It is possible that VMs can send ICMPv6 Neighbor Advertisement packets to misdirect traffic to them. A VM first needs to send a packet with the correct IP address in the nd_target field and, quickly after that, send a packet with a spoofed IP address. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2005408
Any update?
Created openvswitch tracking bugs for this issue: Affects: fedora-all [bug 2240831]
I don't have access to the original bug (bz#2005408). It seems this problem has been solved by the commit below: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c Do you have a reproducer to verify the fix? Thanks fbl
I don't. Rob, switching the needinfo to you as the task owner.
Flavio - I added you to the bz, there is a reproducer available there.
*** Bug 2240833 has been marked as a duplicate of this bug. ***
Important note about this issue - there are really two issues with the test and results. First, there was a bug which we resolved with commit https://github.com/openvswitch/ovs/commit/61a1f14b26be12b5643f00e1fa24f08f5ff418ee which also addresses one issue with matching an nd_target - that of an overbroad match. That is probably what could be considered as the bigger security issue because it would make IPv6 packet movement able to be controlled by a malicious attacker who knows what the rules look like. Second, there is an issue with the OpenFlow spec that doesn't specify required matching on both icmp_type and icmp_code, rather it only specifies icmp_type as the required match - however, that is really a bug. ICMP type and code are required to properly flag a neighbor discovery packet. Our products, and most products afaik will generate matches on both icmp_type and icmp_code, so for most deployments, it won't likely be hit. However, I recently did post a possible workaround to the ovs security mailing list and we are debating the right way to implement the workaround. Unfortunately, because it is really an issue with the spec, we need to make a decision and hope that a future version of the spec doesn't make our fix incompatible, so there is some discussion. When the icmp_type + icmp_code masking patch gets accepted, I'll update this bz.
Correction - the correct commit is: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c
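An added example, not code from Open vSwitch or from anyone in this thread, illustrating the icmp_type plus icmp_code point made above: a classifier that reads bytes 8..23 as an ND target only when the type is 135/136 and the code is 0 (the code value RFC 4861 requires for these messages), next to a type-only variant. The function names and the sample target address are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_NEIGHBOR_SOLICIT 135 /* ICMPv6 type, RFC 4861 */
#define ND_NEIGHBOR_ADVERT  136 /* ICMPv6 type, RFC 4861 */
#define ND_MSG_MIN_LEN      24  /* type, code, checksum, 4 more bytes, 16-byte target */

/* Constructed sample target (2001:db8::1, documentation prefix). */
static const uint8_t SAMPLE_TARGET[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                          0, 0, 0, 0, 0, 0, 0, 1};

static int is_nd_type(uint8_t type)
{
    return type == ND_NEIGHBOR_SOLICIT || type == ND_NEIGHBOR_ADVERT;
}

/* Extract the ND target from an ICMPv6 message (buffer starts at the type byte).
 * strict == 0: classify on icmp_type alone (the gap discussed in the thread).
 * strict == 1: also require icmp_code == 0 before treating bytes 8..23 as an
 *              ND target. Returns 1 and fills target on success, else 0. */
int nd_target_extract(const uint8_t *icmp6, size_t len, int strict, uint8_t target[16])
{
    if (len < ND_MSG_MIN_LEN || !is_nd_type(icmp6[0])) return 0;
    if (strict && icmp6[1] != 0) return 0;
    memcpy(target, icmp6 + 8, 16);
    return 1;
}

/* Build a constructed 24-byte message, present only its first len bytes to the
 * classifier, and return 1 only if it was accepted with the sample target. */
int classify_sample(uint8_t type, uint8_t code, size_t len, int strict)
{
    uint8_t msg[ND_MSG_MIN_LEN] = {0}, target[16] = {0};
    msg[0] = type;
    msg[1] = code;
    memcpy(msg + 8, SAMPLE_TARGET, 16);
    if (len > sizeof msg) len = sizeof msg;
    if (!nd_target_extract(msg, len, strict, target)) return 0;
    return memcmp(target, SAMPLE_TARGET, 16) == 0;
}

int main(void)
{
    printf("NA code 0, strict:    %d\n", classify_sample(136, 0, 24, 1));
    printf("NA code 1, type-only: %d\n", classify_sample(136, 1, 24, 0));
    printf("NA code 1, strict:    %d\n", classify_sample(136, 1, 24, 1));
    return 0;
}
```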