Fede's mobile edition Dr. Federico Michele Facca Head of Martel Lab Martel Innovate Dorfstrasse 73 - 3073 Gümligen (Switzerland) 0041 78 807 58 38 0041 31 994 25 25 martel-innovate.com (Inizio messaggio inoltrato) > Da: Luke Hinds <lhinds at redhat.com> > Data: 8 settembre 2016 12:38:43 GMT-5 > A: openstack at lists.openstack.org, openstack-dev at lists.openstack.org > Oggetto: [Openstack] [OSSN-0069] Host machine exposed to tenant networks via IPv6 > > Host machine exposed to tenant networks via IPv6 > --- > > ### Summary ### > > New interfaces created by Neutron in the default namespace, were done so > without disabling IPv6 link-local addresses. This resulted in instances > gaining the ability to directly access the host OS, therefore breaking > guest isolation. > > In Linux, link-local IPv6 addresses are assigned to all active > interfaces, unlike IPv4 addresses where an administrator must configure > each interface explicitly. This leads to a time window between when the > interface is enabled and when it is attached to bridge device. Within > this time window the host could be accessed from a tenant network. > > IPv6 is now disabled automatically by both Neutron and Nova, prior to > bringing any links up, however operators should still be aware of the > security risks associated with re-enabling IPv6 link-local addresses. > > ### Affected Services / Software ### > > Nova, Neutron, networking-midonet, Kilo, Liberty > > ### Discussion ### > > Linux assigns link-local IPv6 addresses to all the active interfaces, > which is different to that of IPv4 addresses, where an administrator > must configure each interface explicitly. Once an interface is enslaved > in a bridge, all addresses assigned to it are ignored and only the > addresses on the bridge are active. They are exposed via > LinuxBridgeManager calls to `ensure_vlan` and `ensure_vxlan` where a new > VLAN or VXLAN interface is created prior to enslaving the interfaces in > the bridge. > > Both Neutron and Nova now disable IPv6 on all interfaces before bringing > the interface up. This avoids exposing a time window between when the > interface is enabled and when it is attached to a bridge device, during > which time the host could be accessible from a tenant network. > > ### Recommended Actions ### > > IPv6 should remain disabled for each interface, before the interface is > brought to link up. If an operator, for any given reason, needs to > re-enable link-local IPv6 adreses, they should be aware of the security > implications of allowing tenant networks access of the host. > > IPv6 is now disabled by default using root_dev.disable_ipv6() in > interface.py, which calls the method common.ip_utils.is_enabled() > > We can verify the value of the IPv6 parameters within sysctl.conf by > using the following command: > > $ sysctl -a | grep disable | grep ipv6 > > A value of `0` represents IPv6 enabled, with `1` as disabled. > > net.ipv6.conf.default.disable_ipv6 = 1 > net.ipv6.conf.$IFACE.disable_ipv6 = 1 > > Here $IFACE refers to the interface for which IPv6 is disabled by > default in Neutron. > > Note: The value set at /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 is > equivalent to net.ipv6.conf.$IFACE.disable_ipv6 in sysctl.conf > > ### Contacts / References ### > > Author: Vinay Potluri, Intel & Luke Hinds, Red Hat > This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0069 > Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1534652 > This issue was referenced in https://bugs.launchpad.net/Neutron/+bug/1459856 > Related issue addressed in Nova: https://review.openstack.org/#/c/313070/ > OpenStack Security ML : openstack-dev at lists.openstack.org > OpenStack Security Group : https://launchpad.net/~openstack-ossg > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack at lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.fiware.org/private/fiware-lab-federation-nodes/attachments/20160908/18c2dcbb/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x3C202614.asc Type: application/pgp-keys Size: 1728 bytes Desc: not available URL: <https://lists.fiware.org/private/fiware-lab-federation-nodes/attachments/20160908/18c2dcbb/attachment.key> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.fiware.org/private/fiware-lab-federation-nodes/attachments/20160908/18c2dcbb/attachment-0001.html>
You can get more information about our cookies and privacy policies clicking on the following links: Privacy policy Cookies policy