The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7476

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Reported-by: Etienne Champetier <champetier.etie...@gmail.com>
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
From e3d998fe351951d2e8dfead0be23bac2b6513b0b Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Fri, 15 May 2020 11:28:00 +0100
Subject: [PATCH] doc/security: Adds notes about IPv6 router advertisement
 security

Reported-by: Etienne Champetier <champetier.etie...@gmail.com>
Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 doc/security.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/doc/security.md b/doc/security.md
index bfd878199b..9e500ce19a 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -204,6 +204,8 @@ hosts/subnets.
 
 ## Network security
 
+### Bridged NIC security
+
 The default networking mode in LXD is to provide a 'managed' private network 
bridge that each instance connects to.
 In this mode, there is an interface on the host called `lxdbr0` that acts as 
the bridge for the instances.
 
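Review bot: the new `### Bridged NIC security` heading sits above a paragraph that describes the default managed `lxdbr0` bridge without naming the `bridged` NIC type the heading refers to; the term first appears later in this file ("several `bridged` NIC security features"). Consider opening the paragraph with a clause such as "Instances attach to this bridge with a `bridged` NIC" so that the subsection title, and the parallel `### Routed NIC security` subsection this patch also adds, read consistently.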
@@ -222,6 +224,12 @@ In this default configuration, whilst DNS names cannot not 
be spoofed, the insta
 bridge and can transmit any layer 2 traffic that it wishes, which means an 
untrusted instance can effectively do
 MAC or IP spoofing on the bridge.
 
+It is also possible in the default configuration for instances connected to 
the bridge to modify the LXD host's
+IPv6 routing table by sending (potentially malicious) IPv6 router 
advertisements to the bridge. This is because
+the `lxdbr0` interface is created with 
`/proc/sys/net/ipv6/conf/lxdbr0/accept_ra` set to `2` meaning that the
+LXD host will accept router advertisements even though `forwarding` is enabled 
(see
+https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt for more 
info).
+
 However LXD offers several `bridged` NIC security features that can be used to 
control the type of traffic that
 an instance is allowed to send onto the network. These NIC settings should be 
added to the profile that the
 instance is using, or can be added to individual instances, as shown below.
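Review bot: the added paragraph explains the `accept_ra` set to `2` exposure but names no mitigation, and the only one the patch provides (router advertisements being blocked when `security.ipv6\_filtering` is enabled) is in the last hunk of the file; add a sentence here that points at `security.ipv6\_filtering`, or move that sentence up, so a reader who stops at the warning knows what to set. It would also help to say what "modify the LXD host's IPv6 routing table" means in practice, i.e. that an accepted RA can install a default route on the host, since that is the consequence an operator cares about. While touching this section: the hunk header context shows the existing text reads "whilst DNS names cannot not be spoofed", a double negative that should be "cannot be spoofed".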
@@ -250,4 +258,19 @@ same network as their parent.
 The IP filtering features block ARP and NDP advertisements that contain a 
spoofed IP, as well as blocking any
 packets that contain a spoofed source address.
 
+If `security.ipv4\_filtering` or `security.ipv6\_filtering` is enabled and the 
instance cannot be allocated an IP
+address (because `ipvX.address=none` or there is no DHCP service enabled on 
the bridge) then all IP traffic for
+that protocol is blocked from the instance.
+
+When `security.ipv6\_filtering` is enabled IPv6 router advertisements are 
blocked from the instance.
+
+### Routed NIC security
+
+An alternative networking mode is available called `routed` that provides a 
veth pair between container and host.
+In this networking mode the LXD host functions as a router and static routes 
are added to the host directing
+traffic for the container's IPs towards the container's veth interface.
 
+By default the veth interface created on the host has its `accept_ra` setting 
disabled to prevent router
+advertisements from the container modifying the IPv6 routing table on the LXD 
host. In addition to that the
+`rp_filter` on the host is set to `1` to prevent source address spoofing for 
IPs that the host does not know the
+container has.
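Review bot: `security.ipv4\_filtering` and `security.ipv6\_filtering` are written with a backslash-escaped underscore inside backticks; Markdown does not process backslash escapes within code spans, so the backslash will render literally unless the documentation pipeline does its own pass over these keys. Check how the rest of doc/security.md writes the same keys and match that. Two wording points in the `Routed NIC security` paragraph: "`rp_filter` on the host is set to `1`" does not say on which interface, while the preceding sentence about `accept_ra` is specific to "the veth interface created on the host", so say the same here (e.g. "`rp_filter` on the host-side veth interface is set to `1`"); and `rp_filter` is an IPv4-only sysctl, so "to prevent source address spoofing for IPs that the host does not know the container has" implies a protection for IPv6 source addresses that this setting does not give. Either restrict the claim to IPv4 or state how IPv6 source spoofing is handled for `routed` NICs. Finally, "When `security.ipv6\_filtering` is enabled IPv6 router advertisements are blocked" needs a comma after "enabled".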
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
