On 05/15/2015 07:48 PM, Jay Pipes wrote:
On 05/15/2015 12:38 PM, George Shuklin wrote:
Just to let everyone know: broken antispoofing is not an 'security
issue' and the fix is not planned to be backported to Juno/kilo.
https://bugs.launchpad.net/bugs/1274034
What can I say? All hail devstack! Who care about production?
George, I can understand you are frustrated with this issue and feel
strongly about it. However, I don't think notes like this are all that
productive.
Would a more productive action be to tell the operator community a bit
about the vulnerability and suggest appropriate remedies to take?
Ok, sorry.
Short issue: If few tenants use same network (shared network) one tenant
may disrupt network activities of other tenant by sending a specially
crafted ARP packets on behave of the victim. Normally, Openstack
prohibit usage of unauthorized addresses (this feature is called
'antispoofing' and it is essential for multi-tenant clouds). This
feature were subtly broken (malicious tenant may not use other addresses
but still may disrupt activities of other tenants).
Finally, that bug has been fixed. But now they says 'oh, it is not that
important, we will not backport it to current releases, only to
"Libery"' because of new etables dependency.
_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators