OpenStack Networking (Neutron)
Dustin Lundquist 1d1159bb2b IPtables firewall prevent ICMPv6 spoofing
IPv6 includes the concept of link-local addresses. There are address
within the fe80::/64 prefix which are used only within the local layer 2
network. They should never be routed. DHCPv6 is one of several protocols
which utilize link-local addresses.

Previously the blanket permit DHCPv6 rule permitted DHCPv6 requests from
a link-local source, before the source address was validated.

The structure of the IPtables egress firewall is:

  a. fixed rules for special traffic
  b. validate source address
  c. fixed rules necessary for host to function
  d. user rules defined by security groups

This change restricts the special traffic permitted in part (a) to only
that traffic which utilizes the "unspecified address" (::), by moving
the fixed permit ICMPv6 and DHCPv6 rules to part (c), so they are
applied after the source address has been validated. In order to enable
DHCPv6 and other protocols utilizing link-local addresses, the
link-local address corresponding to each MAC address is included in the
permitted source addresses. After the source address is verified, the
fixed rules permit ICMPv6 and DHCPv6, then the user defined security
group rules are applied.

In the existing implementation ICMPv6 and DHCPv6 rules in the fixed
ip6tables firewall rules are too permissive: they permit ICMPv6 and
DHCPv6 traffic, regardless of source MAC or IPv6 address. These rules
were intended to allow a host to acquire an IPv6 address, but
inadvertently allowed a malicious or compromised host to spoof another's
MAC or IPv6 address.

A host acquiring an IPv6 address should perform DAD (duplicate address
detection). To perform this the host must join the multicast group
corresponding to the tentative IPv6 address and the all nodes multicast
group. To join these groups the host sends ICMP MLD (multicast listener
discovery) report messages before it has an IPv6 address assigned, so
the unspecified address is used as the source address. To complete DAD,
ICMP neighbor solicitation messages are sent to solicit if any nodes are
using that address. This should be the only use of the unspecified IPv6
address as a source address. The IPv4 case is similar: the unspecified
address is used for DHCP discovery and request messages.

To summarize, this patch permits only ICMPv6 traffic from the unspecified
address which is used for duplicate address detection. Then it enforces
the source IPv6 and MAC addresses and finally, allows only ICMPv6 traffic
which has passed this source address validation.

In addition this patch permits traffic from all link-local addresses
associated with each MAC address assigned to the port. This is required
by many IPv6 protocols, such as DHCPv6, which depend on the link-local
addresses. This traffic was previously allowed by the blanket allow
ICMPv6 and allow DHCPv6 rules before the source address was validated.

Conflicts:
	neutron/agent/linux/iptables_firewall.py
	neutron/tests/functional/agent/test_firewall.py
	neutron/tests/unit/agent/linux/test_iptables_firewall.py
Removed functional test not present in Liberty. Since Liberty doesn't
contain the OVSFirewall this resolves bug 1502933 for Liberty.

Change-Id: Ice1c9dd349864da28806c5053e38ef86f43b7771
Closes-Bug: 1502933
(cherry picked from commit a8a9d225d8)
2016-04-27 22:12:58 -05:00
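The egress-chain ordering the commit describes, as an added model written for this page (it is not Neutron's iptables_firewall.py): plain predicates stand in for ip6tables matches, the per-MAC link-local address is derived with modified EUI-64 (an assumption about how that address is computed), and the ports M1/M2 and their addresses are constructed sample values.

```python
import ipaddress

def mac_to_link_local(mac):
    """fe80::/64 address derived from a MAC via modified EUI-64; the patch adds
    this address to each port's permitted sources so DHCPv6/NDP keep working."""
    b = bytes(int(x, 16) for x in mac.split(":"))
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))

def build_egress_chain(mac, fixed_ips, sg_rules, patched=True):
    """Ordered (predicate, verdict) pairs modelling one port's egress chain:
    (a) special traffic, (b) source validation, (c) fixed rules, (d) SG rules."""
    allowed = {mac_to_link_local(mac), *fixed_ips}
    fixed = [(lambda p: p["proto"] == "icmpv6", "ACCEPT"),                     # ICMPv6
             (lambda p: p["proto"] == "udp" and p["dport"] == 547, "ACCEPT")]  # DHCPv6
    # (a) only DAD/MLD traffic from the unspecified address is special now
    chain = [(lambda p: p["src_ip"] == "::" and p["proto"] == "icmpv6", "ACCEPT")]
    if not patched:          # old layout: blanket permits before any source check
        chain += fixed
    # (b) anything not from this port's own MAC and addresses is dropped
    chain.append((lambda p: p["src_mac"] != mac or p["src_ip"] not in allowed, "DROP"))
    if patched:              # (c) fixed permits apply only to validated sources
        chain += fixed
    chain += sg_rules        # (d) user security-group rules, then default drop
    chain.append((lambda p: True, "DROP"))
    return chain

def evaluate(chain, pkt):
    """First matching rule wins, as in an iptables chain."""
    return next(v for pred, v in chain if pred(pkt))

# Constructed sample: port P1 owns MAC M1 and 2001:db8::10; M2 belongs to a
# neighbouring port whose link-local address P1 tries to use as its source.
M1, M2 = "fa:16:3e:00:00:01", "fa:16:3e:00:00:02"
SG = [(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ACCEPT")]

def verdicts(patched):
    chain = build_egress_chain(M1, ["2001:db8::10"], SG, patched)
    pkts = {
        "dad_from_unspecified": dict(src_mac=M1, src_ip="::", proto="icmpv6", dport=0),
        "dhcpv6_from_own_link_local": dict(src_mac=M1, src_ip=mac_to_link_local(M1), proto="udp", dport=547),
        "icmpv6_spoofing_neighbour": dict(src_mac=M2, src_ip=mac_to_link_local(M2), proto="icmpv6", dport=0),
        "ssh_from_fixed_ip": dict(src_mac=M1, src_ip="2001:db8::10", proto="tcp", dport=22),
    }
    return {name: evaluate(chain, p) for name, p in pkts.items()}

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", verdicts(patched))
```

With `patched=False` the spoofed ICMPv6 packet is accepted by the blanket rule in part (a); with the moved rules it is dropped at source validation while DAD, DHCPv6 from the port's own link-local address and security-group traffic still pass.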
bin Close XenAPI sessions in neutron-rootwrap-xen-dom0 2016-03-23 14:56:38 +00:00
devstack SR-IOV: devstack support for SR-IOV agent 2015-09-09 15:06:37 +03:00
doc Merge "Add tests that constrain db query count" into stable/liberty 2016-01-31 07:35:52 +00:00
etc Merge "add arp_responder flag to linuxbridge agent" into stable/liberty 2016-04-01 15:50:35 +00:00
neutron IPtables firewall prevent ICMPv6 spoofing 2016-04-27 22:12:58 -05:00
rally-jobs Changes in rally-jobs/README.rst 2015-06-04 10:34:15 -04:00
releasenotes Merge "Fix corrupted release note in Liberty" into stable/liberty 2016-04-12 10:37:13 +00:00
tools Adds base in-tree functional testing of the dhcp agent (OVS) 2016-04-01 16:45:58 +02:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:31:29 +00:00
.gitignore Add reno for release notes management 2015-11-11 23:21:50 -08:00
.gitreview Update default branch in .gitreview to stable/liberty 2015-09-24 15:58:53 +00:00
.mailmap Add mailmap entry 2014-05-16 13:40:04 -04:00
.pylintrc pylint: enable `duplicate-key` check 2015-06-04 13:10:44 +10:00
.testr.conf Workaround test stream corruption issue. 2015-09-05 04:19:40 +00:00
CONTRIBUTING.rst Workflow documentation is now in infra-manual 2014-12-05 03:30:37 +00:00
HACKING.rst Python3: use six.iteritems() instead of dict.iteritems() 2015-06-01 23:13:42 +02:00
LICENSE Adding Apache Version 2.0 license file. This is the official license agreement under which Quantum code is available to 2011-08-08 12:31:04 -07:00
MANIFEST.in Rename Quantum to Neutron 2013-07-06 15:02:43 -04:00
README.rst Update the URLs to the Cloud Admin Guide 2015-08-24 17:24:34 +02:00
TESTING.rst Add testing coverage .rst, missing test infrastructure to-dos 2015-08-10 20:37:23 -04:00
babel.cfg Use babel to generate translation file 2013-01-24 00:20:32 +08:00
openstack-common.conf Switch to the oslo_utils.fileutils 2015-07-15 08:09:26 +03:00
requirements.txt Updated from global requirements 2015-12-20 17:23:45 +00:00
run_tests.sh Remove check for bash usage 2015-04-07 15:15:33 +00:00
setup.cfg move usage_audit to cmd/eventlet package 2015-12-18 16:19:20 +00:00
setup.py Updated from global requirements 2015-09-21 18:56:49 +00:00
test-requirements.txt Updated from global requirements 2016-04-11 08:02:16 +00:00
tox.ini Make all tox targets constrained 2016-03-07 13:28:11 +01:00

README.rst

Welcome!

You have come across a cloud computing network fabric controller. It has identified itself as "Neutron." It aims to tame your (cloud) networking!

External Resources:

The homepage for Neutron is: http://launchpad.net/neutron. Use this site for asking for help, and filing bugs. Code is available on git.openstack.org at <http://git.openstack.org/cgit/openstack/neutron>.

The latest and most in-depth documentation on how to use Neutron is available at: <http://docs.openstack.org>. This includes:

Neutron Administrator Guide

http://docs.openstack.org/admin-guide-cloud/networking.html

Networking Guide

http://docs.openstack.org/networking-guide/

Neutron API Reference:

http://docs.openstack.org/api/openstack-network/2.0/content/

Current Neutron developer documentation is available at:

http://wiki.openstack.org/NeutronDevelopment

For help on usage and hacking of Neutron, please send mail to <mailto:openstack-dev@lists.openstack.org>.

For information on how to contribute to Neutron, please see the contents of the CONTRIBUTING.rst file.