git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[neutron][security group][IPv6] IPv6 ICMPv6 port security in security group


Hi all,

When using neutron on CentOS 7 with OVSHybridIptablesFirewallDriver, create
a vm with IPv4/IPv6 dual stack port,
then remove all security group, we can get response with ping dhcp or
router using IPv6 address in vm, while IPv4 can't.
IPv6 works different with IPv4 in some cases and some useful function must
work with ICMPv6 like NDP, NS, NA.

Checking these two links below, neutron only drop IPv6 RA from vm, and
allow all ICMPv6
ICMPv6 Type 128 Echo Request and Type 129 Echo Reply are allowed by default.
Should we try to restrict ICMPv6 some types or there are some
considerations and just follow ITEF 4890?

IETF 4890 [section 4.3.2. Traffic That Normally Should Not Be Dropped]
mentioned that:

As discussed in
   Section 3.2 <https://tools.ietf.org/html/rfc4890#section-3.2>, the
risks from port scanning in an IPv6 network are much
   less severe, and it is not necessary to filter IPv6 Echo Request
   messages.

[section 3.2. Probing]

However, the very large address space of IPv6 makes probing a less
   effective weapon as compared with IPv4 provided that addresses are
   not allocated in an easily guessable fashion.


https://github.com/openstack/neutron/commit/a8a9d225d8496c044db7057552394afd6c950a8e

https://www.ietf.org/rfc/rfc4890.txt


Commands are:
neutron port-update --no-security-groups
0307f016-0cc8-468b-bf3e-36ebe50e13ac

ping6 from vm to dhcp

ip6tables rules in compute node:
PS: seems rules for type 131/135/143 are included in the rule

# ip6tables-save | grep 08a0812a
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m
icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j
RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m
icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j
RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m
icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j
RETURN
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m
comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow
IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched
traffic to the fallback chain." -j neutron-openvswi-sg-fallback

full rules are at Ref #3




REF #1
ml2_config.ini
[securitygroup]
firewall_driver =
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Ref #2
Chain neutron-openvswi-o08a0812a-9 (2 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 RETURN     icmpv6    *      *       ::
ff02::/16            ipv6-icmptype 131 /* Allow IPv6 ICMP traffic. */
    1    72 RETURN     icmpv6    *      *       ::
ff02::/16            ipv6-icmptype 135 /* Allow IPv6 ICMP traffic. */
    2   152 RETURN     icmpv6    *      *       ::
ff02::/16            ipv6-icmptype 143 /* Allow IPv6 ICMP traffic. */
    5   344 neutron-openvswi-s08a0812a-9  all      *      *       ::/0
            ::/0
    0     0 DROP       icmpv6    *      *       ::/0                 ::/0
              ipv6-icmptype 134 /* Drop IPv6 Router Advts from VM Instance.
*/
    5   344 RETURN     icmpv6    *      *       ::/0                 ::/0
              /* Allow IPv6 ICMP traffic. */
    0     0 RETURN     udp      *      *       ::/0                 ::/0
              udp spt:546 dpt:547 /* Allow DHCP client traffic. */
    0     0 DROP       udp      *      *       ::/0                 ::/0
              udp spt:547 dpt:546 /* Prevent DHCP Spoofing by VM. */
    0     0 RETURN     all      *      *       ::/0                 ::/0
              state RELATED,ESTABLISHED /* Direct packets associated with a
known session to the RETURN chain. */
    0     0 DROP       all      *      *       ::/0                 ::/0
              state INVALID /* Drop packets that appear related to an
existing connection (e.g. TCP ACK/FIN) but do not have an entry in
conntrack. */
    0     0 neutron-openvswi-sg-fallback  all      *      *       ::/0
            ::/0                 /* Send unmatched traffic to the fallback
chain. */

