[ovs-discuss] In ovs-userconntrack_20151115 Branch - ICMP Blocked port can be hacked, if same icmp request id is used while sending the packet from the blocked side of the firewall.

Daniele Di Proietto diproiettod at vmware.com
Fri May 13 02:02:09 UTC 2016


Hi Subramani,

I appreciate the feedback on the userspace connection tracker, thanks

Yes, the ICMP state is identified by the tuple (SRC IP, DST IP, ID). This mimics the behaviour of FreeBSD's pf.

I guess it'd be possible to have more intelligence on ICMP connections by tracking sequence numbers and matching request/response types (from some quick testing I did, I think this is what the Linux connection tracker does). This can be implemented in a separate conntrack-icmp module and it will be a nice addition to the userspace connection tracker.

I think I would still like to try to merge it with ICMP support as it is, and add sequence and type matching later. Obviously contributions are welcome.

What do you think?

Thanks,

Daniele


On 10/05/2016 23:44, "subramani.paramasivam at wipro.com" <subramani.paramasivam at wipro.com> wrote:

>
>Hello Daniele/All,
>
>
>While testing Userconntrack (Branch - ovs-userconntrack_20151115), we found the following issue.
>
>
> 
>Problem:
>
>
>ICMP Blocked port can be hacked, if same ICMP request id is used while sending the packet from the blocked side of the firewall.
>
>
>
>Test Setup:
>
>
>Openvswitch Branch - ovs-userconntrack_20151115
>DPDK Branch - dpdk-2.2.0
>
>
>303/1 <-> dpdk0 - port 1
>303/3 <-> dpdk1 - port 2
>
>
>Agilent Configuration:
>
>
>303/1 - 35.35.35.1/24
>303/3 - 35.35.35.101/24
>
>
>Traffic Configuration:
>
>
>303/1 - 35.35.35.1 to 35.35.35.101 - ICMP request packet with id=0
>303/3 - 35.35.35.101 to 35.35.35.1 - ICMP request packet with id=0
>
>
>Firewall Flow Rules:
>
>
>ovs-ofctl del-flows br0
>ovs-ofctl add-flow br0 "table=0,priority=1,action=drop"
>ovs-ofctl add-flow br0 "table=0,priority=10,arp,action=normal"
>ovs-ofctl add-flow br0 "table=0,priority=100,icmp,ct_state=-trk,action=ct(table=1)"
>ovs-ofctl add-flow br0 "table=1,in_port=1,icmp,ct_state=+trk+new,action=ct(commit),2"
>ovs-ofctl add-flow br0 "table=1,in_port=1,icmp,ct_state=+trk+est,action=2"
>ovs-ofctl add-flow br0 "table=1,in_port=2,icmp,ct_state=+trk+new,action=drop"
>ovs-ofctl add-flow br0 "table=1,in_port=2,icmp,ct_state=+trk+est,action=1"
>ovs-ofctl dump-flows br0
>
>
>Steps to Reproduce:
>
>
>
>1. With the above configuration, start bidirectional traffic in Agilent.
>2. Traffic from 303/3 to 303/1 is successful.
>3. Expected: traffic from 303/3 to 303/1 should not pass through the firewall.
> 
>Regards,
>
>Subramani.
>
>
>________________________________________
>From: Subramani Paramasivam (Cisco)
>Sent: 10 May 2016 12:31:53
>To: diproiettod at vmware.com
>Cc: Soumyadeep Chowdhury (Cisco); Sourabh Bansal (Cisco); Karuppusamy Marappagounder (NEPC)
>Subject: In ovs-userconntrack_20151115 Branch - ICMP Blocked port can be hacked, if same icmp request id is used while sending the packet from the blocked side of the firewall. 


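To make the two lookup policies discussed in the thread concrete, the following Python model is added here; it is not code from Open vSwitch, from the ovs-userconntrack branch, or from either poster. It replays Subramani's test against the table=1 policy in the quoted flow rules: port 1 may open ICMP connections, port 2 may only send into established ones. The first tracker keys state on (SRC IP, DST IP, ID) in both directions, as Daniele describes the branch doing; the second additionally records the originator and accepts only an echo reply in the return direction, which is an assumption about what the proposed request/response type matching would do, not the branch's actual implementation. Addresses, port numbers and ICMP id are taken from the quoted test setup; the class and function names are ours.

```python
"""Model of ICMP connection tracking with and without request/reply matching.

Added example, not Open vSwitch code. Reproduces the reported behaviour:
when state is keyed only on (src, dst, id) and matched in either direction,
an echo *request* from the blocked side with the same id as the allowed
side's request is classified as established and forwarded.
"""
from dataclasses import dataclass

ECHO_REPLY = 0      # ICMP type 0
ECHO_REQUEST = 8    # ICMP type 8


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    in_port: int


class IdOnlyTracker:
    """Key = (src, dst, icmp id); a packet whose forward or reverse key is in
    the table is 'est'. This is the pf-style behaviour described in the reply."""

    def __init__(self):
        self.table = set()

    def lookup(self, p: Pkt) -> str:
        fwd = (p.src, p.dst, p.icmp_id)
        rev = (p.dst, p.src, p.icmp_id)
        return "est" if fwd in self.table or rev in self.table else "new"

    def commit(self, p: Pkt) -> None:
        self.table.add((p.src, p.dst, p.icmp_id))


class TypeAwareTracker:
    """Same key, but entries are created only by echo requests, and the reverse
    direction is 'est' only for an echo reply. (Assumed model of the proposed
    type matching; not the branch's implementation.)"""

    def __init__(self):
        self.table = set()

    def lookup(self, p: Pkt) -> str:
        fwd = (p.src, p.dst, p.icmp_id)
        rev = (p.dst, p.src, p.icmp_id)
        if fwd in self.table and p.icmp_type == ECHO_REQUEST:
            return "est"  # retransmitted request from the originator
        if rev in self.table and p.icmp_type == ECHO_REPLY:
            return "est"  # the reply the originator is waiting for
        return "new"

    def commit(self, p: Pkt) -> None:
        if p.icmp_type == ECHO_REQUEST:
            self.table.add((p.src, p.dst, p.icmp_id))


def firewall(tracker, p: Pkt) -> str:
    """table=1 policy from the quoted rules: in_port=1 new -> ct(commit),2;
    in_port=1 est -> 2; in_port=2 new -> drop; in_port=2 est -> 1."""
    state = tracker.lookup(p)
    if p.in_port == 1:
        if state == "new":
            tracker.commit(p)
        return "output:2"
    return "output:1" if state == "est" else "drop"


def run_scenario(tracker_cls):
    """Constructed packets mirroring the Agilent traffic: both sides send an
    echo request with id=0; a reply from the blocked side is added for contrast.
    Returns the verdict for (allowed request, blocked-side request, reply)."""
    t = tracker_cls()
    allowed = Pkt("35.35.35.1", "35.35.35.101", ECHO_REQUEST, 0, in_port=1)
    blocked = Pkt("35.35.35.101", "35.35.35.1", ECHO_REQUEST, 0, in_port=2)
    reply = Pkt("35.35.35.101", "35.35.35.1", ECHO_REPLY, 0, in_port=2)
    return (firewall(t, allowed), firewall(t, blocked), firewall(t, reply))


if __name__ == "__main__":
    print("id-only   :", run_scenario(IdOnlyTracker))
    print("type-aware:", run_scenario(TypeAwareTracker))
```

With the id-only key the blocked-side echo request is forwarded because its reverse key equals the committed entry; with the type-aware key it is dropped while the legitimate echo reply still passes. Note that the model also drops a blocked-side request that arrives before any entry exists, so ordering alone is not the problem; the shared id is.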