[ovs-dev] [PATCH ovn] ovn-northd: Limit IPv6 ND NS/RA/RS to the local network.

Dumitru Ceara dceara at redhat.com
Tue Apr 21 07:57:34 UTC 2020


On 4/20/20 5:13 PM, Numan Siddique wrote:
> On Sat, Apr 18, 2020 at 3:24 AM Dumitru Ceara <dceara at redhat.com> wrote:
>>
>> Neighbor solicitation packets for router owned IPs are replied to in
>> table IN_IP_INPUT at a higher priority than flows that relay IPv6 multicast
>> traffic when needed. All other NS/NA packets received at this point can
>> be safely dropped.
>>
>> However, router advertisement and router solicitation packets are
>> processed at a later stage, in ND_RA_OPTIONS/ND_RA_RESPONSE. These
>> packets need to be allowed in table IN_IP_INPUT.
>>
>> Commit 677a3ba4d66b incorrectly allowed all IPv6 multicast traffic
>> destined to all-nodes in table IN_IP_INPUT. Instead, only ND_RA and
>> ND_RS packets should be allowed. All others were either already
>> processed or should be dropped. If multicast relay is enabled then IPv6
>> multicast traffic that's not destined to reserved groups should also be
>> allowed.
>>
>> Furthermore, router solicitation and advertisement packets that don't
>> get processed in tables ND_RA_OPTIONS/ND_RA_RESPONSE should be dropped
>> in IN_IP_ROUTING because they should never be routed.
>>
>> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1825334
>> Reported-by: Jakub Libosvar <jlibosva at redhat.com>
>> Fixes: 677a3ba4d66b ("ovn: Add MLD support.")
>> Signed-off-by: Dumitru Ceara <dceara at redhat.com>
>> ---
>>  northd/ovn-northd.8.xml | 49 ++++++++++++++++++++++++++++++++-----------------
>>  northd/ovn-northd.c     | 43 ++++++++++++++++++++++++++++++-------------
>>  2 files changed, 62 insertions(+), 30 deletions(-)
> 
> Thanks Dumitru for the fix.
> I tested locally too and confirm that IPv6 RA packets which entered
> the router pipeline are dropped.
> 
> I applied this patch to master and branch-20.03.
> 
> Thanks
> Numan
> 

Thanks Numan! I'll also try to send a patch soon to add a unit test for
this issue.

Regards,
Dumitru
