Neutron only permits IPv6 MLDv1 not v2

Bug #1575225 reported by Dustin Lundquist
Affects                      Status     Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned
neutron                      Expired    Wishlist    Unassigned

Bug Description

IPv6 Multicast Listener Discovery (MLD) v2 [1] is used on recent versions of Linux; currently Neutron only permits MLDv1 in ICMPV6_ALLOWED_TYPES, so duplicate address detection (DAD) does not actually detect duplicate addresses should Neutron actually enforce ICMPv6 source addresses (bug/1502933). While Neutron should not assign duplicate addresses, there are instances where duplicate addresses are possible: on provider networks between instances and external devices, and with user-assigned addresses when using allowed address pairs.

Here is a dump showing duplicate address detection on a recent Linux kernel:

$ uname -r
4.4.0-0.bpo.1-amd64
$ sudo ip link add veth0 type veth peer name veth1
$ sudo ip link set veth1 up
$ sudo tcpdump -npel -i veth1 &
[1] 15528
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), capture size 262144 bytes
$ sudo ip link set veth0 up
$

09:47:38.853762 5e:9b:3c:4f:a3:e0 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:38.853774 b2:29:3a:34:bc:eb > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:39.113772 b2:29:3a:34:bc:eb > 33:33:ff:34:bc:eb, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff34:bceb: ICMP6, neighbor solicitation, who has fe80::b029:3aff:fe34:bceb, length 24
09:47:39.141766 5e:9b:3c:4f:a3:e0 > 33:33:ff:4f:a3:e0, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff4f:a3e0: ICMP6, neighbor solicitation, who has fe80::5c9b:3cff:fe4f:a3e0, length 24
09:47:39.505764 b2:29:3a:34:bc:eb > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:39.717759 5e:9b:3c:4f:a3:e0 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:40.113807 b2:29:3a:34:bc:eb > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::b029:3aff:fe34:bceb > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:40.113827 b2:29:3a:34:bc:eb > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::b029:3aff:fe34:bceb > ff02::2: ICMP6, router solicitation, length 16
09:47:40.121756 b2:29:3a:34:bc:eb > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::b029:3aff:fe34:bceb > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:40.141811 5e:9b:3c:4f:a3:e0 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::5c9b:3cff:fe4f:a3e0 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
09:47:40.141836 5e:9b:3c:4f:a3:e0 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::5c9b:3cff:fe4f:a3e0 > ff02::2: ICMP6, router solicitation, length 16
09:47:40.149763 5e:9b:3c:4f:a3:e0 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::5c9b:3cff:fe4f:a3e0 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28

1. https://www.ietf.org/rfc/rfc3810.txt

Tags: ipv6
description: updated
Changed in neutron:
assignee: nobody → Dustin Lundquist (dlundquist)
status: New → In Progress
tags: added: ipv6
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.openstack.org/310909

Revision history for this message
Dustin Lundquist (dlundquist) wrote :

Upon closer examination, the present behavior is correct since ICMPV6_ALLOWED_TYPES controls the ingress ICMPV6 types, and instances send MLDv2 reports in response to MLD queries. ICMPV6_ALLOWED_TYPES does not need to be updated for MLDv2, and https://review.openstack.org/#/c/300233/ now correctly permits egress of MLDv2 reports.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (master)

Change abandoned by Doug Wiegley (<email address hidden>) on branch: master
Review: https://review.openstack.org/310909
Reason: Abandoning as requested. Are you sure you were logged in?

Revision history for this message
Dustin Lundquist (dlundquist) wrote :

The OVS firewall implementation restricts egress ICMPv6 types to ICMPV6_ALLOWED_TYPES which defines the ICMPv6 types which should be permitted ingress to an instance. This list does not include MLDv2 reports.
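The ingress/egress distinction in the comment above, as an added example (not neutron's code, and not from the bug reporter): a small model of the two filtering policies, run over lines copied from the tcpdump capture in the bug description. The contents of ICMPV6_ALLOWED_TYPES and the separate egress list are assumptions for illustration; the real lists live in neutron-lib and may differ. It also flags DAD probes (neighbor solicitations from ::), since the description notes that source-address enforcement must not drop them.

```python
"""Added example, not neutron's code: model the ICMPv6 egress filtering
described in this bug and run it over lines from the bug's own capture.
The two type lists below are assumptions, not neutron-lib's definitions."""
import re
from dataclasses import dataclass
from typing import Iterable

# ICMPv6 type numbers from RFC 2710 (MLDv1), RFC 3810 (MLDv2) and RFC 4861 (ND).
ICMPV6_TYPE_MLD_QUERY = 130
ICMPV6_TYPE_MLD_REPORT = 131     # MLDv1 report
ICMPV6_TYPE_MLD_DONE = 132
ICMPV6_TYPE_RS = 133
ICMPV6_TYPE_RA = 134
ICMPV6_TYPE_NS = 135
ICMPV6_TYPE_NA = 136
ICMPV6_TYPE_MLD2_REPORT = 143    # MLDv2 report, always sent to ff02::16

# Types an instance must be able to RECEIVE (assumed to mirror the
# ICMPV6_ALLOWED_TYPES list discussed in the bug). No MLDv2 report here,
# which is fine for ingress: reports are only ever sent by listeners.
ICMPV6_ALLOWED_TYPES = frozenset({ICMPV6_TYPE_MLD_QUERY, ICMPV6_TYPE_RS,
                                  ICMPV6_TYPE_RA, ICMPV6_TYPE_NS, ICMPV6_TYPE_NA})
# Types an instance legitimately ORIGINATES (hypothetical egress list).
ICMPV6_EGRESS_TYPES = frozenset({ICMPV6_TYPE_MLD_REPORT, ICMPV6_TYPE_MLD_DONE,
                                 ICMPV6_TYPE_MLD2_REPORT, ICMPV6_TYPE_RS,
                                 ICMPV6_TYPE_NS, ICMPV6_TYPE_NA})


@dataclass(frozen=True)
class Icmp6Packet:
    src: str
    dst: str
    icmp_type: int


# tcpdump's textual ICMP6 descriptions mapped back to type numbers.
_TCPDUMP_TYPES = {
    "multicast listener report v2": ICMPV6_TYPE_MLD2_REPORT,
    "multicast listener report": ICMPV6_TYPE_MLD_REPORT,
    "multicast listener query": ICMPV6_TYPE_MLD_QUERY,
    "neighbor solicitation": ICMPV6_TYPE_NS,
    "neighbor advertisement": ICMPV6_TYPE_NA,
    "router solicitation": ICMPV6_TYPE_RS,
    "router advertisement": ICMPV6_TYPE_RA,
}
# "length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, ..."
_LINE_RE = re.compile(r": (\S+) > (\S+): (?:HBH )?ICMP6, ([a-z0-9 ]+?),")


def parse_tcpdump_line(line: str) -> Icmp6Packet:
    """Extract src, dst and ICMPv6 type from one `tcpdump -n` ICMP6 line."""
    m = _LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an ICMP6 line: {line!r}")
    src, dst, desc = m.groups()
    return Icmp6Packet(src, dst, _TCPDUMP_TYPES[desc])


def egress_allowed_as_implemented(pkt: Icmp6Packet) -> bool:
    """The behaviour the bug describes: egress clipped to the ingress list."""
    return pkt.icmp_type in ICMPV6_ALLOWED_TYPES


def egress_allowed_fixed(pkt: Icmp6Packet) -> bool:
    """Egress judged against the types an instance is expected to send."""
    return pkt.icmp_type in ICMPV6_EGRESS_TYPES


def is_dad_probe(pkt: Icmp6Packet) -> bool:
    """DAD is a neighbor solicitation from the unspecified address, so any
    ICMPv6 source-address enforcement must still let :: through for NS."""
    return pkt.icmp_type == ICMPV6_TYPE_NS and pkt.src == "::"


def audit_capture(lines: Iterable[str]) -> dict:
    """Count what each egress policy would drop, plus DAD probes seen."""
    pkts = [parse_tcpdump_line(line) for line in lines]
    return {
        "dropped_as_implemented": sum(not egress_allowed_as_implemented(p) for p in pkts),
        "dropped_fixed": sum(not egress_allowed_fixed(p) for p in pkts),
        "dad_probes": sum(is_dad_probe(p) for p in pkts),
    }


# Four lines copied from the capture in the bug description above.
CAPTURE = [
    "09:47:38.853762 5e:9b:3c:4f:a3:e0 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28",
    "09:47:39.113772 b2:29:3a:34:bc:eb > 33:33:ff:34:bc:eb, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff34:bceb: ICMP6, neighbor solicitation, who has fe80::b029:3aff:fe34:bceb, length 24",
    "09:47:40.113827 b2:29:3a:34:bc:eb > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::b029:3aff:fe34:bceb > ff02::2: ICMP6, router solicitation, length 16",
    "09:47:40.121756 b2:29:3a:34:bc:eb > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::b029:3aff:fe34:bceb > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28",
]

if __name__ == "__main__":
    print(audit_capture(CAPTURE))
```

Against these four lines, the as-implemented policy drops both MLDv2 reports (type 143 is absent from the ingress list) while letting the NS and RS through, and the fixed policy drops nothing; the one NS from :: is the DAD probe that a source-address check would need to exempt. Run it against a longer `tcpdump -n` capture from a real instance port to see which of the guest's ICMPv6 traffic a given list would silently discard.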

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/315828

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Dustin Lundquist (dlundquist) wrote :

Tristan, this MLD bug is a compatibility issue, not a security issue. Modern operating systems use MLDv2; with only MLDv1 permitted and MLDv2 blocked, they may not work properly, particularly when using provider networks with multicast-aware switches.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Ok my bad, then the OSSA task needs to be removed. Thanks!

Changed in ossa:
status: Incomplete → Won't Fix
Changed in neutron:
importance: Undecided → Wishlist
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/315828
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

ping?

Changed in neutron:
status: In Progress → Incomplete
assignee: Dustin Lundquist (dlundquist) → nobody
Revision history for this message
Dustin Lundquist (dlundquist) wrote :

This has been on the back burner while I try to better understand where the OVS, iptables and OVN firewall implementations differ. I'm trying to get a clearer picture, so this isn't whack-a-mole. The OVS FW is affected by this bug, but I'm taking a more thorough look across all three firewall implementations.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired