 7 20:44:30 UTC 2017

Reviewed:  https://review.openstack.org/474738
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4aded9f16d14558ba1786f515db99ebf443aa820
Submitter: Jenkins
Branch:    stable/ocata

commit 4aded9f16d14558ba1786f515db99ebf443aa820
Author: Brian Haley <bhaley at redhat.com>
Date:   Wed May 3 16:34:12 2017 -0400

    Drop IPv6 Router Advertisements in OVS firewall
    Only neutron routers should be sending RAs, and with
    the iptables firewall these are dropped, but there
    was no corresponding rule for the OVS firewall.
    Change-Id: I045c652ad8cbecf5ed8e98934306476ed7170e90
    Partial-bug: #1685237
    (cherry picked from commit ce0352aa7b1609078e8f109b5b4c368d9a1baa89)

You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.

  port security does not block router advertisements for instances

Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:

Bug description:
  Affected version: mitaka

  Issue: If port security is enabled, IPv6 router advertisements may be
  sent by any instance.

  Network configuration: vlan, security groups disabled, port security

    "description": "",
    "enable_dhcp": true,
    "network_id": "b71b7cc7-3534-481b-bb67-a473a8e083cc",
    "tenant_id": "4e632076f7004f908c8da67345a7592e",
    "created_at": "2017-04-21T12:39:13",
    "dns_nameservers": "",
    "updated_at": "2017-04-21T12:39:13",
    "ipv6_ra_mode": "",
    "allocation_pools": "{\"start\": \"2a00:xxxx:3:101::2\", \"end\": \"2a00:xxxx:3:101:ffff:ffff:ffff:ffff\"}",
    "gateway_ip": "2a00:xxxx:3:101::1",
    "ipv6_address_mode": "slaac",
    "ip_version": 6,
    "host_routes": "",
    "cidr": "2a00:xxxx:3:101::/64",
    "id": "789d4f41-7867-4b17-9f7b-220c1e689b0b",
    "subnetpool_id": "",
    "name": ""

  When an instance is configured by a (malicious) user to send
  router advertisements (as if it were a router), those RAs may
  interrupt networking.

  tcpdump from physical interface of compute node:
  tcpdump -ni eth4 ip6
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
  14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
  14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56

  The first line is a valid router RA; the second line (:6644) is from the
  instance and should be blocked by port security.

  On a victim machine (same segment) routing table looks like this:

  ip -6 route

  default via fe80::52eb:1aff:fe77:de4f dev ens3  proto ra  metric 1024  expires 1795sec hoplimit 64 pref medium
  default via fe80::f816:3eff:fe69:6644 dev ens3  proto ra  metric 1024  expires 1796sec hoplimit 64 pref medium

  The last line is the result of network hijacking by the malicious
  instance, and shouldn't happen.

  I'm not sure if this is a security issue or not.
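  As an added example (not part of the bug report and not neutron code), the
  following Python audit applies the reporter's own reasoning to captures like
  the ones above: it parses tcpdump output for ICMP6 router advertisements,
  flags every advertiser that is not an allow-listed neutron router, and
  cross-checks a victim's `ip -6 route` output for RA-learned default routes
  pointing at an unknown next hop. The allow-list value is taken from the
  report's legitimate router; the extra sample lines (a repeated rogue RA and a
  neighbor solicitation) are constructed here for illustration.

```python
"""Audit tcpdump / ip -6 route output for rogue IPv6 Router Advertisements.

Added example for the neutron port-security RA bug; not project code.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: the two RA lines from the bug report's tcpdump output,
# plus one more rogue RA and one non-RA ICMP6 line added here for illustration.
SAMPLE_TCPDUMP = """\
14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56
14:16:49.101000 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56
14:16:49.500000 IP6 fe80::f816:3eff:fe00:1 > ff02::1:ff69:6644: ICMP6, neighbor solicitation, who has 2a00:db8:3:101::5, length 32
"""

# Constructed sample: the victim's routing table from the report, plus a
# kernel (on-link) route that must be ignored by the check.
SAMPLE_ROUTES = """\
default via fe80::52eb:1aff:fe77:de4f dev ens3  proto ra  metric 1024  expires 1795sec hoplimit 64 pref medium
default via fe80::f816:3eff:fe69:6644 dev ens3  proto ra  metric 1024  expires 1796sec hoplimit 64 pref medium
2a00:db8:3:101::/64 dev ens3  proto kernel  metric 256  pref medium
"""

# Assumption: the operator knows the link-local address of each legitimate
# neutron router on the segment. This one is the valid router from the report.
LEGIT_ROUTERS = {"fe80::52eb:1aff:fe77:de4f"}

RA_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, router advertisement, length (?P<len>\d+)$"
)
ROUTE_RE = re.compile(r"^default via (?P<via>[0-9a-fA-F:]+) dev (?P<dev>\S+)\s+proto ra\b")


def _canon(addr: str) -> str:
    """Canonical text form so differently written addresses compare equal."""
    return str(ipaddress.IPv6Address(addr))


def parse_ra_lines(tcpdump_text: str) -> List[Dict[str, object]]:
    """One record per 'router advertisement' line; other ICMP6 traffic is ignored."""
    records: List[Dict[str, object]] = []
    for line in tcpdump_text.splitlines():
        m = RA_RE.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "src": _canon(m["src"]),
                            "dst": _canon(m["dst"]), "len": int(m["len"])})
    return records


def rogue_ra_sources(tcpdump_text: str, legit_routers: Iterable[str]) -> Dict[str, int]:
    """Count RAs per source that is not an allow-listed router.

    RFC 4861 requires RA sources to be link-local, so an allow-listed address
    that is not in fe80::/10 is still reported rather than trusted.
    """
    allowed = {_canon(a) for a in legit_routers}
    counts: Counter = Counter()
    for rec in parse_ra_lines(tcpdump_text):
        src = str(rec["src"])
        if src in allowed and ipaddress.IPv6Address(src).is_link_local:
            continue
        counts[src] += 1
    return dict(counts)


def ra_default_routes(route_text: str) -> List[str]:
    """Next hops of every RA-learned ('proto ra') default route in `ip -6 route` output."""
    hops = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            hops.append(_canon(m["via"]))
    return hops


def unexpected_default_routes(route_text: str, legit_routers: Iterable[str]) -> List[str]:
    """RA-learned default routes whose next hop is not a known router: the
    second default route the report shows on the victim."""
    allowed = {_canon(a) for a in legit_routers}
    return [via for via in ra_default_routes(route_text) if via not in allowed]


if __name__ == "__main__":
    for src, n in rogue_ra_sources(SAMPLE_TCPDUMP, LEGIT_ROUTERS).items():
        print(f"rogue RA source {src}: {n} advertisement(s)")
    for via in unexpected_default_routes(SAMPLE_ROUTES, LEGIT_ROUTERS):
        print(f"victim default route via unknown router {via}")
```

  Run against a capture from the compute node's physical interface (as the
  reporter did with `tcpdump -ni eth4 ip6`) and `ip -6 route` from a guest on
  the same segment; any rogue source or unexpected next hop means the segment
  is accepting RAs that the fix above drops at the OVS firewall.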
