[Bug 1685237] Re: port security does not block router advertisements for instances
George Shuklin
1685237 at bugs.launchpad.net
Sat Jun 24 09:59:33 UTC 2017
** Also affects: neutron (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1685237
Title:
port security does not block router advertisements for instances
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
New
Bug description:
Affected version: mitaka
Issue: If port security is enabled, IPv6 router advertisements may be
sent by any instance.
Network configuration: vlan, security groups disabled, port security
enabled.
subnet:
{
    "description": "",
    "enable_dhcp": true,
    "network_id": "b71b7cc7-3534-481b-bb67-a473a8e083cc",
    "tenant_id": "4e632076f7004f908c8da67345a7592e",
    "created_at": "2017-04-21T12:39:13",
    "dns_nameservers": "",
    "updated_at": "2017-04-21T12:39:13",
    "ipv6_ra_mode": "",
    "allocation_pools": "{\"start\": \"2a00:xxxx:3:101::2\", \"end\": \"2a00:xxxx:3:101:ffff:ffff:ffff:ffff\"}",
    "gateway_ip": "2a00:xxxx:3:101::1",
    "ipv6_address_mode": "slaac",
    "ip_version": 6,
    "host_routes": "",
    "cidr": "2a00:xxxx:3:101::/64",
    "id": "789d4f41-7867-4b17-9f7b-220c1e689b0b",
    "subnetpool_id": "",
    "name": ""
}
When an instance is configured by a (malicious) user, it starts to send
router advertisements (as if it were a router), and those RAs may
interrupt networking.
tcpdump from physical interface of compute node:
tcpdump -ni eth4 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64
14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56
The first line is a valid router RA; the second line (:6644) is from the
instance and should be blocked by port security.
On a victim machine (same segment) the routing table looks like this:
ip -6 route
default via fe80::52eb:1aff:fe77:de4f dev ens3 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
default via fe80::f816:3eff:fe69:6644 dev ens3 proto ra metric 1024 expires 1796sec hoplimit 64 pref medium
The last line is the result of network hijacking by the malicious
instance, and shouldn't happen.
I'm not sure if this is a security issue or not.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1685237/+subscriptions
More information about the Ubuntu-openstack-bugs mailing list
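A defender-side check, added here as an example and not part of the bug report or of Neutron: it scans tcpdump or `ip -6 route` lines like those quoted above for router advertisements (or RA-installed default routes) whose source is not a known router, and decodes the EUI-64 link-local address back to a MAC to tell whether the sender is a Neutron-allocated instance port. It assumes Neutron's default base_mac prefix fa:16:3e and a constructed allowlist of legitimate routers.

```python
import re
from ipaddress import IPv6Address

# Constructed sample input, modelled on the tcpdump and `ip -6 route` output in the report.
TCPDUMP_LINES = [
    "14:16:47.707480 IP6 fe80::52eb:1aff:fe77:de4f > ff02::1: ICMP6, router advertisement, length 64",
    "14:16:48.709429 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, router advertisement, length 56",
    "14:16:49.100000 IP6 fe80::f816:3eff:fe69:6644 > ff02::1: ICMP6, neighbor solicitation, length 32",
]
ROUTE_LINES = [
    "default via fe80::52eb:1aff:fe77:de4f dev ens3 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium",
    "default via fe80::f816:3eff:fe69:6644 dev ens3 proto ra metric 1024 expires 1796sec hoplimit 64 pref medium",
]

# Neutron's default base_mac prefix (assumed; a deployment may configure a different one).
INSTANCE_OUI = "fa:16:3e"
# Link-local addresses of the legitimate routers on this segment (constructed allowlist).
KNOWN_ROUTERS = {"fe80::52eb:1aff:fe77:de4f"}

# An RA captured on the wire, or a default route that an RA installed on a victim host.
RA_PATTERNS = [
    re.compile(r"IP6 (?P<src>[0-9a-f:]+) > ff02::1: ICMP6, router advertisement"),
    re.compile(r"^default via (?P<src>[0-9a-f:]+) dev \S+ proto ra\b"),
]

def eui64_to_mac(addr):
    """Recover the MAC from a modified-EUI-64 link-local address, or None if it is not one."""
    iid = IPv6Address(addr).packed[8:]          # interface identifier (low 64 bits)
    if iid[3:5] != b"\xff\xfe":
        return None                              # not EUI-64 derived (privacy or static IID)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip, drop ff:fe
    return ":".join(f"{x:02x}" for x in mac)

def rogue_ra_sources(lines, known_routers=KNOWN_ROUTERS, instance_oui=INSTANCE_OUI):
    """Return {src_lladdr: (mac_or_None, reason)} for RA sources that are not known routers."""
    findings = {}
    for line in lines:
        for pat in RA_PATTERNS:
            m = pat.search(line)
            if m and m.group("src") not in known_routers:
                mac = eui64_to_mac(m.group("src"))
                reason = ("instance port MAC; port security should have dropped this RA"
                          if mac and mac.startswith(instance_oui) else "unknown RA source")
                findings[m.group("src")] = (mac, reason)
    return findings

if __name__ == "__main__":
    for src, (mac, reason) in rogue_ra_sources(TCPDUMP_LINES + ROUTE_LINES).items():
        print(f"{src} ({mac}): {reason}")
```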