[ovs-discuss] OVN northd permits overly permissive use of 0.0.0.0 and ::

Ben Pfaff blp at ovn.org
Sun Apr 10 20:37:01 UTC 2016


On Wed, Apr 06, 2016 at 11:56:34AM -0700, Dustin Lundquist wrote:
> Testing networking-ovn with OVS -master (rev c4623bb83), I found OVN
> permitted unrestricted use of 0.0.0.0 and ::.  These should only be used
> for IPv4 DHCP discovery and request messages and ICMPv6 MLD reports as
> well as Neighbor Solicitation to enable duplicate address detection. It
> appears the PORT_SEC_IP stage only validates L3 headers, and later
> stages do not restrict the use of these special purpose source L3 addresses.

It would be helpful, when fixing this, to precisely describe the packets
that should be allowed.  The documentation for port_security already
very specifically describes its restrictions, but it doesn't mention
0.0.0.0 or ::.  That's arguably a bug in the documentation, but if the
current behavior is undesirable then it's a bug in the implementation as
well.  It would be helpful if you (or someone else) could suggest
changes to this documentation, and then we could fix the documentation
and the implementation at the same time.

Here's what the documentation says now, in case you don't have it
conveniently at hand.

       port_security: set of strings
              This column controls the addresses from which the host attached
              to the logical port ("the host") is allowed to send packets and
              to which it is allowed to receive packets.  If this column is
              empty, all addresses are permitted.

              Each element in the set must begin with one Ethernet address.
              This would restrict the host to sending packets from and
              receiving packets to the ethernet addresses defined in the
              logical port's port_security column.  It also restricts the
              inner source MAC addresses that the host may send in ARP and
              IPv6 Neighbor Discovery packets.  The host is always allowed to
              receive packets to multicast and broadcast Ethernet addresses.

              Each element in the set may additionally contain one or more
              IPv4 or IPv6 addresses (or both), with optional masks.  If a
              mask is given, it must be a CIDR mask.  In addition to the
              restrictions described for Ethernet addresses above, such an
              element restricts the IPv4 or IPv6 addresses from which the host
              may send and to which it may receive packets to the specified
              addresses.  A masked address, if the host part is zero,
              indicates that the host is allowed to use any address in the
              subnet; if the host part is nonzero, the mask simply indicates
              the size of the subnet.  In addition:

              ·      If any IPv4 address is given, the host is also allowed to
                     receive packets to the IPv4 local broadcast address
                     255.255.255.255 and to IPv4 multicast addresses
                     (224.0.0.0/4).  If an IPv4 address with a mask is given,
                     the host is also allowed to receive packets to the
                     broadcast address in that specified subnet.

                     If any IPv4 address is given, the host is additionally
                     restricted to sending ARP packets with the specified
                     source IPv4 address.  (RARP is not restricted.)

              ·      If any IPv6 address is given, the host is also allowed to
                     receive packets to IPv6 multicast addresses (ff00::/8).

                     If any IPv6 address is given, the host is additionally
                     restricted to sending IPv6 Neighbor Discovery
                     Solicitation or Advertisement packets with the specified
                     source address or, for solicitations, the unspecified
                     address.

              If an element includes an IPv4 address, but no IPv6 addresses,
              then IPv6 traffic is not allowed.  If an element includes an
              IPv6 address, but no IPv4 address, then IPv4 and ARP traffic is
              not allowed.

              This column uses the same lexical syntax as the match column in
              the OVN Southbound database's Pipeline table.  Multiple
              addresses within an element may be space or comma separated.

              This column is provided as a convenience to cloud management
              systems, but all of the features that it implements can be
              implemented as ACLs using the ACL table.

              Examples:

              80:fa:5b:06:72:b7
                     The host may send traffic from and receive traffic to the
                     specified MAC address, and to receive traffic to Ethernet
                     multicast and broadcast addresses, but not otherwise.
                     The host may not send ARP or IPv6 Neighbor Discovery
                     packets with inner source Ethernet addresses other than
                     the one specified.

              80:fa:5b:06:72:b7 192.168.1.10/24
                     This adds further restrictions to the first example.  The
                     host may send IPv4 packets from or receive IPv4 packets
                     to only 192.168.1.10, except that it may also receive
                     IPv4 packets to 192.168.1.255 (based on the subnet mask),
                     255.255.255.255, and any address in 224.0.0.0/4.  The
                     host may not send ARPs with a source Ethernet address
                     other than 80:fa:5b:06:72:b7 or source IPv4 address other
                     than 192.168.1.10.  The host may not send or receive any
                     IPv6 (including IPv6 Neighbor Discovery) traffic.

              "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
                     The host may send traffic from and receive traffic to the
                     specified MAC addresses, and to receive traffic to
                     Ethernet multicast and broadcast addresses, but not
                     otherwise.  With MAC 80:fa:5b:12:42:ba, the host may send
                     traffic from and receive traffic to any L3 address.  With
                     MAC 80:fa:5b:06:72:b7, the host may send IPv4 packets
                     from or receive IPv4 packets to only 192.168.1.10, except
                     that it may also receive IPv4 packets to 192.168.1.255
                     (based on the subnet mask), 255.255.255.255, and any
                     address in 224.0.0.0/4.  The host may not send or receive
                     any IPv6 (including IPv6 Neighbor Discovery) traffic.
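As an added example (not OVN's code and not part of this thread), the following Python model encodes the port_security rules exactly as the quoted documentation states them, and checks constructed packets against the documentation's own example element. Under the documented rules an IPv4 packet sent from 0.0.0.0 (such as a DHCP DISCOVER) is denied, which is precisely the gap between documentation and implementation the thread raises. Assumptions: packet direction, kind and addresses are passed as plain arguments, and for broadcast/multicast Ethernet destinations the L3 rules of any element are applied.

```python
from ipaddress import ip_address, ip_network

def parse_element(text):
    """One port_security element: a MAC, then optional IPv4/IPv6 addresses with optional CIDR masks."""
    parts = text.replace(",", " ").split()
    addrs = [(ip_address(t.split("/")[0]), ip_network(t, strict=False), "/" in t) for t in parts[1:]]
    return parts[0].lower(), addrs                      # addrs: (host, subnet, mask given?)

def l3_ok(addrs, ip, direction, kind):
    """L3 rules of one element. ip is the source when sending and the destination when receiving;
    for 'arp' it is the sender address, for 'nd_sol'/'nd_adv' the IPv6 source."""
    same = [a for a in addrs if a[1].version == ip.version]
    if not same:                       # no address of this family: the family (and ARP for IPv4) is denied
        return False
    if kind == "arp" and direction == "in":
        return True                    # only the outbound ARP sender address is restricted
    if kind == "nd_sol" and ip.is_unspecified:
        return True                    # solicitations may use :: (duplicate address detection)
    for host, net, _ in same:          # host part zero: any address in subnet; nonzero: that host only
        if ip == host or (host == net.network_address and ip in net):
            return True
    if direction == "in" and ip.version == 4:
        return (ip == ip_address("255.255.255.255") or ip.is_multicast
                or any(masked and ip == net.broadcast_address for _, net, masked in same))
    return direction == "in" and ip.version == 6 and ip.is_multicast

def allowed(elements, direction, mac, ip=None, kind="ip"):
    """direction 'out': the host sends (mac/ip are sources); 'in': it receives (destinations)."""
    parsed = [parse_element(e) for e in elements]
    if not parsed:
        return True                    # empty column: all addresses permitted
    mac = mac.lower()
    if direction == "in" and int(mac[:2], 16) & 1:   # multicast/broadcast Ethernet is always
        cands = parsed                 # receivable; assumption: any element's L3 rules then apply
    else:
        cands = [p for p in parsed if p[0] == mac]
    if not cands or ip is None:
        return bool(cands)
    return any(l3_ok(addrs, ip_address(ip), direction, kind) if addrs else True for _, addrs in cands)

def demo():
    """Constructed packets checked against the documentation's second example element."""
    ps, mac = ["80:fa:5b:06:72:b7 192.168.1.10/24"], "80:fa:5b:06:72:b7"
    return {"own address out": allowed(ps, "out", mac, "192.168.1.10"),
            "neighbour address out": allowed(ps, "out", mac, "192.168.1.11"),
            "subnet broadcast in": allowed(ps, "in", "ff:ff:ff:ff:ff:ff", "192.168.1.255"),
            "dhcp discover from 0.0.0.0": allowed(ps, "out", mac, "0.0.0.0"),
            "ipv6 nd solicitation": allowed(ps, "out", mac, "::", "nd_sol")}
```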