Ref #3
# ip6tables-save | grep 08a0812a

-A neutron-openvswi-PREROUTING -m physdev --physdev-in qvb08a0812a-9e -m
comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT
--zone 4104
-A neutron-openvswi-PREROUTING -i qvb08a0812a-9e -m comment --comment "Set
zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT --zone 4104
-A neutron-openvswi-PREROUTING -m physdev --physdev-in tap08a0812a-9e -m
comment --comment "Set zone for 812a-9ef7-45e3-9d81-9463dd80e63e" -j CT
--zone 4104
:neutron-openvswi-i08a0812a-9 - [0:0]
:neutron-openvswi-o08a0812a-9 - [0:0]
:neutron-openvswi-s08a0812a-9 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap08a0812a-9e
--physdev-is-bridged -m comment --comment "Direct traffic from the VM
interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap08a0812a-9e
--physdev-is-bridged -m comment --comment "Direct traffic from the VM
interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap08a0812a-9e
--physdev-is-bridged -m comment --comment "Direct incoming traffic from VM
to the security group chain." -j neutron-openvswi-o08a0812a-9
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j
RETURN
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j
RETURN
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j
RETURN
-A neutron-openvswi-i08a0812a-9 -m state --state RELATED,ESTABLISHED -m
comment --comment "Direct packets associated with a known session to the
RETURN chain." -j RETURN
-A neutron-openvswi-i08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j
RETURN
-A neutron-openvswi-i08a0812a-9 -d 20ff::c/128 -p udp -m udp --sport 547
--dport 546 -j RETURN
-A neutron-openvswi-i08a0812a-9 -d fe80::/64 -p udp -m udp --sport 547
--dport 546 -j RETURN
-A neutron-openvswi-i08a0812a-9 -m state --state INVALID -m comment
--comment "Drop packets that appear related to an existing connection (e.g.
TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i08a0812a-9 -m comment --comment "Send unmatched
traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m
icmp6 --icmpv6-type 131 -m comment --comment "Allow IPv6 ICMP traffic." -j
RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m
icmp6 --icmpv6-type 135 -m comment --comment "Allow IPv6 ICMP traffic." -j
RETURN
-A neutron-openvswi-o08a0812a-9 -s ::/128 -d ff02::/16 -p ipv6-icmp -m
icmp6 --icmpv6-type 143 -m comment --comment "Allow IPv6 ICMP traffic." -j
RETURN
-A neutron-openvswi-o08a0812a-9 -j neutron-openvswi-s08a0812a-9
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m
comment --comment "Drop IPv6 Router Advts from VM Instance." -j DROP
-A neutron-openvswi-o08a0812a-9 -p ipv6-icmp -m comment --comment "Allow
IPv6 ICMP traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 546 --dport 547 -m
comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o08a0812a-9 -p udp -m udp --sport 547 --dport 546 -m
comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o08a0812a-9 -m state --state RELATED,ESTABLISHED -m
comment --comment "Direct packets associated with a known session to the
RETURN chain." -j RETURN
-A neutron-openvswi-o08a0812a-9 -m state --state INVALID -m comment
--comment "Drop packets that appear related to an existing connection (e.g.
TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o08a0812a-9 -m comment --comment "Send unmatched
traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s08a0812a-9 -s 20ff::c/128 -m mac --mac-source
FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from defined IP/MAC
pairs." -j RETURN
-A neutron-openvswi-s08a0812a-9 -s fe80::f816:3eff:fe7c:d8c0/128 -m mac
--mac-source FA:16:3E:7C:D8:C0 -m comment --comment "Allow traffic from
defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s08a0812a-9 -m comment --comment "Drop traffic without
an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap08a0812a-9e
--physdev-is-bridged -m comment --comment "Jump to the VM specific chain."
-j neutron-openvswi-i08a0812a-9
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap08a0812a-9e
--physdev-is-bridged -m comment --comment "Jump to the VM specific chain."
-j neutron-openvswi-o08a0812a-9
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20191011/7b5dfa32/attachment-0001.html>