[ovs-discuss] OVN northd permits overly permissive use of 0.0.0.0 and ::
Dustin Lundquist
dlundquist at linux.vnet.ibm.com
Wed Apr 13 18:47:41 UTC 2016
On 4/10/16 1:37 PM, Ben Pfaff wrote:
> It would be helpful, when fixing this, to precisely describe the packets
> that should be allowed. The documentation for port_security already
> very specifically describes its restrictions, but it doesn't mention
> 0.0.0.0 or ::. That's arguably a bug in the documentation, but if the
> current behavior is undesirable then it's a bug in the implementation as
> well. It would be helpful if you (or someone else) could suggest
> changes to this documentation, and then we could fix the documentation
> and the implementation at the same time.
Thank you, questions and edits are inline below:
>
> Here's what the documentation says now, in case you don't have it
> conveniently at hand.
>
> port_security: set of strings
...
>
> Each element in the set may additionally contain one or more
> IPv4 or IPv6 addresses (or both), with optional masks. If a
> mask is given, it must be a CIDR mask. In addition to the
> restrictions described for Ethernet addresses above, such an
> element restricts the IPv4 or IPv6 addresses from which the host
> may send and to which it may receive packets to the specified
> addresses. A masked address, if the host part is zero, indi‐
> cates that the host is allowed to use any address in the subnet;
> if the host part is nonzero, the mask simply indicates the size
> of the subnet. In addition:
>
> · If any IPv4 address is given, the host is also allowed to
> receive packets to the IPv4 local broadcast address
> 255.255.255.255 and to IPv4 multicast addresses
This doesn't describe what addresses the host is allowed to source
packets from. Presently the host is allowed to send IP packets from the
IPv4 address provided and 0.0.0.0. Sourcing packets from 0.0.0.0 should
be restricted to DHCP discovery and renewal messages: IP src=0.0.0.0
dst=(255.255.255.255 or $DHCP_SERVER_IP), UDP src=68 dst=67, DHCP op=1.
> (224.0.0.0/4). If an IPv4 address with a mask is given,
> the host is also allowed to receive packets to the broad‐
> cast address in that specified subnet.
>
> If any IPv4 address is given, the host is additionally
> restricted to sending ARP packets with the specified
> source IPv4 address. (RARP is not restricted.)
>
> · If any IPv6 address is given, the host is also allowed to
> receive packets to IPv6 multicast addresses (ff00::/8).
Again this doesn't describe what addresses the host is allowed to source
IPv6 packets from. Presently the host is allowed to send traffic from
the provided IPv6 addresses, the link-local addresses associated with
this port and :: (the unspecified address). The unspecified address is
required to complete DAD (duplicate address detection). DAD requires the
host to use MLD (multicast listener discovery) to join the all-hosts
multicast group and the multicast group associated with the tentative IPv6
address being assigned to the interface. The host then sends a neighbor
solicitation message for the tentative address to determine if it is
already in use. Usage of :: as a source address should be restricted to
ICMP types 131 (MLD v1 report), 135 (neighbor solicitation), 143 (MLD v2
report). Once duplicate address detection has completed for the
link-local address, the link-local address is used for stateful DHCPv6.
>
> If any IPv6 address is given, the host is additionally
> restricted to sending IPv6 Neighbor Discovery Solicita‐
> tion or Advertisement packets with the specified source
> address or, for solicitations, the unspecified address.
>
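The source-address rule proposed in the two inline comments above (0.0.0.0 only for DHCP client requests, :: only for DAD and MLD), together with the masked-address rule quoted from the port_security docs, as a standalone Python reference model. This is an added example written for this page, not code from OVN northd and not its logical-flow match syntax. It assumes two inputs the message leaves as parameters: the DHCP server address ($DHCP_SERVER_IP) and the port's link-local IPv6 addresses are supplied by configuration. The Packet class and the sample packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constants named in the message: DHCP client/server UDP ports, the BOOTP
# op value of a client request, and the ICMPv6 types a host may send from ::.
DHCP_CLIENT_PORT = 68
DHCP_SERVER_PORT = 67
DHCP_OP_BOOTREQUEST = 1
ICMPV6_TYPES_OK_FROM_UNSPECIFIED = frozenset({131, 135, 143})  # MLDv1 report, NS, MLDv2 report

IPV4_UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")
IPV4_LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
IPV6_UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass(frozen=True)
class Packet:
    """Header fields the source check needs (constructed model, not a real parser)."""
    src: str
    dst: str
    proto: str = "other"            # "udp", "tcp", "icmpv6" or "other"
    sport: Optional[int] = None
    dport: Optional[int] = None
    dhcp_op: Optional[int] = None   # BOOTP 'op' byte of a DHCP payload, if any
    icmpv6_type: Optional[int] = None


@dataclass(frozen=True)
class PortSecurity:
    """Addresses from one port_security element, plus two assumed configuration
    inputs: the port's link-local IPv6 addresses and its DHCP server(s)."""
    ipv4: FrozenSet[ipaddress.IPv4Interface] = frozenset()
    ipv6: FrozenSet[ipaddress.IPv6Interface] = frozenset()
    link_local_v6: FrozenSet[ipaddress.IPv6Address] = frozenset()
    dhcp_servers: FrozenSet[ipaddress.IPv4Address] = frozenset()


def port_security_from_strings(addresses, link_local=(), dhcp_servers=()) -> PortSecurity:
    """Build a PortSecurity from the address strings of a port_security element."""
    v4, v6 = set(), set()
    for text in addresses:
        iface = ipaddress.ip_interface(text)   # "10.0.0.5", "10.0.0.0/24", "fd00::5/64", ...
        (v4 if iface.version == 4 else v6).add(iface)
    return PortSecurity(
        ipv4=frozenset(v4),
        ipv6=frozenset(v6),
        link_local_v6=frozenset(ipaddress.IPv6Address(a) for a in link_local),
        dhcp_servers=frozenset(ipaddress.IPv4Address(a) for a in dhcp_servers),
    )


def _matches_configured(addr, interfaces) -> bool:
    """Masked-address rule from the quoted docs: a zero host part allows any
    address in the subnet, a nonzero host part allows only that address."""
    for iface in interfaces:
        host_part_zero = iface.ip == iface.network.network_address
        if (host_part_zero and addr in iface.network) or addr == iface.ip:
            return True
    return False


def is_dhcp_request_from_unspecified(pkt: Packet, ps: PortSecurity) -> bool:
    """DHCP discovery/renewal as the message bounds it: IP src 0.0.0.0,
    dst 255.255.255.255 or a DHCP server, UDP 68 -> 67, BOOTP op 1."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (src == IPV4_UNSPECIFIED
            and (dst == IPV4_LIMITED_BROADCAST or dst in ps.dhcp_servers)
            and pkt.proto == "udp"
            and pkt.sport == DHCP_CLIENT_PORT and pkt.dport == DHCP_SERVER_PORT
            and pkt.dhcp_op == DHCP_OP_BOOTREQUEST)


def is_dad_or_mld_from_unspecified(pkt: Packet) -> bool:
    """DAD/MLD as the message bounds it: IPv6 src :: and ICMPv6 type 131, 135 or 143."""
    return (ipaddress.ip_address(pkt.src) == IPV6_UNSPECIFIED
            and pkt.proto == "icmpv6"
            and pkt.icmpv6_type in ICMPV6_TYPES_OK_FROM_UNSPECIFIED)


def source_permitted(pkt: Packet, ps: PortSecurity) -> bool:
    """Verdict under the proposed rules. Per the quoted docs the IP restrictions
    apply only once an address of that family is configured."""
    src = ipaddress.ip_address(pkt.src)
    if src.version == 4:
        if not ps.ipv4:
            return True
        return _matches_configured(src, ps.ipv4) or is_dhcp_request_from_unspecified(pkt, ps)
    if not ps.ipv6:
        return True
    return (_matches_configured(src, ps.ipv6)
            or src in ps.link_local_v6
            or is_dad_or_mld_from_unspecified(pkt))


# Constructed sample port: an IPv4 host address, an IPv4 subnet with zero host
# part, an IPv6 address, plus an assumed link-local address and DHCP server.
SAMPLE_PORT = port_security_from_strings(
    ["10.0.0.5", "192.168.1.0/24", "fd00::5"], link_local=["fe80::1"], dhcp_servers=["10.0.0.1"])

# (description, constructed packet, expected verdict under the proposed rule)
SAMPLE_PACKETS = [
    ("own IPv4 address", Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, 22), True),
    ("address inside zero-host subnet", Packet("192.168.1.77", "192.168.1.1", "udp", 5000, 53), True),
    ("DHCPDISCOVER", Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67, dhcp_op=1), True),
    ("DHCPREQUEST to server", Packet("0.0.0.0", "10.0.0.1", "udp", 68, 67, dhcp_op=1), True),
    ("TCP from 0.0.0.0 (allowed today, proposed: drop)", Packet("0.0.0.0", "10.0.0.9", "tcp", 40000, 80), False),
    ("BOOTREPLY op from 0.0.0.0", Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67, dhcp_op=2), False),
    ("DAD neighbor solicitation", Packet("::", "ff02::1:ff00:5", "icmpv6", icmpv6_type=135), True),
    ("MLDv2 report", Packet("::", "ff02::16", "icmpv6", icmpv6_type=143), True),
    ("echo request from :: (proposed: drop)", Packet("::", "ff02::1", "icmpv6", icmpv6_type=128), False),
    ("DHCPv6 from link-local", Packet("fe80::1", "ff02::1:2", "udp", 546, 547), True),
    ("spoofed IPv6 source", Packet("fd00::99", "fd00::1", "tcp", 40000, 22), False),
]


def evaluate_samples():
    """Run the sample packets through the check; returns {description: verdict}."""
    return {desc: source_permitted(pkt, SAMPLE_PORT) for desc, pkt, _ in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, pkt, expected in SAMPLE_PACKETS:
        verdict = source_permitted(pkt, SAMPLE_PORT)
        print(f"{'ALLOW' if verdict else 'DROP':5} {desc} (expected {'ALLOW' if expected else 'DROP'})")
```

The two packets marked "proposed: drop" are the ones the current behaviour described in the message lets through; everything else in the sample set is traffic the message wants to keep working (DHCP bootstrap, DAD, MLD, DHCPv6 from link-local). Note that renewal is modelled exactly as the message states it (src 0.0.0.0 to the server); the BOOTP op check rejects BOOTREPLY packets a host has no business sending.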