[ovs-discuss] OVN northd permits overly permissive use of 0.0.0.0 and ::

Dustin Lundquist dlundquist at linux.vnet.ibm.com
Wed Apr 13 18:47:41 UTC 2016


On 4/10/16 1:37 PM, Ben Pfaff wrote:
> It would be helpful, when fixing this, to precisely describe the packets
> that should be allowed.  The documentation for port_security already
> very specifically describes its restrictions, but it doesn't mention
> 0.0.0.0 or ::.  That's arguably a bug in the documentation, but if the
> current behavior is undesirable then it's a bug in the implementation as
> well.  It would be helpful if you (or someone else) could suggest
> changes to this documentation, and then we could fix the documentation
> and the implementation at the same time.
Thank you, questions and edits are inline below:
> 
> Here's what the documentation says now, in case you don't have it
> conveniently at hand.
> 
>        port_security: set of strings
...
> 
>               Each element in the set may additionally  contain  one  or  more
>               IPv4  or  IPv6  addresses  (or both), with optional masks.  If a
>               mask is given, it must be a  CIDR  mask.   In  addition  to  the
>               restrictions  described  for  Ethernet  addresses above, such an
>               element restricts the IPv4 or IPv6 addresses from which the host
>               may  send  and  to which it may receive packets to the specified
>               addresses.  A masked address, if the host part  is  zero,  indi‐
>               cates that the host is allowed to use any address in the subnet;
>               if the host part is nonzero, the mask simply indicates the  size
>               of the subnet. In addition:
> 
>               ·      If any IPv4 address is given, the host is also allowed to
>                      receive packets  to  the  IPv4  local  broadcast  address
>                      255.255.255.255   and   to   IPv4   multicast   addresses
This doesn't describe what addresses the host is allowed to source
packets from. Presently the host is allowed to send IP packets from the
IPv4 address provided and 0.0.0.0. Sourcing packets from 0.0.0.0 should
be restricted to DHCP discovery and renewal messages: IP src=0.0.0.0
dst=(255.255.255.255 or $DHCP_SERVER_IP), UDP src=68 dst=67, DHCP op=1.
>                      (224.0.0.0/4).  If an IPv4 address with a mask is  given,
>                      the host is also allowed to receive packets to the broad‐
>                      cast address in that specified subnet.
> 
>                      If any IPv4 address is given, the  host  is  additionally
>                      restricted  to  sending  ARP  packets  with the specified
>                      source IPv4 address.  (RARP is not restricted.)
> 
>               ·      If any IPv6 address is given, the host is also allowed to
>                      receive packets to IPv6 multicast addresses (ff00::/8).
Again, this doesn't describe what addresses the host is allowed to source
IPv6 packets from. Presently the host is allowed to send traffic from
the provided IPv6 addresses, the link-local addresses associated with
this port, and :: (the unspecified address). The unspecified address is
required to complete DAD (duplicate address detection). DAD requires the
host to use MLD (multicast listener discovery) to join the all-hosts
multicast group and the multicast group associated with the tentative IPv6
address being assigned to the interface. The host then sends a neighbor
solicitation message for the tentative address to determine if it is
already in use. Usage of :: as a source address should be restricted to
ICMP types 131 (MLD v1 report), 135 (neighbor solicitation), 143 (MLD v2
report). Once duplicate address detection has completed for the
link-local address, the link-local address is used for stateful DHCPv6.
> 
>                      If  any  IPv6  address is given, the host is additionally
>                      restricted to sending IPv6 Neighbor  Discovery  Solicita‐
>                      tion  or  Advertisement packets with the specified source
>                      address or, for solicitations, the unspecified address.
> 
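As an added illustration (not OVN code and not written by anyone in this thread): a small Python model of the narrowed source-address rule proposed above, covering both the DHCPv4 exception for 0.0.0.0 and the DAD/MLD exception for ::. It assumes port_security elements are passed as bare IP strings (the Ethernet address that leads a real element is omitted) and that a packet is a constructed dict of header fields; the allowance for fe80::/10 reflects the current behaviour the post describes.

```python
from ipaddress import ip_address, ip_network

# ICMPv6 types the post proposes to allow from the unspecified source "::":
# 131 MLDv1 report, 135 neighbor solicitation, 143 MLDv2 report.
ICMPV6_OK_FROM_UNSPECIFIED = {131, 135, 143}


def unspecified_source_allowed(pkt, dhcp_server_ip=None):
    """Narrow exceptions for packets sourced from 0.0.0.0 or ::.

    pkt is a constructed dict: ip_src, ip_dst, proto ("udp", "icmpv6", ...),
    plus udp_src/udp_dst/dhcp_op for UDP and icmp_type for ICMPv6.
    """
    src = ip_address(pkt["ip_src"])
    if src.version == 4 and src == ip_address("0.0.0.0"):
        # DHCPv4 discovery/renewal only: to the local broadcast address or
        # the known DHCP server, UDP 68 -> 67, BOOTREQUEST (op=1).
        dst = ip_address(pkt["ip_dst"])
        dst_ok = dst == ip_address("255.255.255.255") or (
            dhcp_server_ip is not None and dst == ip_address(dhcp_server_ip))
        return (dst_ok and pkt.get("proto") == "udp"
                and pkt.get("udp_src") == 68 and pkt.get("udp_dst") == 67
                and pkt.get("dhcp_op") == 1)
    if src.version == 6 and src == ip_address("::"):
        # IPv6 DAD needs MLD reports and neighbor solicitations from "::".
        return (pkt.get("proto") == "icmpv6"
                and pkt.get("icmp_type") in ICMPV6_OK_FROM_UNSPECIFIED)
    return False


def source_permitted(pkt, port_security, dhcp_server_ip=None):
    """Decide whether pkt's IP source is allowed for a port whose
    port_security set (IP strings, optionally with a CIDR mask) is given."""
    src = ip_address(pkt["ip_src"])
    for element in port_security:
        host = ip_address(element.split("/")[0])
        net = ip_network(element, strict=False)
        if net.version != src.version:
            continue
        if net.num_addresses > 1 and host == net.network_address:
            # Host part zero: any address in the subnet is allowed.
            if src in net:
                return True
        elif src == host:
            # Host part nonzero (or no mask): only that exact address.
            return True
    if src.version == 6 and src in ip_network("fe80::/10"):
        return True  # link-local source, allowed today per the post
    return unspecified_source_allowed(pkt, dhcp_server_ip)
```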