openstack/security-doc
Code Issues Proposed changes
Files
c0570f02dd64ced534f1997be13e47890668c247
security-doc/security-notes/OSSN-0069
Vinay Potluri a72a0bcb0f Updated OSSN-0069 
Added instructions to disable IPv6 for new interfaces in Neutron

Change-Id: I58b1d283cf1f6b9a383e159f0e65e1cb1279b9ac
closes-bug: 1534652
2016-09-07 16:43:47 +00:00

69 lines
3.1 KiB
Plaintext
Raw Blame History

Host machine exposed to tenant networks via IPv6
---
### Summary ###
New interfaces created by Neutron in the default namespace, were done so
without disabling IPv6 link-local addresses. This resulted in instances gaining
the ability to directly access the host OS, therefore breaking guest isolation.
In Linux, link-local IPv6 addresses are assigned to all active interfaces,
unlike IPv4 addresses where an administrator must configure each interface
explicitly. This leads to a time window between when the interface is enabled
and when it is attached to bridge device. Within this time window the host
could be accessed from a tenant network.
IPv6 is now disabled automatically by both Neutron and Nova, prior to bringing
any links up, however operators should still be aware of the security risks
associated with re-enabling IPv6 link-local addresses.
### Affected Services / Software ###
Nova, Neutron, networking-midonet, Kilo, Liberty
### Discussion ###
Linux assigns link-local IPv6 addresses to all the active interfaces, which is
different to that of IPv4 addresses, where an administrator must configure
each interface explicitly. Once an interface is enslaved in a bridge,
all addresses assigned to it are ignored and only the addresses on the bridge
are active. They are exposed via LinuxBridgeManager calls to `ensure_vlan` and
`ensure_vxlan` where a new VLAN or VXLAN interface is created prior to
enslaving the interfaces in the bridge.
Both Neutron and Nova now disable IPv6 on all interfaces before bringing the
interface up. This avoids exposing a time window between when the interface is
enabled and when it is attached to a bridge device, during which time the
host could be accessible from a tenant network.
### Recommended Actions ###
IPv6 should remain disabled for each interface, before the interface is brought
to link up. If an operator, for any given reason, needs to re-enable link-local
IPv6 adreses, they should be aware of the security implications of allowing
tenant networks access of the host.
IPv6 is now disabled by default using root_dev.disable_ipv6() in interface.py,
which calls the method common.ip_utils.is_enabled()
We can verify the value of the IPv6 parameters within sysctl.conf by using the
following command:
$ sysctl -a | grep disable | grep ipv6
A value of `0` represents IPv6 enabled, with `1` as disabled.
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.$IFACE.disable_ipv6 = 1
Here $IFACE refers to the interface for which IPv6 is disabled by default in
Neutron.
Note: The value set at /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 is
equivalent to net.ipv6.conf.$IFACE.disable_ipv6 in sysctl.conf
### Contacts / References ###
Author: Vinay Potluri, Intel & Luke Hinds, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0069
Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1534652
This issue was referenced in https://bugs.launchpad.net/Neutron/+bug/1459856
Related issue addressed in Nova: https://review.openstack.org/#/c/313070/
OpenStack Security ML : openstack-dev@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
View Git Blame Copy Permalink