[Bug 2053113] Re: Insufficient validation of incoming BFD packets.

James Page 2053113 at bugs.launchpad.net
Thu Mar 21 07:48:18 UTC 2024 

** Changed in: cloud-archive
       Status: Invalid => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/2053113

Title:
  Insufficient validation of incoming BFD packets.

Status in Ubuntu Cloud Archive:
  Fix Committed
Status in Ubuntu Cloud Archive antelope series:
  Fix Committed
Status in Ubuntu Cloud Archive zed series:
  Fix Committed
Status in ovn package in Ubuntu:
  Fix Released

Bug description:
  As part of implementing an overlay network, OVN configures tunnel
  ports in Open vSwitch (OVS). To monitor the health of the tunnel and
  remote hypervisor the OVS Bidirectional Forwarding Detection (BFD)
  functionality is enabled by setting `enable` to 'true' in the `bfd`
  column.

  In addition to monitoring the health of the tunnel, the tunnel BFD
  status is used to make forwarding decisions that may impact multiple
  nodes and users of a cluster.

  The BFD packets are transmitted in-band in the tunnel, along with
  other traffic, and in its default configuration, OVS will consider any
  BFD packet with TTL 255 received on the tunnel as originating from the
  privileged peer on the other side of the tunnel.

  Traffic from unprivileged users connected to a VIF are also
  transmitted in these tunnels, and it is trivial for a end user of a
  system using OVS/OVN to transmit BFD packets from a container or
  virtual machine that will be tunneled through the system with TTL 255.

  Fortunately, traffic originating from or destined to a VIF is labeled
  with a VNI aka. tunnel key. There exists an OVS BFD option called
  `check_tnl_key`, which makes OVS only consider BFD packets that have a
  tunnel key of zero.

  Setting the `check_tnl_key` option to 'true' mitigates the issue,
  because the OVN pipeline design ensures only the OVS generated BFD
  packets would have a tunnel key of zero.

  The options on the tunnel ports are however managed by OVN, and any
  attempt of manually setting them will immediately be reverted,
  consequently this becomes a security issue in OVN.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2053113/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list