opendevreview | Erno Kuvaja proposed openstack/security-doc master: Correct the scope of OSSN-0090 https://review.opendev.org/c/openstack/security-doc/+/861878 | 11:51 |
---|---|---|
d34dh0r5- | fungi: not sure why, but chanserv kicked me from #openstack-vmt | 12:36 |
d34dh0r5- | ahh, that’s why | 12:36 |
fungi | heh | 12:36 |
fungi | yeah, you need to be authenticated to the server or identified to nickserv before joining protected channels so chanserv can match you to the access list | 12:37 |
opendevreview | Merged openstack/security-doc master: Correct the scope of OSSN-0090 https://review.opendev.org/c/openstack/security-doc/+/861878 | 12:38 |
d34dh0r5- | fungi: can you unban this nick on that channel? I'm not able to change my nick while it's banned | 13:14 |
fungi | you should be able to `/msg chanserv unban #openstack-vmt` | 13:15 |
fungi | (i think that's the syntax) | 13:15 |
fungi | you're allowed to unban yourself once authenticated | 13:15 |
fungi | we'll be starting in about 5 minutes at https://meetpad.opendev.org/oct2022-ptg-openstack-security | 14:55 |
Tengu | let's see if it works here :) | 14:57 |
Tengu | fungi: hm, guess I need to learn a bit more about RA and the whole IPv6 world, because I don't understand why the advertised router could be unreachable, if the rogue operator sets its security groups properly? | 16:03 |
Tengu | (and it's probably a good time to play with HE and their ipv6 tunnel thingy :)) | 16:03 |
Tengu | but that's for another day. getting late here.. | 16:04 |
fungi | Tengu: ra is v6 broadcast traffic, not unicast or even multicast, so the kernel is listening for those | 16:04 |
fungi | so something is causing/allowing the rogue ra to end up on the wrong vlan | 16:05 |
fungi | or virtual bridge even. the rogue router guest and "victim" guest might need to be running on the same host, we don't know at this point | 16:06 |
fungi | really the only thing we know is that (very rarely) a persistent server in one tenant saw ra broadcasts from a test node in a completely different tenant, so added a route to it (and we only found out because the server stopped responding over ipv6 until that route expired) | 16:10 |
fungi | the infrequency suggests there was probably some outside requirement like a service restart on the host or a port creation racing filters being installed or... | 16:11 |
fungi | we repeatedly tried to directly reproduce it, unsuccessfully, and given i've heard nobody else reporting it there must be some unusual combination of requirements which probably makes it impractical for an attacker to control directly | 16:19 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!