[NETVIRT-513] AAP with prefix 0.0.0.0/0 shouldn't be supported for remote security group rules - OpenDaylight JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Resolution: Done
Affects Version/s: Boron
Fix Version/s: None
Component/s: General
Labels:
None
Environment:

Operating System: All
Platform: All

External issue ID:
7912

Description

Supporting AAP with prefix 0.0.0.0/0 for remote security group rules would lead to a potential security breach. This would result in allowing the traffic from all the IPs.

Below is a sample flow related to remote security group rules for VM (10.10.10.3). This would include nw_src match to allow traffic from VM (10.10.10.3).

cookie=0x6900000, duration=3111.415s, table=252, n_packets=0, n_bytes=0, priority=1001,ct_state=+new+trk,ip,metadata=0x30000000000/0xfffff0000000000,nw_src=10.10.10.3 actions=ct(commit,zone=5001),resubmit(,220)

Below is a sample flow related to remote security group rules for VM having AAP with prefix 0.0.0.0/0. This doesn't have nw_src match which would result in allowing the traffic from all the IPs.

cookie=0x6900000, duration=3111.415s, table=252, n_packets=0, n_bytes=0, priority=1001,ct_state=+new+trk,ip,metadata=0x30000000000/0xfffff0000000000 actions=ct(commit,zone=5001),resubmit(,220).

This bug is raised to not support AAP with 0.0.0.0/0 as part of remote security group rules/flows.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Somashekar Byrappa

Reporter:: Somashekar Byrappa

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Mar/17 6:50 AM

Updated:: 03/Apr/17 5:40 PM

Resolved:: 03/Apr/17 5:40 PM