[ovs-discuss] OVN northd permits overly permissive use of 0.0.0.0 and ::
Ben Pfaff
blp at ovn.org
Sun Apr 10 20:37:01 UTC 2016
On Wed, Apr 06, 2016 at 11:56:34AM -0700, Dustin Lundquist wrote:
> Testing networking-ovn with OVS -master (rev c4623bb83), I found OVN
> permitted unrestricted use of 0.0.0.0 and ::. These should only be used
> for IPv4 DHCP discovery and request messages and ICMPv6 MLD reports as
> well as Neighbor Solicitation to enable duplicate address detection. It
> appears the PORT_SEC_IP stage only validates L3 headers, and later
> stages do not restrict the use of these special purpose source L3 addresses.
It would be helpful, when fixing this, to precisely describe the packets
that should be allowed. The documentation for port_security already
very specifically describes its restrictions, but it doesn't mention
0.0.0.0 or ::. That's arguably a bug in the documentation, but if the
current behavior is undesirable then it's a bug in the implementation as
well. It would be helpful if you (or someone else) could suggest
changes to this documentation, and then we could fix the documentation
and the implementation at the same time.
Here's what the documentation says now, in case you don't have it
conveniently at hand.
    port_security: set of strings
        This column controls the addresses from which the host attached
        to the logical port (``the host'') is allowed to send packets
        and to which it is allowed to receive packets. If this column
        is empty, all addresses are permitted.

        Each element in the set must begin with one Ethernet address.
        This would restrict the host to sending packets from and
        receiving packets to the Ethernet addresses defined in the
        logical port's port_security column. It also restricts the
        inner source MAC addresses that the host may send in ARP and
        IPv6 Neighbor Discovery packets. The host is always allowed to
        receive packets to multicast and broadcast Ethernet addresses.

        Each element in the set may additionally contain one or more
        IPv4 or IPv6 addresses (or both), with optional masks. If a
        mask is given, it must be a CIDR mask. In addition to the
        restrictions described for Ethernet addresses above, such an
        element restricts the IPv4 or IPv6 addresses from which the
        host may send and to which it may receive packets to the
        specified addresses. A masked address, if the host part is
        zero, indicates that the host is allowed to use any address in
        the subnet; if the host part is nonzero, the mask simply
        indicates the size of the subnet. In addition:

        · If any IPv4 address is given, the host is also allowed to
          receive packets to the IPv4 local broadcast address
          255.255.255.255 and to IPv4 multicast addresses
          (224.0.0.0/4). If an IPv4 address with a mask is given,
          the host is also allowed to receive packets to the
          broadcast address in that specified subnet.

          If any IPv4 address is given, the host is additionally
          restricted to sending ARP packets with the specified
          source IPv4 address. (RARP is not restricted.)

        · If any IPv6 address is given, the host is also allowed to
          receive packets to IPv6 multicast addresses (ff00::/8).

          If any IPv6 address is given, the host is additionally
          restricted to sending IPv6 Neighbor Discovery Solicitation
          or Advertisement packets with the specified source address
          or, for solicitations, the unspecified address.

        If an element includes an IPv4 address, but no IPv6 addresses,
        then IPv6 traffic is not allowed. If an element includes an
        IPv6 address, but no IPv4 address, then IPv4 and ARP traffic is
        not allowed.

        This column uses the same lexical syntax as the match column in
        the OVN Southbound database's Pipeline table. Multiple
        addresses within an element may be space or comma separated.

        This column is provided as a convenience to cloud management
        systems, but all of the features that it implements can be
        implemented as ACLs using the ACL table.

        Examples:

        80:fa:5b:06:72:b7
            The host may send traffic from and receive traffic to the
            specified MAC address, and to receive traffic to Ethernet
            multicast and broadcast addresses, but not otherwise. The
            host may not send ARP or IPv6 Neighbor Discovery packets
            with inner source Ethernet addresses other than the one
            specified.

        80:fa:5b:06:72:b7 192.168.1.10/24
            This adds further restrictions to the first example. The
            host may send IPv4 packets from or receive IPv4 packets
            to only 192.168.1.10, except that it may also receive
            IPv4 packets to 192.168.1.255 (based on the subnet mask),
            255.255.255.255, and any address in 224.0.0.0/4. The
            host may not send ARPs with a source Ethernet address
            other than 80:fa:5b:06:72:b7 or source IPv4 address other
            than 192.168.1.10. The host may not send or receive any
            IPv6 (including IPv6 Neighbor Discovery) traffic.

        "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
            The host may send traffic from and receive traffic to the
            specified MAC addresses, and to receive traffic to
            Ethernet multicast and broadcast addresses, but not
            otherwise. With MAC 80:fa:5b:12:42:ba, the host may send
            traffic from and receive traffic to any L3 address. With
            MAC 80:fa:5b:06:72:b7, the host may send IPv4 packets from
            or receive IPv4 packets to only 192.168.1.10, except that
            it may also receive IPv4 packets to 192.168.1.255 (based
            on the subnet mask), 255.255.255.255, and any address in
            224.0.0.0/4. The host may not send or receive any IPv6
            (including IPv6 Neighbor Discovery) traffic.
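To make the documented send-direction rules concrete, here is an added example (written for this page; it is not OVN code and not part of the thread) that models the port_security text quoted above in Python and checks the three special-purpose source addresses from Dustin's report against it: an IPv4 packet from 0.0.0.0 (DHCP discover/request), an IPv6 packet from :: (MLD report), and a Neighbor Solicitation from :: (duplicate address detection). The model follows the documentation literally; it says nothing about what ovn-northd actually installs, which is the gap under discussion. The element string with fd00::10/64, and the names `Element`, `parse_element`, `may_send` and `special_sources`, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Element:
    """One port_security element: a MAC plus the L3 addresses it may use."""
    mac: str
    v4: list = field(default_factory=list)  # IPv4Network objects the host may send from
    v6: list = field(default_factory=list)  # IPv6Network objects the host may send from


def parse_element(text):
    """Parse one element, e.g. "80:fa:5b:06:72:b7 192.168.1.10/24,fd00::10/64".

    Per the documentation, a masked address with a zero host part permits
    the whole subnet; a nonzero host part permits only that one address
    (the mask then only sizes the subnet for the broadcast rule).
    """
    tokens = text.replace(",", " ").split()
    elem = Element(mac=tokens[0].lower())
    for tok in tokens[1:]:
        iface = ipaddress.ip_interface(tok)
        if "/" in tok and iface.ip == iface.network.network_address:
            allowed = iface.network
        else:
            allowed = ipaddress.ip_network(str(iface.ip))  # a single /32 or /128
        (elem.v4 if iface.version == 4 else elem.v6).append(allowed)
    return elem


def may_send(elem, eth_src, kind, src=None):
    """Apply the documented send-direction rules to one packet.

    kind is one of "ipv4", "ipv6", "arp", "rarp", "nd_ns", "nd_na"; src is
    the L3 source (IPv4 for ipv4/arp, IPv6 for ipv6/nd_ns/nd_na). Returns
    True when the documented text allows the packet.
    """
    if eth_src.lower() != elem.mac:
        return False  # wrong source MAC
    if not elem.v4 and not elem.v6:
        return True  # MAC-only element: any L3 address is allowed
    if kind == "rarp":
        return True  # "RARP is not restricted"
    if kind in ("ipv4", "arp"):
        nets = elem.v4  # empty for an IPv6-only element: IPv4 and ARP are denied
    elif kind in ("ipv6", "nd_ns", "nd_na"):
        nets = elem.v6  # empty for an IPv4-only element: IPv6 is denied
    else:
        raise ValueError("unknown packet kind %r" % kind)
    if not nets:
        return False
    addr = ipaddress.ip_address(src)
    if kind == "nd_ns" and addr == ipaddress.ip_address("::"):
        return True  # solicitations may use the unspecified address (DAD)
    return any(addr in net for net in nets)


def special_sources(element_text):
    """Check the special-purpose source addresses raised in the thread
    against the documented rules, for a host with the given element."""
    elem = parse_element(element_text)
    return {
        "dhcp_discover_from_0.0.0.0": may_send(elem, elem.mac, "ipv4", "0.0.0.0"),
        "mld_report_from_::": may_send(elem, elem.mac, "ipv6", "::"),
        "dad_ns_from_::": may_send(elem, elem.mac, "nd_ns", "::"),
    }


if __name__ == "__main__":
    # Constructed element: the IPv6 address is an assumption, not from the page.
    report = special_sources("80:fa:5b:06:72:b7 192.168.1.10/24 fd00::10/64")
    for name, ok in report.items():
        print("%-28s %s" % (name, "allowed" if ok else "denied"))
```

Run against the documentation's own example element, the model denies the DHCP discover from 0.0.0.0 and the MLD report from :: (neither source is in the element's address set, and only solicitations get the unspecified-address exception) while allowing the DAD solicitation. That is the behaviour the documentation text describes; any packet the implementation lets through beyond it is exactly what would need to be written into the column's description before the code and the docs can be fixed together.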