Bug 1853766

Summary: Antispoofing prefix not set for ipv6
Product: Red Hat OpenStack
Reporter: Marc Methot <mmethot>
Component: python-networking-ovn
Assignee: Rodolfo Alonso <ralonsoh>
Status: CLOSED CURRENTRELEASE
QA Contact: Eran Kuris <ekuris>
Severity: medium
Priority: medium
Version: 16.0 (Train)
CC: apevec, ebenes, eolivare, igramic, jlibosva, lhh, majopela, ralonsoh, scohen
Target Milestone: z2
Keywords: Reopened, Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-06-02 13:12:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1856898

Description Marc Methot 2020-07-03 20:32:28 UTC
When an operator disables spoofing for IPV6::/64, OVN creates the following rule:
~~~
 cookie=0x66d3d855, duration=4.723s, table=9, n_packets=0, n_bytes=0, idle_age=4, priority=90,ipv6,reg14=0x3,metadata=0x1c,dl_src=fa:(...):13,ipv6_src=IPV6:: actions=resubmit(,10)
~~~

It is missing the prefix and spoofing is still active. The expected flow should be:
~~~
 cookie=0x66d3d855, duration=4.723s, table=9, n_packets=0, n_bytes=0, idle_age=4,priority=90,ipv6,reg14=0x3,metadata=0x1c,dl_src=fa:(...):13,ipv6_src=IPV6::/64 actions=resubmit(,10)
~~~

Version-Release number of selected component (if applicable):
~~~
[mmethot@supportshell 02683232]$ egrep 'openvswitch|neutron' sosreport-20200619-161152/compute-az3-16.osp-002.prod.iad2.dc.redhat.com/installed-rpms 
network-scripts-openvswitch2.11-2.11.0-50.el8fdp.x86_64     Wed May 13 12:41:06 2020
openvswitch2.11-2.11.0-50.el8fdp.x86_64                     Wed May 13 12:41:40 2020
openvswitch-selinux-extra-policy-1.0-22.el8fdp.noarch       Wed May 13 12:41:09 2020
puppet-neutron-15.4.1-0.20200403215743.37f7994.el8ost.noarch Wed May 13 12:41:59 2020
python3-neutronclient-6.14.0-0.20200221162537.115f60f.el8ost.noarch Wed May 13 12:37:59 2020
rhosp-openvswitch-2.11-0.6.el8ost.noarch                    Wed May 13 12:42:14 2020
~~~

How reproducible:
Every time

Steps to Reproduce:
1. Start an instance on a network that has both IPv4 and IPv6.
2. Add an allowed MAC address pair for that instance port. It needs to be some IPv6 subnet.
3. Check the flows on the compute node and see whether the prefix is there or not.

Comment 2 Rodolfo Alonso 2020-07-07 15:50:33 UTC
Hello Marc:

An IP/MAC address pair consists of an IP address (v4/v6) and a MAC address. Although the API is "flexible" (that is, we don't check that the IP address is not a CIDR or a network address), the value used in the OF field "ipv6_src" or "nw_src" is just the IP address without the mask.

That means, when creating a port with allowed pairs, remember that the IP address provided will not be taken as a CIDR but as an IP.

In the example you are providing, the address "2620:52:4:8000::/64" is a valid IPv6 address (because the ::0 address is valid too, unlike in IPv4). That's why you can use it and OVN is setting this rule.

Examples of ports with IPv6 pairs and OF rules:
1) allowed_address_pairs   | ip_address='2620:52:4:8000::1', mac_address='ca:fe:ca:fe:ca:02'

 cookie=0x99ac60fd, duration=829.487s, table=9, n_packets=0, n_bytes=0, priority=90,ipv6,reg14=0x6,metadata=0x1,dl_src=ca:fe:ca:fe:ca:02,ipv6_src=2620:52:4:8000::1 actions=resubmit(,10)


2) allowed_address_pairs   | ip_address='2620:52:4:8000::2/64', mac_address='ca:fe:ca:fe:ca:03'

 cookie=0x8cd38909, duration=616.954s, table=9, n_packets=0, n_bytes=0, priority=90,ipv6,reg14=0x8,metadata=0x1,dl_src=ca:fe:ca:fe:ca:03,ipv6_src=2620:52:4:8000::2 actions=resubmit(,10)


3) allowed_address_pairs   | ip_address='2620:52:4:8000::', mac_address='ca:fe:ca:fe:ca:05'

 cookie=0x7785e571, duration=22.365s, table=9, n_packets=0, n_bytes=0, idle_age=22, priority=90,ipv6,reg14=0xa,metadata=0x1,dl_src=ca:fe:ca:fe:ca:05,ipv6_src=2620:52:4:8000:: actions=resubmit(,10)


The current behavior is correct.

Regards.

Comment 3 igramic 2020-07-14 12:28:08 UTC
Hi guys,

I am not sure why this was closed as not a bug when it was clear that it is not working as expected.
Once you set an IPv6 subnet under the anti-spoofing option it is still blocked unless you enter a host entry.
We can't add host entries for a whole IPv6 subnet.

Comment 4 Rodolfo Alonso 2020-07-14 13:01:41 UTC
Hi Igor:

Making c#2 public.

Regards.

Comment 5 igramic 2020-07-14 13:12:08 UTC
Hi Rodolfo,

Thank you for this. The problem that we saw is:
If we enter 2620:52:4:8000::/64 in the GUI, OSP creates

cookie=0x7785e571, duration=22.365s, table=9, n_packets=0, n_bytes=0, idle_age=22, priority=90,ipv6,reg14=0xa,metadata=0x1,dl_src=ca:fe:ca:fe:ca:05,ipv6_src=2620:52:4:8000:: actions=resubmit(,10)

Then anti-spoofing is dropping all packets coming from our client with 2620:52:4:8000::1.

When we enter 2620:52:4:8000::1/128,

cookie=0x99ac60fd, duration=829.487s, table=9, n_packets=0, n_bytes=0, priority=90,ipv6,reg14=0x6,metadata=0x1,dl_src=ca:fe:ca:fe:ca:02,ipv6_src=2620:52:4:8000::1 actions=resubmit(,10)

all works.

Our issue seems to be that anti-spoofing is ignoring IPv6 network statements.

Comment 6 Rodolfo Alonso 2020-07-14 13:37:16 UTC
Hello Igor:

As commented in c#2, although the API allows providing a CIDR or an IP address, both are stored untouched in the Neutron DB. But the OVS agent converts any CIDR/IP to an IP address. That means the network mask will be removed. In the example you are providing, "2620:52:4:8000::/64" will be converted to "2620:52:4:8000::", a valid IP address. The IP address "2620:52:4:8000::1" won't be allowed.

The customer should provide the specific IP to be allowed in the address pair register, not the network CIDR.

Regards.

Comment 7 igramic 2020-07-14 13:48:31 UTC
Hi Rodolfo,

And that is exactly why this was open.

With IPv4 you support:
 - host IPs
 - subnets

IPv6 must support both as well. CIDR is a valid IPv6 interpretation. Not having it is just a bug.

I will explain our situation. We are running a VPN server on OSP, so it has a bunch of clients. By default spoofing is dropping them.
For IPv4 the easy fix is that we just add our CIDR; we need the same option for IPv6. We don't want to enter tons of client IPv6 addresses.

Hope it makes sense now.

Igor

Comment 8 Rodolfo Alonso 2020-07-14 16:19:55 UTC
Hi Igor:

I'll reopen this bug to track another one in OVN. Indeed, when the IPv4 address is a network address (192.168.1.0/24), the Logical_Flow register in the SB contains the CIDR. If the IP address is a valid one (v4 or v6), the Logical_Flow register only stores the address (192.168.1.1/24 --> 192.168.1.1).

Because, for example, 2620:52:4:8000:: is a valid address (at least for router ports [1]), I guess ovn-northd does not store the mask.

Anyway, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1856898 to handle this issue.

Regards.

[1]https://tools.ietf.org/html/rfc4291#section-2.6.1
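The translation described in comments 2, 6 and 8 (the pair's IP address is used as a host match and any mask is dropped; for IPv4 a network address such as 192.168.1.0/24 keeps its CIDR) and the flow check from step 3 of the reproduction, modelled as an added example. This is not networking-ovn or OVN code: the `observed_match` function reproduces the behaviour the thread reports, `expected_match` is an assumed generalisation of the IPv4 rule in comment 8 to IPv6, and the pair values and the flow line are constructed sample data copied from the comments above.

```python
"""Model of allowed-address-pair -> OVN source-address match translation
and a checker for ovs-ofctl dump-flows output.  Added example, not
networking-ovn or OVN code."""
import ipaddress
import re

# Constructed sample pairs, using the values quoted in comment 2.
PAIRS = {
    "ca:fe:ca:fe:ca:02": "2620:52:4:8000::1",
    "ca:fe:ca:fe:ca:03": "2620:52:4:8000::2/64",
    "ca:fe:ca:fe:ca:05": "2620:52:4:8000::/64",
}


def observed_match(ip_address: str) -> str:
    """Behaviour reported in the thread: the pair's IP is taken as a host
    address and any mask is dropped before it becomes ipv6_src / nw_src."""
    return str(ipaddress.ip_interface(ip_address).ip)


def expected_match(ip_address: str) -> str:
    """Assumed rule, generalised from the IPv4 behaviour in comment 8:
    a network address (all host bits zero) with a non-host mask keeps its
    prefix; anything else is treated as a single host address."""
    iface = ipaddress.ip_interface(ip_address)
    net = iface.network  # host bits stripped, non-strict
    if iface.ip == net.network_address and net.prefixlen < net.max_prefixlen:
        return str(net)  # e.g. '2620:52:4:8000::/64' or '192.168.1.0/24'
    return str(iface.ip)


_SRC_RE = re.compile(r"(?:ipv6_src|nw_src)=([^,\s]+)")


def src_match_from_flow(flow_line: str) -> str:
    """Extract the source-address match from one ovs-ofctl dump-flows line
    (the check in step 3 of the reproduction); '' if there is none."""
    m = _SRC_RE.search(flow_line)
    return m.group(1) if m else ""


def match_allows(match_value: str, src: str) -> bool:
    """Would a flow carrying this match admit a packet with source src?
    A bare address only matches itself; a CIDR matches the whole prefix."""
    src_ip = ipaddress.ip_address(src)
    if "/" in match_value:
        return src_ip in ipaddress.ip_network(match_value, strict=False)
    return src_ip == ipaddress.ip_address(match_value)


def flow_allows(flow_line: str, src: str) -> bool:
    value = src_match_from_flow(flow_line)
    return bool(value) and match_allows(value, src)


# Flow from comment 5, reproduced here as constructed sample data.
FLOW_NO_PREFIX = (
    "cookie=0x7785e571, duration=22.365s, table=9, n_packets=0, n_bytes=0, "
    "idle_age=22, priority=90,ipv6,reg14=0xa,metadata=0x1,"
    "dl_src=ca:fe:ca:fe:ca:05,ipv6_src=2620:52:4:8000:: actions=resubmit(,10)"
)

if __name__ == "__main__":
    for mac, ip in PAIRS.items():
        print(f"{mac} {ip:22} observed={observed_match(ip):20} "
              f"expected={expected_match(ip)}")
    client = "2620:52:4:8000::1"
    print(f"flow admits {client}: {flow_allows(FLOW_NO_PREFIX, client)}")
```

Running it against a real compute node amounts to feeding the `table=9` lines of `ovs-ofctl dump-flows br-int` to `flow_allows` with the VPN client address: a match without `/64` admits only `2620:52:4:8000::` itself, which is why every client behind the VPN server is dropped until a per-host pair is added.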

Comment 9 igramic 2020-07-15 06:18:28 UTC
Thank you Rodolfo

Comment 13 igramic 2020-09-01 13:26:21 UTC
Hi Rodolfo,

We upgraded to 16.1 and the issue is still present. Did this shift to some other version?

Thanks
Igor

Comment 14 Rodolfo Alonso 2020-09-03 14:35:01 UTC
Hi Igor:

Until https://bugzilla.redhat.com/show_bug.cgi?id=1856898 is solved, this BZ won't be fixed.

Regards.