Reviewed:  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/855997
Committed: https://opendev.org/openstack/neutron-tempest-plugin/commit/14d9215c9ab22e84788ce83cbc563535f2fdf1c7
Submitter: "Zuul (22348)"
Branch:    master

commit 14d9215c9ab22e84788ce83cbc563535f2fdf1c7
Author: yangjianfeng <[email protected]>
Date:   Tue Sep 6 10:42:29 2022 +0800

    Create extra external network with address scope for `ndp proxy` tests

    For details, please refer to https://review.opendev.org/855850

    Closes-Bug: #1987410
    Change-Id: I9f3176a9688db8c4f4417139b712d1570c5ab7bb

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1987410

Title:
  NDP proxy allows address takeover when address scope is not used

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When the new NDP proxy feature is configured without an address scope
  being used on the external network, there is no protection against
  addresses being used multiple times. This can be exploited by a
  malicious tenant via creating a subnet with a prefix that covers an
  address that is already in use and take over (part of) the traffic
  flowing towards that address.

  The success of the attack depends on winning the race of who answers
  the NDP query first, but still a 50% chance of capturing traffic seems
  dangerous.

  The attack works not only against other addresses served by NDP proxy,
  but also against other hosts that may exist, potentially even the
  gateway for the external network.
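
An audit check for the overlap condition in the bug description, as an added example that is not part of the bug report or of neutron's code: it flags tenant subnets whose prefix covers an address already in use on the external network, and tenant subnets that overlap each other. The function name, the inventory layout and all addresses (documentation prefix 2001:db8::/32) are constructed assumptions; a real inventory would have to be exported from the deployment.

```python
import ipaddress

# Constructed sample inventory, not taken from the bug report.
# Addresses already in use on the external network (gateway, other hosts).
EXTERNAL_HOSTS = {
    "gateway": "2001:db8:0:1::1",
    "host-a": "2001:db8:0:1::50",
}
# Tenant subnets attached to routers with NDP proxy enabled: (id, cidr).
TENANT_SUBNETS = [
    ("subnet-1", "2001:db8:100::/64"),
    ("subnet-2", "2001:db8:200::/64"),
    ("subnet-3", "2001:db8:0:1::/120"),   # covers the gateway and host-a
    ("subnet-4", "2001:db8:100::/112"),   # sits inside subnet-1
]


def find_takeover_risks(external_hosts, tenant_subnets):
    """Return findings for prefixes that cover addresses already in use.

    Each finding is a tuple:
      ("covers-host", subnet_id, host_name)   tenant prefix covers an
                                              in-use external address
      ("overlaps-subnet", id_a, id_b)         two tenant prefixes overlap
    """
    nets = [(sid, ipaddress.ip_network(cidr)) for sid, cidr in tenant_subnets]
    findings = []

    # A tenant prefix covering an external address could answer NDP for it.
    for sid, net in nets:
        for name, addr in sorted(external_hosts.items()):
            if ipaddress.ip_address(addr) in net:
                findings.append(("covers-host", sid, name))

    # Overlapping tenant prefixes mean the same address can exist twice.
    for i, (sid_a, net_a) in enumerate(nets):
        for sid_b, net_b in nets[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                findings.append(("overlaps-subnet", sid_a, sid_b))
    return findings


if __name__ == "__main__":
    for finding in find_takeover_risks(EXTERNAL_HOSTS, TENANT_SUBNETS):
        print(*finding)
```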

